From nic.tjirkalli at za.verizonbusiness.com Mon Sep 1 02:20:15 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Mon, 1 Sep 2008 08:20:15 +0200 (SAST)
Subject: [c-nsp] PPP Multilink with L2TP interfaces
Message-ID: 

Howdy ho,

I am trying to get a CPE to

1) fire up a PPPoE session over an Ethernet interface to bring up a Dialer1 interface
2) over this interface, fire up 2 L2TP sessions (Virtual-PPP1 and Virtual-PPP2) and put these in a multilink bundle

The L2TP tunnels are terminating on 196.30.121.42.

Now all works well except for the Multilink PPP part. The 2 L2TP sessions come up individually, but there is no sign of any attempt to multilink (nothing seen in any "debug ppp multilink").

I have included my current config. If anybody can tell me whether what I am trying to do is even possible, and how to fix my config, I would be very happy and thankful.

Thanks in advance

=================== CPE configuration =============================

Current configuration : 3481 bytes
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname l2tp-multilink
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$8ZOc$o9WmyJlHqGd1R8E/iYAR0/
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
l2tp-class l2tpclass1
 authentication
 password 7 15115E0B2C7221027123
!
!
multilink virtual-template 1
!
!
no crypto engine onboard 0
!
!
pseudowire-class pwclass1
 encapsulation l2tpv2
 protocol l2tpv2 l2tpclass1
 ip local interface Dialer1
!
pseudowire-class pwclass2
 encapsulation l2tpv2
 protocol l2tpv2 l2tpclass1
 ip local interface Dialer1
!
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip address negotiated
 ip mtu 1452
 ip virtual-reassembly
 no logging event link-status
 no peer neighbor-route
 no cdp enable
 ppp chap hostname testuser1
 ppp chap password 7 XXXXXXXX
 ppp pap sent-username testuser1 password 7 XXXXXXXX
 ppp multilink
 pseudowire 196.30.121.42 10 pw-class pwclass1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp multilink
!
interface Virtual-PPP2
 ip address negotiated
 ip mtu 1452
 ip virtual-reassembly
 no logging event link-status
 no peer neighbor-route
 no cdp enable
 ppp chap hostname testuser2
 ppp chap password 7 XXXXXXX
 ppp pap sent-username testuser2 password 7 XXXXXXX
 ppp multilink
 pseudowire 196.30.121.42 100 pw-class pwclass2
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname testuser1
 ppp chap password 7 XXXXXXXX
 ppp pap sent-username testuser1 password 7 XXXXXXXX
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 196.30.121.42 255.255.255.255 Dialer1
!
!
ip http server
no ip http secure-server
!
ip access-list extended check_packets_in
 permit ahp any any
 permit esp any any
 permit udp any eq isakmp any eq isakmp
 permit ip any any
!
access-list 1 permit any
access-list 2 deny   any
access-list 3 permit 10.0.0.2
access-list 3 permit 206.64.200.15
access-list 3 permit 196.22.64.194
access-list 3 permit 10.222.0.1
access-list 3 permit 10.222.0.2
access-list 3 permit 10.244.0.2
no cdp run
!
!
!
!
control-plane
!
!
banner motd ^CC
##################################################################
# You Should Not Be Here - Logg Off Imediately Thankyou          #
#                                                                #
#                                                                #
##################################################################
^C
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 0 0
line vty 0 4
 access-class 3 in
 exec-timeout 0 0
 password 7 1315181718
 login
line vty 5 8
 exec-timeout 0 0
 no login
line vty 9 15
 no login
!
scheduler allocate 20000 1000
end

l2tp-multilink#

---------------------------------------------------------------------
I like you. You remind me of when I was young and stupid.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd.
This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.
Company Information: http://www.verizonbusiness.com/za/contact/legal/

From oboehmer at cisco.com Mon Sep 1 03:37:32 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 1 Sep 2008 09:37:32 +0200
Subject: [c-nsp] Error using VFI with local VLAN's on 7600/RSP720 12.2 SRC1
In-Reply-To: <6bb5f5b10808311627v6f49bb69i96e38c700e877dd9@mail.gmail.com>
References: <48B9DFC4.5070701@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED78405ED27B7@xmb-ams-333.emea.cisco.com> <6bb5f5b10808311627v6f49bb69i96e38c700e877dd9@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ED28D2@xmb-ams-333.emea.cisco.com>

Not sure if this would work. Stephen: What are you trying to achieve?

	oli

Rubens Kuhl Jr. wrote on Monday, September 01, 2008 1:27 AM:

> Can he add VLAN translation to the scenario ?
> 
> 
> Rubens
> 
> 
> On Sun, Aug 31, 2008 at 4:13 AM, Oliver Boehmer (oboehmer)
> wrote:
>> Stephen Fulton <> wrote on Sunday, August 31, 2008 2:03 AM:
>> 
>>> Hi all,
>>> 
>>> I'm testing out VFI's in a lab, and I've run into the following
>>> when I attempt to add a second VLAN to the VFI instance.
>> 
>> well, adding a 2nd SVI/Vlan to a VFI doesn't make sense (at least to
>> me), if you want to bridge both segments (and the remote VFIs)
>> together, you would put them into the same broadcast domain (speak:
>> vlan). You can't use VFI/VPLS to create a single bridge domain for
>> two local vlans.
>> 
>> 
>> 	oli
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From muarwi at gmail.com Mon Sep 1 03:48:41 2008
From: muarwi at gmail.com (Muarwi)
Date: Mon, 1 Sep 2008 14:48:41 +0700
Subject: [c-nsp] Interdomain Multicast Routing
Message-ID: <465d309c0809010048j1a5f5fbaja2bad4b1b07dfd3f@mail.gmail.com>

Hi guys, I'm sorry if my question is rather outside of Cisco's things.

I've read books about interdomain multicast routing (also one from Cisco Press). From what I get, the solution offered is PIM SM - MBGP - MSDP.

My questions are:
1. What about using PIM Bidir for interdomain multicast? Is it possible to implement it in Cisco?
2. Has BGMP been implemented by vendors?

Thanks a lot for your response

From gordon.bezzina at bell.net.mt Mon Sep 1 03:58:53 2008
From: gordon.bezzina at bell.net.mt (Gordon Bezzina)
Date: Mon, 1 Sep 2008 09:58:53 +0200
Subject: [c-nsp] exceeding the hardware maximum routes in a 720BXL
In-Reply-To: 
References: 
Message-ID: <014901c90c08$940c8550$bc258ff0$@bezzina@bell.net.mt>

Hi,

Just a quick question: what will happen if you exceed the maximum routes that the FIB TCAM can store?

c7600#sh mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

c7600#

Will it switch completely to software routing, or just switch the excess routes to software routing? Or will it drop routes or, worse still, crash!?

Also, is there a best practice on changing the default maximum routes allocations?
Thanks
Gordon

From jeff.nsp at gmail.com Mon Sep 1 04:48:08 2008
From: jeff.nsp at gmail.com (Jeff Tantsura)
Date: Mon, 1 Sep 2008 10:48:08 +0200
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To: <465d309c0809010048j1a5f5fbaja2bad4b1b07dfd3f@mail.gmail.com>
References: <465d309c0809010048j1a5f5fbaja2bad4b1b07dfd3f@mail.gmail.com>
Message-ID: <000601c90c0f$764584c0$650c10ac@ad.redback.com>

Hi,

The combination you've described has been working for many years,
very well tested, supported by all major vendors.
PIM (bidir as well) is used for intradomain multicast routing independently
of interdomain multicast (MSDP/MBGP).
Cisco does support PIM Bidir.

Cheers,
Jeff

P.S. Best book ever - "Interdomain Multicast Routing" by Edwards/Giuliano/Wright

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Muarwi
> Sent: Monday, 1 September 2008 9:49
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Interdomain Multicast Routing
> 
> Hi guys, I'm sorry if my question is rather outside of Cisco's things.
> 
> I've read books about interdomain multicast routing (also one from Cisco
> Press). From what I get, the solution offered is PIM SM - MBGP - MSDP.
> 
> My questions are:
> 1. What about using PIM Bidir for interdomain multicast? Is it possible to
> implement it in Cisco?
> 2. Has BGMP been implemented by vendors?
> 
> Thanks a lot for your response

From ltd at cisco.com Mon Sep 1 05:50:49 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 01 Sep 2008 19:50:49 +1000
Subject: [c-nsp] exceeding the hardware maximum routes in a 720BXL
In-Reply-To: <014901c90c08$940c8550$bc258ff0$@bezzina@bell.net.mt>
References: <014901c90c08$940c8550$bc258ff0$@bezzina@bell.net.mt>
Message-ID: <48BBBAF9.70009@cisco.com>

Gordon Bezzina wrote:
> Hi,
> 
> Just a quick question: what will happen if you exceed the maximum routes
> that the FIB TCAM can store?
> 
> c7600#sh mls cef maximum-routes
> FIB TCAM maximum routes :
> =======================
> Current :-
> -------
>  IPv4 + MPLS         - 512k (default)
>  IPv6 + IP Multicast - 256k (default)
> 
> 
> c7600#
> 
> 
> Will it switch completely to software routing, or just switch the
> excess routes to software routing? Or will it drop routes or, worse
> still, crash!?

It will switch to partial h/w, partial s/w.
A wildcard will be installed that matches on anything that doesn't fit into the table (i.e. it'll be a punt-to-software for "0/0").

> 
> Also, is there a best practice on changing the default maximum routes
> allocations?

Default is a 50/50 split between IPv4/MPLS and IPv6/Multicast.
It's perhaps difficult to crystal-ball uptake of IPv6 over the next 2 years, but it's probably fair to say the current defaults are ok.

cheers,

lincoln.

From Andrey_Oleinik at bms-consulting.com Mon Sep 1 07:29:37 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Mon, 1 Sep 2008 14:29:37 +0300
Subject: [c-nsp] MWR 1941
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBC010247681CD5@BMSEXCH.BMS-CONSULTING.COM>

Does anybody know if the MWR 1941 DC supports the HWIC-4ESW?

Thank U.
--
Respect,
Andy Oleynik

From leonardo.souza at nec.com.br Mon Sep 1 09:56:48 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 1 Sep 2008 10:56:48 -0300
Subject: [c-nsp] RES: Sup720 Config registry
In-Reply-To: <083120081248.27528.48BA9304000ADD6F00006B882200763692080B0E9C0E@comcast.net>
References: <083120081248.27528.48BA9304000ADD6F00006B882200763692080B0E9C0E@comcast.net>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0194F9AD@spsrvmail03.nec.br>

Notice this can be broken due to CSCeg76624, CSCeg22424 or CSCed58891.
You're safe if you're running 8.5(1) though.

[]'s

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of asadh at comcast.net
Sent: Sunday, 31 August 2008 09:48
To: Brett Clausenhauf; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Sup720 Config registry

You can check the config-register setting on the SP by:

rem comm sw sh ver | i register

The SP is probably still set to 2142. You should change it to 0x2102 by going to config on the RP. When you save the config it will be saved on the SP also. After saving you can issue:

rem comm sw sh ver | i register

It should indicate 0x2102 after reboot.

Asad

-------------- Original message --------------
From: "Brett Clausenhauf"

> Hey Guys..
> 
> I have a query I cannot seem to find any answer to.
> 
> 
> When a sup720 module is booting, if you do a CTRL + Break into rommon
> & change the confreg register on the SP module (changed to confreg
> 0x2142) & NOT the RP module, what does this actually do? I did this by
> mistake whilst troubleshooting an issue. The issue is now resolved but
> I never got the opportunity to put this back (also not sure what to
> put it back to). The module boots up the config & appears to be
> working 100 percent fine... I am very concerned if doing this does
> anything detrimental that is going to be a concern later.
> 
> Can anybody who might know advise? It would be very much appreciated..
> 
> 
> Thanks in advance.

From p.mayers at imperial.ac.uk Mon Sep 1 11:33:39 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 01 Sep 2008 16:33:39 +0100
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <20080829072040.GD27310@lboro.ac.uk>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk>
Message-ID: <48BC0B53.4040000@imperial.ac.uk>

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
> 
>> Latest one running SXH1. No problems so far with FWSM, ACE and 6748s.
> 
> we've got a 12.2(33)SXH3 box up and alive now - so far so much
> better than SXH2 (and 2b) but we've yet to drive packets through
> in anger. certainly looks like we might be SXH'd by the new year
> (but don't quote me on that! ;-) )

Just don't try and "scp" anything from it...

From MLouis at nwnit.com Mon Sep 1 11:45:06 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 1 Sep 2008 11:45:06 -0400
Subject: [c-nsp] Interdomain Multicast Routing
Message-ID: 

This has been a confusing subject for me. If you enabled MSDP between 2 PIM SM domains and enabled mc routing on the intermediate BGP routers while using normal non-MBGP routing, wouldn't mc still work? Why would you want to use MBGP unless you wanted mc routes to take a different path than unicast routes? Do most SPs these days support mc in their networks for customers?
Thanks

mike

-----Original Message-----
From: Jeff Tantsura
Sent: Monday, September 01, 2008 4:53 AM
To: 'Muarwi' ; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Interdomain Multicast Routing

Hi,

The combination you've described has been working for many years,
very well tested, supported by all major vendors.
PIM (bidir as well) is used for intradomain multicast routing independently
of interdomain multicast (MSDP/MBGP).
Cisco does support PIM Bidir.

Cheers,
Jeff

P.S. Best book ever - "Interdomain Multicast Routing" by Edwards/Giuliano/Wright

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Muarwi
> Sent: Monday, 1 September 2008 9:49
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Interdomain Multicast Routing
> 
> Hi guys, I'm sorry if my question is rather outside of Cisco's things.
> 
> I've read books about interdomain multicast routing (also one from Cisco
> Press). From what I get, the solution offered is PIM SM - MBGP - MSDP.
> 
> My questions are:
> 1. What about using PIM Bidir for interdomain multicast? Is it possible to
> implement it in Cisco?
> 2. Has BGMP been implemented by vendors?
> 
> Thanks a lot for your response

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure.
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From A.L.M.Buxey at lboro.ac.uk Mon Sep 1 11:47:00 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 1 Sep 2008 16:47:00 +0100
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <48BC0B53.4040000@imperial.ac.uk>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk>
Message-ID: <20080901154700.GB24224@lboro.ac.uk>

Hi,

>> we've got a 12.2(33)SXH3 box up and alive now - so far so much
>> better than SXH2 (and 2b) but we've yet to drive packets through
>> in anger. certainly looks like we might be SXH'd by the new year
>> (but don't quote me on that! ;-) )
> 
> Just don't try and "scp" anything from it...

8-) don't worry - I saw _that_ posting. Anything with SXH
in the subject line right now gets my immediate attention
(remember that spammers.... ;-) )

alan

From gert at greenie.muc.de Mon Sep 1 12:11:41 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 1 Sep 2008 18:11:41 +0200
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To: 
References: 
Message-ID: <20080901161141.GS233@greenie.muc.de>

Hi,

On Mon, Sep 01, 2008 at 11:45:06AM -0400, Mike Louis wrote:
> Do most SPs these days support mc in their networks for customers?

Do you know *any* SPs these days that support multicast?

Yes, there are a few that have it still turned on, but does that mean it's a first grade, fully supported, product?
We disabled external multicasting in our SP network last week - because there was only minimal customer demand in the last 6 or 7 years, and on those few occasions, I usually spent ages diagnosing black hole issues at one of our upstreams (turned up a new line, forgot to enable PIM on it, and such things).

IPv4 multicast is extremely painful to debug. The whole MSDP/MBGP/PIM model is too complicated to maintain and too brittle for stable operations (SSM might be better - we never tried).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From criling at gmail.com Mon Sep 1 12:35:15 2008
From: criling at gmail.com (Chris Riling)
Date: Mon, 1 Sep 2008 12:35:15 -0400
Subject: [c-nsp] Sup720 Config registry
In-Reply-To: <20080831144435.GA4763@gerbil.cluepon.net>
References: <20080831144435.GA4763@gerbil.cluepon.net>
Message-ID: <8c829ec10809010935g11c22639s488104a8ff8e7ee8@mail.gmail.com>

I have seen an interesting one as well... I had a 7606 with a sup32 out of sync once, and on any input from the console port (or sometimes just on its own) it would halt the switch processor and force a reboot... I'd suggest you make sure the SP and RP are always in sync :)

Chris

On Sun, Aug 31, 2008 at 10:44 AM, Richard A Steenbergen wrote:

> On Sun, Aug 31, 2008 at 03:28:18PM +0200, Mikael Abrahamsson wrote:
> > On Sun, 31 Aug 2008, Brett Clausenhauf wrote:
> >
> > >Can anybody who might know advise? It would be very much appreciated..
> >
> > I had a similar issue back in SXE days (2+ years ago) where the conf-reg
> > would get out of sync between modules on the Sup720-3bxl (it would show
> > conf-reg 0x2102 in IOS, but rebooting would go into rommon).
> >
> > To fix it, I would simply do a conf-reg 0x2102 and "wr" in regular config
> > mode, which seemed to set this conf-reg on all modules, making the problem
> > go away.
>
> I've seen a couple really cool side-effects from an out-of-sync config
> register between RP and SP... For example, I was once rebooting a sup720
> to change the cef maximum-routes tcam partitioning, and as soon as it
> would boot back up it would install a "reboot in 10 minutes" rule,
> like what Jared mentioned here:
>
> http://puck.nether.net/pipermail/cisco-nsp/2006-October/035266.html
>
> After sitting through a lot of automatic reboots and trying everything
> known to man to stop them, I finally found the problem was a desynced
> config-register that you couldn't see from IOS at all (you had to start
> a shell on the SP to see it), which caused the SP to not process the
> RP's new tcam partition config. Apparently there was some edge condition
> which might need you to reboot twice to fully update the SP, so Cisco
> just wrote code to automatically reboot if the SP wasn't updated
> correctly. Combine that with an out-of-sync config-register and you've
> got lots of endless rebooting fun.
> :)
>
> --
> Richard A Steenbergen       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From p.mayers at imperial.ac.uk Mon Sep 1 12:39:12 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 01 Sep 2008 17:39:12 +0100
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To: <20080901161141.GS233@greenie.muc.de>
References: <20080901161141.GS233@greenie.muc.de>
Message-ID: <48BC1AB0.4050406@imperial.ac.uk>

Gert Doering wrote:
> Hi,
> 
> On Mon, Sep 01, 2008 at 11:45:06AM -0400, Mike Louis wrote:
>> Do most SPs these days support mc in their networks for customers?
> 
> Do you know *any* SPs these days that support multicast?
> 
> Yes, there are a few that have it still turned on, but does that mean
> it's a first grade, fully supported, product?
> 
> We disabled external multicasting in our SP network last week - because
> there was only minimal customer demand in the last 6 or 7 years, and
> on those few occasions, I usually spent ages diagnosing black hole
> issues at one of our upstreams (turned up a new line, forgot to enable
> PIM on it, and such things).
> 
> IPv4 multicast is extremely painful to debug. The whole MSDP/MBGP/PIM
> model is too complicated to maintain and too brittle for stable operations
> (SSM might be better - we never tried).

SSM is certainly *easier* to troubleshoot, as is IPv6 embedded RP. I wouldn't say they're "good" though; a large portion of the issues I've run into are much more general, e.g. firewalls, lack of IGMP forwarding, lack of layer 2 support, TTL problems, MTU problems, etc.
From julien.leroiso at gmail.com Mon Sep 1 12:47:06 2008
From: julien.leroiso at gmail.com (julien leroiso)
Date: Mon, 1 Sep 2008 18:47:06 +0200
Subject: [c-nsp] "real" BGP test router
Message-ID: 

Hi,

I know I can use quagga or dynamips/gns3 to validate my labs. But something real, where other people add/remove routes, would be great. So I'm looking for a "real" BGP router on the internet to test my configuration. A router where people can ask for a peering to test their conf.

Regards,
Julien.

From frnkblk at iname.com Mon Sep 1 14:03:23 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 1 Sep 2008 13:03:23 -0500
Subject: [c-nsp] Few questions regarding fixed vs modular and when which is better.
In-Reply-To: <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au>
References: <48B6C5AE.5030501@lumison.net> <48B6CAC3.8000308@templin.org> <20080829073336.GH233@greenie.muc.de> <001b01c909c4$638d89b0$2aa89d10$@org.uk> <6D6205FA-8F23-48FC-B495-9A022F1B5304@short.id.au>
Message-ID: 

Seems like a lot of extra cabling gymnastics to compensate for the failure of Cisco to provide an affordable 48-port dual-PSU 1U switch.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shane Short
Sent: Friday, August 29, 2008 6:30 AM
To: cisco-nsp
Subject: Re: [c-nsp] Few questions regarding fixed vs modular and when which is better.

I've had pretty good success doing this in the past; however, I've run double the density and split it over two racks. I.e., 24 servers per rack, so a 48-port switch per rack, with 48 ties between the racks to tie it all together. Each server would hit the switch in its own rack, then tie over to the adjacent rack.

The idea generally behind this was to have the servers/switches on opposing phases to eliminate power problems, without having to get dual power supplies in the switches themselves.
-Shane

On 29/08/2008, at 6:45 PM, Dean Smith wrote:

> Surely 2 basic switches - with servers dual homed across giving you
> independent uplinks to the core, dual control planes and dual power
> etc
> gives far better resilience at the price point than a simple switch
> with an
> extra PSU ?
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: 29 August 2008 08:34
> To: Pete Templin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Few questions regarding fixed vs modular and
> when which
> is better.
>
> Hi,
>
> On Thu, Aug 28, 2008 at 10:56:51AM -0500, Pete Templin wrote:
>> Have you looked at their product line lately? I attended one of
>> their
>> LAN Switching Update events, and learned a lot about their new
>> products, such as 1U 3560E models with 24 or 48 10/100/1000 ports and
>> two X2 10G uplinks and dual power. Might that suffice?
>
> Still "full L3" with the L3 price tag.
>
> Something like a 2960G-24TC with dual power would be cool.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From paul.cosgrove at heanet.ie Mon Sep 1 14:48:13 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Mon, 01 Sep 2008 19:48:13 +0100
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To: 
References: 
Message-ID: <48BC38ED.4000508@heanet.ie>

Hi Mike,

Normally MSDP will work with just unicast BGP, but then the RPF check changed between IOS and IOS XR...

In IOS a router performing an RPF check looks first at the multicast routing table, and if it doesn't find a match it then looks at the unicast table.

In IOS XR, if you have any routes in the multicast table and you do not find the one you are looking for, RPF fails. It doesn't matter whether or not the prefix is in the unicast table.

You may have a situation where you are given multicast feeds (e.g. IPTV) and are only supplied with multicast BGP routes because they do not want any of your unicast traffic. You may well wish to receive those feeds, and also receive multicasts from sources which only advertise unicast routes. If I understand the RPF correctly, this presents you with a problem and you may have to look at statics/ACLs etc.

Paul.

Mike Louis wrote:
> This has been a confusing subject for me. If you enabled MSDP between 2 PIM SM domains and enabled mc routing on the intermediate BGP routers while using normal non-MBGP routing, wouldn't mc still work?
> Why would you want to use MBGP unless you wanted mc routes to take a different path than unicast routes? Do most SPs these days support mc in their networks for customers?
> 
> Thanks
> 
> mike
> 
> -----Original Message-----
> From: Jeff Tantsura
> Sent: Monday, September 01, 2008 4:53 AM
> To: 'Muarwi' ; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Interdomain Multicast Routing
> 
> 
> Hi,
> 
> The combination you've described has been working for many years,
> very well tested, supported by all major vendors.
> PIM (bidir as well) is used for intradomain multicast routing independently
> of interdomain multicast (MSDP/MBGP).
> Cisco does support PIM Bidir.
> 
> Cheers,
> Jeff
> 
> P.S. Best book ever - "Interdomain Multicast Routing" by
> Edwards/Giuliano/Wright
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Muarwi
>> Sent: Monday, 1 September 2008 9:49
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Interdomain Multicast Routing
>> 
>> Hi guys, I'm sorry if my question is rather outside of Cisco's things.
>> 
>> I've read books about interdomain multicast routing (also one from Cisco
>> Press). From what I get, the solution offered is PIM SM - MBGP - MSDP.
>> 
>> My questions are:
>> 1. What about using PIM Bidir for interdomain multicast? Is it possible to
>> implement it in Cisco?
>> 2. Has BGMP been implemented by vendors?
>> 
>> Thanks a lot for your response
> 

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From tseveendorj at gmail.com Mon Sep 1 21:54:05 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Tue, 2 Sep 2008 09:54:05 +0800
Subject: [c-nsp] RTP related question
Message-ID: <62c908120809011854y707caf87vd5325bcd7e9cedb0@mail.gmail.com>

Hi

I couldn't imagine how to test RTP between 2 points. How do I know whether the remote RTP ports are open?
Sincerely,
Tseveen

From muarwi at gmail.com Mon Sep 1 22:49:23 2008
From: muarwi at gmail.com (Muarwi)
Date: Tue, 2 Sep 2008 09:49:23 +0700
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To: <000601c90c0f$764584c0$650c10ac@ad.redback.com>
References: <465d309c0809010048j1a5f5fbaja2bad4b1b07dfd3f@mail.gmail.com> <000601c90c0f$764584c0$650c10ac@ad.redback.com>
Message-ID: <465d309c0809011949k2beb5eb7qda9a6d022aed36ce@mail.gmail.com>

Hi Jeff, thanks a lot for your response.

Then how about BGMP (RFC 3913)? Is it still a proposed protocol?

Thanks.

On 9/1/08, Jeff Tantsura wrote:
>
> Hi,
>
> The combination you've described has been working for many years,
> very well tested, supported by all major vendors.
> PIM (bidir as well) is used for intradomain multicast routing
> independently
> of interdomain multicast (MSDP/MBGP).
> Cisco does support PIM Bidir.
>
> Cheers,
> Jeff
>
> P.S. Best book ever - "Interdomain Multicast Routing" by
> Edwards/Giuliano/Wright
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Muarwi
> > Sent: Monday, 1 September 2008 9:49
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Interdomain Multicast Routing
> >
> > Hi guys, I'm sorry if my question is rather outside of Cisco's things.
> >
> > I've read books about interdomain multicast routing (also one from Cisco
> > Press). From what I get, the solution offered is PIM SM - MBGP - MSDP.
> >
> > My questions are:
> > 1. What about using PIM Bidir for interdomain multicast? Is it possible
> to
> > implement it in Cisco?
> > 2. Has BGMP been implemented by vendors?
> >
> > Thanks a lot for your response
>

From abalashov at evaristesys.com Mon Sep 1 22:51:10 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Mon, 1 Sep 2008 22:51:10 -0400 (EDT)
Subject: [c-nsp] RTP related question
In-Reply-To: <62c908120809011854y707caf87vd5325bcd7e9cedb0@mail.gmail.com>
References: <62c908120809011854y707caf87vd5325bcd7e9cedb0@mail.gmail.com>
Message-ID: <1cb627fb84d83ce4aa3f4ecd58c94efd.squirrel@webmail.corp.evaristesys.com>

As RTP contains no backward acknowledgment mechanisms (other than RTCP reports), you really can't. You need to use a VoIP user agent and generate a bidirectional RTP stream (a conversation) and verify media receipt with a packet capture or subjectively, or via some means that the user agent provides.

On Mon, September 1, 2008 9:54 pm, Tseveendorj Ochirlantuu wrote:
> Hi
>
> I couldn't imagine how to test RTP between 2 points. How do I know remote
> RTP ports open?
>
> Sincerely,
> Tseveen
>

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From pshuleski at gmail.com Mon Sep 1 23:15:13 2008
From: pshuleski at gmail.com (Pete S.)
Date: Mon, 1 Sep 2008 23:15:13 -0400
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <20080901154700.GB24224@lboro.ac.uk>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk> <20080901154700.GB24224@lboro.ac.uk>
Message-ID: <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com>

We've been running a mix of SXF and SXH, (un)fortunately. SXF is pretty solid. If you don't have any features (like VPN, adjust-mss specifically), or modules which require an SXH train (i.e. 6716), I'd suggest you stick with safe harbor SXF. The biggest running issue I have with SXH is not containing the ISSU capability in the non-modular flavor. Modular still makes me nervous for production.

--Pete

On Mon, Sep 1, 2008 at 11:47 AM, wrote:
> Hi,
>
>>> we've got a 12.2(33)SXH3 box up and alive now - so far so much
>>> better than SXH2 (and 2b) but we've yet to drive packets through
>>> in anger. certainly looks like we might be SXH'd by the new year
>>> (but dont quote me on that! ;-) )
>>
>> Just don't try and "scp" anything from it...
>
> 8-) dont worry - i saw _that_ posting. anything with SXH
> in the subject line right now gets my immediate attention
> (remember that spammers.... ;-) )
>
> alan
>

From dudepron at gmail.com Mon Sep 1 23:48:15 2008
From: dudepron at gmail.com (Aaron)
Date: Mon, 1 Sep 2008 23:48:15 -0400
Subject: [c-nsp] Interdomain Multicast Routing
In-Reply-To:
References:
Message-ID: <480dad640809012048o32821575we5e4a798b5e924da@mail.gmail.com>

The large ones do. I know Sprint has been doing it for over 11 years. I would say that most do not charge or if they do it is minimal.
NOC support may vary from provider to provider.

On Mon, Sep 1, 2008 at 11:45 AM, Mike Louis wrote:
> This has been a confusing subject for me. If you enabled msdp between 2
> pim sm domains and enabled mc routing on the intermediate bgp routers while
> using normal non-mbgp routing wouldn't mc still work? Why would you want to
> use mbgp unless you wanted mc routes to take a different path than unicast
> routes? Do most sp these days support mc in their networks for customers?
>
> Thanks
>
> mike
>
> -----Original Message-----
> From: Jeff Tantsura
> Sent: Monday, September 01, 2008 4:53 AM
> To: 'Muarwi' ; cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Interdomain Multicast Routing
>
>
> Hi,
>
> The combination you've described has been working for many years,
> very well tested, supported by all major vendors.
> PIM (bidir as well) is used for intradomain multicast routing
> independently of interdomain multicast (MSDP/MBGP).
> Cisco does support PIM Bidir
>
> Cheers,
> Jeff
>
> P.S. Best book ever - "Interdomain Mutlicast Routing" by
> Edwards/Giuliano/Wright
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Muarwi
> > Sent: Monday 1 September 2008 9:49
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Interdomain Multicast Routing
> >
> > Hi guys, I'm sorry if my question is rather out of cisco's things.
> >
> > I've read books about interdomain multicast routing (also one from cisco
> > press). From what I get, the solution offered is PIM SM - MBGP - MSDP.
> >
> > My questions are:
> > 1. what about using PIM Bidir for interdomain multicast? Is it possible to
> > implement it in Cisco?
> > 2. Has BGMP been implemented by vendors?
> >
> > Thanks a lot for your response
>

From vikassharmas at gmail.com Tue Sep 2 00:25:03 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Tue, 2 Sep 2008 09:55:03 +0530
Subject: [c-nsp] mpls ldp discovery transport-address
Message-ID:

Hi,

Below is the output of sh mpls ldp discovery. Here LDP identifier and LDP discovery source are different. I can change discovery source using "mpls ldp discovery transport-address" but my question here is what is the best practice and what are the benefits? Is it better to use the same address for both LDP identifier and discovery source, or different ones?

One of the benefits I can see is that if I use the same IP for both I can reduce the number of labels.
Any other benefit wrt security!!!

router1# sh mpls ldp discovery
 Local LDP Identifier:
    212.74.65.105:0
    Discovery Sources:
    Interfaces:
        GigabitEthernet0/1 (ldp): xmit/recv
            LDP Id: 212.74.65.124:0
        GigabitEthernet0/2 (ldp): xmit/recv
            LDP Id: 212.74.65.126:0
    Targeted Hellos:
        212.74.65.105 -> 212.74.65.124 (ldp): passive, xmit/recv
            LDP Id: 212.74.65.124:0
        212.74.65.105 -> 212.74.65.126 (ldp): passive, xmit/recv
            LDP Id: 212.74.65.126:0

router1#sh mpls fo
router1#sh mpls forwarding-table | in 212.74.65.124
4560       Pop tag     212.74.65.124/32   0          Gi0/1      212.74.88.233
router1#sh mpls forwarding-table | in 212.74.65.105
router1#

Regards,
Vikas Sharma

From oboehmer at cisco.com Tue Sep 2 01:53:13 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 2 Sep 2008 07:53:13 +0200
Subject: [c-nsp] mpls ldp discovery transport-address
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405F396A2@xmb-ams-333.emea.cisco.com>

Vikas Sharma <> wrote on Tuesday, September 02, 2008 6:25 AM:

> Hi,
>
> Below is the output of sh mpls ldp discovery. Here LDP identifier and
> LDP discovery source are different. I can change discovery source
> using "mpls ldp discovery transport-address" but my question here is
> what is the best practice and what are the benefits? Is it better to use
> the same address for both LDP identifier and discovery source, or different ones?

best practice is to use a loopback as LDP router-ID and advertise this address as transport address (i.e. use the default behavior). This has multiple advantages:

- less config
- if you have multiple links between two nodes, you don't have to worry about advertising the same address on both links
- it allows you to keep the session established even if the link supplying the transport address goes down (good for convergence)

Or were you thinking about using a dedicated loopback as transport address? Not sure what the benefit of this would be.
I've seen the transport address being used in some cases where the LDP router-ID is not advertised in IGP (for whatever reason), but these were corner cases..

> One of the benefits I can see is that if I use the same IP for both I can
> reduce the number of labels. Any other benefit wrt security!!!

not sure what you mean by "reducing number of labels".. Number of IGP labels is usually not a concern. Not sure about the security argument.

	oli

From swmike at swm.pp.se Tue Sep 2 02:08:13 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 2 Sep 2008 08:08:13 +0200 (CEST)
Subject: [c-nsp] mpls ldp discovery transport-address
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405F396A2@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405F396A2@xmb-ams-333.emea.cisco.com>
Message-ID:

> I've seen the transport address being used in some cases where the LDP
> router-ID is not advertised in IGP (for whatever reason), but these were
> corner cases..

I've had to use it when there were vendor interop problems, the LDP session wouldn't come up otherwise. I even posted to the IETF MPLS list regarding the fact that I couldn't figure out where in the standard it was said what address should be used where, but I received no reply, so I am still none the wiser how it should work so I know what vendor to tell to go fix their stuff.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Tue Sep 2 02:27:32 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Sep 2008 08:27:32 +0200
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk> <20080901154700.GB24224@lboro.ac.uk> <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com>
Message-ID: <20080902062732.GU233@greenie.muc.de>

Hi,

On Mon, Sep 01, 2008 at 11:15:13PM -0400, Pete S. wrote:
> The biggest running issue I have with SXH,

My biggest issues are:

- no BFD on SVIs (worked fine in SXF)
- the BGP ghost bug is back :-( (SXH3 regularly forgets to send withdraws to iBGP peers if a prefix completely disappears. During the course of 4 weeks, I have observed it twice, once for IPv4 and once for IPv6, without actually *looking* for it - so it's likely happening much more often)

The thing I like most about SXH is the reworked mls netflow architecture where you only fill up netflow TCAM for those interfaces that you really want to see, and not "for all interfaces and the collector has to filter".

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From b.turnbow at twt.it Tue Sep 2 03:00:41 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 2 Sep 2008 09:00:41 +0200
Subject: [c-nsp] RTP related question
In-Reply-To: <62c908120809011854y707caf87vd5325bcd7e9cedb0@mail.gmail.com>
References: <62c908120809011854y707caf87vd5325bcd7e9cedb0@mail.gmail.com>
Message-ID:

You can use SAA on Cisco routers to simulate traffic and gather stats (jitter, packet loss, etc.). That won't tell if the ports are open, but you can check line quality etc.

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a00801b1a1e.shtml

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tseveendorj Ochirlantuu
Sent: Tuesday 2 September 2008 3.54
To: cisco-voip at puck.nether.net
Cc: cisco-nsp at puck.nether.net
Subject: [c-nsp] RTP related question

Hi

I couldn't imagine how to test RTP between 2 points. How do I know remote RTP ports open?

Sincerely,
Tseveen

From julien.leroiso at gmail.com Tue Sep 2 04:14:55 2008
From: julien.leroiso at gmail.com (julien leroiso)
Date: Tue, 2 Sep 2008 10:14:55 +0200
Subject: [c-nsp] "real" BGP test router
In-Reply-To:
References:
Message-ID:

I said "real" because I'm thinking of a test router that other people use to test. But this BGP router has no impact on the internet.

This platform could be automatic with a form and give you an unused private AS number in their tables :p

On Mon, Sep 1, 2008 at 6:47 PM, julien leroiso wrote:
> Hi,
>
> I know I can use quagga or dynamips/gns3 to validate my labs.
> But something real where other people add/remove routes would be great.
>
> so I'm looking for a "real" BGP router on the internet to test my
> configuration.
> A router where people can ask for a peering to test their conf.
>
> Regards,
> Julien.
>

From list-cisco-nsp at pwns.ms Tue Sep 2 04:29:49 2008
From: list-cisco-nsp at pwns.ms (list-cisco-nsp at pwns.ms)
Date: Tue, 2 Sep 2008 08:29:49 +0000
Subject: [c-nsp] "real" BGP test router
In-Reply-To:
References:
Message-ID: <20080902082949.GA8158@pwns.ms>

> I said "real" because I'm thinking of a test router that other people use to
> test.
> But this BGP router has no impact on the internet.
>
> This platform could be automatic with a form and give you an unused private
> AS number in their tables :p

Do you mean something like http://noc.mono-ix.net/?

From tomas at soitron.com Tue Sep 2 08:02:07 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Tue, 2 Sep 2008 14:02:07 +0200
Subject: [c-nsp] SRB4 (was RE: SRC2?)
In-Reply-To: <1219992936.6106.16.camel@moby>
References: <1218555162.2004.15.camel@empacher.cns.ufl.edu> <200808132004.24869.mtinka@globaltransit.net> <6B43981C32F8464CB24CEE209DA32BD3016D84C0@kenya.tronet.as> <1219992936.6106.16.camel@moby>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD30175B4C2@kenya.tronet.as>

are you using ES20's? beware of CSCsm61571

--

deejay

> -----Original Message-----
> From: Liviu Pislaru [mailto:liviu.pislaru at gmail.com]
> Sent: 29 August 2008 08:56
> To: Tomas Daniska
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SRB4 (was RE: SRC2?)
>
> hi,
>
> i'm running SRB4 on WS-SUP720-3BXL & WS-F6700-DFC3CXL linecards.
>
> i was running SRB2, hit some BUGs and had two options:
>
> 1. upgrade to SRB4
> 2. downgrade to SRA7 (change DFC3CXL linecards)
>
> i went for option 1.
> and everything is working fine now except my logs
> are full of these lines:
>
> Aug 29 09:45:59 EETDST: %DIAG-SP-3-TEST_SKIPPED: Module 7:
> TestFabricFlowControlStatus{ID=33} is skipped
>
> Aug 29 09:46:01 EETDST: %DIAG-SP-3-TEST_SKIPPED: Module 7:
> TestFabricFlowControlStatus{ID=33} is skipped
>
>
> [...]
>
>   7    2  Supervisor Engine 720 (Hot)             WS-SUP720-3BXL     SAL09412THT
>   8    2  Supervisor Engine 720 (Active)          WS-SUP720-3BXL     SAL09368YPZ
> [...]
>
>
>
> i'm not worried (yet) because cisco says:
>
> =====================================================================
>
> %DIAG-3-TEST_SKIPPED (x1): [chars]: [chars]{ID=[dec]} is skipped
>
> Explanation: The specified diagnostic test cannot be run.
>
> Recommended Action: None. Although the test cannot be run, this message
> does not indicate a problem.
>
> =====================================================================
>
> or
>
> =====================================================================
>
> %DIAG-3-TEST_SKIPPED (x0): [chars]: [chars]{ID=[dec]} is skipped
>
> Explanation: This message indicates that the diagnostic test cannot be
> run.
>
> Recommended Action: No action is required. The system is working
> properly.
>
> =====================================================================
>
> but i had to filter these lines from my logs.
>
> i'm running BGP (full bgp table), MPLS, OSPF, MULTICAST on this router.
> so i'm pretty pleased with SRB4 until now.
>
> --
> liviu.
>
> On Wed, 2008-08-13 at 14:58 +0200, Tomas Daniska wrote:
> > speaking of the releases... is anyone running SRB4 in production yet?
> >
> > cheers
> >
> > --
> >
> > deejay
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Mark Tinka
> > > Sent: 13 August 2008 14:04
> > > To: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] SRC2?
> > >
> > > On Tuesday 12 August 2008 23:32:42 Chris Griffin wrote:
> > >
> > > > Anyone know when 12.2(33)SRC2 is supposed to be released,
> > > > specifically for the 7600. I had heard by the end of
> > > > July, but so far no release.
> > >
> > > Same here... heard it was meant to be mid-July, but nothing
> > > yet.
> > >
> > > Having waited this long, it'll come when it comes, I
> > > guess :-).
> > >
> > > Cheers,
> > >
> > > Mark.

From tbeecher at localnet.com Tue Sep 2 09:08:46 2008
From: tbeecher at localnet.com (Thomas Beecher)
Date: Tue, 02 Sep 2008 09:08:46 -0400
Subject: [c-nsp] PA-POS-OC3SMI vs. PA-POS-OC3SML
In-Reply-To: <200808291454.03298.kratzers@pa.net>
References: <200808291454.03298.kratzers@pa.net>
Message-ID: <48BD3ADE.3060405@localnet.com>

Stephen-

If L3 is handing this OC3 off to you inside your building, the SMI card is fine. It's technically rated at 9 miles between stations, so unless you're farther than that from the hand off, you're all set.

Stephen Kratzer wrote:
> All,
>
> We're looking to turn up an OC3 with Level3, but we've been unable to get a
> hardware recommendation from them. All we know is that it'll be single mode
> using SC connectors. Is the PA-POS-OC3SMI a safe bet, or do we need to get
> distance information and purchase accordingly? Thanks.
>
> Stephen Kratzer
> Network Engineer
> CTI Networks, Inc.
>

--
Thomas Beecher II
Senior Network Administrator
LocalNet Corp.
CoreComm Internet Services
tbeecher at localnet.com

From tdurack at gmail.com Tue Sep 2 09:09:18 2008
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 2 Sep 2008 09:09:18 -0400
Subject: [c-nsp] SUP720-3B / 3rd party CF
Message-ID: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com>

This is a mystery to me: I've got a few new VS-S720-10G-3C Sups that work just fine with Kingston 1GB CF. I've also got some old SUP720-3Bs that refuse to recognise anything other than Cisco CF. Tried formatting, upgrading rommon (8.5(2)), dd'ing Cisco flash to Kingston etc. This is under 12.2(33)SXH2 in case it makes a difference.

Googling around and checking cisco-nsp archives suggest 3rd party flash should work just fine with the 3B. Anyone else run into this?

Tim:>

From maillist at webjogger.net Tue Sep 2 09:13:12 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 2 Sep 2008 09:13:12 -0400
Subject: [c-nsp] PPP Multilink with L2TP interfaces
References:
Message-ID: <011e01c90cfd$a7003e40$12140a0a@GINKGO>

Nic,

Not familiar with L2TP in particular, but working with MLPPP in other contexts, it is usually necessary to specify a multilink group; i.e. everywhere you have the "ppp multilink" command you may need a corresponding "ppp multilink group 1" command, to put all the links in the same bundle.

Also, I don't see a multilink interface in your configurations, but again that might be because with L2TP it's not required. However, something to consider.
Thanks,
Adam

----- Original Message -----
From: "Nic Tjirkalli"
To:
Sent: Monday, September 01, 2008 2:20 AM
Subject: [c-nsp] PPP Multilink with L2TP interfaces

>
> howdy ho,
>
> i am trying to get a CPE to
> 1) fire up a PPPoE session over an Ethernet interface to bring up a
> Dialer1 interface
> 2) over this interface, fire up 2 L2TP sessions (Virtual-PPP1 and
> Virtual-PPP2 and put these in a multilink bundle)
> The L2TP tunnels are terminating on 196.30.121.42
>
> Now all works well except for the Multilink PPP part. the 2 L2TP sessions
> come up individually but there is no sign of any attempt to multilink
> (nothing seen in any debug ppp multilink)
>
> I have included my current config
>
> if anybody can tell me if what i am trying to do is even possible and how
> to fix my config i would be very happy and thankful
>
> thanx in advance
>
>
> =================== CPE configuration =============================
> Current configuration : 3481 bytes
> !
> version 12.4
> no service timestamps debug uptime
> no service timestamps log uptime
> service password-encryption
> !
> hostname l2tp-multilink
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> enable secret 5 $1$8ZOc$o9WmyJlHqGd1R8E/iYAR0/
> !
> no aaa new-model
> ip cef
> !
> !
> !
> !
> no ip domain lookup
> ip auth-proxy max-nodata-conns 3
> ip admission max-nodata-conns 3
> vpdn enable
> !
> l2tp-class l2tpclass1
>  authentication
>  password 7 15115E0B2C7221027123
> !
> !
> multilink virtual-template 1
> !
> !
> no crypto engine onboard 0
> !
> !
> pseudowire-class pwclass1
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> pseudowire-class pwclass2
>  encapsulation l2tpv2
>  protocol l2tpv2 l2tpclass1
>  ip local interface Dialer1
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.255
> !
> interface Null0
>  no ip unreachables
> !
> interface FastEthernet0/0
>  no ip address
>  speed 100
>  full-duplex
>  pppoe enable group global
>  pppoe-client dial-pool-number 1
> !
> interface FastEthernet0/1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface Virtual-PPP1
>  ip address negotiated
>  ip mtu 1452
>  ip virtual-reassembly
>  no logging event link-status
>  no peer neighbor-route
>  no cdp enable
>  ppp chap hostname testuser1
>  ppp chap password 7 XXXXXXXX
>  ppp pap sent-username testuser1 password 7 XXXXXXXX
>  ppp multilink
>  pseudowire 196.30.121.42 10 pw-class pwclass1
> !
> interface Virtual-Template1
>  ip unnumbered Loopback0
>  ppp multilink
> !
> interface Virtual-PPP2
>  ip address negotiated
>  ip mtu 1452
>  ip virtual-reassembly
>  no logging event link-status
>  no peer neighbor-route
>  no cdp enable
>  ppp chap hostname testuser2
>  ppp chap password 7 XXXXXXX
>  ppp pap sent-username testuser2 password 7 XXXXXXX
>  ppp multilink
>  pseudowire 196.30.121.42 100 pw-class pwclass2
> !
> interface Dialer1
>  mtu 1492
>  ip address negotiated
>  ip virtual-reassembly
>  encapsulation ppp
>  ip tcp adjust-mss 1452
>  dialer pool 1
>  dialer-group 1
>  ppp chap hostname testuser1
>  ppp chap password 7 XXXXXXXX
>  ppp pap sent-username testuser1 password 7 XXXXXXXX
> !
> no ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
> ip route 196.30.121.42 255.255.255.255 Dialer1
> !
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended check_packets_in
>  permit ahp any any
>  permit esp any any
>  permit udp any eq isakmp any eq isakmp
>  permit ip any any
> !
> access-list 1 permit any
> access-list 2 deny any
> access-list 3 permit 10.0.0.2
> access-list 3 permit 206.64.200.15
> access-list 3 permit 196.22.64.194
> access-list 3 permit 10.222.0.1
> access-list 3 permit 10.222.0.2
> access-list 3 permit 10.244.0.2
> no cdp run
> !
> !
> !
> !
> control-plane
> !
> !
> banner motd ^CC
> ##################################################################
> #     You Should Not Be Here - Logg Off Imediately Thankyou      #
> #                                                                #
> #                                                                #
> ##################################################################
> ^C
> !
> line con 0
>  exec-timeout 0 0
> line aux 0
>  exec-timeout 0 0
> line vty 0 4
>  access-class 3 in
>  exec-timeout 0 0
>  password 7 1315181718
>  login
> line vty 5 8
>  exec-timeout 0 0
>  no login
> line vty 9 15
>  no login
> !
> scheduler allocate 20000 1000
> end
>
> l2tp-multilink#
>
>
>
> ---------------------------------------------------------------------
> I like you. You remind me of when I was young and stupid.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information:http:// www.verizonbusiness.com/za/contact/legal/
>
> This e-mail is strictly confidential and intended only for use by the
> addressee unless otherwise indicated.
>
>

From ml at t-b-o-h.net Tue Sep 2 09:38:28 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Tue, 2 Sep 2008 09:38:28 -0400 (EDT)
Subject: [c-nsp] How they do that?
Message-ID: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com>

Hi,

	Not a Cisco specific question, but thought this group would have the best insight.

	After 10 hours on the road, I'm more dopey than usual. Pull into a Marriott, and of course the first thing I do is hook the laptop up. Normally, during the FreeBSD boot process I stop it and switch the config over from a hardcoded IP/gateway (For use at home/office... I need to be DMZ'd for some things, so the IP is static) to DHCP.
Wasn't thinking straight and let it boot. Oddly, it resolved all my NTP servers, but then couldn't sync NTP time. Weird. My browser autostarts when I bring up X, and all of a sudden it's on the Marriott site and asking me to validate I really want to use the net for free. I click it, and I'm good to go.

	So, I wonder if I just happen to use the same range, and oddly the same gateway (Non standard) as the hotel. I don't think anything of it.

	I go to dinner, come back, and notice on my console it's complaining :

Sep  2 09:12:58 himinbjorg kernel: Sep  2 09:12:58 himinbjorg kernel: arplookup 192.168.50.1 failed: host is not on local network

	I do a tcpdump and notice all sorts of IPs being handled by the 192.168.50.1 .... 10.'s, 172.'s, etc. I even see :

09:32:49.870101 CDPv2, ttl: 180s, Device-ID 'SW1_MDF', length 351

	So how is this possible? Is there a protocol or something I haven't heard of? How would it know where my default gateway is? (Maybe just reply to every ARP with the 192.168.50.1 address? Sorta looks it.. I just ping'd something that doesn't exist, and got :

? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]

	Oddly an entry for 192.168.3.1 exists, which I would never ping for. Guess it tried to force a gateway on me. :)

	Then maybe when it gets a packet, it inspects it. If it is going to a real net address it plays gateway, if it isn't it just drops it?

		Thanks, Tuc

From MatlockK at exempla.org Tue Sep 2 10:14:01 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Tue, 2 Sep 2008 08:14:01 -0600
Subject: [c-nsp] How they do that?
In-Reply-To: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com>
References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AF7B6@LMC-MAIL2.exempla.org>

Sounds like the hotel is doing 2 things:

1) Proxy-arp on the router, giving you the MAC of the router when asking for something outside of what it has configured on layer 3.
Whatever is doing the proxy arp must also be paying attention to who made the request, and forwarding the return traffic to you at layer 2.

2) Captive portal, there's a local dns 'server' there letting you resolve addresses, but won't allow any real traffic to flow through until you 'accept' the Terms of Service. (Fairly common setup these days at hospitals).

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H.NET
Sent: Tuesday, September 02, 2008 7:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] How they do that?

Hi,

	Not a Cisco specific question, but thought this group would have the best insight.

	After 10 hours on the road, I'm more dopey than usual. Pull into a Marriott, and of course the first thing I do is hook the laptop up. Normally, during the FreeBSD boot process I stop it and switch the config over from a hardcoded IP/gateway (For use at home/office... I need to be DMZ'd for some things, so the IP is static) to DHCP. Wasn't thinking straight and let it boot. Oddly, it resolved all my NTP servers, but then couldn't sync NTP time. Weird. My browser autostarts when I bring up X, and all of a sudden it's on the Marriott site and asking me to validate I really want to use the net for free. I click it, and I'm good to go.

	So, I wonder if I just happen to use the same range, and oddly the same gateway (Non standard) as the hotel. I don't think anything of it.

	I go to dinner, come back, and notice on my console it's complaining :

Sep  2 09:12:58 himinbjorg kernel: Sep  2 09:12:58 himinbjorg kernel: arplookup 192.168.50.1 failed: host is not on local network

	I do a tcpdump and notice all sorts of IPs being handled by the 192.168.50.1 .... 10.'s, 172.'s, etc. I even see :

09:32:49.870101 CDPv2, ttl: 180s, Device-ID 'SW1_MDF', length 351

	So how is this possible?
Is there a protocol or something I haven't heard of? How would it know where my default gateway is? (Maybe just reply to every ARP with the 192.168.50.1 address? Sorta looks it.. I just ping'd something that doesn't exist, and got :

? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]

	Oddly an entry for 192.168.3.1 exists, which I would never ping for. Guess it tried to force a gateway on me. :)

	Then maybe when it gets a packet, it inspects it. If it is going to a real net address it plays gateway, if it isn't it just drops it?

		Thanks, Tuc

From sthaug at nethelp.no Tue Sep 2 10:20:14 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 02 Sep 2008 16:20:14 +0200 (CEST)
Subject: [c-nsp] How they do that?
In-Reply-To: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com>
References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <20080902.162014.74741570.sthaug@nethelp.no>

> So how is this possible? Is there a protocol or something I
> haven't heard of? How would it know where my default gateway is?
> (Maybe just reply to every ARP with the 192.168.50.1 address? Sorta
> looks it.. I just ping'd something that doesn't exist, and got :
>
> ? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
>
> Oddly an entry for 192.168.3.1 exists, which I would never
> ping for. Guess it tried to force a gateway on me. :)

It's called proxy ARP, and is on by default on Cisco routers (and switches with routing functionality). It's a horrible default, and leads to all sorts of "interesting" problems.

Proxy ARP: Just say no.
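The behaviour described in this thread (one router MAC answering ARP for addresses that are not on the local segment) can be confirmed from the host side by grouping the ARP cache by MAC address. The following script is an added example, not code from any of the posts above; it parses FreeBSD-style "arp -an" lines like the one Tuc quoted, and the sample entries, the interface prefix 192.168.50.0/24 and the threshold are constructed assumptions. A MAC that answers for several addresses outside the interface's own prefix is exactly the proxy-ARP footprint; on the router side the matching fix is "no ip proxy-arp" on the interface.

```python
"""Spot proxy-ARP behaviour from a host's ARP cache (constructed example).

Parses FreeBSD-style ``arp -an`` output, groups entries by MAC address and
reports any MAC that answers for addresses outside the prefix actually
configured on the interface.  Without proxy ARP such entries cannot exist,
because a host only ARPs for addresses it believes are on-link.
"""
import ipaddress
import re
from collections import defaultdict

# FreeBSD arp -an line: "? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\s+on\s+(?P<ifname>\S+)",
    re.IGNORECASE,
)

# Constructed sample (assumption, not captured from the thread): one MAC
# answering for hosts in several unrelated private ranges, plus an ordinary
# on-link neighbour with its own MAC.
SAMPLE_ARP = """\
? (192.168.50.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (10.1.2.3) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (172.16.9.9) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.50.77) at 00:1b:21:aa:bb:cc on xl0 [ethernet]
"""


def parse_arp(text):
    """Return (ip, mac, ifname) tuples for every line that looks like an ARP entry."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["ifname"]))
    return entries


def find_proxy_arp(text, local_prefix, min_offlink=2):
    """Group ARP entries by MAC and report MACs answering for off-link addresses.

    local_prefix is the prefix configured on the interface ("192.168.50.0/24"
    in this example).  A MAC seen for at least min_offlink addresses outside
    that prefix is returned together with the sorted list of those addresses.
    """
    net = ipaddress.ip_network(local_prefix, strict=False)
    by_mac = defaultdict(list)
    for ip, mac, _ in parse_arp(text):
        by_mac[mac].append(ip)
    suspects = {}
    for mac, ips in by_mac.items():
        offlink = sorted(ip for ip in ips if ip not in net)
        if len(offlink) >= min_offlink:
            suspects[mac] = [str(ip) for ip in offlink]
    return suspects


if __name__ == "__main__":
    for mac, ips in find_proxy_arp(SAMPLE_ARP, "192.168.50.0/24").items():
        print(f"{mac} answers ARP for off-link addresses: {', '.join(ips)}")
```

Feed it the real output of "arp -an" (or the equivalent on another OS after adjusting the regex) and the prefix your interface is actually configured with; an empty result means nothing off-link was resolved through ARP, a populated one names the MAC that is proxying, which is the device to point at when asking the network operator to turn proxy ARP off.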
Steinar Haug, Nethelp consulting, sthaug at nethelp.no From ross at kallisti.us Tue Sep 2 10:38:36 2008 From: ross at kallisti.us (Ross Vandegrift) Date: Tue, 2 Sep 2008 10:38:36 -0400 Subject: [c-nsp] SNMP access to err-disable on 2960s In-Reply-To: <6de481d10808300907q6dec809cveb35a84be0e10f7e@mail.gmail.com> References: <20080829140205.GA14820@kallisti.us> <6de481d10808300907q6dec809cveb35a84be0e10f7e@mail.gmail.com> Message-ID: <20080902143836.GB17734@kallisti.us> On Sat, Aug 30, 2008 at 09:07:28AM -0700, John Jensen wrote: > Have you tried looking at the CISCO-ERR-DISABLE-MIB file? > > You can download it here: > > ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ERR-DISABLE-MIB.my Somehow that was missing from the pack of Cisco MIBs I downloaded and pull my MIBs from. It looks perfect, but isn't supported on any of my 2960s, 3750s, or 6500s. Bah, what a load a crap. Ross -- Ross Vandegrift ross at kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37 From jeff.nsp at gmail.com Tue Sep 2 10:46:25 2008 From: jeff.nsp at gmail.com (Jeff Tantsura) Date: Tue, 2 Sep 2008 16:46:25 +0200 Subject: [c-nsp] Interdomain Multicast Routing In-Reply-To: <465d309c0809011949k2beb5eb7qda9a6d022aed36ce@mail.gmail.com> References: <465d309c0809010048j1a5f5fbaja2bad4b1b07dfd3f@mail.gmail.com> <000601c90c0f$764584c0$650c10ac@ad.redback.com> <465d309c0809011949k2beb5eb7qda9a6d022aed36ce@mail.gmail.com> Message-ID: <003501c90d0a$adbabbe0$6602a8c0@ad.redback.com> Hi, I don't see any development on BGMP. For IPv4 multicast PIM ASM/SSM +MSDP (mBGP) is the way to go. Here and there you'd see some enhancements, mostly vendor specific, dual PIM join on Redback is a good example. 
On the other hand there's a lot happening in MPLS multicast: P2MP RSVP, mLDP, NG mVPN, you name it. Cheers, Jeff _____ From: Muarwi [mailto:muarwi at gmail.com] Sent: dinsdag 2 september 2008 4:49 To: Jeff Tantsura Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Interdomain Multicast Routing Hi Jeff, thanks a lot for your response. Then how about BGMP (RFC 3913) ? Is it still a proposed protocol? Thanks . On 9/1/08, Jeff Tantsura wrote: Hi, The combination you've described has been working for many years, very well tested, supported by all major vendors. PIM (bidir as well) is used for intradomain multicast routing independently of interdomain multicast (MSDP/MBGP). Cisco does support PIM Bidir Cheers, Jeff P.S. Best book ever - "Interdomain Mutlicast Routing" by Edwards/Giuliano/Wright > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Muarwi > Sent: maandag 1 september 2008 9:49 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Interdomain Multicast Routing > > Hi guys, I'm sorry if my questions is rather out of cisco's things. > > I've read books about interdomain multicast routing (also one from cisco > press). From what I get, the solutions offered is PIM SM - MBGP - MSDP. > > My questions is : > 1. what about using PIM Bidir for interdomain multicast? Is it possible to > implement it in Cisco? > 2. Has BGMP been being implemented in vendors? 
> > Thanks a lot for your response > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Tue Sep 2 10:53:56 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 02 Sep 2008 16:53:56 +0200 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> Message-ID: <1220367236.17820.3.camel@abehat> On Tue, 2008-09-02 at 09:09 -0400, Tim Durack wrote: > This is a mystery to me: > > I've got a few new VS-S720-10G-3C Sups that work just fine with Kingston 1GB > CF. I've also got some old SUP720-3Bs that refuse to recognise anything > other than Cisco CF. Tried formatting, upgrading rommon (8.5(2)), dd'ing > Cisco flash to Kingston etc. This is under 12.2(33)SXH2 in case it makes a > difference. > > Googling around and checking cisco-nsp archives suggest 3rd party flash > should work just fine with the 3B. > > Anyone else run into this? According to the data sheet[1] the Sup720 only supports up to 512MB flash. We use 512MB cards in a range of 6500s with Sup720 HW-revisions 2.1, 4.3 and 5.2 without problems. Haven't tried 1GB though. Regards, Peter From tdurack at gmail.com Tue Sep 2 11:20:33 2008 From: tdurack at gmail.com (Tim Durack) Date: Tue, 2 Sep 2008 11:20:33 -0400 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <1220367236.17820.3.camel@abehat> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> Message-ID: <9e246b4d0809020820ld27c0a4g945413166a2d9606@mail.gmail.com> That's true, but the Cisco 1GB CF I borrowed from a S720-10G for a test seems to work okay. So I'm still scratching my head. 
At this point I'm probably going to spring for the Cisco CF, but I'd rather know that I could mix-n-match. Tim:> On Tue, Sep 2, 2008 at 10:53 AM, Peter Rathlev wrote: > On Tue, 2008-09-02 at 09:09 -0400, Tim Durack wrote: > > This is a mystery to me: > > > > I've got a few new VS-S720-10G-3C Sups that work just fine with Kingston > 1GB > > CF. I've also got some old SUP720-3Bs that refuse to recognise anything > > other than Cisco CF. Tried formatting, upgrading rommon (8.5(2)), dd'ing > > Cisco flash to Kingston etc. This is under 12.2(33)SXH2 in case it makes > a > > difference. > > > > Googling around and checking cisco-nsp archives suggest 3rd party flash > > should work just fine with the 3B. > > > > Anyone else run into this? > > According to the data sheet[1] the Sup720 only supports up to 512MB > flash. We use 512MB cards in a range of 6500s with Sup720 HW-revisions > 2.1, 4.3 and 5.2 without problems. Haven't tried 1GB though. > > Regards, > Peter > > > From adrian.minta at gmail.com Tue Sep 2 12:02:08 2008 From: adrian.minta at gmail.com (Adrian Minta) Date: Tue, 02 Sep 2008 19:02:08 +0300 Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version In-Reply-To: <20080902062732.GU233@greenie.muc.de> References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk> <20080901154700.GB24224@lboro.ac.uk> <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com> <20080902062732.GU233@greenie.muc.de> Message-ID: <48BD6380.6050309@gmail.com> Gert Doering wrote: > Hi, > > On Mon, Sep 01, 2008 at 11:15:13PM -0400, Pete S. wrote: > >> The biggest running issue I have with SXH, >> > > My biggest issues are: > > - no BFD on SVIs (worked fine in SXF) > > - the BGP ghost bug is back :-( > (SXH3 regularily forgets to send withdraws to iBGP peers if a prefix > completely disappears. 
During the course of 4 weeks, I have observed > it twice, once for IPv4 and once for IPv6, without actually *looking* > for it - so it's likely happening much more often) > > Yes, the nasty BGP bug is present. The only "solution" seems to be a periodically "clear ip bgp all". Cisco IOS Software, s6523_rp Software (s6523_rp-ADVIPSERVICESK9-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1) -- Best regards, Adrian Minta From peter at rathlev.dk Tue Sep 2 12:09:12 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 02 Sep 2008 18:09:12 +0200 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <1220367236.17820.3.camel@abehat> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> Message-ID: <1220371752.19570.1.camel@abehat> On Tue, 2008-09-02 at 16:53 +0200, Peter Rathlev wrote: > According to the data sheet[1] the Sup720 only supports up to 512MB > flash. We use 512MB cards in a range of 6500s with Sup720 HW-revisions > 2.1, 4.3 and 5.2 without problems. Haven't tried 1GB though. The data sheet ([1]) would of course be found here: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html Regards, Peter From jared at puck.nether.net Tue Sep 2 12:27:32 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 2 Sep 2008 12:27:32 -0400 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <9e246b4d0809020820ld27c0a4g945413166a2d9606@mail.gmail.com> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> <9e246b4d0809020820ld27c0a4g945413166a2d9606@mail.gmail.com> Message-ID: <20080902162732.GB1967@puck.nether.net> On Tue, Sep 02, 2008 at 11:20:33AM -0400, Tim Durack wrote: > That's true, but the Cisco 1GB CF I borrowed from a S720-10G for a test > seems to work okay. So I'm still scratching my head. 
>
> At this point I'm probably going to spring for the Cisco CF, but I'd rather
> know that I could mix-n-match.

Depending on your IOS version, it may make a difference, as well as the monlib on the CF. Make sure you format the devices in the router to ensure there are limited/no problems.

We have 1G CF cards working fine. In recent IOS versions you can obtain detailed flash information. I recommend SanDisk. I've not tested over 1G CF cards, but running with SXF and SXH we seem to have no issue.

If someone from TAC wants to try to counterpost that an "unsupported" CF card will violate our warranty or any other garbage like that, please notify me when the PMs decide to ship sufficiently sized CF to support the devices to provide core dumps for developers.

- Jared

Router#show disk0 all
-#- --length-- -----date/time------ path
2            1  Jan 1 1980 HA:HA:HA s72033

946323456 bytes available (78217216 bytes used)

******** ATA Flash Card Geometry/Format Info ********

ATA CARD GEOMETRY
   Manufacturer Name       SanDisk
   Model Number            SanDisk SDCFB-1024
   Serial Number           SECURED
   Firmware Revision       HDX 4.03
   Number of Heads         16
   Number of Cylinders     1986
   Sectors per Cylinder    63
   Sector Size             512
   Total Sectors           2001888

ATA PARTITION 1 INFO
   Start Sector            63
   Number of Sectors       2001825
   Size in Bytes           1024934400
   File System Type        FAT16
   Number of FAT Sectors   245
   Sectors Per Cluster     32
   Number of Clusters      62533
   Number of Data Sectors  2001056
   Base FAT Sector         108
   Base Root Sector        598
   Base Data Sector        630

ATA MONLIB INFO
   Image Monlib size       69912
   Disk Monlib Size        53880
   Disk Space Available    54784
   Name                    NA
   End Sector              NA
   Start sector            NA
   Updated By              NA
   Version                 NA

RFS VERSION :
   Negotiated Version                   : 0
   Highest version supported in Server  : 0
   Highest version supported in Client  : 0

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
From gert at greenie.muc.de  Tue Sep  2 13:12:59 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Sep 2008 19:12:59 +0200
Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version
In-Reply-To: <48BD6380.6050309@gmail.com>
References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk> <20080901154700.GB24224@lboro.ac.uk> <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com> <20080902062732.GU233@greenie.muc.de> <48BD6380.6050309@gmail.com>
Message-ID: <20080902171259.GB233@greenie.muc.de>

Hi,

On Tue, Sep 02, 2008 at 07:02:08PM +0300, Adrian Minta wrote:
> > - the BGP ghost bug is back :-(
>
> Yes, the nasty BGP bug is present. The only "solution" seems to be a
> periodically "clear ip bgp all".
> Cisco IOS Software, s6523_rp Software (s6523_rp-ADVIPSERVICESK9-M),
> Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)

Gah. For me, "clear ip bgp soft *" seems also to have helped, but still, this is no way to run an ISP...

Do you have a bug ID or a TAC case # for this? (I currently can't open cases for the boxes in question, as our gold partner is unable to get the contracts sorted out, but "soon!").

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gschwim at gmail.com  Tue Sep  2 13:22:54 2008
From: gschwim at gmail.com (Greg Schwimer)
Date: Tue, 2 Sep 2008 10:22:54 -0700
Subject: [c-nsp] Running MPLS across non-MPLS networks
Message-ID: <702ea15b0809021022j613a61a8sb05aa687c3f8f1ba@mail.gmail.com>

I have a situation where I need to run MPLS across a non-MPLS network (the Internet) to connect two of my networks together.
We have looked at GRE, but ran into issues and were later told by Cisco that running MPLS over GRE is unsupported. Any ideas as to a solution to this problem, aside from purchasing a third-party service (circuit, etc)? Greg From adrian.minta at gmail.com Tue Sep 2 13:33:08 2008 From: adrian.minta at gmail.com (Adrian Minta) Date: Tue, 02 Sep 2008 20:33:08 +0300 Subject: [c-nsp] RES: Cisco Catalyst 6513 IOS version In-Reply-To: <20080902171259.GB233@greenie.muc.de> References: <48B520CE.7030008@actrix.co.nz> <48B5602E.7010705@imperial.ac.uk> <079b01c90970$092d2330$f211a8c0@flamadam> <20080829072040.GD27310@lboro.ac.uk> <48BC0B53.4040000@imperial.ac.uk> <20080901154700.GB24224@lboro.ac.uk> <50f158990809012015r32c2880ei9622a731a6acdf0a@mail.gmail.com> <20080902062732.GU233@greenie.muc.de> <48BD6380.6050309@gmail.com> <20080902171259.GB233@greenie.muc.de> Message-ID: <48BD78D4.6010405@gmail.com> Gert Doering wrote: > Hi, > > On Tue, Sep 02, 2008 at 07:02:08PM +0300, Adrian Minta wrote: > >>> - the BGP ghost bug is back :-( >>> >> Yes, the nasty BGP bug is present. The only "solution" seems to be a >> periodically "clear ip bgp all". >> Cisco IOS Software, s6523_rp Software (s6523_rp-ADVIPSERVICESK9-M), >> Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1) >> > > Gah. For me, "clear ip bgp soft *" seems also to have helped, but still, > this is no way to run an ISP... > > Do you have a bug ID or a TAC case # for this? (I currently can't open > cases for the boxes in question, as our gold partner is unable to get the > contracts sorted out, but "soon!"). > > gert > Not yet. Until today I considered this an isolated incident. Next time when the bug will strike I will for sure. 
-- Best regards, Adrian Minta From dudepron at gmail.com Tue Sep 2 14:15:12 2008 From: dudepron at gmail.com (Aaron) Date: Tue, 2 Sep 2008 14:15:12 -0400 Subject: [c-nsp] Running MPLS across non-MPLS networks In-Reply-To: <702ea15b0809021022j613a61a8sb05aa687c3f8f1ba@mail.gmail.com> References: <702ea15b0809021022j613a61a8sb05aa687c3f8f1ba@mail.gmail.com> Message-ID: <480dad640809021115m4d74887cx57c2d7f75138cddd@mail.gmail.com> l2tpv3 On Tue, Sep 2, 2008 at 1:22 PM, Greg Schwimer wrote: > I have a situation where I need to run MPLS across a non-MPLS network (the > Internet) to connect two of my networks together. We have looked at GRE, > but ran into issues and were later told by Cisco that running MPLS over GRE > is unsupported. > > Any ideas as to a solution to this problem, aside from purchasing a > third-party service (circuit, etc)? > > Greg > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From david.freedman at uk.clara.net Tue Sep 2 14:33:22 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Tue, 02 Sep 2008 19:33:22 +0100 Subject: [c-nsp] Leaky SoO Message-ID: Hi, I'm seeing leaky SoO in 12.4M (prefixes get advertised back to sites with same SoO they came from), possibly down to CSCek73579, I notice there are no first-fixed-in 12.4M or 12.2SB targets, would somebody on here from cisco mind taking a look at the internal notes and tell me if this bug applies to normal BGP setups (i.e with no EIGRP) and if so, when I could expect a fix in 12.4M or 12.2SB ? 
Many thanks David Freedman From tdurack at gmail.com Tue Sep 2 14:48:40 2008 From: tdurack at gmail.com (Tim Durack) Date: Tue, 2 Sep 2008 14:48:40 -0400 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <20080902162732.GB1967@puck.nether.net> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> <9e246b4d0809020820ld27c0a4g945413166a2d9606@mail.gmail.com> <20080902162732.GB1967@puck.nether.net> Message-ID: <9e246b4d0809021148g745983d1rd5ff4a6cd84b304d@mail.gmail.com> Hmm. I've got a handful of Kingston cards that work on both 3B/3C and a handful that work only on 3C. Those that don't work give an error on read/format: %Error show disk0: (no such device) Tim:> On Tue, Sep 2, 2008 at 12:27 PM, Jared Mauch wrote: > On Tue, Sep 02, 2008 at 11:20:33AM -0400, Tim Durack wrote: > > That's true, but the Cisco 1GB CF I borrowed from a S720-10G for a test > > seems to work okay. So I'm still scratching my head. > > > > At this point I'm probably going to spring for the Cisco CF, but I'd > rather > > know that I could mix-n-match. > > Depending on your IOS version, it may make a difference, as well as > the monlib on the CF. Make sure you format the devices in the router to > insure there are limited/no problems. > > We have 1G CF cards working fine. In recent IOS versions you ca > obtain > detailed flash information. I recommend SanDisk. I've not tested over 1G > CF > cards, but running with SXF and SXH we seem to have no issue. > > If someone from TAC wants to try to counterpost that a "unsupported" > CF card will violate our warranty or any other garbage like that, Please > notify me when the PMs decide to ship sufficently sized CF to support > the devices to provide core dumps for developers. 
> > - Jared > > > Router#show disk0 all > -#- --length-- -----date/time------ path > 2 1 Jan 1 1980 HA:HA:HA s72033 > > 946323456 bytes available (78217216 bytes used) > > ******** ATA Flash Card Geometry/Format Info ******** > > ATA CARD GEOMETRY > Manufacturer Name SanDisk > Model Number SanDisk SDCFB-1024 > Serial Number SECURED > Firmware Revision HDX 4.03 > Number of Heads 16 > Number of Cylinders 1986 > Sectors per Cylinder 63 > Sector Size 512 > Total Sectors 2001888 > > ATA PARTITION 1 INFO > Start Sector 63 > Number of Sectors 2001825 > Size in Bytes 1024934400 > File System Type FAT16 > Number of FAT Sectors 245 > Sectors Per Cluster 32 > Number of Clusters 62533 > Number of Data Sectors 2001056 > Base FAT Sector 108 > Base Root Sector 598 > Base Data Sector 630 > > ATA MONLIB INFO > Image Monlib size 69912 > Disk Monlib Size 53880 > Disk Space Available 54784 > Name NA > End Sector NA > Start sector NA > Updated By NA > Version NA > > RFS VERSION : > Negotiated Version : 0 > Highest version supported in Server : 0 > Highest version supported in Client : 0 > > > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are only mine. > From sethm at rollernet.us Tue Sep 2 15:07:34 2008 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 02 Sep 2008 12:07:34 -0700 Subject: [c-nsp] IPv6 ACL question for the 3750 Message-ID: <48BD8EF6.6080800@rollernet.us> I'm playing with IPv6 on a 3750. Looking at the release notes for 12.2(46)SE, I see the following limitation for IPv6 access lists: * The switch does not support output port ACLs. It's currently running 12.2(25)SEE and I tested statements like "permit tcp any host x:x:x:x:2d0:b7ff:fee6:574 eq 80" that work fine, but that limitation (which does not appear in the release notes for 12.2(25)SEE) lead me to believe this capability was dropped. Is this true, or am I misreading it? 
Or am I stuck with jumping all the way to a 6500/Sup720 to get decent (i.e. complete) IPv6 support? ~Seth From cboyd at gizmopartners.com Tue Sep 2 15:46:04 2008 From: cboyd at gizmopartners.com (Chris Boyd) Date: Tue, 2 Sep 2008 14:46:04 -0500 Subject: [c-nsp] How they do that? In-Reply-To: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com> References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com> Message-ID: On Sep 2, 2008, at 8:38 AM, Tuc at T-B-O-H.NET wrote: > Hi, > > Not a Cisco specific question, but thought this group > would have the best insight. > > After 10 hours on the road, I'm more dopey than usual. Pull > into a Marriott, and of course the first thing I do is hook the laptop > up. Normally, during the FreeBSD boot process I stop it and switch the > config over from a hardcoded IP/gateway (For use at home/office... I > need to be DMZ'd for somet things, so the IP is static) to DHCP. > Wasn't > thinking straight and let it boot. Since some have replied about proxy arp and the like, I'll go ahead and reply to the list. It's more complicated than that. Many hotels use a device from Nomadix http://www.nomadix.com/ (now part of DoCoMo). It's a supercharged packet munger that can take almost any end station config and rewrite the headers to get you connected to the outside world, usually after redirecting an HTTP session to the clickthrough "Don't Be Evil" agreement, credit card info collection etc. Very effective and flexible. --Chris From avayner at cisco.com Tue Sep 2 16:25:11 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Tue, 2 Sep 2008 22:25:11 +0200 Subject: [c-nsp] Leaky SoO In-Reply-To: References: Message-ID: <67F7C1FAF83A074AA3520D8F155782A501C9E062@xmb-ams-331.emea.cisco.com> David, This seems to be an EIGRP related bug. I sent a quick note to the DE regarding the fix in the listed releases... 
Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman Sent: Tuesday, September 02, 2008 21:33 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Leaky SoO Hi, I'm seeing leaky SoO in 12.4M (prefixes get advertised back to sites with same SoO they came from), possibly down to CSCek73579, I notice there are no first-fixed-in 12.4M or 12.2SB targets, would somebody on here from cisco mind taking a look at the internal notes and tell me if this bug applies to normal BGP setups (i.e with no EIGRP) and if so, when I could expect a fix in 12.4M or 12.2SB ? Many thanks David Freedman _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From daniel.voyer at bell.ca Tue Sep 2 16:54:23 2008 From: daniel.voyer at bell.ca (daniel.voyer at bell.ca) Date: Tue, 2 Sep 2008 16:54:23 -0400 Subject: [c-nsp] Problem with the mailing list In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405F396A2@xmb-ams-333.emea.cisco.com> References: <70B7A1CCBFA5C649BD562B6D9F7ED78405F396A2@xmb-ams-333.emea.cisco.com> Message-ID: <52D7E1CAB4BB0B4EA26C12C51BA771E309AF4B7315@MBX03.bell.corp.bce.ca> Hello, Why do I get every mails in double ? In a week, I get 10131 mails. - dan From howard at leadmon.net Tue Sep 2 17:00:24 2008 From: howard at leadmon.net (Howard Leadmon) Date: Tue, 2 Sep 2008 17:00:24 -0400 Subject: [c-nsp] Cisco ACNS Query regarding negative caching? Message-ID: <016d01c90d3e$ee65eb40$cb31c1c0$@net> I know I don't see much on ACNS here, but was hoping someone might have worked with the ACNS software more than I have, as it's pretty new to me. I have a Content Engine 590 here I am working with, running ACNS 5.9.11, using WCCPv2, and overall it's working well. 
The problem I am running into is if it sends a request, and that request fails, it seems to cache that request for like 15 min before it will even attempt it again. So for example I was reading a forum remotely, was doing great, and apparently it missed a response, and that was it, it wouldn't even try the forum again till that negative response timed/aged out. I turned off the proxy redirect and all would work fine, turn it back on and dead. Once the negative response aged out things were normal again. Is there some setting to tell it if it gets a negative response to always retry if requested again? I have looked at the config and reference guides from Cisco, and though I can set a ton of stuff, I haven't found a way to stop this behavior. Anyone have any ideas, or clues on how to change this action by the Content Engine? --- Howard Leadmon From apiasecki at gmail.com Tue Sep 2 19:36:58 2008 From: apiasecki at gmail.com (Adam Piasecki) Date: Tue, 2 Sep 2008 19:36:58 -0400 Subject: [c-nsp] How they do that? In-Reply-To: References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com> Message-ID: <345400390809021636o1bb0d04aof4e79cde11e836a9@mail.gmail.com> IP3 http://www.ip3.com/ is also a big one that does this type of stuff. I would say 90% of laptop users who travel, know they need to change to a dynamic IP & DNS. This whole hacking the way IP works, really sucks. It leads to all sorts of weird problems, Just to save you a couple of support calls. 
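The "How they do that?" thread above (Tuc's arplookup complaints and the ARP entry for 192.168.3.23 on a MAC that was clearly not a host on his wire, with Steinar's answer that this is proxy ARP) is easy to spot from the client side once you know what to look for: one MAC answering for addresses that cannot be on the local segment. The script below is an added example, not code from anyone on the list. It parses FreeBSD-style `arp -an` output and flags any MAC that claims off-net addresses or too many addresses at once. The sample ARP table is constructed around the single line Tuc posted; the other entries, the local prefix and the per-MAC threshold are assumptions.

```python
"""Spot a proxy-ARP (or ARP-spoofing) gateway from the host ARP cache.

Symptom in the thread: one MAC (00:08:02:3e:b3:0f) answers ARP for
addresses that are not on the local wire at all, and the FreeBSD kernel
then logs "arplookup ... failed: host is not on local network".
Parses 'arp -an' output and reports MACs that answer for addresses
outside the local prefix, or for more addresses than a host should own.
"""
import ipaddress
import re
from collections import defaultdict

# FreeBSD 'arp -an' line, e.g.
#   ? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
ARP_LINE = re.compile(
    r"\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})\s+on\s+(?P<ifname>\S+)",
    re.IGNORECASE,
)

# Constructed sample: the 192.168.3.23 line is the one from the thread,
# the rest are assumed entries that make the pattern visible.
SAMPLE_ARP = """\
? (192.168.50.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (10.1.2.3) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (172.16.9.9) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.50.20) at 00:1b:63:aa:bb:cc on xl0 [ethernet]
? (192.168.50.21) at 00:1b:63:dd:ee:ff on xl0 permanent [ethernet]
"""


def parse_arp(text):
    """Return a list of (ip, mac, ifname) tuples from 'arp -an' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["ifname"]))
    return entries


def find_proxy_arp(entries, local_net, max_ips_per_mac=3):
    """Group ARP entries by MAC and report the ones behaving like a proxy.

    A MAC is reported if it answers for any address outside local_net
    (a real neighbour never should) or for more than max_ips_per_mac
    addresses.  Returns {mac: {"ips": [...], "off_net": [...]}}.
    """
    local_net = ipaddress.ip_network(local_net)
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        by_mac[mac].append(ip)
    report = {}
    for mac, ips in by_mac.items():
        off_net = sorted(ip for ip in ips if ip not in local_net)
        if off_net or len(ips) > max_ips_per_mac:
            report[mac] = {"ips": sorted(ips), "off_net": off_net}
    return report


if __name__ == "__main__":
    # Assumed local prefix: Tuc's static 192.168.50.0/24 config.
    hits = find_proxy_arp(parse_arp(SAMPLE_ARP), "192.168.50.0/24")
    for mac, info in hits.items():
        print(f"{mac}: answers for {len(info['ips'])} addresses, "
              f"{len(info['off_net'])} off-net: "
              + ", ".join(str(ip) for ip in info["off_net"]))
```

From the client's point of view a hotel gateway doing proxy ARP and a hostile host doing ARP spoofing look identical, so this only tells you that somebody is answering for addresses they do not own, not why. On the Cisco side the fix Steinar is asking for is `no ip proxy-arp` on the interface; proxy ARP is per-interface and, as he says, on by default.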
From mtinka at globaltransit.net  Tue Sep  2 21:25:01 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 3 Sep 2008 09:25:01 +0800
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <1220367236.17820.3.camel@abehat>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat>
Message-ID: <200809030925.01720.mtinka@globaltransit.net>

On Tuesday 02 September 2008 22:53:56 Peter Rathlev wrote:

> According to the data sheet[1] the Sup720 only supports
> up to 512MB flash. We use 512MB cards in a range of 6500s
> with Sup720 HW-revisions 2.1, 4.3 and 5.2 without
> problems. Haven't tried 1GB though.

When we were upgrading from the SUP2 to the SUP720, we told Cisco we'd use the IBM 1GB compact flash modules unless they gave us something similar.

In the end, Cisco shipped our SUP720's with Cisco-branded 1GB compact flash cards (external). However, the internal flash card remains at 512MB, which is fine with us:

#sh file systems
*   1024589824   944439296   disk   rw   disk0:#
     512024576   398319616   disk   rw   sup-bootdisk: sup-bootflash:#

Cheers,

Mark.

From jlewis at lewis.org  Tue Sep  2 22:09:46 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 2 Sep 2008 22:09:46 -0400 (EDT)
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <200809030925.01720.mtinka@globaltransit.net>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> <200809030925.01720.mtinka@globaltransit.net>
Message-ID:

On Wed, 3 Sep 2008, Mark Tinka wrote:

> On Tuesday 02 September 2008 22:53:56 Peter Rathlev wrote:
>
>> According to the data sheet[1] the Sup720 only supports
>> up to 512MB flash. We use 512MB cards in a range of 6500s
>> with Sup720 HW-revisions 2.1, 4.3 and 5.2 without
>> problems. Haven't tried 1GB though.
>
> When we were upgrading from the SUP2 to the SUP720, we told
> Cisco we'd use the IBM 1GB compact flash modules unless
> they gave us something similar.
>
> In the end, Cisco shipped our SUP720's with Cisco-branded
> 1GB compact flash cards (external). However, the internal
> flash card remains at 512MB, which is fine with us:

If you search the archive, you'll find some posts from me about using 2gb and 4gb cards in sup720-3bxls. The 2's work properly. The 4's have an apparently cosmetic size reporting overflow.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ariemer at wesenergy.com.au  Wed Sep  3 05:05:31 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 3 Sep 2008 17:05:31 +0800
Subject: [c-nsp] 6500 WS-SUP32-GE-3B failure
Message-ID: <0867622C64B50C4B878AB45C95F43F1106124A09@MAILWA01.wesenergy.local>

Hey guys,

We currently have a WS-SUP32-GE-3B where the SFP ports are not coming online. Is there a test that can be run from the switch to detect if there is a hardware failure? A sh module indicates that the SUP is ok..

We are thinking about reseating the SUP as it is in hot standby with another identical SUP and then possibly rebooting before lodging a TAC case.

Any suggestions welcome :-)

Cheers,

Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
From tomas at soitron.com Wed Sep 3 05:08:02 2008 From: tomas at soitron.com (Tomas Daniska) Date: Wed, 3 Sep 2008 11:08:02 +0200 Subject: [c-nsp] How they do that? In-Reply-To: <345400390809021636o1bb0d04aof4e79cde11e836a9@mail.gmail.com> References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com> <345400390809021636o1bb0d04aof4e79cde11e836a9@mail.gmail.com> Message-ID: <6B43981C32F8464CB24CEE209DA32BD30175B5DC@kenya.tronet.as> Leaving the signup/billing page and access control aside, most of the SOHO gateway products do this. I've noticed it first on my home ZyXEL accidentally when messing with my gf's notebook IP config - she had a static 10.x.x.x assignment and the home network is of course 192.168.1.0. Try this at home if you like :) -- deejay > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Adam Piasecki > Sent: 03 September 2008 01:37 > To: Chris Boyd > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] How they do that? > > IP3 http://www.ip3.com/ is also a big one that does this type of stuff. > > I would say 90% of laptop users who travel, know they need to change to a > dynamic IP & DNS. This whole hacking the way IP works, really sucks. It > leads to all sorts of weird problems, Just to save you a couple of support > calls. 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Wed Sep 3 05:24:01 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 3 Sep 2008 10:24:01 +0100 Subject: [c-nsp] SUP720-3B / 3rd party CF In-Reply-To: <1220367236.17820.3.camel@abehat> References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> Message-ID: <20080903092401.GB32609@wildfire.net.ic.ac.uk> On Tue, Sep 02, 2008 at 04:53:56PM +0200, Peter Rathlev wrote: >On Tue, 2008-09-02 at 09:09 -0400, Tim Durack wrote: >> This is a mystery to me: >> >> I've got a few new VS-S720-10G-3C Sups that work just fine with Kingston 1GB >> CF. I've also got some old SUP720-3Bs that refuse to recognise anything >> other than Cisco CF. Tried formatting, upgrading rommon (8.5(2)), dd'ing >> Cisco flash to Kingston etc. This is under 12.2(33)SXH2 in case it makes a >> difference. >> >> Googling around and checking cisco-nsp archives suggest 3rd party flash >> should work just fine with the 3B. >> >> Anyone else run into this? > >According to the data sheet[1] the Sup720 only supports up to 512MB >flash. We use 512MB cards in a range of 6500s with Sup720 HW-revisions >2.1, 4.3 and 5.2 without problems. Haven't tried 1GB though. We've got non-Cisco 1Gb cards in 3Bs under SXF and SXH2a - sup hardware versions are 4.4, rommon 8.1(3) However we've also had some other 1Gb CF fail, which I think might have been kingston. We didn't look into it in too much detail, just dropped back to 512Mb. 
> Regards,
> Peter

From djweis at internetsolver.com Wed Sep 3 06:46:48 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Wed, 03 Sep 2008 05:46:48 -0500
Subject: [c-nsp] ME3400 DC Power
Message-ID: <48BE6B18.2050804@internetsolver.com>

Do I need to supply both power supplies with an A&B side for redundancy or will I have redundancy if I have the A side of PS1 and PS2 connected?

Thanks

dave

--
Dave Weis
Internet Solver
Your Technology Partner
515-224-9229
www.internetsolver.com

From david.freedman at uk.clara.net Wed Sep 3 08:01:27 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 3 Sep 2008 13:01:27 +0100
Subject: [c-nsp] Leaky SoO
References: <67F7C1FAF83A074AA3520D8F155782A501C9E062@xmb-ams-331.emea.cisco.com>
Message-ID:

Ok, thanks, the problem I'm seeing follows. Note that I am not using as-override but instead "allow-as in" on the CE router; I have a very specific reason for doing this (I'm preserving the AS_PATH but instead using SoO to do some site based filtering).

It seems not to work, as you can see in my example: the prefix coming from a remote CE with the same SoO (10.1.0.0/16) is advertised to my CE (10.12.75.128)...

PE (12.4(12)):

router bgp 1234
 !
 !
 address-family ipv4 vrf FOO
  !
  neighbor 10.12.75.158 remote-as 65489
  neighbor 10.12.75.158 version 4
  neighbor 10.12.75.158 activate
  neighbor 10.12.75.158 soft-reconfiguration inbound
  neighbor 10.12.75.158 route-map do_stuff in
  neighbor 10.12.75.158 next-hop-self
 exit-address-family
!
route-map do_stuff permit 5
 match ip address prefix-list some_prefixes_a
 set local-preference 200
 set extcommunity soo 65489:5
!
route-map do_stuff permit 10
 match ip address prefix-list some_prefixes_b
 set extcommunity soo 65489:5
!
pe# sh ip bgp v vrf FOO nei 10.12.75.158 | in SoO
  Site-of-Origin is SoO:65489:5

pe# sh ip bgp v vrf FOO 10.1.0.0/16
BGP routing table entry for 10.1.0.0/16, version 21
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     2
  65489
    1.1.1.1 from 1.1.1.1 (10.12.1.50)
      Origin incomplete, metric 0, localpref 200, valid, internal, best
      Extended Community: SoO:65489:5

pe#sh ip ro v FOO 10.1.0.0
Routing entry for 10.1.0.0/16
  Known via "bgp 1234", distance 200, metric 0
  Tag 65489, type internal
  Last update from 1.1.1.1 00:24:24 ago
  Routing Descriptor Blocks:
  * 1.1.1.1, from 1.1.1.1, 00:24:24 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65489

pe#sh ip bgp v vrf FOO nei 10.12.75.158 adv | in 10.1.0.0
*>i10.1.0.0/16      1.1.1.1            0    200      0 65489 ?

CE (12.4(12)):

ce# sh ip bgp 10.1.0.0/16
BGP routing table entry for 10.1.0.0/16, version 23
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  1234 65489, (received & used)
    10.12.75.157 from 10.12.75.157 (2.2.2.2)
      Origin incomplete, localpref 100, valid, external, best

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tue 9/2/2008 21:25
To: David Freedman; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Leaky SoO

David,

This seems to be an EIGRP related bug. I sent a quick note to the DE regarding the fix in the listed releases...
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
Sent: Tuesday, September 02, 2008 21:33 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Leaky SoO

Hi,

I'm seeing leaky SoO in 12.4M (prefixes get advertised back to sites with the same SoO they came from), possibly down to CSCek73579. I notice there are no first-fixed-in 12.4M or 12.2SB targets; would somebody on here from Cisco mind taking a look at the internal notes and tell me if this bug applies to normal BGP setups (i.e. with no EIGRP) and if so, when I could expect a fix in 12.4M or 12.2SB?

Many thanks

David Freedman

From tdurack at gmail.com Wed Sep 3 08:26:15 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 3 Sep 2008 08:26:15 -0400
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <20080903092401.GB32609@wildfire.net.ic.ac.uk>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <1220367236.17820.3.camel@abehat> <20080903092401.GB32609@wildfire.net.ic.ac.uk>
Message-ID: <9e246b4d0809030526s701ffe00q85eab2291152fafb@mail.gmail.com>

I've been digging around and it looks like the culprit might be the manufacturer string reported by the CF. Old Kingstons report as Toshiba, whereas new ones report as Kingston. Old work in the 3Bs only, new work in 3B/3C. My guess is the CF/ATA adapter on the 3Bs doesn't recognise the new string as being a valid CF.

Tim:>

From jeff.nsp at gmail.com Wed Sep 3 08:55:06 2008
From: jeff.nsp at gmail.com (Jeff Tantsura)
Date: Wed, 3 Sep 2008 14:55:06 +0200
Subject: [c-nsp] Running MPLS across non-MPLS networks
In-Reply-To: <702ea15b0809021022j613a61a8sb05aa687c3f8f1ba@mail.gmail.com>
References: <702ea15b0809021022j613a61a8sb05aa687c3f8f1ba@mail.gmail.com>
Message-ID: <000001c90dc4$4abb26a0$650c10ac@ad.redback.com>

L2TPv3?

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Greg Schwimer
> Sent: Tuesday 2 September 2008 19:23
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Running MPLS across non-MPLS networks
>
> I have a situation where I need to run MPLS across a non-MPLS network (the Internet) to connect two of my networks together.
> We have looked at GRE, but ran into issues and were later told by Cisco that running MPLS over GRE is unsupported.
>
> Any ideas as to a solution to this problem, aside from purchasing a third-party service (circuit, etc)?
>
> Greg

From justin at justinshore.com Wed Sep 3 09:16:12 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 03 Sep 2008 08:16:12 -0500
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com>
Message-ID: <48BE8E1C.90304@justinshore.com>

I run $10 1GB Kingstons in all our equipment, from ISRs to our Sup720-3BXLs. They work great. My ISRs all run 12.4T releases and my Sup720s currently run SRB.

Justin

From tdurack at gmail.com Wed Sep 3 09:33:23 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 3 Sep 2008 09:33:23 -0400
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <48BE8E1C.90304@justinshore.com>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <48BE8E1C.90304@justinshore.com>
Message-ID: <9e246b4d0809030633h15911927p465f8071f1bf1424@mail.gmail.com>

And that's what I'm trying to do, but apparently not all Kingston cf is created equal.
My guess is if you do a "show disk0: all" the Kingston cf will show up as a Toshiba something or other.

Tim:>

From dan at beanfield.com Wed Sep 3 09:09:45 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Wed, 03 Sep 2008 09:09:45 -0400
Subject: [c-nsp] ME3400 DC Power
In-Reply-To: <48BE6B18.2050804@internetsolver.com>
References: <48BE6B18.2050804@internetsolver.com>
Message-ID: <48BE8C99.2010500@beanfield.com>

The power supplies on the ME3400s have 2 inputs, for "breaker" redundancy. Some models have two physical power supplies, some have only one - in all cases, each supply has 2 inputs. If your model has 2 power supplies, you can hook up just the A side of each unit, and you'll be fine.

From frnkblk at iname.com Wed Sep 3 12:56:16 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 3 Sep 2008 11:56:16 -0500
Subject: [c-nsp] How they do that?
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD30175B5DC@kenya.tronet.as>
References: <200809021338.m82DcS56015726@himinbjorg.tucs-beachin-obx-house.com> <345400390809021636o1bb0d04aof4e79cde11e836a9@mail.gmail.com> <6B43981C32F8464CB24CEE209DA32BD30175B5DC@kenya.tronet.as>
Message-ID:

Please quantify "most". That's not been my experience.

Frank

From tomz at cisco.com Wed Sep 3 13:21:59 2008
From: tomz at cisco.com (Tom Zingale (tomz))
Date: Wed, 3 Sep 2008 10:21:59 -0700
Subject: [c-nsp] IPv6 ACL question for the 3750
In-Reply-To: <48BD8EF6.6080800@rollernet.us>
References: <48BD8EF6.6080800@rollernet.us>
Message-ID:

The 3750 does not support IPv6 output port ACLs but does support output router ACLs. You need the Advanced IP Services IOS feature set for output router ACLs.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
> Sent: Tuesday, September 02, 2008 12:08 PM
> To: cisco-nsp
> Subject: [c-nsp] IPv6 ACL question for the 3750
>
> I'm playing with IPv6 on a 3750. Looking at the release notes for 12.2(46)SE, I see the following limitation for IPv6 access lists:
>
> * The switch does not support output port ACLs.
>
> It's currently running 12.2(25)SEE and I tested statements like "permit tcp any host x:x:x:x:2d0:b7ff:fee6:574 eq 80" that work fine, but that limitation (which does not appear in the release notes for 12.2(25)SEE) led me to believe this capability was dropped. Is this true, or am I misreading it?
>
> Or am I stuck with jumping all the way to a 6500/Sup720 to get decent (i.e. complete) IPv6 support?
>
> ~Seth

From psirt at cisco.com Wed Sep 3 13:15:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 03 September 2008 12:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA
Message-ID: <20080903121500.pixasa@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA

Advisory ID: cisco-sa-20080903-asa

Revision 1.0

For Public Release 2008 September 3 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential information. This security advisory outlines details of the following vulnerabilities:

  * Erroneous SIP Processing Vulnerabilities
  * IPSec Client Authentication Processing Vulnerability
  * SSL VPN Memory Leak Vulnerability
  * URI Processing Error Vulnerability in SSL VPNs
  * Potential Information Disclosure in Clientless VPNs

Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml

Affected Products
=================

The following paragraphs describe the affected Cisco ASA and Cisco PIX software versions:

Vulnerable Products
+------------------

The following sections provide details on the versions of Cisco ASA that are affected by each vulnerability.

The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA device that runs software release 8.0(2):

    ASA# show version
    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(1)
    [...]

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find their software version displayed in a table in the login window or in the upper left corner of the ASDM window.

Erroneous SIP Processing Vulnerabilities

Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. Cisco PIX and ASA software versions prior to 7.0(7)16, 7.1(2)71, 7.2(4)7, 8.0(3)20, and 8.1(1)8 are vulnerable to these SIP processing errors.

IPSec Client Authentication Processing Vulnerability

Cisco PIX and Cisco ASA devices that terminate remote access VPN connections are vulnerable to a denial of service attack if the device is running software versions prior to 7.2(4)2, 8.0(3)14, and 8.1(1)4. Cisco PIX and Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.

SSL VPN Memory Leak Vulnerability

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack affecting the SSL processing software if the device is running a software version prior to 7.2(4)2, 8.0(3)14, or 8.1(1)4.
Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.

URI Processing Error Vulnerability in SSL VPNs

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial of service attack in the HTTP server if the device is running software versions prior to 8.0(3)15, and 8.1(1)5. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability.

Potential Information Disclosure in Clientless VPNs

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to potential information disclosure if the device is running affected 8.0 or 8.1 software versions. Cisco ASA devices running software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability. Cisco ASA devices that run software versions prior to 8.0(3)15 and 8.1(1)4, or after 8.0(3)16 and 8.1(1)5, are also not affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running software versions 6.x are not vulnerable. IOS, IOS XR, and Cisco Unified Border Elements (CUBE) are not vulnerable to these issues.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The following sections provide details to help determine if a device may be affected by any of the vulnerabilities.

Erroneous SIP Processing Vulnerabilities

Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing errors that may result in denial of service attacks. All Cisco PIX and Cisco ASA software releases may be vulnerable to these SIP processing vulnerabilities. A successful attack may result in a reload of the device.

SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is configured to support inspection of SIP packets, log in to the device and issue the CLI command show service-policy | include sip. If the output contains the text Inspect: sip and some statistics, then the device has a vulnerable configuration. The following example shows a vulnerable Cisco ASA Security Appliance:

    asa#show service-policy | include sip
          Inspect: sip, packet 0, drop 0, reset-drop 0
    asa#

These vulnerabilities are documented in the following Cisco Bug IDs and have been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2732.

  * CSCsq07867
  * CSCsq57091
  * CSCsk60581
  * CSCsq39315

IPSec Client Authentication Processing Vulnerability

Cisco PIX and Cisco ASA devices configured to terminate client based VPN connections are vulnerable to a crafted authentication processing vulnerability if they are running software versions 7.2, 8.0, or 8.1. Devices that run software versions 7.0 or 7.1 are not affected by this vulnerability. A successful attack may result in a reload of the device.

Remote access VPN connections will have Internet Security Association and Key Management Protocol (ISAKMP) enabled on an interface with the crypto command, such as: crypto isakmp enable outside.

This vulnerability is documented in Cisco Bug ID CSCso69942 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2733.

SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs

A crafted SSL or HTTP packet may cause a denial of service condition on a Cisco ASA device that is configured to terminate clientless VPN connections. A successful attack may result in a reload of the device. Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless SSL VPNs enabled may be affected by this vulnerability. Devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA with Clientless VPNs configured and enabled. In this case the ASA will listen for VPN connections on the default port, TCP port 443:

    http server enable
    !
    webvpn
     enable outside

Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.

These vulnerabilities are documented in Cisco Bug IDs CSCso66472 and CSCsq19369. They have been assigned Common Vulnerabilities and Exposures (CVE) identifiers CVE-2008-2734 and CVE-2008-2735.

Potential Information Disclosure in Clientless VPNs

On Cisco ASA devices configured to terminate clientless VPN connections, an attacker may be able to discover potentially sensitive information such as usernames and passwords. This attack requires an attacker to convince a user to visit a rogue web server, reply to an e-mail, or interact with a service to successfully exploit the vulnerability. Cisco ASA devices running software versions 8.0 or 8.1 with clientless VPNs enabled may be affected by this vulnerability. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not vulnerable to this vulnerability.

Clientless SSL VPN connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA device with Clientless VPNs configured and enabled. In this case the Cisco ASA device will listen for VPN connections on the default port, TCP port 443:

    http server enable
    !
    webvpn
     enable outside

Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface due to the enable outside command within the webvpn group configuration.
This vulnerability is documented in Cisco Bug ID CSCsq45636 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2736.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is calculated in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

Erroneous SIP Processing Vulnerabilities

CSCsq07867 - Memory corruption with traceback in SIP inspection code
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

CSCsq57091 - Memory corruption and traceback when inspecting malformed SIP packets
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

CSCsk60581 - Device reload possible when SIP inspection is enabled
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

CSCsq39315 - Traceback when processing malformed SIP requests
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

IPSec Client Authentication Processing Vulnerability

CSCso69942 - Traceback in Remote Access Authentication Code
  CVSS Base Score - 6.8 (Access Vector - Network, Access Complexity - Low, Authentication - Single, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 5.6 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

SSL VPN Memory Leak Vulnerability

CSCso66472 - Crypto memory leak causing Clientless SSL VPNs to hang
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

URI Processing Error Vulnerability in SSL VPNs

CSCsq19369 - URI Processing Error in Clientless SSL VPN connections
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

Potential Information Disclosure in Clientless VPNs

CSCsq45636 - Potential Information Disclosure in Clientless SSL VPNs
  CVSS Base Score - 7.1 (Access Vector - Network, Access Complexity - Medium, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - None, Availability Impact - None)
  CVSS Temporal Score - 5.9 (Exploitability - Functional, Remediation Level - Official Fix, Report Confidence - Confirmed)

Impact
======

Successful exploitation of the Erroneous SIP Processing Vulnerabilities, IPSec Client Authentication Processing Vulnerability, SSL VPN Memory Leak Vulnerability, or URI Processing Error Vulnerability in SSL VPNs may result in the device reloading. This can be repeatedly exploited and may lead to a denial of service attack.

The Potential Information Disclosure in Clientless SSL VPNs vulnerability may allow an attacker to obtain user and group credentials if the user interacts with a rogue system or document.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
The following table contains the first fixed software release of each vulnerability:

+------------------------------------------------------------------------+------------+----------------+----------------+----------------+----------------+----------------+
| Vulnerability                                                          | Bug ID     | 7.0            | 7.1            | 7.2            | 8.0            | 8.1            |
+------------------------------------------------------------------------+------------+----------------+----------------+----------------+----------------+----------------+
| Memory corruption with traceback in SIP inspection code                | CSCsq07867 | 7.0(7)15       | 7.1(2)70       | Not vulnerable | Not vulnerable | Not vulnerable |
| Memory corruption and traceback when inspecting malformed SIP packets  | CSCsq57091 | Not vulnerable | Not vulnerable | 7.2(4)7        | 8.0(3)20       | 8.1(1)8        |
| Device reload possible when SIP inspection is enabled                  | CSCsk60581 | Not vulnerable | Not vulnerable | 7.2(3)18       | 8.0(3)8        | Not vulnerable |
| Traceback when processing malformed SIP requests                       | CSCsq39315 | 7.0(7)16       | 7.1(2)71       | Not vulnerable | Not vulnerable | Not vulnerable |
| Traceback in Remote Access Authentication Code                         | CSCso69942 | Not vulnerable | Not vulnerable | 7.2(4)2        | 8.0(3)14       | 8.1(1)4        |
| Crypto memory leak causing Clientless SSL VPNs to hang                 | CSCso66472 | Not vulnerable | Not vulnerable | 7.2(4)2        | 8.0(3)14       | 8.1(1)4        |
| HTTP Processing Error in Clientless SSL VPN connections                | CSCsq19369 | Not vulnerable | Not vulnerable | Not vulnerable | 8.0(3)15       | 8.1(1)5        |
| Potential Information Disclosure in Clientless SSL VPNs                | CSCsq45636 | Not vulnerable | Not vulnerable | Not vulnerable | 8.0(3)16       | 8.1(1)6        |
+------------------------------------------------------------------------+------------+----------------+----------------+----------------+----------------+----------------+
| Recommended Release                                                    |            | 7.0(7)16       | 7.1(2)72       | 7.2(4)9        | 8.0(4)         | 8.1(1)8        |
+------------------------------------------------------------------------+------------+----------------+----------------+----------------+----------------+----------------+

Fixed Cisco PIX software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2

Fixed Cisco ASA software can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2

Workarounds
===========

The following
workarounds may help some customers mitigate these vulnerabilities. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080903-asa.shtml

Erroneous SIP Processing Vulnerabilities

SIP inspection should be disabled if it is not needed, and temporarily disabling the feature will mitigate the SIP processing vulnerabilities. SIP inspection can be disabled with the command "no inspect sip".

IPSec Authentication Processing Vulnerability

Use strong group credentials for remote access VPN connections and do not give out the group credentials to end users.

SSL VPN Memory Leak Vulnerability and URI Processing Error Vulnerability in SSL VPNs

IPSec clients are not vulnerable to this issue and may be used in conjunction with strong group credentials until the device can be upgraded.

Potential Information Disclosure in Clientless SSL VPNs

Client based VPN connections are not vulnerable to the information disclosure vulnerability. If you are running 8.0(3)15, 8.0(3)16, 8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as an alternative to clientless VPNs.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased.
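As an added example, not part of the Cisco advisory or of any Cisco tooling, the following Python checker transcribes the fixed-release table above into a lookup structure and reports which of the listed bugs still affect a given running ASA/PIX release, which is the check an operator does before applying the workarounds. The "Software Version 8.0(3)12" sample line it parses is constructed, and the exact wording of that line in "show version" output is an assumption.

```python
import re

# Fixed-release table from the advisory above, transcribed into a lookup
# structure (constructed for this example). None means the advisory marks
# that train "Not vulnerable", so no fix is needed on it.
FIXED_RELEASES = {
    "CSCsq07867": {"7.0": "7.0(7)15", "7.1": "7.1(2)70", "7.2": None, "8.0": None, "8.1": None},
    "CSCsq57091": {"7.0": None, "7.1": None, "7.2": "7.2(4)7", "8.0": "8.0(3)20", "8.1": "8.1(1)8"},
    "CSCsk60581": {"7.0": None, "7.1": None, "7.2": "7.2(3)18", "8.0": "8.0(3)8", "8.1": None},
    "CSCsq39315": {"7.0": "7.0(7)16", "7.1": "7.1(2)71", "7.2": None, "8.0": None, "8.1": None},
    "CSCso69942": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCso66472": {"7.0": None, "7.1": None, "7.2": "7.2(4)2", "8.0": "8.0(3)14", "8.1": "8.1(1)4"},
    "CSCsq19369": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)15", "8.1": "8.1(1)5"},
    "CSCsq45636": {"7.0": None, "7.1": None, "7.2": None, "8.0": "8.0(3)16", "8.1": "8.1(1)6"},
}
RECOMMENDED = {"7.0": "7.0(7)16", "7.1": "7.1(2)72", "7.2": "7.2(4)9", "8.0": "8.0(4)", "8.1": "8.1(1)8"}

# ASA/PIX release strings look like 8.0(3)15: major.minor(maintenance)interim.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")
# Assumed shape of the version line in "show version" output, e.g.
# "Cisco Adaptive Security Appliance Software Version 8.0(3)12".
_SHOW_VER_RE = re.compile(r"Software Version (\d+\.\d+\(\d+\)\d*)")


def parse_release(text):
    """Map '8.0(3)15' to the tuple (8, 0, 3, 15) so releases compare numerically.

    A release with no interim number, such as the recommended '8.0(4)', gets
    interim 0, which correctly orders it above every 8.0(3)N build.
    """
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA/PIX release string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def train_of(release):
    """'8.0(3)15' -> '8.0', the row key used by the advisory's table."""
    major, minor, _, _ = parse_release(release)
    return f"{major}.{minor}"


def release_from_show_version(output):
    """Pull the running release out of captured 'show version' text."""
    m = _SHOW_VER_RE.search(output)
    if not m:
        raise ValueError("no 'Software Version x.y(z)n' line found")
    return m.group(1)


def exposed_bugs(running):
    """Return {bug_id: first_fixed_release} for each advisory bug that still
    affects the running release. An empty dict means nothing in this advisory
    applies. Trains not covered by the table (e.g. 6.x) raise ValueError."""
    train = train_of(running)
    current = parse_release(running)
    exposed = {}
    for bug_id, fixes in FIXED_RELEASES.items():
        if train not in fixes:
            raise ValueError(f"train {train} is not covered by the advisory table")
        first_fixed = fixes[train]
        if first_fixed is None:
            continue  # "Not vulnerable" on this train
        if current < parse_release(first_fixed):
            exposed[bug_id] = first_fixed
    return exposed


def upgrade_target(running):
    """The advisory's recommended release for this train, or None if the
    running release is already at or above it."""
    recommended = RECOMMENDED[train_of(running)]
    if parse_release(running) < parse_release(recommended):
        return recommended
    return None


if __name__ == "__main__":
    # Constructed sample of the relevant "show version" line.
    sample = "Cisco Adaptive Security Appliance Software Version 8.0(3)12\n"
    running = release_from_show_version(sample)
    for bug_id, fixed in sorted(exposed_bugs(running).items()):
        print(f"{running} is affected by {bug_id}; first fixed in {fixed}")
    print("recommended upgrade:", upgrade_target(running))
```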
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:

http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html

or as otherwise set forth at Cisco.com Downloads at:

http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

These vulnerabilities were reported to Cisco by customers that experienced these issues during normal operation of their equipment and through internal testing efforts.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080903-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------+--------------+-------------------------+
| Revision | Date         | Change                  |
+----------+--------------+-------------------------+
| 1.0      | 2008-Sept-03 | Initial public release. |
+----------+--------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:

http://www.cisco.com/go/psirt

From kunkel at w-link.net Wed Sep 3 13:58:35 2008
From: kunkel at w-link.net (Rick Kunkel)
Date: Wed, 3 Sep 2008 10:58:35 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Dreaded FIB Exception on Sup2
Message-ID:

Well, I've hit the dreaded error message on my Sup2:

%MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched

I've done a lot of reading on this (cisco.com, this list, etc.), with the conclusion that this supervisor engine is likely just at the end of its useful lifetime, but I figured I'd double check I wasn't missing anything.
This happened when I started getting a full routing table from a provider today. We're connected to one peering point and another aggregation-style provider, and are in the process of adding a Cogent connection (hold any tempting comments on that one, please).

Is there a "show" command I can use to find the usage in the TCAM? I can't seem to find a good one. Some useful ones I've found for the Sup3 don't work on the Sup2 apparently.

Some ones I've used to deduce what's going on though:

ROUTER#show ip route sum
IP routing table name is Default-IP-Routing-Table(0)
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       1           6           448         1120
static          8           1           576         1440
eigrp           11          57          4352        10880
bgp             130170      133117      16850368    42131020
  External: 263287 Internal: 0 Local: 0
internal        3190                                3764200
Total           133380      133181      16855744    45908660

ROUTER#show ip cef sum
IP Distributed CEF with switching (Table Version 641214), flags=0x0
  263458 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 2992
  263458 leaves, 14567 nodes, 50979968 bytes, 640846 inserts, 377388 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id EB4814E6
  3(0) CEF resets, 3 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 2s)
  3 in-place/0 aborted modifications
  refcounts:  4241756 leaf, 3729408 node
  Table epoch: 0 (263458 entries at this epoch)

Adjacency Table has 71 adjacencies

ROUTER#show mls cef sum
Total CEF switched packets:     0000271471473221
Total CEF switched bytes:       0182929990663338
Total routes:                   261865
    IP unicast routes:          261865
    IPX routes:                 0
    IP multicast routes:        0

Any thoughts? Am I simply SOL without a new Sup? I've heard tell of optimizing TCAM memory, but it would appear that maybe that wouldn't even cut the mustard with the amount of routes I'm dealing with maybe...(?)
If I get full routes from two providers and a thousand or so routes from the peering point, AND have a 0.0.0.0/0 route out a preferred provider, could that cover my bases?

One more thing. My show ver:

ROUTER#show ver
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(26)E8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 29-Dec-06 06:42 by hqluong
Image text-base: 0x40008F90, data-base: 0x41856000

ROM: System Bootstrap, Version 12.2(17r)S1, RELEASE SOFTWARE (fc1)
BOOTLDR: c6sup2_rp Software (c6sup2_rp-PSV-M), Version 12.1(26)E8, RELEASE SOFTWARE (fc1)

ROUTER uptime is 37 weeks, 4 days, 6 hours, 54 minutes
Time since ROUTER switched to active is 37 weeks, 4 days, 6 hours, 54 minutes
System returned to ROM by power-on (SP by power-on)
System restarted at 03:01:49 PST Sat Dec 15 2007
System image file is "sup-bootflash:c6sup22-psv-mz.121-26.E8.bin"

cisco WS-C6509 (R7000) processor (revision 3.0) with 458752K/65536K bytes of memory.
Processor board ID SAL0730H93F
R7000 CPU at 300Mhz, Implementation 39, Rev 3.3, 256KB L2, 1024KB L3 Cache
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
2 Virtual Ethernet/IEEE 802.3 interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
10 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
32768K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

Thanks much!

Rick Kunkel

From CB at nianet.dk Wed Sep 3 14:22:19 2008
From: CB at nianet.dk (Christian Bering)
Date: Wed, 3 Sep 2008 20:22:19 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
References:
Message-ID:

Hi Rick,

>I've done a lot of reading on this (cisco.com, this list,
>etc.), with the conclusion that this supervisor engine is
>likely just at the end of its useful lifetime,

If you need a full table then yes.
>Is there a "show" command I can use to find the usage in
>the TCAM?

I think 'show mls cef maximum-routes' and 'show mls cef summary' work on a Sup2.

>Any thoughts? Am I simply SOL without a new Sup?

Yes. For a full table you need to upgrade to an RSP720-3CXL.

--
Regards
Christian Bering

From gsgranados at comcast.net Wed Sep 3 14:31:13 2008
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 3 Sep 2008 11:31:13 -0700
Subject: [c-nsp] Need pointers for configuring NAT on 1841
Message-ID: <010501c90df3$434c55e0$1b0310ac@ccntd1.covad.com>

I have a DSL loop provisioned as follows. Via PPPOE I'm assigned a /30 that's allocated from unrouted addresses. I then am routed a public pool /29 in length via the /30.

I'm using a Cisco 1841 with a WIC-1-ADSL card and 2 ethernet ports. On one of the LAN ports I have the /29. (This works) I'd like to set up nat on the other LAN port and I would assume that I would use one of my addresses from my /29 for the translation. I have the following config but can't figure out the NAT portion to add or find good examples via google. Any pointers would be appreciated or better still a pointer that could take me through the fundamentals (assuming my config will work at all).

Thank you
Scott

ip dhcp pool lan
 network 192.168.13.0 255.255.255.0
 default-router 192.168.13.1
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
 l2tp tunnel receive-window 1024
bba-group pppoe global
!
!
interface FastEthernet0/0
 ip address 192.168.13.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.x.1 255.255.255.248
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl enable-training-log
 pvc 0/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname "YourNameHere at bz8"
 ppp chap password 0 "YourPassWord"
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!

From peter at rathlev.dk Wed Sep 3 15:22:03 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 03 Sep 2008 21:22:03 +0200
Subject: [c-nsp] 6500 WS-SUP32-GE-3B failure
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106124A09@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106124A09@MAILWA01.wesenergy.local>
Message-ID: <1220469723.32656.3.camel@abehat>

On Wed, 2008-09-03 at 17:05 +0800, Aaron Riemer wrote:
> We currently have a WS-SUP32-GE-3B where the SFP ports are not coming
> online. Is there a test that can be run from the switch to detect if
> there is a hardware failure? A sh module indicates that the SUP is ok..

You could try the "diagnostic start module X test Y" commands. It can do some non-disruptive tests too.

Regards,
Peter

From peter at rathlev.dk Wed Sep 3 15:26:44 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 03 Sep 2008 21:26:44 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References:
Message-ID: <1220470004.32656.7.camel@abehat>

On Wed, 2008-09-03 at 10:58 -0700, Rick Kunkel wrote:
> Any thoughts? Am I simply SOL without a new Sup?

On Wed, 2008-09-03 at 20:22 +0200, Christian Bering wrote:
> Yes. For a full table you need to upgrade to an RSP720-3CXL.

And even the SUP720 can manage too, as long as it has the magic "XL" in the end.
:-)

Regards,
Peter

From c.spurgeon at mail.utexas.edu Wed Sep 3 15:07:50 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Wed, 3 Sep 2008 14:07:50 -0500
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <489B7063.8040904@imperial.ac.uk>
References: <489B7063.8040904@imperial.ac.uk>
Message-ID: <20080903190750.GA19777@argus.gw.utexas.edu>

To which I will add another warning: there is also a fatal crash bug in SXH3 that is triggered by removing a route-map.

The CSCsk21935 buginfo heading is:

"Crash in ipfib_policy_forward after remove policy route-map"

This bug is internally viewable only and we got the heading info from the TAC. It's apparently related to this publicly viewable bug: CSCsm75286

This bug in combination with an apparent hardware error on a Sup720 left one of our core routers equipped with dual sup720s crashed and sitting in rommon.

We are informed that SXF code also has the route-map bug, but we have more confidence in that code (having removed route-maps in it many times without problems) so we have reverted to SXF6 while awaiting a new SXH build.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

On Thu, Aug 07, 2008 at 10:59:40PM +0100, Phil Mayers wrote:
> All,
>
> Just a warning, there is a fatal crash bug in SXH3 related to using SCP.
> Considering the release notes claim fixes in that very area, this is
> highly amusing (note: issue may not actually be amusing)
>
> Does anyone else think the 6500 software train is becoming a bad joke?
> SRC claims *today* ISSU using dual sups / SSO, a much larger chunk of
> (33) features e.g. 6vpe etc. and one presumes a faster rate of ports
> from mainline IOS because they don't need to modularise everything.
>
> SXH on the other hand has... erm... buggy modularity. And... buggy
> monolithic too.
>
> I haven't got a TAC case open because we've rolled back to SXH2a (which
> has its own set of crash bugs, but less frequent ones...)
> and it's late
> - a task for tomorrow I feel.
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From CB at nianet.dk Wed Sep 3 15:53:02 2008
From: CB at nianet.dk (Christian Bering)
Date: Wed, 3 Sep 2008 21:53:02 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
References: <1220470004.32656.7.camel@abehat>
Message-ID:

Hi,

>>Yes. For a full table you need to upgrade to an RSP720-3CXL.

>And even the SUP720 can manage too, as long as it has the
>magic "XL" in the end. :-)

Yeah but since the list price for the RSP720-3CXL is the same as the list price for the SUP720-3BXL, I don't see a reason not to go for the RSP. Does one exist?

--
Regards
Christian Bering

From cchurc05 at harris.com Wed Sep 3 15:56:36 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 3 Sep 2008 14:56:36 -0500
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903190750.GA19777@argus.gw.utexas.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu>
Message-ID:

-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Spurgeon
>Subject: Re: [c-nsp] Crash bug in SXH3

>This bug in combination with an apparent hardware error on a Sup720
>left one of our core routers equipped with dual sup720s crashed and
>sitting in rommon.

Is this 'sitting in ROMMON' and not automatically rebooting normal? We had a 720 do that a couple weeks ago due to a NAT bug. I thought there was a crash count that put it in ROMMON only if it crashed 'x' number of times in a row. Or is this one of those ROMMON bugs I saw mentioned recently by someone?

Chuck

From rubensk at gmail.com Wed Sep 3 16:11:40 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 3 Sep 2008 17:11:40 -0300
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903190750.GA19777@argus.gw.utexas.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu>
Message-ID: <6bb5f5b10809031311p53604476o4e0e0aa0511ff74f@mail.gmail.com>

> We are informed that SXF code also has the route-map bug, but we have
> more confidence in that code (having removed route-maps in it many
> times without problems) so we have reverted to SXF6 while awaiting a
> new SXH build.

SXH4 is a quarter away, any sightings of a SXH3a on the horizon ?

Rubens

From A.L.M.Buxey at lboro.ac.uk Wed Sep 3 16:22:50 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 3 Sep 2008 21:22:50 +0100
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903190750.GA19777@argus.gw.utexas.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu>
Message-ID: <20080903202250.GB2942@lboro.ac.uk>

Hi,

> times without problems) so we have reverted to SXF6 while awaiting a
> new SXH build.

any reason for an SXF6 so old? eg why not SXF12 ?

alan

From cchurc05 at harris.com Wed Sep 3 16:28:36 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 3 Sep 2008 15:28:36 -0500
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References: <1220470004.32656.7.camel@abehat>
Message-ID:

I don't think you can put an RSP720 in a 6500 chassis. There is the VS 720 with the 3CXL PFC, but that is about $8K more. I don't think you can get the 3CXL in a 6500 without getting the 10gig ports.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Bering
Sent: Wednesday, September 03, 2008 3:53 PM
To: Peter Rathlev
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dreaded FIB Exception on Sup2

Hi,

>>Yes. For a full table you need to upgrade to an RSP720-3CXL.
>And even the SUP720 can manage too, as long as it has the
>magic "XL" in the end. :-)

Yeah but since the list price for the RSP720-3CXL is the same as the list price for the SUP720-3BXL, I don't see a reason not to go for the RSP. Does one exist?

--
Regards
Christian Bering

From justin at justinshore.com Wed Sep 3 16:29:49 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 03 Sep 2008 15:29:49 -0500
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <9e246b4d0809030633h15911927p465f8071f1bf1424@mail.gmail.com>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <48BE8E1C.90304@justinshore.com> <9e246b4d0809030633h15911927p465f8071f1bf1424@mail.gmail.com>
Message-ID: <48BEF3BD.9090807@justinshore.com>

Tim Durack wrote:
> And that's what I'm trying to do, but apparently not all Kingston cf is
> created equal.
>
> My guess is if you do a "show disk0: all" the Kingston cf will show up
> as a Toshiba something or other.
7613-1#show sup-bootdisk: all
-#- --length-- -----date/time------ path
1     33554432 Mar 21 2007 23:45:52 sea_log.dat
2        32896 Jun 20 2007 11:04:06 bgp
4     26110976 Mar 14 2007 08:23:54 c7600-fpd-pkg.122-33.SRB.pkg
5       254679 Mar 01 2007 01:38:50 crashinfo_20070228-203851
6    109627908 Mar 14 2007 08:33:04 c7600s72033-advipservicesk9-mz.122-33.SRB.bin
7    110884868 Jun 21 2007 08:48:02 c7600s72033-advipservicesk9-mz.122-33.SRB1.bin
8     26191872 Jun 21 2007 09:01:30 c7600-fpd-pkg.122-33.SRB1.pkg

205340672 bytes available (306700288 bytes used)

******** ATA Flash Card Geometry/Format Info ********

ATA CARD GEOMETRY
   Manufacturer Name       STI
   Model Number            STI Flash 7.4.0
   Serial Number           STI J106306210131218
   Firmware Revision       01.25.06
   Number of Heads         16
   Number of Cylinders     993
   Sectors per Cylinder    63
   Sector Size             512
   Total Sectors           1000944

ATA PARTITION 1 INFO
   Start Sector            63
   Number of Sectors       1000881
   Size in Bytes           512451072
   File System Type        FAT16
   Number of FAT Sectors   245
   Sectors Per Cluster     16
   Number of Clusters      62505
   Number of Data Sectors  1000080
   Base FAT Sector         134
   Base Root Sector        624
   Base Data Sector        656

ATA MONLIB INFO
   Image Monlib size       64120
   Disk Monlib Size        64120
   Disk Space Available    68096
   Name                    c7200-atafslib-m
   Start sector            2
   End sector              127
   Updated By              s72033_sp-ADVIPSERVICESK9_WAN-M12.2(33)SRA1
   Version                 1
   Monlib Version          2
   Monlib Params Version   1

7613-2.clr#sh sup-bootdisk: all
-#- --length-- -----date/time------ path
1    109627908 Mar 14 2007 08:34:18 c7600s72033-advipservicesk9-mz.122-33.SRB.bin
2     33554432 Mar 14 2007 13:39:04 sea_log.dat
4     26110976 Mar 14 2007 08:26:20 c7600-fpd-pkg.122-33.SRB.pkg
5        13833 Mar 14 2007 22:02:28 bgp
6    110884868 Jun 20 2007 09:22:22 c7600s72033-advipservicesk9-mz.122-33.SRB1.bin
7     26191872 Jun 21 2007 09:01:46 c7600-fpd-pkg.122-33.SRB1.pkg

205627392 bytes available (306413568 bytes used)

******** ATA Flash Card Geometry/Format Info ********

ATA CARD GEOMETRY
   Manufacturer Name       STI
   Model Number            STI Flash 7.4.0
   Serial Number           STI J175106335203831
   Firmware Revision       01.25.06
   Number of Heads         16
   Number of Cylinders     993
   Sectors per Cylinder    63
   Sector Size             512
   Total Sectors           1000944

ATA PARTITION 1 INFO
   Start Sector            63
   Number of Sectors       1000881
   Size in Bytes           512451072
   File System Type        FAT16
   Number of FAT Sectors   245
   Sectors Per Cluster     16
   Number of Clusters      62505
   Number of Data Sectors  1000080
   Base FAT Sector         134
   Base Root Sector        624
   Base Data Sector        656

ATA MONLIB INFO
   Image Monlib size       64120
   Disk Monlib Size        64120
   Disk Space Available    68096
   Name                    c7200-atafslib-m
   Start sector            2
   End sector              127
   Updated By              s72033_sp-ADVIPSERVICESK9_WAN-M12.2(33)SRA1
   Version                 1
   Monlib Version          2
   Monlib Params Version   1

The same command on a 3845 running 12.4(15)T5 omits all tech details above the # of heads. However an identical card in a 2811 running 20T shows that info once again:

ATA CARD GEOMETRY
   Manufacturer Name
   Model Number            CF CARD 1GB
   Serial Number           CF1GB 00005104
   Firmware Revision       20070131
   Number of Heads         16
   Number of Cylinders     1966
   Sectors per Cylinder    63
   Sector Size             512
   Total Sectors           1981728

ATA PARTITION 1 INFO
   Start Sector            63
   Number of Sectors       1981665
   Size in Bytes           1014612480
   File System Type        FAT16
   Number of FAT Sectors   242
   Sectors Per Cluster     32
   Number of Clusters      61879
   Number of Data Sectors  1980128
   Base FAT Sector         1
   Base Root Sector        485
   Base Data Sector        517

ATA MONLIB INFO
   Image Monlib size       112876
   Disk Monlib Size        NA
   Disk Space Available    NA
   Name                    NA
   End Sector              NA
   Start sector            NA
   Updated By              NA
   Version                 NA

We're using the cheap Kingston modules. Not the fancy ones that claim faster write times. It's the "CF/1GB" model.

http://www.kingston.com/flash/cf_standard.asp

They can be had for about $10 wholesale.
Justin

From chip.gwyn at gmail.com Wed Sep 3 16:32:42 2008
From: chip.gwyn at gmail.com (chip)
Date: Wed, 3 Sep 2008 16:32:42 -0400
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References: <1220470004.32656.7.camel@abehat>
Message-ID: <64a8ad980809031332q3092b175r171d7569bc8f81f@mail.gmail.com>

On Wed, Sep 3, 2008 at 3:53 PM, Christian Bering wrote:
> Hi,
>
> >>Yes. For a full table you need to upgrade to an RSP720-3CXL.
>
> >And even the SUP720 can manage too, as long as it has the
> >magic "XL" in the end. :-)
>
> Yeah but since the list price for the RSP720-3CXL is the same as the
> list price for the SUP720-3BXL, I don't see a reason not to go for the
> RSP. Does one exist?
>
> --
> Regards
> Christian Bering

There's still some cards that the SUP720-3BXL will support that the RSP720 will not. The EOL'd OC12 cards I think. So just make sure you're covered and you should be ok.

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....

From jason at pins.net Wed Sep 3 16:36:47 2008
From: jason at pins.net (Jason Berenson)
Date: Wed, 03 Sep 2008 16:36:47 -0400
Subject: [c-nsp] Need pointers for configuring NAT on 1841
In-Reply-To: <010501c90df3$434c55e0$1b0310ac@ccntd1.covad.com>
References: <010501c90df3$434c55e0$1b0310ac@ccntd1.covad.com>
Message-ID: <48BEF55F.5050208@pins.net>

Scott,

I believe you will need a public /30 if you want to do NAT on the Cisco. Your dialer would be the "ip nat outside" and the ethernet connection with all the 192.168.x.y/24 addresses would be the "ip nat inside" interface.
This should take care of outbound NAT:

ip nat inside source list 1 interface dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

This should take care of any inbound ports you want to open:

ip nat inside source static udp 192.168.x.y 5060 interface dialer1 5060

-Jason

Scott Granados wrote:
> I have a DSL loop provisioned as follows. Via PPPOE I'm assigned a
> /30 that's allocated from unrouted addresses. I then am routed a
> public pool /29 in length via the /30.
>
> I'm using a Cisco 1841 with a WIC-1-ADSL card and 2 ethernet ports.
> On one of the LAN ports I have the /29. (This works) I'd like to set
> up nat on the other LAN port and I would assume that I would use one
> of my addresses from my /29 for the translation. I have the following
> config but can't figure out the NAT portion to add or find good
> examples via google. Any pointers would be appreciated or better
> still a pointer that could take me through the fundamentals (assuming
> my config will work at all).
>
> Thank you
> Scott
>
> ip dhcp pool lan
>  network 192.168.13.0 255.255.255.0
>  default-router 192.168.13.1
> !
> multilink bundle-name authenticated
> vpdn enable
> !
> vpdn-group 1
>  request-dialin
>   protocol pppoe
>  l2tp tunnel receive-window 1024
> bba-group pppoe global
> !
> !
> interface FastEthernet0/0
>  ip address 192.168.13.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address x.x.x.1 255.255.255.248
>  duplex auto
>  speed auto
> !
> interface ATM0/0/0
>  no ip address
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  dsl enable-training-log
>  pvc 0/35
>   encapsulation aal5snap
>   pppoe-client dial-pool-number 1
> !
> interface Dialer1
>  ip address negotiated
>  ip mtu 1492
>  encapsulation ppp
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  ppp authentication chap callin
>  ppp chap hostname "YourNameHere at bz8"
>  ppp chap password 0 "YourPassWord"
> !
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !

From justin at justinshore.com Wed Sep 3 16:45:03 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 03 Sep 2008 15:45:03 -0500
Subject: [c-nsp] ME3400 DC Power
In-Reply-To: <48BE8C99.2010500@beanfield.com>
References: <48BE6B18.2050804@internetsolver.com> <48BE8C99.2010500@beanfield.com>
Message-ID: <48BEF74F.3080600@justinshore.com>

Doing this in a unit with 2 PSUs will give you PSU redundancy, should one fail. It will also give you breaker/fuse redundancy, should one pop. However it won't give you power source redundancy. You still need a B feed connected to a PSU to get redundancy for the power source.

http://www.cisco.com/en/US/docs/switches/metro/me3400/hardware/installation/guide/HGDCPWR.html

In my experience you're more likely to lose a power source than a PSU. When in doubt wire the device as indicated with A & B to both PSUs. Though I would never wire a device this way, figure C-7 gives you an option for daisy-chaining 2 power feeds through both PSUs.

Justin

Dan Armstrong wrote:
> The power supplies on the ME3400s have 2 inputs, for "breaker"
> redundancy.. some models have two physical power supplies, some have only
> one - in all cases, each supply has 2 inputs. If your model has 2 power
> supplies, you can hookup just the A side of each unit, and you'll be fine.
>
>
>
> Dave Weis wrote:
>>
>> Do I need to supply both power supplies with an A&B side for
>> redundancy or will I have redundancy if I have the A side of PS1 and
>> PS2 connected?
>>
>> Thanks
>>
>> dave

From kgraham at industrial-marshmallow.com Wed Sep 3 16:52:24 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 3 Sep 2008 13:52:24 -0700 (PDT)
Subject: [c-nsp] Dreaded FIB Exception on Sup2
Message-ID: <4841.72918.qm@web905.biz.mail.mud.yahoo.com>

> Yeah but since the list price for the RSP720-3CXL is the same as the
> list price for the SUP720-3BXL, I don't see a reason not to go for the
> RSP. Does one exist?

It's minimal, but RSP720-3CXL is going to require a "7600", though if you are willing to trade the MSFC4 for VSS, you can go with a VS-Sup720-3CXL. Either one is going to force you off of 12.2SXF.

From peter at rathlev.dk Wed Sep 3 17:36:41 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 03 Sep 2008 23:36:41 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References: <1220470004.32656.7.camel@abehat>
Message-ID: <1220477801.32656.14.camel@abehat>

On Wed, 2008-09-03 at 21:53 +0200, Christian Bering wrote:
> Yeah but since the list price for the RSP720-3CXL is the same as the
> list price for the SUP720-3BXL, I don't see a reason not to go for the
> RSP. Does one exist?

Isn't the RSP720 strictly 7600? Seems OP uses a Cat6500. And it introduces newer and thus potentially more buggy elements, the PFC3C and MSFC4, compared to a "plain vanilla" SUP720/PFC3B/MSFC3. (Not that these aren't buggy sometimes... :-))

Regards,
Peter

From rubensk at gmail.com Wed Sep 3 17:49:06 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 3 Sep 2008 18:49:06 -0300
Subject: [c-nsp] SXH3 SP memory requirements
Message-ID: <6bb5f5b10809031449g1a3a3142hecbdda4e4fdbc8ef@mail.gmail.com>

My understanding of the SXH3 release notes was that monolithic IOS (Adv. IP Services feature set) requires 256MB of SP (Switching Processor) memory (which is the ME6524 default) and 512MB of RP (Routing Processor) memory (also the ME6524 default).
I've opened a TAC case (SR 609292161, if any Cisco employee wants to review) and TAC tells me that 512MB of SP memory is required to run SXH3. I've tested it in the lab and it seems to boot... any comments?

Rubens

From c.spurgeon at mail.utexas.edu Wed Sep 3 18:23:00 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Wed, 3 Sep 2008 17:23:00 -0500
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903202250.GB2942@lboro.ac.uk>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu> <20080903202250.GB2942@lboro.ac.uk>
Message-ID: <20080903222300.GA16526@argus.gw.utexas.edu>

On Wed, Sep 03, 2008 at 09:22:27PM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
> > times without problems) so we have reverted to SXF6 while awaiting a
> > new SXH build.
>
> any reason for an SXF6 so old? eg why not SXF12 ?

The usual reason: being very conservative with core/border gear.

SXF6 was something we had frozen on for a (long) while, since it was stable and did everything we needed at the time and was even a safe harbor release. Rather than dodge and weave through subsequent SXF releases given various reports on SXF bugs, we just stuck with what worked.

When we were forced to back down from SXH3 we went with the release we had last used successfully. If we were planning to stay on SXF I'd be looking at more recent releases. However, we need SXH for 16-port 10GigE card support, so we're waiting for a new release of SXH.

The TAC said they'd update us on the next release date for SXH but we haven't heard anything for the last week or so.
-Charles

From c.spurgeon at mail.utexas.edu Wed Sep 3 18:29:42 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Wed, 3 Sep 2008 17:29:42 -0500
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To:
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu>
Message-ID: <20080903222942.GB16526@argus.gw.utexas.edu>

On Wed, Sep 03, 2008 at 02:56:13PM -0500, Church, Charles wrote:
> -----Original Message-----
> >From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Charles Spurgeon
> >Subject: Re: [c-nsp] Crash bug in SXH3
>
> >This bug in combination with an apparent hardware error on a Sup720
> >left one of our core routers equipped with dual sup720s crashed and
> >sitting in rommon.
>
> Is this 'sitting in ROMMON' and not automatically rebooting normal? We
> had a 720 do that a couple weeks ago due to a NAT bug. I thought there
> was a crash count that put it in ROMMON only if it crashed 'x' number of
> times in a row. Or is this one of those ROMMON bugs I saw mentioned
> recently by someone?

The TAC engineer appeared to be of the opinion that crashing to rommon was an expected result of the hardware failure. I assumed that it was due to crashing some number of times in a row in relation to a hardware failure.

Our attempts to duplicate the original crash by repeatedly removing a route-map were unsuccessful. We were told that the bug is intermittent and timing related. When the TAC informed us that there also appeared to be a hardware problem on the sup720 as well as the route-map crash we RMA'd the sup and reverted to SXF code, so we haven't been able to recreate the failure mode.
-Charles

From RTeller at deltadentalwa.com Wed Sep 3 18:40:27 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 3 Sep 2008 15:40:27 -0700
Subject: [c-nsp] DHCP and HSRP
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>

Is it possible to configure two 6509's to share DHCP information so that if the active HSRP router goes down and the standby comes up it doesn't generate a bunch of IP conflicts? Or do I need to maintain a separate scope on each HSRP member?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From jared at puck.nether.net Wed Sep 3 19:31:22 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 3 Sep 2008 19:31:22 -0400
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903222300.GA16526@argus.gw.utexas.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu> <20080903202250.GB2942@lboro.ac.uk> <20080903222300.GA16526@argus.gw.utexas.edu>
Message-ID: <20080903233122.GC67129@puck.nether.net>

On Wed, Sep 03, 2008 at 05:23:00PM -0500, Charles Spurgeon wrote:
> On Wed, Sep 03, 2008 at 09:22:27PM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> > Hi,
> >
> > > times without problems) so we have reverted to SXF6 while awaiting a
> > > new SXH build.
> >
> > any reason for an SXF6 so old? eg why not SXF12 ?
>
> The usual reason: being very conservative with core/border gear.
>
> SXF6 was something we had frozen on for a (long) while, since it was
> stable and did everything we needed at the time and was even a safe
> harbor release. Rather than dodge and weave through subsequent SXF
> releases given various reports on SXF bugs, we just stuck with what
> worked.
>
> When we were forced to back down from SXH3 we went with the release we
> had last used successfully. If we were planning to stay on SXF I'd be
> looking at more recent releases. However, we need SXH for 16-port
> 10GigE card support, so we're waiting for a new release of SXH.
>
> The TAC said they'd update us on the next release date for SXH but
> we haven't heard anything for the last week or so.

Ask TAC to email the release ops team, you should be able to get a tentative date.

I've had mixed results with SXH. I suspect that the next major release will beat a rebuild of SXH, but I'm willing to be wrong.

Perhaps a TME for the 6500 (whom I know is on the list ;) will chime in about these problems with SXH?

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From MLouis at nwnit.com Wed Sep 3 20:38:22 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Wed, 3 Sep 2008 20:38:22 -0400
Subject: [c-nsp] DHCP and HSRP
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>
Message-ID:

If you configure the ip dhcp database command to write to a common share, say a tftp share for example, you could prevent the IP address conflicts. The dhcp database is used by the local dhcp server to determine the state of the leases that the dhcp server has handed out. If you do not configure a dhcp server, I believe the leases are retained in RAM.
If you reboot a switch with leases in RAM then you will have dhcp conflicts when the switch reboots and starts handing out dhcp in a scope that it thinks has an open lease pool. That's how I have seen it work.

HTH
Mike

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert [RTeller at deltadentalwa.com]
Sent: Wednesday, September 03, 2008 6:40 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DHCP and HSRP

Is it possible to configure two 6509's to share DHCP information so that if the active HSRP router goes down and the standby comes up it doesn't generate a bunch of IP conflicts? Or do I need to maintain a separate scope on each HSRP member?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure.
If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From mtinka at globaltransit.net Wed Sep 3 21:55:21 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 4 Sep 2008 09:55:21 +0800
Subject: [c-nsp] Crash bug in SXH3
In-Reply-To: <20080903190750.GA19777@argus.gw.utexas.edu>
References: <489B7063.8040904@imperial.ac.uk> <20080903190750.GA19777@argus.gw.utexas.edu>
Message-ID: <200809040955.26302.mtinka@globaltransit.net>

On Thursday 04 September 2008 03:07:50 Charles Spurgeon wrote:
> To which I will add another warning: there is also a
> fatal crash bug in SXH3 that is triggered by removing a
> route-map.

We've been running SXH3 on our core switches in our larger PoP (6506/SUP720-3BXL + 6509-E/SUP720-3BXL), with WS-X6724-SFP + DFC-3CXL line cards. Suffice it to say, we use them purely for Layer 2 forwarding and IS-IS DIS (primary and backup).

The only interesting issue we've faced after moving from SXH2a to SXH3 was the switches started requiring our fall-back enable password rather than the primary one we always used (authentication/accounting is done via TACACS+). Our AAA configuration remained the same, but this issue cropped up. We worked around it, as we try to figure out what's going on.

Besides that, no other issues to report, but then again they really aren't doing anything interesting besides creating Layer 2 bandwidth and propagating IS-IS PDUs.

Mark.
From overkillxx at gmail.com Wed Sep 3 22:41:12 2008
From: overkillxx at gmail.com (Brett Clausenhauf)
Date: Thu, 4 Sep 2008 12:41:12 +1000
Subject: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
In-Reply-To: <200809040227.m842RBGe015086@groupstudy.com>
References: <200809040227.m842RBGe015086@groupstudy.com>
Message-ID:

Hi Guys,

I have some strange behaviour (or perhaps wrong config) on a CSS11503. Basically I am just adding a very basic config to it (1 service defined) & for some reason in order for it to work properly I MUST have a group command defined.

If I don't have the group statement it works for a while & then ceases to forward incoming requests on the VIP address for tcp port 85. Tried suspend/active on the Service & Group.. Still it didn't work. The minute I added the group statement it works.... Being relatively new to the CSS I am not sure why this is needed. Does anyone know why?

Here are the elements of the config in question:

!************************** SERVICE **************************
service Test102_Web_VIP6_85
  ip address 192.168.10.224
  port 85
  keepalive port 85
  keepalive type http
  keepalive maxfailure 2
  keepalive frequency 30
  keepalive retryperiod 30
  active

!*************************** OWNER ***************************
owner WWW
  content contTest102_VIP6_85
    port 85
    protocol tcp
    add service Test102_Web_VIP6_85
    vip address 10.251.1.31
    active

!*************************** GROUP ***************************
group grpTest102_VIP6
  vip address 10.251.1.31
  add service Test102_Web_VIP6_85
  active

From jim at tgasolutions.com Thu Sep 4 00:05:22 2008
From: jim at tgasolutions.com (Jim McBurnett)
Date: Thu, 4 Sep 2008 00:05:22 -0400
Subject: [c-nsp] latest stable...
Message-ID:

Hey folks,

It's been a while but I have run into a strange set of BGP bugs, and the worst is on a SUP 720 running 12.2(18)SXD7:

CSCef01705
CSCsc36517

Now for the question: with these 2 bugs, and the other 389 BGP-related bugs on this release, what are all of you having the best success on for a sup 720 on a 7606? How about an NPE-G1 on a 7206?

I'd like to go ahead and upgrade both of these 2 boxes in a carefully planned manner since they are the internet facing BGP speakers for a medium sized network... and minimize the down time....

Any and all ideas would be greatly appreciated!

Thanks,
Jim McBurnett

From gert at greenie.muc.de Thu Sep 4 02:10:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 08:10:39 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References: <1220470004.32656.7.camel@abehat>
Message-ID: <20080904061039.GM233@greenie.muc.de>

Hi,

On Wed, Sep 03, 2008 at 09:53:02PM +0200, Christian Bering wrote:
> Yeah but since the list price for the RSP720-3CXL is the same as the
> list price for the SUP720-3BXL, I don't see a reason not to go for the
> RSP. Does one exist?

The RSP is made by the business unit inside Cisco that brought us the dreaded "SR IOS for 7600 will not run on 6500 chassis" annoyance. Vote with your money.

Besides, if you happen to *have* a 6500 chassis, the RSP won't work there.

(Not that there is any difference between a 6500 and a 7600, besides the color of the metal and the EEPROM programming... thankyouverymuch)

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Thu Sep 4 02:11:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 08:11:58 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <4841.72918.qm@web905.biz.mail.mud.yahoo.com>
References: <4841.72918.qm@web905.biz.mail.mud.yahoo.com>
Message-ID: <20080904061158.GN233@greenie.muc.de>

Hi,

On Wed, Sep 03, 2008 at 01:52:24PM -0700, Kevin Graham wrote:
> > Yeah but since the list price for the RSP720-3CXL is the same as the
> > list price for the SUP720-3BXL, I don't see a reason not to go for the
> > RSP. Does one exist?
>
> It's minimal, but RSP720-3CXL is going to require a "7600", though if you
> are willing to trade the MSFC4 for VSS, you can go with a VS-Sup720-3CXL.
> Either one is going to force you off of 12.2SXF.

Since the difference between 3B and 3C mainly seems to be "number of MAC addresses", a Sup720-3BXL will usually do the job well enough.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Sep 4 02:22:27 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 08:22:27 +0200
Subject: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
In-Reply-To:
References: <200809040227.m842RBGe015086@groupstudy.com>
Message-ID: <20080904062227.GP233@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 12:41:12PM +1000, Brett Clausenhauf wrote:
> If I don't have the group statement it worked for awhile & then ceases to
> forward incoming requests on the VIP address for tcp port 85.
> Tried suspend/active on the Service & Group.. Still it didn't work.
> The minute I added the group statement it works.... Being relatively new to the
> CSS I am not sure why this is needed. Does anyone know why?

Stab in the dark: your web server could be doing DNS lookups to write the client hostname to the log. If you have no group statement, DNS will not work (because that's an outgoing session), so the HTTP request will be very slow (DNS timeout). The keepalive will determine "HTTP server down" and will take the server out of service.

(As said, this could be completely off base, but you might want to do some tcpdumping on the server to verify what's going on).

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Sep 4 02:23:52 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 08:23:52 +0200
Subject: [c-nsp] latest stable...
In-Reply-To:
References:
Message-ID: <20080904062352.GQ233@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 12:05:22AM -0400, Jim McBurnett wrote:
> Now for the question-with these 2 bugs, and the other 389 BGP relate bugs on this release-what are all of you having the best success on for a sup 720 on a 7606?

I'd go for SXF14.

> How about an NPE-G1 on a 7206?

Depending on your feature requirements - 12.3 main or 12.2SB.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
From ariemer at wesenergy.com.au Thu Sep 4 02:27:07 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 4 Sep 2008 14:27:07 +0800
Subject: [c-nsp] 6500 WS-SUP32-GE-3B failure
In-Reply-To: <1220469723.32656.3.camel@abehat>
References: <0867622C64B50C4B878AB45C95F43F1106124A09@MAILWA01.wesenergy.local> <1220469723.32656.3.camel@abehat>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150982@MAILWA01.wesenergy.local>

Thanks Pete,

Non disruptive tests haven't indicated anything as yet. Will try when we go down for outage.

Cheers,
Aaron.

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk]
Sent: Thursday, 4 September 2008 3:22 AM
To: Aaron Riemer
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 WS-SUP32-GE-3B failure

On Wed, 2008-09-03 at 17:05 +0800, Aaron Riemer wrote:
> We currently have a WS-SUP32-GE-3B where the SFP ports are not coming
> online. Is there a test that can be run from the switch to detect if
> there is a hardware failure? A sh module indicates that the SUP is ok..

You could try the "diagnostic start module X test Y" commands. It can do some non-disruptive tests too.

Regards,
Peter

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From achatz at forthnet.gr Thu Sep 4 03:01:19 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Sep 2008 10:01:19 +0300
Subject: [c-nsp] how to debug etherchannel on 6500?
In-Reply-To: <383357750808290358j6e97cf71hf01c07834ba31344@mail.gmail.com>
References: <48B63445.4010406@forthnet.gr> <383357750808290358j6e97cf71hf01c07834ba31344@mail.gmail.com>
Message-ID: <48BF87BF.6090701@forthnet.gr>

That worked fine, although I'm still not getting the detailed output I was getting on the 3750. But it's a start.

6500#remote command switch debug lacp
Link Aggregation Control Protocol debugging is on
6500#remote command switch debug pagp
Port Aggregation Protocol debugging is on
6500#remote command switch debug etherchannel
PAgP/LACP Shim/FEC debugging is on

Thx Mateusz ;)

--
Tassos

Mateusz Błaszczyk wrote on 29/8/2008 1:58 PM:
> Tassos,
>
>> Is the "debug etherchannel all" supposed to display anything? If not, is
>> there another debug command on the 6500 like the "debug pagp/lacp" on the
>> 3750?
>
> when I was testing ME6524s I didn't see any output of the STP debugging
> until I did "remote command switch debug ..."
>
> It might work for you.
>
> Best Regards,

From ryanclambert at gmail.com Thu Sep 4 03:07:11 2008
From: ryanclambert at gmail.com (Ryan)
Date: Thu, 4 Sep 2008 03:07:11 -0400
Subject: [c-nsp] silly qos question
Message-ID: <002a01c90e5c$db50b750$91f225f0$@com>

Hey all,

Quick QoS question here. I seem to be having some trouble getting a policy applied to a Serial (T1) interface, and for the life of me don't understand why. I'm pretty sure it's my fault and not a "feature".
Error I am getting when I try to apply the service policy direction output:

%INTERFACE_NAME% class Data-DSCP requested bandwidth 750 (kbps) Available only 656 (kbps)

Here are the class/policy map statements:

class-map match-any Control-DSCP
 match ip dscp cs3
 match ip dscp af31
class-map match-any Voice-DSCP
 match ip dscp ef
class-map match-any Video-DSCP
 match ip dscp af41
class-map match-any class-default
class-map match-any Data-DSCP
 match ip dscp default

policy-map QoS-Policy-Office
 class Voice-DSCP
  priority 360
 class Video-DSCP
  bandwidth 128
 class Control-DSCP
  bandwidth 8
 class Data-DSCP
  bandwidth 750
 class class-default

If I bump bandwidth of class Data-DSCP down to 656 from 750, it applies with no backtalk.

Clearly I am missing something on a conceptual level, here. Any help is appreciated.

Platform:

7206VXR, NPE-G1 running 12.3(26) SP code.

Thanks!
-Ryan

From ccie15385 at gmail.com Thu Sep 4 03:20:07 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Thu, 4 Sep 2008 09:20:07 +0200
Subject: [c-nsp] DHCP and HSRP
In-Reply-To:
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>
Message-ID: <6099F23391024C8D9A18E647808FC803@africa.enterprise.root>

Hi All,

Or you can config the router to first ping (I think this is default...) the IP it wants to assign, and if it is active it will assign the next and so forth.

JC

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis
Sent: Thursday, September 04, 2008 2:38 AM
To: Teller, Robert; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP and HSRP

If you configure the ip dhcp database command to write to a common share, say a tftp share for example, you could prevent the IP address conflicts. The dhcp database is used by the local dhcp server to determine the state of the leases that the dhcp server has handed out. If you do not configure a dhcp server, I believe the leases are retained in RAM.
If you reboot a switch with leases in RAM then you will have dhcp conflicts when the switch reboots and starts handing out dhcp in a scope that it thinks has an open lease pool. That's how I have seen it work.

HTH
Mike

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert [RTeller at deltadentalwa.com]
Sent: Wednesday, September 03, 2008 6:40 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DHCP and HSRP

Is it possible to configure two 6509's to share DHCP information so that if the active HSRP router goes down and the standby comes up it doesn't generate a bunch of IP conflicts? Or do I need to maintain a separate scope on each HSRP member?

Robert Teller
Washington Dental Service
Network Administrator
(206) 528-2371
RTeller at DeltaDentalWa.com
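The two mitigations raised in this thread, Mike's (persist the bindings somewhere a rebooted or standby router can read them, which is what the ip dhcp database command does) and JC's (probe an address before assigning it), can be shown side by side with a small simulation. This is an added example, not code from the thread or from Cisco IOS: a toy lease pool in Python where the "shared database" is a JSON file and the "ping" is a callback into a dictionary of addresses really in use. Class and function names, the 10.0.0.0/24 pool and the host names are constructed for the example.

```python
"""Why a standby DHCP server hands out conflicting addresses, and two fixes.

Added example (not from the thread or from Cisco): models (a) persisting
bindings to shared storage so a second router, or a rebooted one, sees
existing leases, and (b) a pre-assignment probe that skips addresses that
answer. File format and names are this example's own constructions.
"""
import json
import os
import tempfile
from typing import Callable, Dict, List, Optional


class LeasePool:
    """One router's DHCP pool. `db_path` is the shared binding database
    (None = bindings live only in RAM and die with the router)."""

    def __init__(self, addresses: List[str], db_path: Optional[str] = None,
                 probe: Optional[Callable[[str], bool]] = None) -> None:
        self.addresses = addresses
        self.db_path = db_path
        self.probe = probe  # returns True if the address answers a ping (constructed stand-in)
        self.bindings: Dict[str, str] = {}  # ip -> client id
        self.conflicts: List[str] = []
        if db_path and os.path.exists(db_path):
            with open(db_path) as fh:
                self.bindings = json.load(fh)  # what a persisted database buys you

    def _persist(self) -> None:
        if self.db_path:
            with open(self.db_path, "w") as fh:
                json.dump(self.bindings, fh)

    def allocate(self, client_id: str) -> Optional[str]:
        """Hand out the first address not bound here and (if probing) not answering."""
        for ip in self.addresses:
            if ip in self.bindings:
                continue
            if self.probe and self.probe(ip):
                # Address answered: record the conflict and skip it instead of leasing it
                self.conflicts.append(ip)
                continue
            self.bindings[ip] = client_id
            self._persist()
            return ip
        return None


def simulate_failover(persist: bool, ping_before_assign: bool) -> Dict[str, object]:
    """Active router leases three addresses, then a standby with empty RAM takes
    over. Returns what the standby handed out and whether that collided with a
    host still holding the address."""
    addresses = [f"10.0.0.{i}" for i in range(10, 14)]  # constructed 4-address pool
    in_use: Dict[str, str] = {}  # the real network: ip -> host holding it
    probe = (lambda ip: ip in in_use) if ping_before_assign else None
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "bindings.json") if persist else None
        active = LeasePool(addresses, db, probe)
        for host in ("pc-a", "pc-b", "pc-c"):
            in_use[active.allocate(host)] = host
        standby = LeasePool(addresses, db, probe)  # fresh RAM, maybe a shared database
        given = standby.allocate("pc-d")
        return {
            "assigned": given,
            "duplicate": given in in_use,
            "skipped_as_conflict": list(standby.conflicts),
        }


if __name__ == "__main__":
    for persist, ping in ((False, False), (True, False), (False, True)):
        print(f"persist={persist} ping={ping}: {simulate_failover(persist, ping)}")
```

Without either measure the standby re-issues 10.0.0.10, which pc-a still holds. With the persisted database it knows the first three are taken; with the probe it discovers them one at a time and logs three conflicts before settling on 10.0.0.13. A shared file is persistence, not locking, so two routers both actively writing it can still race; probing remains the safety net for that case.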
From tseveendorj at gmail.com Thu Sep 4 03:24:03 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Thu, 4 Sep 2008 15:24:03 +0800
Subject: [c-nsp] RTP port
Message-ID: <62c908120809040024q72fd82c6u869b4adeb0fbb479@mail.gmail.com>

Hi,

Is it possible to choose the RTP port range on an AS5350XM? For example: don't use all ports 16000-60000 on the gateway, only use 16000-17000.

Sincerely,
Tseveen.

From achatz at forthnet.gr Thu Sep 4 03:32:08 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Sep 2008 10:32:08 +0300
Subject: [c-nsp] silly qos question
In-Reply-To: <002a01c90e5c$db50b750$91f225f0$@com>
References: <002a01c90e5c$db50b750$91f225f0$@com>
Message-ID: <48BF8EF8.60202@forthnet.gr>

Ryan,

have a look at the max-reserved-bandwidth command.

http://www.cisco.com/en/US/docs/ios/12_3/qos/command/reference/qos_m1g.html#wp1113113

--
Tassos

Ryan wrote on 4/9/2008 10:07 AM:
> Hey all,
>
> Quick QoS question here. I seem to be having some trouble getting a policy applied to a Serial (T1) interface, and for the life of me don't understand why. I'm pretty sure it's my fault and not a "feature".
>
> Error I am getting when I try to apply the service policy direction output:
>
> %INTERFACE_NAME% class Data-DSCP requested bandwidth 750 (kbps) Available only 656 (kbps)
>
> Here are the class/policy map statements:
>
> class-map match-any Control-DSCP
>  match ip dscp cs3
>  match ip dscp af31
> class-map match-any Voice-DSCP
>  match ip dscp ef
> class-map match-any Video-DSCP
>  match ip dscp af41
> class-map match-any class-default
> class-map match-any Data-DSCP
>  match ip dscp default
>
> policy-map QoS-Policy-Office
>  class Voice-DSCP
>   priority 360
>  class Video-DSCP
>   bandwidth 128
>  class Control-DSCP
>   bandwidth 8
>  class Data-DSCP
>   bandwidth 750
>  class class-default
>
> If I bump bandwidth of class Data-DSCP down to 656 from 750, it applies with no backtalk.
>
> Clearly I am missing something on a conceptual level, here. Any help is appreciated.
>
> Platform:
>
> 7206VXR, NPE-G1 running 12.3(26) SP code.
>
> Thanks!
> -Ryan

From p.mayers at imperial.ac.uk Thu Sep 4 03:32:13 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 4 Sep 2008 08:32:13 +0100
Subject: [c-nsp] SUP720-3B / 3rd party CF
In-Reply-To: <48BEF3BD.9090807@justinshore.com>
References: <9e246b4d0809020609r5cc1ee8ftea9af71771f39308@mail.gmail.com> <48BE8E1C.90304@justinshore.com> <9e246b4d0809030633h15911927p465f8071f1bf1424@mail.gmail.com> <48BEF3BD.9090807@justinshore.com>
Message-ID: <20080904073213.GA11595@wildfire.net.ic.ac.uk>

On Wed, Sep 03, 2008 at 03:29:49PM -0500, Justin Shore wrote:
>We're using the cheap Kingston modules. Not the fancy ones that claim
>faster write times. It's the "CF/1GB" model.
>

I wonder if that's it - I'm pretty sure our 2nd batch of cards claimed faster write times (not that it makes any difference - the CF card interface on the sup720 seems slow by design, grumble).

From ariemer at wesenergy.com.au Thu Sep 4 03:37:49 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 4 Sep 2008 15:37:49 +0800
Subject: [c-nsp] silly qos question
In-Reply-To: <002a01c90e5c$db50b750$91f225f0$@com>
References: <002a01c90e5c$db50b750$91f225f0$@com>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150A2F@MAILWA01.wesenergy.local>

This is because you are trying to reserve more than 75% of the actual bandwidth. Remember that by default Cisco allows 25% for the class default to allow for routing protocol and network management traffic etc..

It is possibly best to use bandwidth percent and priority percent to make this clear or if the interface is later upgraded etc.

You can remove the class-default 25% restriction by the way but I cannot remember the command to do it sorry :) I am sure google will have the answer for you :)

Cheers,
Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ryan
Sent: Thursday, 4 September 2008 3:07 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] silly qos question

Hey all,

Quick QoS question here. I seem to be having some trouble getting a policy applied to a Serial (T1) interface, and for the life of me don't understand why. I'm pretty sure it's my fault and not a "feature".
Error I am getting when I try to apply the service policy direction output:

%INTERFACE_NAME% class Data-DSCP requested bandwidth 750 (kbps) Available only 656 (kbps)

Here are the class/policy map statements:

class-map match-any Control-DSCP
 match ip dscp cs3
 match ip dscp af31
class-map match-any Voice-DSCP
 match ip dscp ef
class-map match-any Video-DSCP
 match ip dscp af41
class-map match-any class-default
class-map match-any Data-DSCP
 match ip dscp default

policy-map QoS-Policy-Office
 class Voice-DSCP
  priority 360
 class Video-DSCP
  bandwidth 128
 class Control-DSCP
  bandwidth 8
 class Data-DSCP
  bandwidth 750
 class class-default

If I bump bandwidth of class Data-DSCP down to 656 from 750, it applies with no backtalk.

Clearly I am missing something on a conceptual level, here. Any help is appreciated.

Platform:

7206VXR, NPE-G1 running 12.3(26) SP code.

Thanks!
-Ryan
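Aaron's explanation of the 75% rule can be checked with arithmetic: the reservations in Ryan's policy-map are walked in order against a budget of 75% of the interface bandwidth, and Data-DSCP is the first class that no longer fits. The following is an added example, not code from the thread or from Cisco IOS: a small Python model of that check which reproduces the error text Ryan saw, reports the largest value the class could take, and shows what changing the reservable percentage (the max-reserved-bandwidth command Tassos pointed at) does. The class names and numbers come from Ryan's post; the function names and the 1536 kbps T1 figure are this example's assumptions.

```python
"""Model the IOS max-reserved-bandwidth check that rejects the posted policy.

Added example (not from the thread or from Cisco IOS): reproduces the
arithmetic behind "requested bandwidth 750 (kbps) Available only 656 (kbps)"
on a T1 and shows how the reservable percentage changes the answer.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClassReservation:
    """One class in a policy-map with an explicit kbps reservation."""
    name: str
    kbps: int
    priority: bool = False  # 'priority N' (LLQ) rather than 'bandwidth N'


# policy-map QoS-Policy-Office from the thread; class-default reserves nothing explicitly
QOS_POLICY_OFFICE: List[ClassReservation] = [
    ClassReservation("Voice-DSCP", 360, priority=True),
    ClassReservation("Video-DSCP", 128),
    ClassReservation("Control-DSCP", 8),
    ClassReservation("Data-DSCP", 750),
]

T1_KBPS = 1536                 # assumed interface bandwidth the check is made against
DEFAULT_MAX_RESERVED_PCT = 75  # IOS default; max-reserved-bandwidth changes it


def reservable_kbps(interface_kbps: int,
                    max_reserved_pct: int = DEFAULT_MAX_RESERVED_PCT) -> int:
    """Total kbps that explicit bandwidth/priority statements may claim."""
    return interface_kbps * max_reserved_pct // 100


def check_policy(policy: List[ClassReservation], interface_kbps: int,
                 max_reserved_pct: int = DEFAULT_MAX_RESERVED_PCT) -> Optional[str]:
    """Walk the classes in policy order and return an IOS-style error for the
    first class that does not fit, or None when the whole policy can be applied."""
    budget = reservable_kbps(interface_kbps, max_reserved_pct)
    used = 0
    for cls in policy:
        available = budget - used
        if cls.kbps > available:
            return (f"class {cls.name} requested bandwidth {cls.kbps} (kbps) "
                    f"Available only {available} (kbps)")
        used += cls.kbps
    return None


def max_kbps_for(policy: List[ClassReservation], class_name: str, interface_kbps: int,
                 max_reserved_pct: int = DEFAULT_MAX_RESERVED_PCT) -> int:
    """Largest value the named class could be given with the other classes unchanged."""
    others = sum(c.kbps for c in policy if c.name != class_name)
    return max(reservable_kbps(interface_kbps, max_reserved_pct) - others, 0)


if __name__ == "__main__":
    print(check_policy(QOS_POLICY_OFFICE, T1_KBPS))                        # the posted error
    print(max_kbps_for(QOS_POLICY_OFFICE, "Data-DSCP", T1_KBPS))            # 656
    print(check_policy(QOS_POLICY_OFFICE, T1_KBPS, max_reserved_pct=100))  # None: it fits
```

360 + 128 + 8 = 496 kbps is already committed when Data-DSCP is reached, and 1152 - 496 = 656, which is exactly the value IOS reports. Raising the reservable share to 100% makes 750 fit, but then nothing is held back for class-default, routing protocol and management traffic, which is the point Aaron makes; the percent forms he suggests feed the same check once converted to kbps against the interface bandwidth.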
From stretch at packetlife.net Thu Sep 4 03:39:37 2008
From: stretch at packetlife.net (Jeremy Stretch)
Date: Thu, 04 Sep 2008 10:39:37 +0300
Subject: [c-nsp] silly qos question
In-Reply-To: <002a01c90e5c$db50b750$91f225f0$@com>
References: <002a01c90e5c$db50b750$91f225f0$@com>
Message-ID: <48BF90B9.8090001@packetlife.net>

With the 656 Kbps limit for the Data-DSCP class, your reserved bandwidths total 1152 Kbps, or 75% of a 1.536 Mbps interface. Remember that by default IOS will only reserve up to 75% of an interface's bandwidth. You should be able to change this with the 'max-reserved-bandwidth' command applied to the interface.

--
stretch
http://packetlife.net

From achatz at forthnet.gr Thu Sep 4 03:44:23 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 04 Sep 2008 10:44:23 +0300
Subject: [c-nsp] DHCP and HSRP
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC011D4@tiger.deltadentalwa.com>
Message-ID: <48BF91D7.9030603@forthnet.gr>

Cisco was supposed to add the ip redundancy feature of HSRP to the DHCP server functionality, like it's happening with NAT. I don't know if this has happened... At least the UDP forwarding support is there.

--
Tassos

Teller, Robert wrote on 4/9/2008 1:40:
> Is it possible to configure two 6509's to share DHCP information so that
> if the active HSRP router goes down and the standby comes up it doesn't
> generate a bunch of ip conflicts? Or do I need to maintain a separate
> scope on each HSRP member?
>
> Robert Teller
> Washington Dental Service
> Network Administrator
> (206) 528-2371
> RTeller at DeltaDentalWa.com
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be privileged,
> confidential and protected from disclosure. This transmission is intended for the sole
> use of the individual and entity to whom it is addressed. If you are not the intended
> recipient, any dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################

From ariemer at wesenergy.com.au Thu Sep 4 03:45:09 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 4 Sep 2008 15:45:09 +0800
Subject: [c-nsp] silly qos question
In-Reply-To: <002a01c90e5c$db50b750$91f225f0$@com>
References: <002a01c90e5c$db50b750$91f225f0$@com>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150A3C@MAILWA01.wesenergy.local>

Further to my original post, the way to get around the 25% class-default limit is to use the interface command max-reserved-bandwidth.

HTH.

Cheers,

Aaron.

From ryanclambert at gmail.com Thu Sep 4 03:45:41 2008
From: ryanclambert at gmail.com (Ryan)
Date: Thu, 4 Sep 2008 03:45:41 -0400
Subject: [c-nsp] silly qos question
In-Reply-To: <48BF8EF8.60202@forthnet.gr>
References: <002a01c90e5c$db50b750$91f225f0$@com> <48BF8EF8.60202@forthnet.gr>
Message-ID: <002b01c90e62$3b99d150$b2cd73f0$@com>

Got it. Thanks everyone for the quick response; my hair was coming out.

I did a 12.0(28)S -> 12.3(26) upgrade and it started yapping at me. I neglected to mention that, sorry -- it's almost 4am. The old software just let me do it without any feedback. I guess I ASSumed it was all just as well. My first mistake. :)

-Ryan

-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz at forthnet.gr]
Sent: Thursday, September 04, 2008 3:32 AM
To: Ryan
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] silly qos question

Ryan, have a look at the max-reserved-bandwidth command.

http://www.cisco.com/en/US/docs/ios/12_3/qos/command/reference/qos_m1g.html#wp1113113

--
Tassos

Ryan wrote on 4/9/2008 10:07:
> Hey all,
>
> Quick QoS question here.
From CB at nianet.dk Thu Sep 4 03:46:33 2008
From: CB at nianet.dk (Christian Bering)
Date: Thu, 4 Sep 2008 09:46:33 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
References: <1220470004.32656.7.camel@abehat> <20080904061039.GM233@greenie.muc.de>
Message-ID:

Gert et al,

> Besides, if you happen to *have* a 6500 chassis, the RSP won't
> work there.

Ah. Since we stuck to 7600s that difference had escaped me. Thanks for clarifying.

--
Regards
Christian Bering

From gert at greenie.muc.de Thu Sep 4 04:02:08 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 10:02:08 +0200
Subject: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
In-Reply-To:
References: <200809040227.m842RBGe015086@groupstudy.com> <20080904062227.GP233@greenie.muc.de>
Message-ID: <20080904080208.GA17238@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 05:49:31PM +1000, Brett Clausenhauf wrote:
> Unfortunately this is doubtful. The web server is literally just configured
> & is not logging. Regards,

By default, most webservers *do* log...

As I said, this was just a stab in the dark - run tcpdump (or wireshark) on the server to see what sort of outgoing connections it does.

gert
--
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert at greenie.muc.de
fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Sep 4 04:24:59 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 10:24:59 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References: <1220470004.32656.7.camel@abehat> <20080904061039.GM233@greenie.muc.de>
Message-ID: <20080904082459.GC17238@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 09:46:33AM +0200, Christian Bering wrote:
> >Besides, if you happen to *have* a 6500 chassis, the RSP won't
> >work there.
>
> Ah. Since we stuck to 7600s that difference had escaped me. Thanks for
> clarifying.

On a 7600, you can use Sup720 or RSP720, but you can't use Sup720-10Gs, which are quite nice...

gert
--
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert at greenie.muc.de
fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de
From jr at xor.at Thu Sep 4 03:37:08 2008
From: jr at xor.at (Johannes Resch)
Date: Thu, 4 Sep 2008 09:37:08 +0200 (CEST)
Subject: [c-nsp] silly qos question
In-Reply-To: <002a01c90e5c$db50b750$91f225f0$@com>
References: <002a01c90e5c$db50b750$91f225f0$@com>
Message-ID: <36898.195.112.95.126.1220513828.squirrel@and.xor.at>

On Thu, September 4, 2008 09:07, Ryan wrote:
> Hey all,
>
> Quick QoS question here. I seem to be having some trouble getting a policy
> applied to a Serial (T1) interface, and for the life of me don't
> understand why. I'm pretty sure it's my fault and not a "feature".
>
> Error I am getting when I try to apply the service policy direction
> output:
>
> %INTERFACE_NAME% class Data-DSCP requested bandwidth 750 (kbps) Available
> only 656 (kbps)

Did you set "max-reserved-bandwidth" to 100% on the interface?

Regards,
-jr

From Oliver.Dewdney at LBi.com Thu Sep 4 06:20:13 2008
From: Oliver.Dewdney at LBi.com (Oliver Dewdney)
Date: Thu, 4 Sep 2008 11:20:13 +0100
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To:
References:
Message-ID:

Do you need full routing tables? Jon Lewis emailed a week ago about how to reduce the table by filtering the bgp feeds to get the table to fit. I think that the routing/connectivity should be fine for a hosting provider.

http://jonsblog.lewis.org/

which can be used until you are in a position to upgrade or Cisco come out with a FIB optimization, which will never happen.

How did Cisco come out with so many 720s that the compatibility matrix is so complicated?

Oli

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Kunkel
Sent: 03 September 2008 18:59
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dreaded FIB Exception on Sup2

Well, I've hit the dreaded error message on my Sup2:

%MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched

I've done a lot of reading on this (cisco.com, this list, etc.), with the conclusion that this supervisor engine is likely just at the end of its useful lifetime, but I figured I'd double check I wasn't missing anything.

This happened when I started getting a full routing table from a provider today. We're connected to one peering point and another aggregation-style provider, and are in the process of adding a Cogent connection (hold any tempting comments on that one, please).

LBi. The global marketing and technology agency. Winner: Media Guardian Design Innovation Award 2008

LBi Ltd is registered in England and Wales, the registered number and address are 03080409, Truman Brewery, 146 Brick Lane, London, E1 6RU. This email may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

From MLouis at nwnit.com Thu Sep 4 07:42:22 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Thu, 4 Sep 2008 07:42:22 -0400
Subject: [c-nsp] silly qos question
Message-ID:

I usually set the max reserve command to 95 percent to leave room for routing and other overhead.
That way I don't have to specify a specific class to take care of it if I reserve all remaining bw in the pm.

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From tim at pelican.org Thu Sep 4 07:55:42 2008
From: tim at pelican.org (Tim Franklin)
Date: Thu, 4 Sep 2008 12:55:42 +0100 (BST)
Subject: [c-nsp] silly qos question
In-Reply-To:
References:
Message-ID: <7e23c545134878c7cffa696d344457e6.squirrel@webmail.pelican.org>

On Thu, September 4, 2008 12:42 pm, Mike Louis wrote:
> I usually set the max reserve command to 95 percent to leave room for
> routing and other overhead. That way I don't have to specify a specific
> class to take care of it if I reserve all remaining bw in the pm

Be careful, this *doesn't* guarantee that remaining 5% is reserved for management / routing, unless you explicitly police all the other classes. It stops you *reserving* it for other classes, but it doesn't stop those other classes *using* it.

Much safer, IMO, to put a class (or classes) in for management / routing, and then let the bandwidth reserved for these go back into the pool while it's not being used.

Regards,
Tim.

From fweimer at bfk.de Thu Sep 4 08:05:54 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Thu, 04 Sep 2008 14:05:54 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: (Oliver Dewdney's message of "Thu, 4 Sep 2008 11:20:13 +0100")
References:
Message-ID: <82vdxc2k0t.fsf@mid.bfk.de>

* Oliver Dewdney:

> Do you need full routing tables? Jon Lewis emailed a week ago about
> how to reduce the table by filtering the bgp feeds to get the table
> to fit. I think that the routing/connectivity should be fine for a
> hosting provider.
>
> http://jonsblog.lewis.org/

Do you mean the filters based on RIR minimum allocations? From time to time, someone who should know better announces something smaller without the covering aggregate, so this requires some maintenance.
--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From gert at greenie.muc.de Thu Sep 4 08:18:49 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 14:18:49 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <82vdxc2k0t.fsf@mid.bfk.de>
References: <82vdxc2k0t.fsf@mid.bfk.de>
Message-ID: <20080904121849.GE17238@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 02:05:54PM +0200, Florian Weimer wrote:
> Do you mean the filters based on RIR minimum allocations? From time
> to time, someone who should know better announces something smaller
> without the covering aggregate,

So what? They do not want your traffic, obviously...

gert
--
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert at greenie.muc.de
fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de

From philou at philou.ch Thu Sep 4 07:23:45 2008
From: philou at philou.ch (Philippe Strauss)
Date: Thu, 4 Sep 2008 13:23:45 +0200
Subject: [c-nsp] c7604 "starter kit"
Message-ID: <20080904112344.GA2758@whitechalk.dfinet.ch>

Hello c-nsp,

For a small ISP who needs to get routing gear much more resistant to DDoS than a 7200 NPE-G1/2 (with a bit over 400kpps on a POS OC3 on a G2, the router is at 100% CPU, probably better on ethernet but...), what is the entry level 7600?

I'm new to the convoluted world of hardware routing :-)

chassis 7604?
3bxl or 3cxl?
sup720 or rsp720?
linecard: what are the SPA? distributed forwarding? we don't need it a priori.
there is a 6 gbic port (2+4) with PXF, what is this beast? probably something to avoid.
I've heard once upon a time an 8 port GigE linecard was available and not anymore.
will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work in a c7600?
We don't need 20 ports and that's a bit expensive.
All ports must do layer 3, of course.
Full BGP table, many times (3 full peers plus 100 local peerings w few prefixes).

TIA!

--
Philippe Strauss
http://philou.ch

From fweimer at bfk.de Thu Sep 4 09:13:21 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Thu, 04 Sep 2008 15:13:21 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <20080904121849.GE17238@greenie.muc.de> (Gert Doering's message of "Thu, 4 Sep 2008 14:18:49 +0200")
References: <82vdxc2k0t.fsf@mid.bfk.de> <20080904121849.GE17238@greenie.muc.de>
Message-ID: <82ljy82gwe.fsf@mid.bfk.de>

* Gert Doering:

> On Thu, Sep 04, 2008 at 02:05:54PM +0200, Florian Weimer wrote:
>> Do you mean the filters based on RIR minimum allocations? From time
>> to time, someone who should know better announces something smaller
>> without the covering aggregate,
>
> So what? They do not want your traffic, obviously...

But your customers might be interested in theirs. To some extent, RIR minimum allocation filters trade FIB resources for operator resources. Desperate attempts at traffic engineering are certainly not restricted to those who have no traffic to deal with. 8-/

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From rich.davies at gmail.com Thu Sep 4 09:21:37 2008
From: rich.davies at gmail.com (Rich Davies)
Date: Thu, 4 Sep 2008 09:21:37 -0400
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <20080904121849.GE17238@greenie.muc.de>
References: <82vdxc2k0t.fsf@mid.bfk.de> <20080904121849.GE17238@greenie.muc.de>
Message-ID: <3e4b8fe10809040621i2826be74o6cd14b9648631706@mail.gmail.com>

Has anyone ever utilized Unicast RPF (reverse path forwarding) to help mitigate this limitation on the SUP2's?
I have also run into the same limitation with our SUP2's (full BGP routing table, multiple peering sessions) and I have read that enabling Unicast RPF would help temporarily alleviate the TCAM memory being exhausted, but in the long run a SUP7203BXL would be the best solution (unfortunately very pricy).

Has anyone ever used uRPF to help correct this (for short term) or is the SUP7203BXL the only solution?

-Rich

Rich Davies
rich.davies at gmail.com

From saku+cisco-nsp at ytti.fi Thu Sep 4 09:23:55 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 4 Sep 2008 16:23:55 +0300
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904112344.GA2758@whitechalk.dfinet.ch>
References: <20080904112344.GA2758@whitechalk.dfinet.ch>
Message-ID: <20080904132355.GA17595@mx.ytti.net>

On (2008-09-04 13:23 +0200), Philippe Strauss wrote:

Hey,

> chassis 7604?

This is fine, it's an 'S' chassis like 7606S and 7609S even though the 'S' is not visible there and it's black and not white :). Technically it's the same.

> 3bxl or 3cxl?
> sup720 or rsp720?

sup720 comes 3c(xl) and rsp720 comes with 3b(xl). Differences between C and B are rather minor and mostly related to L2 (like more MACs). However there are some rarely mentioned things fixed in 3C that affect eg. MPLS. Big benefit of RSP720 is MSFC4, which means you have a faster control-plane which can take more memory. I would definitely go with RSP720.

> linecard: what are the SPA? distributed forwarding? we don't need it a priori.
> there is a 6 gbic port (2+4) with PXF, what is this beast? probably something
> to avoid.

SPAs house intelligent ports, which means mainly HQoS and vlan local significance and of course non-ethernet interfaces. If you don't need any feature SPA has, you really should go with LAN cards, due to cost reasons.

> I've heard once upon a time a 8 port GigE linecard was available and not anymore.
> will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work
> in a c7600?

If you buy LAN cards, I wouldn't look at other than WS-X67.. and WS-X65.. as they connect to the fabric.

> We don't need 20 ports and that's a bit expensive.
> All port must do layer3, of course.

All LAN cards with 3B/3C will happily do not just L3 but also MPLS.

> Full BGP table, many times (3 full peer plus 100 local peerings w few prefixes).

No problem (you need XL).

You might also look at ASR1k as next-gen PE to replace VXR. 7600 has limitations in hardware, especially in terms of IPv6 (no IPv6 uRPF, lookup key size has compromises in ACL usage and others). When you compare 7600 with SIP/SPA, ASR1k is an even cheaper solution and much more flexible. One thing to notice is that ASR1k does not currently have EoMPLS support in any software, but other than that, all generally used features are supported. If I needed non-ethernet interfaces, vlan local significance or HQoS and I didn't need EoMPLS, I'd definitely go with ASR1k rather than 7600.
--
  ++ytti

From fweimer at bfk.de Thu Sep 4 09:25:33 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Thu, 04 Sep 2008 15:25:33 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <3e4b8fe10809040621i2826be74o6cd14b9648631706@mail.gmail.com> (Rich Davies's message of "Thu, 4 Sep 2008 09:21:37 -0400")
References: <82vdxc2k0t.fsf@mid.bfk.de> <20080904121849.GE17238@greenie.muc.de> <3e4b8fe10809040621i2826be74o6cd14b9648631706@mail.gmail.com>
Message-ID: <82d4jk2gc2.fsf@mid.bfk.de>

* Rich Davies:

> Has anyone ever utilized Unicast RPF (reverse path forwarding) to help
> mitigate this limitation on the SUP2's? I have also ran into the same
> limitation with our SUP2's (full BGP routing table, multiple peering
> sessions) and I have read that enabling Unicast RPF would help temporarily
> alleviate the TCAM memory being exhausted

On a MSFC2/PFC2, enabling uRPF cuts the number of available routes in half, so it makes things only worse. Don't know about more modern MSFCs, sorry.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From gert at greenie.muc.de Thu Sep 4 09:23:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Sep 2008 15:23:39 +0200
Subject: [c-nsp] Dreaded FIB Exception on Sup2
In-Reply-To: <3e4b8fe10809040621i2826be74o6cd14b9648631706@mail.gmail.com>
References: <82vdxc2k0t.fsf@mid.bfk.de> <20080904121849.GE17238@greenie.muc.de> <3e4b8fe10809040621i2826be74o6cd14b9648631706@mail.gmail.com>
Message-ID: <20080904132339.GG17238@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 09:21:37AM -0400, Rich Davies wrote:
> Has anyone ever utilized Unicast RPF (reverse path forwarding) to help
> mitigate this limitation on the SUP2's? I have also ran into the same
> limitation with our SUP2's (full BGP routing table, multiple peering
> sessions) and I have read that enabling Unicast RPF would help temporarily
> alleviate the TCAM memory being exhausted

You have read funny stuff. Enabling uRPF on the SUP2 *halves* the available TCAM space, to 128k routes.

gert
--
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert at greenie.muc.de
fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Thu Sep 4 09:30:00 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 4 Sep 2008 15:30:00 +0200 (CEST)
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904112344.GA2758@whitechalk.dfinet.ch>
References: <20080904112344.GA2758@whitechalk.dfinet.ch>
Message-ID:

On Thu, 4 Sep 2008, Philippe Strauss wrote:

> I'm new to the convoluted world of hardware routing :-)
>
> chassis 7604?
> 3bxl or 3cxl?
> sup720 or rsp720?

Latest, same money, newer hardware, so 7604 RSP720-3CXL.

> linecard: what are the SPA? distributed forwarding? we don't need it a priori.
> there is a 6 gbic port (2+4) with PXF, what is this beast? probably something
> to avoid.

You need OC3 ports? Yeah, you're going to be paying a lot for SIP-400+SPA, it'll do 4 gigabit/s actual traffic.

> I've heard once upon a time a 8 port GigE linecard was available and not anymore.
> will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work
> in a c7600?

Yes.

> We don't need 20 ports and that's a bit expensive.
> All port must do layer3, of course.
> Full BGP table, many times (3 full peer plus 100 local peerings w few prefixes).
Full BGP table costs money; if you're on a budget, get a used Cisco 12000, it'll take you into the gigabits/s realm quite cheaply, then when you're past that, go for 7600. 7600 makes a lot of sense if you're ethernet only; the SONET/SDH interfaces are quite pricey due to the need for SIP/SPAs.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From lists at memetic.org Thu Sep 4 09:31:56 2008
From: lists at memetic.org (Adam Armstrong)
Date: Thu, 04 Sep 2008 14:31:56 +0100
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904112344.GA2758@whitechalk.dfinet.ch>
References: <20080904112344.GA2758@whitechalk.dfinet.ch>
Message-ID: <48BFE34C.30106@memetic.org>

> For a small ISP who need to get a routing gear much more resistant do DDoS than
> 7200 NPE-G1/2 (with a bit over 400kpps on a POS OC3 on a G2, the router is at 100% CPU,
> probably better on ethernet but...), what is the entry level 7600?
>
> I'm new to the convoluted world of hardware routing :-)
>
> chassis 7604?

7603 or 7604, depending upon whether you want redundant SUP/RSP.

> 3bxl or 3cxl?
> sup720 or rsp720?

Those two questions are the same: SUP720 is 3BXL and RSP720 is 3CXL. The RSP is the 'official' 7600 version. It has twice the router processor speed, and a slightly enhanced PFC, so just get the RSP (it's the same price!).

> linecard: what are the SPA? distributed forwarding? we don't need it a priori.
> there is a 6 gbic port (2+4) with PXF, what is this beast? probably something
> to avoid.

SPAs are interface cards. On the 7600 platform you put SPAs into a SIP, which is basically an ASIC based carrier card which sits on the switch fabric (they do more features than the lan cards). If you're not doing VPLS or very complex QoS, you don't need SIP/SPA, lan cards will be fine. If you need to terminate a POS interface, you will need a SIP/SPA though...

Don't use the old PA carriers, as they just effectively have 7200-speed processors doing the forwarding, so are still susceptible to DoS.

> I've heard once upon a time a 8 port GigE linecard was available and not anymore.
> will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work
> in a c7600?

Almost always, yes. There are some cards which won't, such as the 8 port 10GE card.

> We don't need 20 ports and that's a bit expensive.
> All port must do layer3, of course.
> Full BGP table, many times (3 full peer plus 100 local peerings w few prefixes).

A 7600 with RSP720 will do lots of full tables. All lan cards will do ports as L3.

You might want to look at buying the lan cards 2nd user, they're an order of magnitude cheaper than new! (especially older cards like the WS-X6148G).

I hope that helps.

adam.

From dgranzer at gmail.com Thu Sep 4 10:11:06 2008
From: dgranzer at gmail.com (David Granzer)
Date: Thu, 4 Sep 2008 16:11:06 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904132355.GA17595@mx.ytti.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net>
Message-ID: <844ef89c0809040711w480d9586peaade37cc4054102@mail.gmail.com>

Hello,

On 9/4/08, Saku Ytti wrote:
> On (2008-09-04 13:23 +0200), Philippe Strauss wrote:
>
> Hey,
>
> > chassis 7604?
>
> This is fine it's 'S' chassis like 7606S and 7609S even though the 'S'
> is not visible there and it's black and not white :). Technically it's
> the same.
>
> > 3bxl or 3cxl?
> > sup720 or rsp720?
>
> sup720 comes 3c(xl) and rsp720 comes with 3b(xl).

RSP720 comes with 3C(XL) and SUP720 with 3B(XL).

WS-SUP720-3BXL
RSP720-3CXL-GE

SUP720 - Supervisor 720 is designed for 6500 series
RSP720 - Route Switch Processor 720 is designed for 7600 series

Regards,
David
> >
> > linecard: what are the SPA? distributed forwarding? we don't need it a priori.
> > there is a 6 gbic port (2+4) with PXF, what is this beast? probably something
> > to avoid.
>
> SPA's house intelligent ports, which means mainly HQoS and vlan local significance
> and of course non-ethernet interface.
> If you don't need any feature SPA has, you really should go with LAN card,
> due to cost reasons.
>
> > I've heard once upon a time a 8 port GigE linecard was available and not anymore.
> > will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work
> > in a c7600?
>
> If you buy LAN cards, I wouldn't look other than WS-X67.. and WS-X65.. as
> they connected to the fabric.
>
> > We don't need 20 ports and that's a bit expensive.
> > All port must do layer3, of course.
>
> All LAN cards with 3B/3C will happily do not just L3 but also MPLS.
>
> > Full BGP table, many times (3 full peer plus 100 local peerings w few prefixes).
>
> No problem (you need XL)
>
> You might also look at ASR1k as next-gen PE to replace VXR. 7600 has
> limitation in hardware, especially in terms of IPv6 (no IPv6 uRPF, lookup
> key size has compromises in ACL usage and others). When you compare
> 7600 with SIP/SPA, ASR1k is even cheaper solution and much more flexible.
> One thing to notice is that ASR1k does not currently have EoMPLS support
> in any software, but other than that, all generally used features
> are supported.
> If I'd need non-ethernet interfaces, vlan local significance or HQoS and
> I wouldn't need EoMPLS, I'd definitely go with ASR1k rather than 7600.
>
> -- 
>   ++ytti
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sabt at sabt.net Thu Sep 4 10:00:54 2008
From: sabt at sabt.net (Sebastian Abt)
Date: Thu, 4 Sep 2008 16:00:54 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904132355.GA17595@mx.ytti.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net>
Message-ID: <20080904140054.GL4491@sephina.sabt.net>

* Saku Ytti wrote:
> sup720 comes 3c(xl) and rsp720 comes with 3b(xl).

Vice versa you mean, don't you?

sebastian

-- 
SABT-RIPE
PGPKEY-D008DA9C

From greg at ip-man.net Thu Sep 4 11:17:41 2008
From: greg at ip-man.net (Gregoire Huet)
Date: Thu, 04 Sep 2008 17:17:41 +0200
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
Message-ID: <48BFFC15.2020200@ip-man.net>

Hello

I would like to boot a Sup720-3BXL in a 7604 chassis, but it won't.

The sup was previously used in a cat6k chassis (as announced by the bootstrap), and even with a CompactFlash formatted on a running 7604/720-3BXL, the blade does not boot.

The compact flash is readable and a 'dir' shows the image, but booting on it crashes after a while (there is just the ATA line displayed), and about 30 seconds after, it's returning to rommon with a weird message (that I can possibly report here if needed).

Is there a known trick to 'convert' the blade from cat6k to 76xx?

Thanks a lot for any help

Best regards,
Gregoire Huet

From elmi at 4ever.de Thu Sep 4 11:24:21 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 4 Sep 2008 17:24:21 +0200
Subject: [c-nsp] 7301 (NPE-G1) leaking L2 frames over L3
In-Reply-To: <20080821143415.GT12234@ronin.4ever.de>
References: <20080821143415.GT12234@ronin.4ever.de>
Message-ID: <20080904152421.GR48711@ronin.4ever.de>

Following up on my own problem...
(fullquote provided for context in archives)

upgrading from 12.3(14)T7 to 12.4(21) fixed the leakage.

Just in case anyone else runs into that problem...

Yours,
Elmar.

elmi at 4ever.de (Elmar K. Bins) wrote:

> Hi knowledgeable folks,
>
> I have a somewhat weird issue with an admittedly slightly aged IOS
> on a 7301: That router is leaking Ethernet frames from one L3 interface
> to another.
>
> I have been alerted by the folks at the exchange (who monitor very
> closely, thanks). Since they haven't turned my port off yet,
> leaking should be minimal.
>
> The box is a 7301 with PA-2FE-TX (f1/0 connected to the exchange),
> running IOS 12.3(14)T7.
>
> Inside - towards some servers - is a L3 portchannel
> (via a WS-3750):
>
> interface Port-channel1
>  description PO to sw (via g0/0 and g0/1)
>  ip address xxx.xxx.xxx.1 255.255.255.0
>  ip access-group MGT-no in
>  ip access-group acl-SERVICE-out out
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip route-cache same-interface
>  ip route-cache flow
>  load-interval 30
>  duplex full
>  hold-queue 150 in
> end
>
>
> Outside is a layer 3 port to the exchange fabric:
>
> interface FastEthernet1/0
>  description exchange port
>  ip address xxx.xxx.xxx.xxx 255.255.254.0
>  ip access-group FILTER_IN-FastEthernet1-0-in-3 in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip accounting mac-address input
>  ip accounting mac-address output
>  ip accounting access-violations
>  load-interval 30
>  duplex full
>  speed 100
>  ipv6 address xx:xx:xx:xx:xx:xx:xx:xx/64
>  ipv6 nd suppress-ra
>  no ipv6 mld router
>  no keepalive
>  no cdp enable
> end
>
>
> Captured frames show that Ethernet frames with source MACs
> of the server NICs make it to the exchange fabric somehow.
>
> My questions:
>
> - is this some kind of misconfiguration on my part?
> - if not: does anyone know of / remember such a bug?
> - how could I find info, probably on cisco.com?
>
> I'm at a loss here.
> Blindly upgrading to T14 or whatever
> might or might not kill the bug. I'd like to reboot as
> rarely as possible...
>
> Thanks for any help, hints or insight.
>
> Elmar.

From saku+cisco-nsp at ytti.fi Thu Sep 4 11:35:20 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 4 Sep 2008 18:35:20 +0300
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904140054.GL4491@sephina.sabt.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net> <20080904140054.GL4491@sephina.sabt.net>
Message-ID: <20080904153520.GA22840@mx.ytti.net>

On (2008-09-04 16:00 +0200), Sebastian Abt wrote:
> * Saku Ytti wrote:
> > sup720 comes 3c(xl) and rsp720 comes with 3b(xl).
>
> Vice versa you mean, don't you?

Indeed thanks for catching it.

-- 
  ++ytti

From cchurc05 at harris.com Thu Sep 4 11:53:38 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 4 Sep 2008 10:53:38 -0500
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
In-Reply-To: <48BFFC15.2020200@ip-man.net>
References: <48BFFC15.2020200@ip-man.net>
Message-ID:

Is it possible you're trying to boot an IOS version that doesn't support that chassis? I'm sure there is a minimum version for a 7604, and I'm sure it's more recent than the minimum for the 6500 it came out of.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregoire Huet
Sent: Thursday, September 04, 2008 11:18 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Moving Sup720 from cat6k to 7600

Hello

I would like to boot a Sup720-3BXL in a 7604 chassis, but it won't.

The sup was previously used in a cat6k chassis (as announced by the bootstrap), and even with a CompactFlash formatted on a running 7604/720-3BXL, the blade does not boot.
The compact flash is readable and a 'dir' shows the image, but booting on it crashes after a while (there is just the ATA line displayed), and about 30 seconds after, it's returning to rommon with a weird message (that I can possibly report here if needed).

Is there a known trick to 'convert' the blade from cat6k to 76xx?

Thanks a lot for any help

Best regards,
Gregoire Huet

From peter at rathlev.dk Thu Sep 4 12:29:19 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 04 Sep 2008 18:29:19 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <48BFE34C.30106@memetic.org>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <48BFE34C.30106@memetic.org>
Message-ID: <1220545759.13061.9.camel@abehat>

On Thu, 2008-09-04 at 14:31 +0100, Adam Armstrong wrote:
> On Thu, 2008-09-04 at 13:23 +0200, Philippe Strauss wrote:
> > I've heard once upon a time a 8 port GigE linecard was available and
> > not anymore. will the 8 port fixed GigE (not 10/100 but only 1000) of
> > the cat6500 line work in a c7600?
>
> Almost always, yes. There are some cards which won't, such as the 8
> port 10GE card.

C7600/SRC supports the WS-X6708-10G-3C{,XL}. The 16 port WS-X6716-10G-3C is 6500 only though.

> A 7600 with RSP 7200 will do lots of full tables. All lan cards will do
> ports as L3. You might want to look at buying the lan cards 2nd user,
> they're an order of magnitude cheaper than new! (especially older cards
> like the WS-X6148G).

Beware of the non-fabric-enabled and 8:1 oversubscribed 6148 cards. They're LAN cards, so they have all the PFC features, but capacity wise they're not exactly brilliant.
Regards,
Peter

From peter at rathlev.dk Thu Sep 4 12:36:01 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 04 Sep 2008 18:36:01 +0200
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
In-Reply-To: <48BFFC15.2020200@ip-man.net>
References: <48BFFC15.2020200@ip-man.net>
Message-ID: <1220546161.13061.12.camel@abehat>

On Thu, 2008-09-04 at 17:17 +0200, Gregoire Huet wrote:
> Hello
>
> I would like to boot a Sup720-3BXL in a 7604 chassis, but it won't.
>
> The sup was previously used in a cat6k chassis (as announced by the
> bootstrap), and even with a CompactFlash formatted on a running
> 7604/720-3BXL, the blade does not boot.
>
> The compact flash is readable and a 'dir' shows the image, but booting
> on it crashes after a while (there is just the ATA line displayed), and
> about 30 seconds after, it's returning to rommon with a weird message
> (that I can possibly report here if needed).
>
> Is there a known trick to 'convert' the blade from cat6k to 76xx?

You need at least 12.2(18)SXE for the 7604 chassis. What software version is on the card now? If it's the software, you can insert a flash card with the newer software and boot from that.

Regards,
Peter

From MatlockK at exempla.org Thu Sep 4 12:39:22 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Thu, 4 Sep 2008 10:39:22 -0600
Subject: [c-nsp] Odd MGCP issue with Caller-id
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AF7E4@LMC-MAIL2.exempla.org>

We have a Call Manager 4.1 setup, and are using a few 2851's with FXS cards (VIC-4FXS/DID=) as gateways using MGCP for Fax lines. Everything is (and has been) working fine, but we have been tracing down a problem where *some* destinations could not call these extensions (there wasn't a rhyme or reason we could see at first).

What we finally found was that it was based off the length of the *calling* name. If it was 15 characters or less in call manager, it would work, but 16+ would not (they'd get a reorder tone).
The relevant debug logs are as follows:

Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9324):[lvl=1]mode == VALIDATE cid =<09/04/09/46,24671,Ken Matlock Test Test Test>
Sep 4 09:46:38 MDT: //-1/xxxxxxxxxxxx/MGCP/mgcp_parse_cid_str(5889):[lvl=2]time=<09/04/09/46 > num=<24671> name=
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9337):[lvl=0]-- Country code = US
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9362):[lvl=1]-- Caller Id type = 1
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9424):[lvl=0]-- returns code = 54
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//process_start_signal(4062):[lvl=2]process_start_signal(): FAIL with rc: 54, need to reject the whole list

And

Sep 4 09:46:38 MDT: MGCP Packet sent to 172.18.164.136:2427--->
510 100502 unsupported caller id length
<---

I've done numerous searches on those errors, and checked the bug toolkit for both IOS versions we've tried (12.4(20)T and 12.4(21)) and no luck. Tried the 'caller-id block' on the port (but since it's not incoming on the FXS port I didn't think it'd help anyway).

While we CAN go into Callmanager and shorten all the stations with 16+ character display names, I'd hate to have to go to that trouble if I can help it. Is there a way to increase that limit, or is that a hard-set in either the FXS cards, or MGCP?

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

From greg at ip-man.net Thu Sep 4 12:39:43 2008
From: greg at ip-man.net (Gregoire Huet)
Date: Thu, 04 Sep 2008 18:39:43 +0200
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
In-Reply-To:
References: <48BFFC15.2020200@ip-man.net>
Message-ID: <48C00F4F.2040505@ip-man.net>

Church, Charles wrote:
> Is it possible you're trying to boot an IOS version that doesn't support
> that chassis?
> I'm sure there is a minimum version for a 7604, and I'm
> sure it's more recent than the minimum for the 6500 it came out of.

I'm trying to boot c7600s72033-advipservicesk9-mz.122-33.SRC1.bin

By the way, I have the trace of the booting process:

rommon 7 > reset

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

rommon 1 > boot disk0:
Initializing ATA monitor library...
string is disk0:c7600s72033-advipservicesk9-mz.122-33.SRC1.bin
Loading image, please wait ...
Initializing ATA monitor library...

*** Illegal Opcode Exception ***
PC = 0x80102ae4, Cause = 0x28, Status Reg = 0x30409003
monitor: command "boot" aborted due to exception
rommon 2 >

Thank you

Greg

From jp at saucer.midcoast.com Thu Sep 4 12:00:37 2008
From: jp at saucer.midcoast.com (jp)
Date: Thu, 4 Sep 2008 12:00:37 -0400
Subject: [c-nsp] Surge protection on leased lines
In-Reply-To:
References: <48B2D0FF.9090809@west.net>
Message-ID: <20080904160037.GA21273@saucer.midcoast.com>

Usually our Telco has gas/carbon arrestors at the NID and they differ for pots or T1 as T1 is higher voltage. Make sure your nid, smartbox, router are all grounded together and to the electrical system ground. I suspect they are not if current is flowing in and damaging your wic. I know APC made some ptel series arrestors for T1/ISDN usage for protecting the twisted pairs when the rj45/48 interfaces are used. I have these and they are good. Too bad you don't have access to that.

On Mon, Aug 25, 2008 at 06:05:07PM +0200, Brian Turnbow wrote:
> Thanks for the response.
> They are external csus but they are "telco property" and they don't want us to touch them.
> We have asked several times that they install protection coming into the building but no go...
> They install a remote powered integrated shdsl modem/csu in an all plastic housing and the only place we
> Have been able to connect a ground is to the v.35 mount on the integrated csu.
> No help there.
> Lightning strike = burned modem/csu = burned wic
> The v.35 protector would be a try to at least save our wic cards and costs of dispatching a Tech
> for every passing storm.
>
>
> Brian
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
> Sent: Monday, 25 August 2008 17.34
> To: Cisco Mailing list
> Subject: Re: [c-nsp] Surge protection on leased lines
>
> Brian Turnbow wrote:
> > Hello,
> >
> > We have several customers that are having problems every time a storm
> > goes through.
> > Our national telco company seems to offer no lightning protection on
> > their lines, and every storm causes a line outage and burns up the
> > attached wic.
> > We've made sure the chassis are grounded, but would also like to try
> > and install a surge protection between the v.35 interface of the telco
> > and our CPEs.
> > I see that Cisco offers a surge protection cable for smart serial
> > interfaces, but not for classic serial interfaces.
> > I wanted to ask what others would recommend / experiences regarding surge
> > protection on leased lines.
>
> This is an external CSU?
>
> I think you want it between the telco smartjack and the CSU, not on the
> v.35. This should be two pairs of wires.
>
> First thing to do is ensure that the telco smartjack, the CSU, and the
> router are solidly connected to a common ground, as this may be the
> source of the problem if the sneak current is not coming across the
> leased line.
>
> There are a number of companies making lightning protectors for twisted
> pair lines, Reliable Electric and Polyphaser are two.
>
> But, triple-check the grounding first because if it's common-mode across
> a ground differential the protectors won't help.
>
> -- 
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

-- 
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From blahu77 at gmail.com Thu Sep 4 13:00:01 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 4 Sep 2008 18:00:01 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
Message-ID: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com>

List,

One of our Edge Routers (NPE-G1, 12.2(28)SB6) (1 Transit, 100+ peerings) is running on constant ~60% utilization. When BGP scanner kicks in, it peaks up at 80%.

The box routes around
- input rate 429,009,000 bits/sec, 64,257 packets/sec
- output rate 276,711,000 bits/sec, 61,002 packets/sec

=======================================================
edge#sh proc cpu sorted
CPU utilization for five seconds: 59%/59%; one minute: 62%; five minutes: 61% <---------!!!
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  25   264428400  1898122167     139  0.15%  0.38%  0.31%   0 ARP Input
  62   223206572  1093370453     204  0.15%  0.15%  0.15%   0 IP Input
  35    66326072    13016133    5095  0.07%  0.11%  0.08%   0 Net Background
 181   470863980   365252356    1289  0.07%  0.10%  0.09%   0 BGP Router
   5      227768      783058     290  0.00%  0.00%  0.00%   0 Pool Manager
=======================================================

Most of it is on the Interrupts...

I was checking the cef switching which led me to the ACL on the port....

=======================================================
edge#sh ip cef switching statistics
       Path           Reason                          Drop       Punt  Punt2Host
RP LES Packet destined for us                            0  140529659          0
RP LES Unresolved route                              10984          0          0
RP LES Features                                         92          0          0
RP LES Total                                         11076  140529659          0

RP PAS No route                                      92517          0         73
RP PAS Packet destined for us                            0  140529751          0
RP PAS No adjacency                                 431407          0     356877
RP PAS Incomplete adjacency                          61069          0        479
RP PAS Unresolved route                            9035960          0          0
RP PAS Bad checksum                                 118268          0          0
RP PAS TTL expired                                       0          0  407737419
RP PAS IP options set                                    0          0     221250
RP PAS Bad IP packet length                            288          0          0
RP PAS Routed to Null0                              782828          0        188
RP PAS Features                                  107260019          0   47245292 <--------------!!!!
RP PAS Total                                     117782356  140529751  455561578

All    Total                                     117793432  281059410  455561578

edge#sh ip cef switching statistics feature
IPv4 CEF input features:
       Path   Feature                        Drop    Consume       Punt  Punt2Host Gave route
RP LES CAR                                     92          0          0          0          0
RP PAS Access List                       91374396          0          0   47245296          0 <--------------!!!!
RP PAS CAR                               15885623          0          0          0          0
Total                                   107260111          0          0   47245296          0

IPv4 CEF output features:
       Path   Feature                        Drop    Consume       Punt  Punt2Host    New i/f
Total                                           0          0          0          0          0

IPv4 CEF post-encap features:
       Path   Feature                        Drop    Consume       Punt  Punt2Host    New i/f
Total                                           0          0          0          0          0
=======================================================

I see that a lot of Punted packets go to CPU "because of" the ACL...

On the port I have inbound ACL to protect the infrastructure and filter off rogue, bogus packets... For most of the entries it is quite generic - i.e.
deny ip src dst, but for some lines explicitly lists tcp and udp ports.

My question is - could this (tcp, udp ports) force the router to execute the ACL in CPU?
Or is it something else?

Thanks in advance for any pointers

PS. Sorry if that topic was munched many times and I just add to the chaos...

Best Regards,

-- 
-mat

From mathias.spoerr at at.ibm.com Thu Sep 4 09:43:46 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Thu, 4 Sep 2008 15:43:46 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904112344.GA2758@whitechalk.dfinet.ch>
References: <20080904112344.GA2758@whitechalk.dfinet.ch>
Message-ID:

maybe the ASR 100x router is more suitable for you.

Mathias

From: Philippe Strauss
To: Cisco NSP
Date: 04.09.2008 14:48
Subject: [c-nsp] c7604 "starter kit"

Hello c-nsp,

For a small ISP who need to get a routing gear much more resistant to DDoS than 7200 NPE-G1/2 (with a bit over 400kpps on a POS OC3 on a G2, the router is at 100% CPU, probably better on ethernet but...), what is the entry level 7600?

I'm new to the convoluted world of hardware routing :-)

chassis 7604?
3bxl or 3cxl?
sup720 or rsp720?
linecard: what are the SPA? distributed forwarding? we don't need it a priori.
there is a 6 gbic port (2+4) with PXF, what is this beast? probably something to avoid.
I've heard once upon a time a 8 port GigE linecard was available and not anymore. will the 8 port fixed GigE (not 10/100 but only 1000) of the cat6500 line work in a c7600?
We don't need 20 ports and that's a bit expensive.
All port must do layer3, of course.
Full BGP table, many times (3 full peer plus 100 local peerings w few prefixes).

TIA!
-- 
Philippe Strauss
http://philou.ch

From rubensk at gmail.com Thu Sep 4 13:01:53 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 4 Sep 2008 14:01:53 -0300
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904132355.GA17595@mx.ytti.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net>
Message-ID: <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com>

> You might also look at ASR1k as next-gen PE to replace VXR. 7600 has
> limitation in hardware, especially in terms of IPv6 (no IPv6 uRPF, lookup
> key size has compromises in ACL usage and others). When you compare
> 7600 with SIP/SPA, ASR1k is even cheaper solution and much more flexible.
> One thing to notice is that ASR1k does not currently have EoMPLS support
> in any software, but other than that, all generally used features
> are supported.
> If I'd need non-ethernet interfaces, vlan local significance or HQoS and
> I wouldn't need EoMPLS, I'd definitely go with ASR1k rather than 7600.

Can an ASR1k handle 3 full-routing transit feeds and a hundred peers? Would it require ESP5 or ESP10?

On the MPLS side, beside EoMPLS, can it do MPLS L3 VPN and MPLS-TE?
Rubens

From saku+cisco-nsp at ytti.fi Thu Sep 4 13:09:28 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 4 Sep 2008 20:09:28 +0300
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com>
Message-ID: <20080904170928.GA23309@mx.ytti.net>

On (2008-09-04 14:01 -0300), Rubens Kuhl Jr. wrote:

> Can an ASR1k handle 3 full-routing transit feeds and a hundred peers?

Yes.

> Would it require ESP5 or ESP10?

Shouldn't make difference other than capacity wise.

> On the MPLS side, beside EoMPLS, can it do MPLS L3 VPN and MPLS-TE?

L3 VPN yes, TE not sure.

-- 
  ++ytti

From kratzers at pa.net Thu Sep 4 14:56:01 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Thu, 4 Sep 2008 14:56:01 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com>
Message-ID: <200809041456.01591.kratzers@pa.net>

On Thursday 04 September 2008 13:00:01 Mateusz Błaszczyk wrote:
> My question is - could this (tcp, udp ports) force the router to
> execute the ACL in CPU?
> Or is it something else?

The 'log' keyword will cause matching packets to not be CEF switched. Also, if you're denying a lot of traffic from a certain source, you might want to just bit-bucket it rather than sending ICMP responses.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.
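The two things worth automating from this exchange are reading the `sh ip cef switching statistics feature` table Mateusz posted (to see which feature is punting packets to the CPU, and how much of that feature's non-forwarded traffic is punted rather than dropped) and checking an ACL for the `log`/`log-input` keywords Stephen mentions, since matches on a logged entry are process-switched. The script below is an added example, not code posted by anyone on the list and not anything Cisco ships. The counter values are copied from the original post (with the `<---` markers removed); the ACL is a constructed sample used to show the check firing, and Mateusz said his own ACL has no `log` entries.

```python
"""Triage helpers for a CEF punt investigation on IOS (added example).

Parses the 'IPv4 CEF input features' table of 'sh ip cef switching
statistics feature' and scans an IOS extended ACL for entries whose
'log' / 'log-input' keyword takes matching packets off the CEF path.
"""
import re

# Sample output shaped like the poster's; numbers copied from the thread.
CEF_FEATURE_OUTPUT = """\
IPv4 CEF input features:
       Path   Feature                        Drop    Consume       Punt  Punt2Host Gave route
RP LES CAR                                     92          0          0          0          0
RP PAS Access List                       91374396          0          0   47245296          0
RP PAS CAR                               15885623          0          0          0          0
Total                                   107260111          0          0   47245296          0

IPv4 CEF output features:
       Path   Feature                        Drop    Consume       Punt  Punt2Host    New i/f
Total                                           0          0          0          0          0
"""

# One data row: forwarding path ("RP LES" / "RP PAS"), a feature name, five counters.
FEATURE_ROW = re.compile(
    r"^(?P<path>RP \w+)\s+(?P<feature>[A-Za-z][A-Za-z0-9 ]*?)\s+"
    r"(?P<drop>\d+)\s+(?P<consume>\d+)\s+(?P<punt>\d+)\s+(?P<punt2host>\d+)\s+(?P<gave>\d+)\s*$"
)
COUNTERS = ("drop", "consume", "punt", "punt2host")


def parse_cef_input_features(text):
    """Return the rows of the 'IPv4 CEF input features' table as a list of dicts."""
    rows, in_section = [], False
    for line in text.splitlines():
        if line.startswith("IPv4 CEF input features"):
            in_section = True
            continue
        if line.startswith("IPv4 CEF"):          # next section (output/post-encap): stop
            in_section = False
        if not in_section:
            continue
        m = FEATURE_ROW.match(line)              # the 'Total' line has no RP path and is skipped
        if m:
            row = {"path": m.group("path"), "feature": m.group("feature").strip()}
            row.update({k: int(m.group(k)) for k in COUNTERS})
            rows.append(row)
    return rows


def punt_summary(rows):
    """Aggregate counters per feature across paths and add 'punt_share', the
    fraction of the feature's non-forwarded packets that went to the CPU
    (Punt2Host) instead of being dropped in the fast path."""
    summary = {}
    for row in rows:
        agg = summary.setdefault(row["feature"], {k: 0 for k in COUNTERS})
        for k in COUNTERS:
            agg[k] += row[k]
    for agg in summary.values():
        handled = agg["drop"] + agg["punt2host"]
        agg["punt_share"] = agg["punt2host"] / handled if handled else 0.0
    return summary


def top_punting_feature(rows):
    """Name of the feature with the most Punt2Host packets, or None if nothing punts."""
    summary = punt_summary(rows)
    if not summary:
        return None
    feature, agg = max(summary.items(), key=lambda kv: kv[1]["punt2host"])
    return feature if agg["punt2host"] else None


# Constructed sample ACL (not the poster's); line 3 carries a 'log' keyword.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny tcp any host 192.0.2.1 eq 179 log
 deny udp any any eq 161
 permit ip any any
"""

# 'log' and 'log-input' (optionally followed by a cookie word) make IOS
# process-switch every matching packet instead of CEF-switching it.
PROCESS_SWITCH_KEYWORDS = {"log", "log-input"}


def find_logged_aces(acl_text):
    """Return (line_number, entry) for every permit/deny entry carrying a log keyword.
    A leading sequence number, as printed by 'show access-lists', is ignored."""
    hits = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]
        if tokens and tokens[0] in ("permit", "deny") and PROCESS_SWITCH_KEYWORDS & set(tokens[1:]):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    rows = parse_cef_input_features(CEF_FEATURE_OUTPUT)
    for feature, agg in punt_summary(rows).items():
        print(f"{feature:12s} drop={agg['drop']:>10d} punt2host={agg['punt2host']:>10d} "
              f"punt share={agg['punt_share']:.1%}")
    print("top punting feature:", top_punting_feature(rows))
    for n, ace in find_logged_aces(SAMPLE_ACL):
        print(f"line {n}: {ace}  <- process-switched")
```

On the posted numbers the Access List feature accounts for all 47 million punts, and about a third of the packets it handled went to the CPU rather than being dropped in the fast path, which is the ratio to watch after any ACL change. The ACL scan is a pre-commit check for the one cause Stephen names; it deliberately reports nothing for an ACL like the poster's that has no logged entries.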
From blahu77 at gmail.com Thu Sep 4 15:12:12 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 4 Sep 2008 20:12:12 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <200809041456.01591.kratzers@pa.net>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net>
Message-ID: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com>

2008/9/4 Stephen Kratzer :

> The 'log' keyword will cause matching packets to not be CEF switched.

nope, log is not present.

> Also, if
> you're denying a lot of traffic from a certain source, you might want to just
> bit-bucket it rather than sending ICMP responses.

you mean - "no ip unreachables"?

-- 
-mat

From petelists at templin.org Thu Sep 4 15:44:09 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 04 Sep 2008 14:44:09 -0500
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <1220545759.13061.9.camel@abehat>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <48BFE34C.30106@memetic.org> <1220545759.13061.9.camel@abehat>
Message-ID: <48C03A89.2080706@templin.org>

Peter Rathlev wrote:
> On Thu, 2008-09-04 at 14:31 +0100, Adam Armstrong wrote:
>> On Thu, 2008-09-04 at 13:23 +0200, Philippe Strauss wrote:
>>> I've heard once upon a time a 8 port GigE linecard was available and
>>> not anymore. will the 8 port fixed GigE (not 10/100 but only 1000) of
>>> the cat6500 line work in a c7600?

> C7600/SRC supports the WS-X6708-10G-3C{,XL}. The 16 port WS-X6716-10G-3C
> is 6500 only though.

He said 8GE, not 8XE.
pt

From kratzers at pa.net Thu Sep 4 15:46:23 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Thu, 4 Sep 2008 15:46:23 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com>
Message-ID: <200809041546.23959.kratzers@pa.net>

On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> 2008/9/4 Stephen Kratzer :
> > The 'log' keyword will cause matching packets to not be CEF switched.
>
> nope, log is not present.
>
> > Also, if
> > you're denying a lot of traffic from a certain source, you might want to
> > just bit-bucket it rather than sending ICMP responses.
>
> you mean - "no ip unreachables"?

You could match the access list in a route map and set the outbound interface to Null0.

From peter at rathlev.dk Thu Sep 4 15:56:45 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 04 Sep 2008 21:56:45 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <48C03A89.2080706@templin.org>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <48BFE34C.30106@memetic.org> <1220545759.13061.9.camel@abehat> <48C03A89.2080706@templin.org>
Message-ID: <1220558205.7247.4.camel@abehat>

On Thu, 2008-09-04 at 14:44 -0500, Pete Templin wrote:
> Peter Rathlev wrote:
> > On Thu, 2008-09-04 at 14:31 +0100, Adam Armstrong wrote:
> > >> On Thu, 2008-09-04 at 13:23 +0200, Philippe Strauss wrote:
> > >>> I've heard once upon a time a 8 port GigE linecard was available and
> > >>> not anymore. will the 8 port fixed GigE (not 10/100 but only 1000) of
> > >>> the cat6500 line work in a c7600?
> >
> > C7600/SRC supports the WS-X6708-10G-3C{,XL}. The 16 port WS-X6716-10G-3C
> > is 6500 only though.
>
> He said 8GE, not 8XE.
Yes, OP did, but my comment was a response to Adam's mail, mentioning "There are some cards which won't, such as the 8 port 10GE card.". I don't know the 8 GE card, maybe I should've been more clear in my mail.

Regards,
Peter

From Anton.Schweitzer at o2.com Thu Sep 4 16:03:18 2008
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Thu, 4 Sep 2008 22:03:18 +0200
Subject: [c-nsp] Anton Schweitzer is out of the office.
Message-ID:

I will be out of the office from 12.08.2008. I will be back on 13.10.2008. Please contact my supervisor Florian Schwarz

From acidutu at hotmail.com Thu Sep 4 16:04:23 2008
From: acidutu at hotmail.com (hawk98 TheHawk)
Date: Thu, 4 Sep 2008 20:04:23 +0000
Subject: [c-nsp] (no subject)
Message-ID:

Hello All,

We're noticing a large number of input errors on multiple GigE interfaces on various C720X NPE-G1 routers. These input errors match exactly with the number of overruns on those interfaces. There are a couple strange things that we've noticed:

1. this problem happens on more than 1 router (similar configuration on all routers)
2. all routers affected began exhibiting these errors roughly around the same time (same early morning)
3. All routers are G1 and ran the same IOS code
4. One of the routers was rebooted and upgraded to a different code however the problem still persists
5. we suspect it directly affects the functionality of the router as we see random lockups of the units
6. All routers are connected to redundant switches and cabling/switches have been ruled out.
Below is a sample output of the show interface on one of the routers:

GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
  Description: XXXXXXXX
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 2/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of 'show interface' counters never
  Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 8539000 bits/sec, 10996 packets/sec
  5 minute output rate 1905000 bits/sec, 807 packets/sec
     139728650 packets input, 10628478461 bytes, 92 no buffer
     Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
     171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
     0 watchdog, 1904930 multicast, 0 pause input
     0 input packets with dribble condition detected
     8125773 packets output, 2521690484 bytes, 0 underruns
     2 output errors, 0 collisions, 1 interface resets
     3842 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Does anyone have any idea what might be going on? I initially suspected an IOS bug (since all devices were affected) however after the upgrade the problem still persists.

Any help is appreciated.
Adrian

From cchurc05 at harris.com Thu Sep 4 16:12:58 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 4 Sep 2008 15:12:58 -0500
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
In-Reply-To: <48C00F4F.2040505@ip-man.net>
References: <48BFFC15.2020200@ip-man.net> <48C00F4F.2040505@ip-man.net>
Message-ID: 

I would think that should support a 7604 chassis. Any chance the IOS is corrupt on the flash? Or the Monlib isn't right. Can you put the card in a working 6500 and verify the IOS image (MD5) and verify via 'show disk0 all' that the monlib stuff is right?

Chuck

-----Original Message-----
From: Gregoire Huet [mailto:greg at ip-man.net]
Sent: Thursday, September 04, 2008 12:40 PM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Moving Sup720 from cat6k to 7600

Church, Charles wrote :
> Is it possible you're trying to boot an IOS version that doesn't support
> that chassis? I'm sure there is a minimum version for a 7604, and I'm
> sure it's more recent than the minimum for the 6500 it came out of.

I'm trying to boot c7600s72033-advipservicesk9-mz.122-33.SRC1.bin

By the way, I have the trace of the booting process:

rommon 7 > reset

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

rommon 1 > boot disk0:
Initializing ATA monitor library...
string is disk0:c7600s72033-advipservicesk9-mz.122-33.SRC1.bin
Loading image, please wait ...
Initializing ATA monitor library...
*** Illegal Opcode Exception ***
PC = 0x80102ae4, Cause = 0x28, Status Reg = 0x30409003
monitor: command "boot" aborted due to exception
rommon 2 >

Thank you
Greg

From gm at wavegard.com Thu Sep 4 16:49:49 2008
From: gm at wavegard.com (Grant Moerschel)
Date: Thu, 4 Sep 2008 15:49:49 -0500
Subject: [c-nsp] VoIP classifying and queuing in an access switch <--> core Layer 2 network
Message-ID: <71BC8F601C01554CA7410616B26C50D1016703CD@mail-37ps.atlarge.net>

In an access switch to core where the connections are Layer 2, what is the best method to a) classify VoIP traffic as it enters the access switch and b) prioritize it via some queuing mechanism as it traverses the trunk going to the core? Does anyone have sample configs for something like this?

PC <-> phone <-> access switch <-> core switch. Priority to VoIP traffic on trunks.

Thanks

~~~~
Grant P. Moerschel
gm -at- wavegard -dot- com
~~~~

From jdevane at nevadanap.com Thu Sep 4 17:36:46 2008
From: jdevane at nevadanap.com (Jim Devane)
Date: Thu, 4 Sep 2008 14:36:46 -0700
Subject: [c-nsp] vtp domain mindef
Message-ID: <10188D798B596E4585DEAEAC62596D2309D57FDA@WATERFORD.switchnet.nv>

Hello,

We observed something interesting. A 6509, IOS, 720-3BXL, 12.2-18 SXF suddenly dumped its vlan.dat. It sounds like a classic case of inserting a switch with a higher VTP rev config but that was not the case. No network changes either physical or virtual took place (syslog and ACS confirmed).

The interesting part: the switch had no VTP domain previously defined. Somewhat magically, vtp domain mindef appeared in the config. This was never configured by a user, also syslog and ACS confirmed.

Has anyone heard of mindef as a default of some sort for VTP domains? Anyone heard of something like this happening?
thanks,
jim

From j0nneblaze at gmail.com Thu Sep 4 19:06:56 2008
From: j0nneblaze at gmail.com (Matt Schlotman)
Date: Thu, 4 Sep 2008 16:06:56 -0700
Subject: [c-nsp] IOS 12.2(18)SXF14
In-Reply-To: 
References: 
Message-ID: 

On Thu, Sep 4, 2008 at 1:30 PM, Matt Schlotman wrote:
> I have a Cisco 6509 with a WS-SUP720-3BXL that came with 12.2(18)SXF14 as
> the version of IOS. Can anyone recommend if I should continue to run this
> version or if I should go with an older, tested version such as SXF11?
>

From achatz at forthnet.gr Thu Sep 4 19:11:02 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 05 Sep 2008 02:11:02 +0300
Subject: [c-nsp] vtp domain mindef
In-Reply-To: <10188D798B596E4585DEAEAC62596D2309D57FDA@WATERFORD.switchnet.nv>
References: <10188D798B596E4585DEAEAC62596D2309D57FDA@WATERFORD.switchnet.nv>
Message-ID: <48C06B06.40204@forthnet.gr>

I don't know what mindef is, but a switch with a null vtp domain (which is the default) will get the vtp domain of another switch (server or client) through any trunk link.

--
Tassos

Jim Devane wrote on 05/09/2008 00:36:
> Hello,
>
> We observed something interesting. A 6509, IOS, 720-3BXL, 12.2-18 SXF suddenly dumped its vlan.dat. It sounds like a classic case of inserting a switch with a higher VTP rev config but that was not the case. No network changes either physical or virtual took place (syslog and ACS confirmed)
> The interesting part. The switch had no VTP domain previously defined. Somewhat magically, vtp domain mindef appeared in the config. This was never configured by a user also syslog and ACS confirmed.
>
> Has anyone heard of mindef as a default of some sort for VTP domains? Anyone heard of something like this happening?
>
>
> thanks,
> jim
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From overkillxx at gmail.com Thu Sep 4 19:52:05 2008
From: overkillxx at gmail.com (Brett Clausenhauf)
Date: Fri, 5 Sep 2008 09:52:05 +1000
Subject: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
In-Reply-To: <20080904080208.GA17238@greenie.muc.de>
References: <200809040227.m842RBGe015086@groupstudy.com> <20080904062227.GP233@greenie.muc.de> <20080904080208.GA17238@greenie.muc.de>
Message-ID: 

Hi Gert,

I've since tried other ports (Port 23 for example) & it still does the same thing. This has got me stumped... I cannot figure out why it needs the group command to stay working.

On Thu, Sep 4, 2008 at 6:02 PM, Gert Doering wrote:
> Hi,
>
> On Thu, Sep 04, 2008 at 05:49:31PM +1000, Brett Clausenhauf wrote:
> > Unfortunately this is doubtful. The web server is literally just configured
> > & is not logging. Regards,
>
> By default, most webservers *do* log...
>
> As I said, this was just a stab in the dark - run tcpdump (or wireshark)
> on the server to see what sort of outgoing connections it does.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW! // www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
>

From danletkeman at gmail.com Thu Sep 4 20:07:57 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 4 Sep 2008 19:07:57 -0500
Subject: [c-nsp] Recommended 2800 ISR
Message-ID: 

I was wondering if anyone has recommendations for a 2800 series router for a 20-30mbit internet connection. I would like to run a firewall IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?

Thanks,
Dan.

From streiner at cluebyfour.org Thu Sep 4 20:39:06 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 4 Sep 2008 20:39:06 -0400 (EDT)
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To: 
References: 
Message-ID: 

On Thu, 4 Sep 2008, Dan Letkeman wrote:
> I was wondering if anyone has recommendations for a 2800 series router
> for a 20-30mbit internet connection. I would like to run a firewall
> IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?

If you're not running BGP with full feeds, you *might* be able to get away with a 2811, given that you're running IOS firewall and NAT as well, but you probably wouldn't have much headroom for growth, or if you decide you need additional features in the future (Netflow, QoS, routing protocols, etc).

jms

From ben.steele at internode.on.net Thu Sep 4 20:41:11 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 5 Sep 2008 10:11:11 +0930
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To: 
References: 
Message-ID: <00ab01c90ef0$18983d20$49c8b760$@steele@internode.on.net>

If you don't plan on expanding that 20-30Mbit too much in the future even a 2801 will handle that fairly comfortably; the main killer in your list is the IOS firewall, the rest would have been CEF switched. I've done between 20-30Mbit on a 2801 with all the below running with no issues before; a 2811 would definitely handle it ok.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, 5 September 2008 9:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Recommended 2800 ISR

I was wondering if anyone has recommendations for a 2800 series router for a 20-30mbit internet connection. I would like to run a firewall IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?

Thanks,
Dan.
From giulianocm at uol.com.br Thu Sep 4 20:43:05 2008
From: giulianocm at uol.com.br (GIULIANO (UOL))
Date: Thu, 04 Sep 2008 21:43:05 -0300
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To: 
References: 
Message-ID: <48C08099.6060908@uol.com.br>

Dan,

Yes. It is a good choice.

Take a look:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

It's an initial guide for router performance.

Att,

Giuliano

> I was wondering if anyone has recommendations for a 2800 series router
> for a 20-30mbit internet connection. I would like to run a firewall
> IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?
>
> Thanks,
> Dan.

From ariemer at wesenergy.com.au Thu Sep 4 21:00:24 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 5 Sep 2008 09:00:24 +0800
Subject: [c-nsp] Dashboard Network Monitoring Software
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,

Aaron.
From acidutu at hotmail.com Thu Sep 4 21:11:41 2008
From: acidutu at hotmail.com (The Hawk)
Date: Fri, 5 Sep 2008 01:11:41 +0000
Subject: [c-nsp] C720X NPE-G1 - interface errors + router freezes
Message-ID: 

Forgot to add a subject line last time... Sorry for the double post... some additional info has also been added inline.

Hello All,

We're noticing a large number of input errors on multiple GigE interfaces on various C720X NPE-G1 routers. These input errors match exactly with the number of overruns on those interfaces. I wouldn't be so concerned about the errors if other strange things were not happening on the routers (such as frequent lockups and frequent eigrp drops). At this point they go hand in hand however we need to pinpoint the origin of the problems and it hasn't been easy.

These are a couple strange things that we've noticed:

1. this problem happens on more than 1 router (similar configuration on all routers)
2. all routers affected began exhibiting these errors roughly around the same time (same early morning)
3. All routers are G1 and ran the same IOS code (12.4.12)
4. One of the routers was rebooted and upgraded to a different code however the problem still persists (12.4.21)
5. we suspect it directly affects the functionality of the router as we see random lockups of the units (which may be the cause of the increased errors not the result of)
6. All routers are connected to redundant switches and cabling/switches have been ruled out.
Below is a sample output of the show interface on one of the routers:

GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
  Description: XXXXXXXX
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 2/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of 'show interface' counters never
  Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 8539000 bits/sec, 10996 packets/sec
  5 minute output rate 1905000 bits/sec, 807 packets/sec
     139728650 packets input, 10628478461 bytes, 92 no buffer
     Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
     171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
     0 watchdog, 1904930 multicast, 0 pause input
     0 input packets with dribble condition detected
     8125773 packets output, 2521690484 bytes, 0 underruns
     2 output errors, 0 collisions, 1 interface resets
     3842 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Does anyone have any idea what might be going on?

I initially suspected an IOS bug (since all devices were affected) however after the upgrade the problem still persists.

Any help is appreciated.
Adrian

From zeusdadog at gmail.com Thu Sep 4 21:17:44 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Thu, 4 Sep 2008 21:17:44 -0400
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To: <48C08099.6060908@uol.com.br>
References: <48C08099.6060908@uol.com.br>
Message-ID: <9418aca70809041817j33a453adp45a8c5eb39d27a93@mail.gmail.com>

What about going with an ASA? Much more performance for the money. But it depends on what all you want to do on the router. IOS is a lot more flexible on what you can do.

On Thu, Sep 4, 2008 at 8:43 PM, GIULIANO (UOL) wrote:
>
> http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
>

Speaking of performance guides, does anyone know if there are any documents like that one that are a little more up to date and include performance numbers for some of the switches that do L3 routing? I use that PDF all the time but wished it was updated more often.

From rmg at conviva.com Thu Sep 4 21:47:22 2008
From: rmg at conviva.com (Robert Gutierrez)
Date: Thu, 4 Sep 2008 18:47:22 -0700 (PDT)
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904170928.GA23309@mx.ytti.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net>
Message-ID: <014301c90ef9$5a698480$500a10ac@ranma>

I tried to sell management here a dual ASR1003 + distro (4900M based), but 10G distro is still just too much! TOR's still had to be 10G connected from the 4900M, and that's a hell of a lot of X2's to buy on top of that. Yeah, I could have bought the 20 port GE card for the 4900M for now, but Taiwan has the single-lane 10G switches coming next year, and I just don't feel that Cisco will drop prices then on X2's or SFP+'s to give me long-term confidence, pricing wise. I might as well do an ASR1003 + 4948-10G as the distro to 2960G's.
Ugh, el-cheapo!

So I did a pair of 7606's, 3CXL (taking full routes) and a 6748-GE-TX port-channeled to the TOR's. Cisco has 10G locked up for now, but that prices small shops like us out. And also makes sure we *will* go with 3rd party next year, locking out Cisco except for the core.

I mean it's not like when I worked at MSN and had zillions to spend on even small lab networks. I have a real budget now. And Cisco is a very hard pill to swallow on a real budget.

At least I didn't suggest Vyatta/Quagga on a Dell server feeding Dell switches :P

Rob Gutierrez / Sr. Network Engineer
Conviva Inc, San Mateo, CA

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Thursday, September 04, 2008 10:09 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] c7604 "starter kit"

On (2008-09-04 14:01 -0300), Rubens Kuhl Jr. wrote:
> Can an ASR1k handle 3 full-routing transit feeds and a hundred peers ?

Yes.

> Would it require ESP5 or ESP10 ?

Shouldn't make difference other than capacity wise.

> On the MPLS side, beside EoMPLS, can it do MPLS L3 VPN and MPLS-TE ?

L3 VPN yes, TE not sure.

--
++ytti

From nick.geyer at eds.com Thu Sep 4 21:49:35 2008
From: nick.geyer at eds.com (Geyer, Nick)
Date: Fri, 5 Sep 2008 11:49:35 +1000
Subject: [c-nsp] C720X NPE-G1 - interface errors + router freezes
In-Reply-To: 
References: 
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA03C7E2A7@aubwm232.apac.corp.eds.com>

I have seen issues like you mention creep up on NPE-G1's that have been in service for a while. It all starts with a few input errors here and there and progressively gets worse. Reseating the NPE seems to clear up all the issues and it starts chugging along happily again.
Possibly worth a try on one of your routers to see if it makes a difference.

Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of The Hawk
Sent: Friday, 5 September 2008 11:12 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] C720X NPE-G1 - interface errors + router freezes

Forgot to add a subject line last time... Sorry for the double post... some additional info has also been added inline.

Hello All,

We're noticing a large number of input errors on multiple GigE interfaces on various C720X NPE-G1 routers. These input errors match exactly with the number of overruns on those interfaces. I wouldn't be so concerned about the errors if other strange things were not happening on the routers (such as frequent lockups and frequent eigrp drops). At this point they go hand in hand however we need to pinpoint the origin of the problems and it hasn't been easy.

These are a couple strange things that we've noticed:

1. this problem happens on more than 1 router (similar configuration on all routers)
2. all routers affected began exhibiting these errors roughly around the same time (same early morning)
3. All routers are G1 and ran the same IOS code (12.4.12)
4. One of the routers was rebooted and upgraded to a different code however the problem still persists (12.4.21)
5. we suspect it directly affects the functionality of the router as we see random lockups of the units (which may be the cause of the increased errors not the result of)
6. All routers are connected to redundant switches and cabling/switches have been ruled out.
Below is a sample output of the show interface on one of the routers:

GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
  Description: XXXXXXXX
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 2/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of 'show interface' counters never
  Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 8539000 bits/sec, 10996 packets/sec
  5 minute output rate 1905000 bits/sec, 807 packets/sec
     139728650 packets input, 10628478461 bytes, 92 no buffer
     Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
     171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
     0 watchdog, 1904930 multicast, 0 pause input
     0 input packets with dribble condition detected
     8125773 packets output, 2521690484 bytes, 0 underruns
     2 output errors, 0 collisions, 1 interface resets
     3842 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Does anyone have any idea what might be going on?

I initially suspected an IOS bug (since all devices were affected) however after the upgrade the problem still persists.

Any help is appreciated.
Adrian

From danletkeman at gmail.com Thu Sep 4 22:01:36 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 4 Sep 2008 21:01:36 -0500
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To: <48C08099.6060908@uol.com.br>
References: <48C08099.6060908@uol.com.br>
Message-ID: 

I have read that document before, do those numbers (2811 - 61.44 Mbps CEF Fast switching) mean that it can process that bandwidth with nothing else running on the router?

On Thu, Sep 4, 2008 at 7:43 PM, GIULIANO (UOL) wrote:
> Dan,
>
> Yes. It is a good choice.
>
> Take a look:
>
> http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
>
> It's an initial guide for router performance.
>
> Att,
>
> Giuliano
>
>> I was wondering if anyone has recommendations for a 2800 series router
>> for a 20-30mbit internet connection. I would like to run a firewall
>> IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?
>>
>> Thanks,
>> Dan.
From mtinka at globaltransit.net Thu Sep 4 22:03:27 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 5 Sep 2008 10:03:27 +0800
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <014301c90ef9$5a698480$500a10ac@ranma>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904170928.GA23309@mx.ytti.net> <014301c90ef9$5a698480$500a10ac@ranma>
Message-ID: <200809051003.32163.mtinka@globaltransit.net>

On Friday 05 September 2008 09:47:22 Robert Gutierrez wrote:
> I tried to sell management here a dual ASR1003...

AFAIK, Cisco don't have a 3-slot model of the ASR1000. You probably meant the ASR1002 or ASR1004 :-).

Cheers,

Mark.

From acidutu at hotmail.com Thu Sep 4 22:06:16 2008
From: acidutu at hotmail.com (The Hawk)
Date: Fri, 5 Sep 2008 02:06:16 +0000
Subject: [c-nsp] C720X NPE-G1 - interface errors + router freezes
Message-ID: 

Hello Nick,

Thanks for your suggestion. I will try this one of these nights although I strongly believe that it will not solve this particular issue. As I mentioned in the original post, we have multiple NPE-G1s that all started experiencing the same issue on the same day (early morning around 4:00AM)....

I'm leaning towards some sort of attack that's happening on these routers to exploit a known vulnerability. I was really hoping that the IOS upgrade would have fixed that but no luck there. Based on interface reports these GigE interfaces are not pushing more than 10 - 40Mb of traffic through them ... if it is some sort of attack, it must be using small packets or once again, a known vulnerability is exploited.
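The counters quoted in this thread can be read mechanically. The following Python is an added example, not code from any of the posters: it parses a 'show interface' block, separates overruns (receiver could not keep up) from CRC/frame errors (damaged on the wire), and derives the average packet size from the 5-minute rates, which is the cheapest check of the small-packet hypothesis above. The first sample copies the thread's counters; the second uses made-up values for contrast; the 128-byte threshold and the tag names are assumptions.

```python
import re

# Constructed sample: the receive-side lines of the 'show interface' output
# quoted in the thread (GigabitEthernet0/1 on an NPE-G1), values unchanged.
NPE_G1_SAMPLE = """\
GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
  Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 8539000 bits/sec, 10996 packets/sec
  5 minute output rate 1905000 bits/sec, 807 packets/sec
     139728650 packets input, 10628478461 bytes, 92 no buffer
     Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
     171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
"""

# Second constructed sample (hypothetical values): the errors here are CRC and
# frame errors, i.e. a cabling/duplex/far-end problem, not a receiver falling behind.
LINE_ERROR_SAMPLE = """\
GigabitEthernet0/2 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 400000000 bits/sec, 40000 packets/sec
     98000000 packets input, 120000000000 bytes, 0 no buffer
     5200 input errors, 5100 CRC, 100 frame, 0 overrun, 0 ignored
"""

_COUNTERS = {
    "queue_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "input_bps": r"input rate (\d+) bits/sec",
    "input_pps": r"input rate \d+ bits/sec, (\d+) packets/sec",
    "packets_input": r"(\d+) packets input",
    "no_buffer": r"(\d+) no buffer",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "overrun": r"(\d+) overrun",
    "ignored": r"(\d+) ignored",
}


def parse_show_interface(text):
    """Pull the receive-side counters out of one 'show interface' block.

    Returns a dict of ints; a counter the output does not contain is None.
    """
    m = re.match(r"(\S+) is \S+, line protocol is \S+", text)
    counters = {"interface": m.group(1) if m else None}
    for name, pattern in _COUNTERS.items():
        hit = re.search(pattern, text)
        counters[name] = int(hit.group(1)) if hit else None
    return counters


def assess_input_errors(text, small_packet_bytes=128):
    """Classify where an interface's input errors come from.

    overrun/ignored: the receiver could not hand packets to its buffers in time.
    CRC/frame: the frames arrived damaged, so look at the line, not the router.
    Average packet size comes from the 5-minute rates (bits/8 per packet), so the
    'small packets' question can be answered without a capture. The threshold
    small_packet_bytes is an assumed value, not something the thread states.
    """
    c = parse_show_interface(text)
    errors = c["input_errors"] or 0
    overruns = (c["overrun"] or 0) + (c["ignored"] or 0)
    line = (c["crc"] or 0) + (c["frame"] or 0)
    pps = c["input_pps"] or 0
    avg_bytes = round(c["input_bps"] / 8 / pps) if pps else None
    tags = set()
    if errors and overruns == errors and line == 0:
        tags.add("overruns_only")       # receiver fell behind; the line itself is clean
    if line:
        tags.add("line_errors")         # CRC/frame: cabling, duplex or far-end fault
    if avg_bytes is not None and avg_bytes < small_packet_bytes:
        tags.add("small_packets")       # high pps for modest bps: worth a capture
    if c["queue_drops"] or c["no_buffer"]:
        tags.add("process_path_drops")  # input hold-queue/no-buffer drops on CPU-bound traffic
    return {
        "interface": c["interface"],
        "avg_packet_bytes": avg_bytes,
        "overrun_share": (overruns / errors) if errors else 0.0,
        "error_rate": (errors / c["packets_input"]) if c["packets_input"] else 0.0,
        "tags": tags,
    }


if __name__ == "__main__":
    for sample in (NPE_G1_SAMPLE, LINE_ERROR_SAMPLE):
        r = assess_input_errors(sample)
        print(r["interface"], r["avg_packet_bytes"], sorted(r["tags"]))
```

On the thread's counters this reports an average of about 97 bytes per packet and every input error as an overrun with a clean line, plus a large input hold-queue drop count; running it against each affected router's output shows whether they share the same pattern.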
Adrian

> Subject: RE: [c-nsp] C720X NPE-G1 - interface errors + router freezes
> Date: Fri, 5 Sep 2008 11:49:35 +1000
> From: nick.geyer at eds.com
> To: acidutu at hotmail.com; cisco-nsp at puck.nether.net
>
> I have seen issues like you mention creep up on NPE-G1's that have been
> in service for a while. It all starts with a few input errors here and
> there and progressively gets worse.
>
> Reseating the NPE seems to clear up all the issues and it starts
> chugging along happily again. Possibly worth a try on one of your
> routers to see if it makes a difference.
>
> Nick
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of The Hawk
> Sent: Friday, 5 September 2008 11:12 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] C720X NPE-G1 - interface errors + router freezes
>
> Forgot to add a subject line last time... Sorry for the double
> post... some additional info has also been added inline.
>
> Hello All,
>
> We're noticing a large number of input errors on multiple GigE
> interfaces on various C720X NPE-G1 routers. These input errors match
> exactly with the number of overruns on those interfaces. I wouldn't be
> so concerned about the errors if other strange things were not happening
> on the routers (such as frequent lockups and frequent eigrp drops). At
> this point they go hand in hand however we need to pinpoint the origin
> of the problems and it hasn't been easy.
>
> These are a couple strange things that we've noticed:
>
> 1. this problem happens on more than 1 router (similar
> configuration on all routers)
> 2. all routers affected began exhibiting these errors roughly
> around the same time (same early morning)
> 3. All routers are G1 and ran the same IOS code (12.4.12)
> 4. One of the routers was rebooted and upgraded to a different
> code however the problem still persists (12.4.21)
> 5. we suspect it directly affects the functionality of the router
> as we see random lockups of the units (which may be the cause of the
> increased errors not the result of)
> 6. All routers are connected to redundant switches and
> cabling/switches have been ruled out.
>
> Below is a sample output of the show interface on one of the routers:
>
> GigabitEthernet0/1 is up, line protocol is up
>   Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
>   Description: XXXXXXXX
>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>      reliability 255/255, txload 1/255, rxload 2/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 1000Mb/s, media type is RJ45
>   output flow-control is XON, input flow-control is XON
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of 'show interface' counters never
>   Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   5 minute input rate 8539000 bits/sec, 10996 packets/sec
>   5 minute output rate 1905000 bits/sec, 807 packets/sec
>      139728650 packets input, 10628478461 bytes, 92 no buffer
>      Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
>      171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
>      0 watchdog, 1904930 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      8125773 packets output, 2521690484 bytes, 0 underruns
>      2 output errors, 0 collisions, 1 interface resets
>      3842 unknown protocol drops
>      0 babbles, 0 late collision, 0 deferred
>      2 lost carrier, 0 no carrier, 0 pause output
>      0 output buffer failures, 0 output buffers swapped out
>
> Does anyone have any idea what might be going on?
>
> I initially suspected an IOS bug (since all devices were affected)
> however after the upgrade the problem still persists.
>
> Any help is appreciated.
> Adrian
From rmg at conviva.com Thu Sep 4 22:14:31 2008
From: rmg at conviva.com (Robert Gutierrez)
Date: Thu, 4 Sep 2008 19:14:31 -0700 (PDT)
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <200809051003.32163.mtinka@globaltransit.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904170928.GA23309@mx.ytti.net> <014301c90ef9$5a698480$500a10ac@ranma> <200809051003.32163.mtinka@globaltransit.net>
Message-ID: <014f01c90efd$256d61d0$500a10ac@ranma>

Oops. Yeah, the ASR1002 :) Fingers ahead of the brain on the keyboard. But the rest applies ...

Rob Gutierrez / Sr. Network Engineer
Conviva Inc, San Mateo, CA.

-----Original Message-----
From: Mark Tinka [mailto:mtinka at globaltransit.net]
Sent: Thursday, September 04, 2008 7:03 PM
To: cisco-nsp at puck.nether.net
Cc: Robert Gutierrez
Subject: Re: [c-nsp] c7604 "starter kit"

On Friday 05 September 2008 09:47:22 Robert Gutierrez wrote:
> I tried to sell management here a dual ASR1003...

AFAIK, Cisco don't have a 3-slot model of the ASR1000. You probably meant the ASR1002 or ASR1004 :-).

Cheers,

Mark.

From mtinka at globaltransit.net Thu Sep 4 22:15:02 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 5 Sep 2008 10:15:02 +0800
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <20080904170928.GA23309@mx.ytti.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net>
Message-ID: <200809051015.06641.mtinka@globaltransit.net>

On Friday 05 September 2008 01:09:28 Saku Ytti wrote:
> L3 VPN yes, TE not sure.

According to FN, MPLS-TE is unsupported.
Quite surprising, actually...

Mark.

From James.Baker at chelmer.co.nz Thu Sep 4 22:16:56 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Fri, 5 Sep 2008 14:16:56 +1200
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz>

Nagios. Look at setting up the 2d Status map.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 1:00 p.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,

Aaron.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
----------

The information contained in this e-mail and any attachments is confidential and is intended for the attention and use of the named addressee(s) only. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited.

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal
#####################################################################################

From ariemer at wesenergy.com.au Thu Sep 4 22:33:27 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 5 Sep 2008 10:33:27 +0800
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>

Hi James,

Yes I thought about nagios. Is it possible to put your own background map in and then position nodes on the map?

Thanks for the suggestion.

Cheers,

Aaron.

-----Original Message-----
From: James Baker [mailto:James.Baker at chelmer.co.nz]
Sent: Friday, 5 September 2008 10:17 AM
To: Aaron Riemer; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Dashboard Network Monitoring Software

Nagios. Look at setting up the 2d Status map.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 1:00 p.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,

Aaron.

From dhooper at emerge.net.au Thu Sep 4 22:55:26 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Fri, 5 Sep 2008 10:55:26 +0800
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
Message-ID:

www.nagios.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 9:00 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,

Aaron.

From ben.steele at internode.on.net Thu Sep 4 23:02:35 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 5 Sep 2008 12:32:35 +0930
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To:
References: <48C08099.6060908@uol.com.br>
Message-ID: <00ac01c90f03$d9afdeb0$8d0f9c10$@steele@internode.on.net>

Those figures aren't a real world typical example, they are based on small (64 byte) packet sizes x pps the router can do; if you increase the byte size to above 1000 you can see those numbers quickly explode to a more realistic figure.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, 5 September 2008 11:32 AM
To: giulianocm at uol.com.br; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Recommended 2800 ISR

I have read that document before, do those numbers (2811 - 61.44mbps CEF Fast switching) mean that it can process that bandwidth with nothing else running on the router?

On Thu, Sep 4, 2008 at 7:43 PM, GIULIANO (UOL) wrote:
> Dan,
>
> Yes. It is a good choice.
>
> Take a look:
>
> http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
>
> It's an initial guide for router performance.
>
> Att,
>
> Giuliano
>
>> I was wondering if anyone has recommendations for a 2800 series router
>> for a 20-30mbit internet connection. I would like to run a firewall
>> IOS and, nat and basic ACL's. Would a 2811 be an appropriate choice?
>>
>> Thanks,
>> Dan.
>>
>> ------------------------------------------------------------------------
>>
>> No virus found in this incoming message.
>> Checked by AVG - http://www.avg.com
>> Version: 8.0.169 / Virus Database: 270.6.16/1652 - Release Date: 04/09/2008 18:54
>>
>

From MatlockK at exempla.org Thu Sep 4 23:24:43 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Thu, 4 Sep 2008 21:24:43 -0600
Subject: [c-nsp] Odd MGCP issue with Caller-id
References: <4288131ED5E3024C9CD4782CECCAD2C7037AF7E4@LMC-MAIL2.exempla.org>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E739@LMC-MAIL2.exempla.org>

Just as a follow-up, and to archive this resolution.

I added 'cptone GB' to the 'voice-port 0/2/0' interface and it immediately started working. The fax machine behind the port answered, and all is well. That has a 20 character limit, but at least it works short-term. Tonight after the clinic closes I'll put the 12.4(3h) code we're running on another clinic's 2851, and we should be good to go!

It looks like the check was enforced starting at 12.4(20)T and 12.4(21), and I'm told the bug ID was CSCsj70344 (although it talks about calling number, I assume they put in the checks at that point). It'd be nice to have a command-line option to turn off the check entirely, but for now at least there's a fix.

Thanks to Oliver Boehmer for pointing me in the right direction!

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Matlock, Kenneth L
Sent: Thu 9/4/2008 10:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Odd MGCP issue with Caller-id

We have a Call Manager 4.1 setup, and are using a few 2851's with FXS cards (VIC-4FXS/DID=) as gateways using MGCP for Fax lines. Everything is (and has) been working fine, but we have been tracing down a problem where *some* destinations could not call these extensions (there wasn't a rhyme or reason we could see at first).

What we finally found was that it was based off the length of the *calling* name. If it was 15 characters or less in call manager, it would work, but 16+ would not (they'd get a reorder tone).

The relevant debug logs are as follows:

Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9324):[lvl=1]mode == VALIDATE cid =<09/04/09/46,24671,Ken Matlock Test Test Test>
Sep 4 09:46:38 MDT: //-1/xxxxxxxxxxxx/MGCP/mgcp_parse_cid_str(5889):[lvl=2]time=<09/04/09/46> num=<24671> name=
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9337):[lvl=0]-- Country code = US
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9362):[lvl=1]-- Caller Id type = 1
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//gen_caller_id(9424):[lvl=0]-- returns code = 54
Sep 4 09:46:38 MDT: //-1/7EF7044C8022/MGCP|aaln/S0/SU2/0|-1|-1//process_start_signal(4062):[lvl=2]process_start_signal(): FAIL with rc: 54, need to reject the whole list

And

Sep 4 09:46:38 MDT: MGCP Packet sent to 172.18.164.136:2427--->
510 100502 unsupported caller id length
<---

I've done numerous searches on those errors, and checked the bug toolkit for both IOS versions we've tried (12.4(20)T and 12.4(21)) and no luck.

Tried the 'caller-id block' on the port (but since it's not incoming on the FXS port I didn't think it'd help anyway).

While we CAN go into Callmanager and shorten all the stations with 16+ character display names, I'd hate to have to go to that trouble if I can help it.

Is there a way to increase that limit, or is that a hard-set in either the FXS cards, or MGCP?

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

From tedm at toybox.placo.com Thu Sep 4 22:52:41 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Thu, 4 Sep 2008 19:52:41 -0700
Subject: [c-nsp] Surge protection on leased lines
In-Reply-To: <20080904160037.GA21273@saucer.midcoast.com>
Message-ID:

Here is an explanation of what you're SUPPOSED to have:

http://www.cermetek.com/Support/APP-Notes/611-0175.pdf

with some schematics in case you want to roll your own protectors.

According to this, per FCC part 68, your national telephone company is in violation of FCC regs if it is not providing an isolation barrier at the customer handoff, which clearly it is not if you're losing WICs to lightning. They may be sliding under the regulation by giving you the handoff via V.35 but I doubt it.

Frankly I've never seen a SHDSL line being handed off to the customer on a V.35. I've seen plenty of Telco-owned muxes that took a T1 or SHDSL and handed off to the customer via both POTS and V35, though, but I don't see the point of an NIU that goes from SHDSL to V.35 - it's extra cost for the Telco, and that would require the customer prem equipment to be sitting next to the Dmarc since you're not going to run V.35 a hundred or so feet from the dmarc to the network room. This scheme sounds cockamamie to me. You learn something new every day.

If I were you I would call your local municipality on this.
All the electrical codes I've ever seen require the utility side of any feed into a building to have a solid, low-resistance ground at the entry point. They cannot just connect to a cold water pipe or some such nonsense, they have to drive a copper rod into the ground and ground to that. The fact that your "national telco" is allowing lightning energy to come into your building is a fire hazard and I am quite sure is in violation of your local wiring codes. They need a solid ground and suppression such as varistors connected between that ground and both wires of the pair that the SHDSL line is on.

If you can get the specific code requirements for your municipality you can threaten to report your national telco to both the FCC and the local municipality if they do not install surge suppression.

Ted

PS I am assuming you're in the US, here.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of jp
> Sent: Thursday, September 04, 2008 9:01 AM
> To: Brian Turnbow
> Cc: Cisco Mailing list
> Subject: Re: [c-nsp] Surge protection on leased lines
>
> Usually our Telco has gas/carbon arrestors at the NID and they differ
> for pots or T1 as T1 is higher voltage.
>
> Make sure your nid, smartbox, router are all grounded together and to
> the electrical system ground. I suspect they are not if current is
> flowing in and damaging your wic.
>
> I know APC made some ptel series arrestors for T1/ISDN usage for
> protecting the twisted pairs when the rj45/48 interfaces are used. I
> have these and they are good. Too bad you don't have access to that.
>
> On Mon, Aug 25, 2008 at 06:05:07PM +0200, Brian Turnbow wrote:
> > Thanks for the response.
> > They are external csus but they are "telco property" and they
> > don't want us to touch them.
> > We have asked several times that they install protection
> > coming into the building but no go...
> > They install a remote powered integrated shdsl modem/csu in an
> > all plastic housing and the only place we
> > have been able to connect a ground is to the v.35 mount on the
> > integrated csu. No help there.
> > Lightning strike = burned modem/csu = burned wic
> > The v.35 protector would be a try to at least save our wic
> > cards and costs of dispatching a Tech
> > for every passing storm.
> >
> > Brian
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
> > Sent: Monday 25 August 2008 17.34
> > To: Cisco Mailing list
> > Subject: Re: [c-nsp] Surge protection on leased lines
> >
> > Brian Turnbow wrote:
> > > Hello,
> > >
> > > We have several customers that are having problems every time a storm
> > > goes through.
> > > Our national telco company seems to offer no lightning protection on
> > > their lines, and every storm causes a line outage and burns up the
> > > attached wic.
> > > We've made sure the chassis are grounded, but would also like to try
> > > and install a surge protection between the v.35 interface of the telco
> > > and our CPEs.
> > > I see that Cisco offers a surge protection cable for smart serial
> > > interfaces, but not for classic serial interfaces.
> > > I wanted to ask what others would recommend / experiences regarding surge
> > > protection on leased lines.
> >
> > This is an external CSU?
> >
> > I think you want it between the telco smartjack and the CSU, not on the
> > v.35. This should be two pairs of wires.
> >
> > First thing to do is ensure that the telco smartjack, the CSU, and the
> > router are solidly connected to a common ground, as this may be the
> > source of the problem if the sneak current is not coming across the
> > leased line.
> >
> > There are a number of companies making lightning protectors for twisted
> > pair lines, Reliable Electric and Polyphaser are two.
> >
> > But, triple-check the grounding first because if it's common-mode across
> > a ground differential the protectors won't help.
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> > Impulse Internet Service - http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV
>
> --
> /*
> Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
> KB1IOJ | Broadband Internet Access, Dialup, and Hosting
> http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/
> */

From gtb at slac.stanford.edu Thu Sep 4 23:41:02 2008
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Thu, 4 Sep 2008 20:41:02 -0700
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To:
References: <48C08099.6060908@uol.com.br>
Message-ID:

> I have read that document before, do those numbers (2811 - 61.44mbps
> CEF Fast switching) mean that it can process that bandwidth with
> nothing else running on the router?

With the wind behind the bits heading downhill. The first paragraph says:

Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance. These are testing numbers, usually with FE to FE or POS to POS, no services enabled.
As you add ACL's, encryption, compression, etc - performance will decline significantly from the given numbers ....

The moment you add (for example) NAT or Firewall features, expect significantly less performance. As always, your Mbps will vary and your situation will be unique (and almost never to your benefit).

From sfischer1967 at gmail.com Thu Sep 4 23:57:34 2008
From: sfischer1967 at gmail.com (Steve Fischer)
Date: Thu, 4 Sep 2008 23:57:34 -0400
Subject: [c-nsp] IOS 12.2(18)SXF14
Message-ID: <010c01c90f0b$87b7db00$97279100$@com>

Matt -

We've been running 12.2(18)SXF13 on 4 Cat6500's w/SUP720-3B's for a good little while, and it has proven to be rock solid. I believe we were using the SXF11 code, and there was some impetus, perhaps a security alert, that moved us to the SXF13 code.

I recommend 1) reading the release notes, and 2) checking out Cisco's SafeHarbor site: http://www.cisco.com/go/safeharbor . The SafeHarbor site lists SXF11 as "passed", but, when you attempt to download it from Cisco, it lists advisories concerning that release that were addressed in later releases.

Looking at the "fixes" in the SXF14 release, there is nothing there compelling me to move from SXF13. My experience with the SXF13 code has been very good.

From ecables at gmail.com Fri Sep 5 00:16:08 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 4 Sep 2008 21:16:08 -0700
Subject: [c-nsp] vtp domain mindef
In-Reply-To: <48C06B06.40204@forthnet.gr>
References: <10188D798B596E4585DEAEAC62596D2309D57FDA@WATERFORD.switchnet.nv> <48C06B06.40204@forthnet.gr>
Message-ID:

Not sure if this helps you, but I found a link via a google search w/ someone who also had a "mindef" vtp domain name...

http://www.happyrouter.com/forum/index.php?topic=216.0

--
My vtp status:

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Transparent
VTP Domain Name                 : mindef
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x89 0x45 0xAA 0x2D 0x9E 0x3F 0x92 0x92
--

--
Eric Cables

On Thu, Sep 4, 2008 at 4:11 PM, Tassos Chatzithomaoglou wrote:
> I don't know what mindef is, but a switch with a null vtp domain (which is
> the default) will get the vtp domain of another switch (server or client)
> through any trunk link.
>
> --
> Tassos
>
> Jim Devane wrote on 05/09/2008 00:36:
>>
>> Hello,
>>
>> We observed something interesting. A 6509, IOS, 720-3BXL, 12.2-18 SXF
>> suddenly dumped its vlan.dat. It sounds like a classic case of inserting a
>> switch with a higher VTP rev config but that was not the case. No network
>> changes either physical or virtual took place (syslog and ACS confirmed)
>> The interesting part. The switch had no VTP domain previously defined.
>> Somewhat magically, vtp domain mindef appeared in the config. This was never
>> configured by a user also syslog and ACS confirmed.
>>
>> Has anyone heard of mindef as a default of some sort for VTP domains?
>> Anyone heard of something like this happening?
>>
>> thanks,
>> jim

From ben.steele at internode.on.net Fri Sep 5 00:45:34 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 5 Sep 2008 14:15:34 +0930
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <200809051015.06641.mtinka@globaltransit.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net> <200809051015.06641.mtinka@globaltransit.net>
Message-ID: <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>

I'm pretty sure it is scheduled for release in an upcoming update. I know there was lots of "hmmm's" when I saw the list of current unsupported technologies during our company's presentation, but I seem to recall most of them set for release in the future; I mean it would be ridiculous to never support mpls-te on the ASR.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Friday, 5 September 2008 11:45 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] c7604 "starter kit"

On Friday 05 September 2008 01:09:28 Saku Ytti wrote:
> L3 VPN yes, TE no sure. According to FN, MPLS-TE is unsupported.

Quite surprising, actually...

Mark.
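Returning to the "vtp domain mindef" thread above: Tassos' point is that a switch left with the factory-default (null) VTP domain in server or client mode adopts the first domain name it hears on any trunk, and from then on accepts a VLAN database with a higher revision from that neighbour, which is exactly how a vlan.dat gets wiped. The following is an added example, not posted by anyone on the list, showing the exposed default beside two hardened configurations and the checks to run afterwards. The domain name, the password placeholder and the interface range are assumptions; the syntax assumed is Catalyst IOS of the 12.2(18)SX vintage discussed in the thread.

```cisco
! Added example; not from the thread. Domain name, password and interface
! range are assumptions, syntax assumed is Catalyst IOS 12.2(SX).
!
! --- Exposed state (factory default): server mode, no domain name.
! The first VTP summary advertisement received on any trunk sets the
! domain, and a higher-revision database from that neighbour replaces
! vlan.dat. This is the condition the thread describes:
!
! switch# show vtp status
!   VTP Operating Mode : Server
!   VTP Domain Name    :
!
! --- Hardened, option A: opt out of VTP. A transparent switch keeps its
! own vlan.dat and never applies advertisements it receives. Set the domain
! name explicitly anyway so the null-domain pickup cannot occur.
vtp domain EXAMPLE-DOMAIN
vtp mode transparent
!
! --- Hardened, option B: keep server/client but require a shared secret.
! The MD5 digest in each advertisement is computed over the database and
! the password, so an advertisement from a switch that does not know the
! password is discarded instead of overwriting the database.
! vtp domain EXAMPLE-DOMAIN
! vtp password <secret>
! vtp mode server
!
! --- Limit where advertisements can arrive at all. VTP rides only on
! trunks, so stop edge ports from negotiating one via DTP.
interface range GigabitEthernet1/1 - 48
 switchport mode access
 switchport nonegotiate
!
! --- Verify: mode and domain are as configured, the revision is the one
! you expect, and the digest changed after the password was set.
! switch# show vtp status
! switch# show vtp password
```

Whichever option is chosen, apply it before the switch is cabled into a trunk: a freshly reset switch with a stale, higher-revision vlan.dat is the classic way to wipe a domain, and option A is the only one that protects against a trusted neighbour doing it by accident.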
From mtinka at globaltransit.net Fri Sep 5 00:47:19 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 5 Sep 2008 12:47:19 +0800
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <200809051015.06641.mtinka@globaltransit.net> <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>
Message-ID: <200809051247.23496.mtinka@globaltransit.net>

On Friday 05 September 2008 12:45:34 Ben Steele wrote:
> I'm pretty sure it is scheduled for release in an
> upcoming update, I know there was lots of "hmmm's" when I
> saw the list of current unsupported technologies during
> our company's presentation, but I seem to recall most of
> them set for release in the future, I mean it would be
> ridiculous to never support mpls-te on the ASR.

Of course :-).

Mark.

From chiwaikam at hotmail.com Fri Sep 5 02:08:14 2008
From: chiwaikam at hotmail.com (tony kam)
Date: Fri, 5 Sep 2008 14:08:14 +0800
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID:

Dear all,

Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

Regards,
Tony

From James.Baker at chelmer.co.nz Fri Sep 5 01:50:00 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Fri, 5 Sep 2008 17:50:00 +1200
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD86920D@chmaexch.chelmer.co.nz>

Oh yes, most definitely. If it's too rough as well, check out zabbix, and there is one more I can't remember (let me google this)... ah yes, Zenoss, which can integrate with google maps.

Cheers

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 2:33 p.m.
To: James Baker
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Hi James,

Yes I thought about nagios. Is it possible to put your own background map in and then position nodes on the map?

Thanks for the suggestion.

Cheers,

Aaron.

-----Original Message-----
From: James Baker [mailto:James.Baker at chelmer.co.nz]
Sent: Friday, 5 September 2008 10:17 AM
To: Aaron Riemer; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Dashboard Network Monitoring Software

Nagios. Look at setting up the 2d Status map.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: Friday, 5 September 2008 1:00 p.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dashboard Network Monitoring Software

Hi Guys,

Is anyone out there using any open source or free dashboard network monitoring software? I would like to have a map background with our sites and possibly blink the sites RED if the site stopped responding to pings or SNMP queries etc? I know Solarwinds and HP Openview are good but we are not willing to shell out the money just for a dashboard.

Cheers,

Aaron.

From abalashov at evaristesys.com Fri Sep 5 02:25:18 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 05 Sep 2008 02:25:18 -0400
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID: <48C0D0CE.1050504@evaristesys.com>

tony kam wrote:
> Dear all,
>
> Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

What do you mean by "right into?"

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From abalashov at evaristesys.com Fri Sep 5 02:27:51 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 05 Sep 2008 02:27:51 -0400
Subject: [c-nsp] VoIP classifying and queuing in an access switch <--> core Layer 2 network
In-Reply-To: <71BC8F601C01554CA7410616B26C50D1016703CD@mail-37ps.atlarge.net>
References: <71BC8F601C01554CA7410616B26C50D1016703CD@mail-37ps.atlarge.net>
Message-ID: <48C0D167.7030602@evaristesys.com>

If the switch is purely Layer 2, it would be difficult to classify VoIP traffic ipso facto, as the factors that differentiate it from other kinds of traffic are, by definition, >= Layer 3.

About the only thing you can do there is use segregated VLANs, and/or take advantage of the native "voice VLAN" feature of certain Catalysts:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvoip.html

Grant Moerschel wrote:
> In an access switch to core where the connections are Layer 2, what is
> the best method to a) classify voip traffic as it enters the access
> switch and b) prioritize it via some queuing mechanism as it traverses
> the trunk going to the core? Does anyone have sample configs for
> something like this?
>
> Pc <-> phone <-> access switch <-> core switch. Priority to VoIP traffic
> on trunks.
-- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From abalashov at evaristesys.com Fri Sep 5 02:29:49 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Fri, 05 Sep 2008 02:29:49 -0400 Subject: [c-nsp] Recommended 2800 ISR In-Reply-To: <9418aca70809041817j33a453adp45a8c5eb39d27a93@mail.gmail.com> References: <48C08099.6060908@uol.com.br> <9418aca70809041817j33a453adp45a8c5eb39d27a93@mail.gmail.com> Message-ID: <48C0D1DD.9040708@evaristesys.com> Jay Nakamura wrote: > What about going with an ASA? Much more performance for the money. But it > depends on what all you want to do on the router. IOS is a lot more > flexible on what you can do. But, an ASA or PIX is far more optimised for NAT and ACL duty. -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From r.engehausen at gmail.com Fri Sep 5 02:33:35 2008 From: r.engehausen at gmail.com (Roy) Date: Thu, 04 Sep 2008 23:33:35 -0700 Subject: [c-nsp] Dashboard Network Monitoring Software In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> Message-ID: <48C0D2BF.8050407@gmail.com> Try Opsview. Very nice clean GUI for nagios, nagiosgraph, and MRTG. Aaron Riemer wrote: > Hi James, > > Yes I thought about nagios. Is it possible to put your own background > map in and then position nodes on the map? > > Thanks for the suggestion. > > Cheers, > > Aaron. 
> -----Original Message-----
> From: James Baker [mailto:James.Baker at chelmer.co.nz]
> Sent: Friday, 5 September 2008 10:17 AM
> To: Aaron Riemer; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Dashboard Network Monitoring Software
>
> Nagios. Look at setting up the 2d Status map.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
> Sent: Friday, 5 September 2008 1:00 p.m.
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dashboard Network Monitoring Software
>
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network
> monitoring software? I would like to have a map background with our
> sites and possibly blink the sites RED if the site stopped responding to
> pings or SNMP queries etc? I know Solarwinds and HP Openview are good
> but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
>
> Aaron.
>
> LEGAL DISCLAIMER: This message contains confidential information and is
> intended only for the individual named. If you are not the named
> addressee you should not disseminate, distribute or copy this e-mail.
> Please notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system. If you are
> not the intended recipient you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ----------
>
> The information contained in this e-mail and any attachments is
> confidential and is intended for the attention and use of the named
> addressee(s) only.
> Any views expressed in this message are those of the individual sender
> and may not necessarily reflect the views of Chelmer Limited.

From abalashov at evaristesys.com Fri Sep 5 02:34:12 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 05 Sep 2008 02:34:12 -0400
Subject: [c-nsp] RTP port
In-Reply-To: <62c908120809040024q72fd82c6u869b4adeb0fbb479@mail.gmail.com>
References: <62c908120809040024q72fd82c6u869b4adeb0fbb479@mail.gmail.com>
Message-ID: <48C0D2E4.1020309@evaristesys.com>

Tseveendorj Ochirlantuu wrote:
> Is it possible to choose RTP port on AS5350XM?
> for example: don't use all ports 16000-60000 on gateway. Only use between
> 16000-17000.

Not natively, but you could probably do this using NAT on the outgoing
interfaces. Although, for various performance reasons, I think you would
not want to.
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From chiwaikam at hotmail.com Fri Sep 5 02:39:00 2008
From: chiwaikam at hotmail.com (tony kam)
Date: Fri, 5 Sep 2008 14:39:00 +0800
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To: <48C0D0CE.1050504@evaristesys.com>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0D0CE.1050504@evaristesys.com>
Message-ID:

It meant users can use either telnet or ssh client to log into router VTY
lines. Besides, I think it is possible to use ACL to control which user
group can use telnet and which user group can use ssh.

Please advise if you have such sample configuration.

> Date: Fri, 5 Sep 2008 02:25:18 -0400
> From: abalashov at evaristesys.com
> To: chiwaikam at hotmail.com
> CC: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Allow VTY access by telnet and ssh
>
> tony kam wrote:
> > Dear all,
> >
> > Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.
> > What do you mean by "right into?"> > -- > Alex Balashov> Evariste Systems> Web : http://www.evaristesys.com/> Tel : (+1) (678) 954-0670> Direct : (+1) (678) 954-0671> Mobile : (+1) (706) 338-8599 From abalashov at evaristesys.com Fri Sep 5 02:41:35 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Fri, 05 Sep 2008 02:41:35 -0400 Subject: [c-nsp] Allow VTY access by telnet and ssh In-Reply-To: References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0D0CE.1050504@evaristesys.com> Message-ID: <48C0D49F.9080504@evaristesys.com> All logins are on VTYs, so that qualification is not needed. Check out: http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/mgaccess.html tony kam wrote: > It meant users can use either telnet or ssh client to log into router > VTY lines. Besides, I think it is possible to use ACL to control which > user group can use telnet and which user group can use ssh. > > Please advise if you have such sample configuration. > > > Date: Fri, 5 Sep 2008 02:25:18 -0400 > > From: abalashov at evaristesys.com > > To: chiwaikam at hotmail.com > > CC: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Allow VTY access by telnet and ssh > > > > tony kam wrote: > > > Dear all, > > > > > > Please advise if there is any configuration template to enable both > telnet and ssh to have access right into router VTY lines. > > > > What do you mean by "right into?" 
> > > >
> > --
> > Alex Balashov
> > Evariste Systems
> > Web : http://www.evaristesys.com/
> > Tel : (+1) (678) 954-0670
> > Direct : (+1) (678) 954-0671
> > Mobile : (+1) (706) 338-8599
>

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From ben.steele at internode.on.net Fri Sep 5 02:43:58 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 5 Sep 2008 16:13:58 +0930
Subject: [c-nsp] WebVPN via RADIUS - how to identify by group?
Message-ID: <00d001c90f22$c6f0e2f0$54d2a8d0$@steele@internode.on.net>

Howdy all,

Anyone know if it's possible to get an ASA to spit out the group name in
an av-pair via radius when authenticating a user? (in this case webvpn).

The issue I'm having is multiple clients on the one ASA authenticating
via IAS/AD and the possibility of overlapping usernames between
clients (groups). I need another identifier from the ASA to auth them
against other than user/pass, ie group would be perfect.

Any ideas?

Cheers

Ben

From abalashov at evaristesys.com Fri Sep 5 02:42:38 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 05 Sep 2008 02:42:38 -0400
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To: <48C0D49F.9080504@evaristesys.com>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0D0CE.1050504@evaristesys.com> <48C0D49F.9080504@evaristesys.com>
Message-ID: <48C0D4DE.7030001@evaristesys.com>

Whoops, that was for ASAs. Try:

http://articles.techrepublic.com.com/5100-10878_11-5875046.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml

Alex Balashov wrote:
> All logins are on VTYs, so that qualification is not needed.
> > Check out: > > http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/mgaccess.html > > > tony kam wrote: > >> It meant users can use either telnet or ssh client to log into router >> VTY lines. Besides, I think it is possible to use ACL to control which >> user group can use telnet and which user group can use ssh. >> >> Please advise if you have such sample configuration. >> >> > Date: Fri, 5 Sep 2008 02:25:18 -0400 >> > From: abalashov at evaristesys.com >> > To: chiwaikam at hotmail.com >> > CC: cisco-nsp at puck.nether.net >> > Subject: Re: [c-nsp] Allow VTY access by telnet and ssh >> > >> > tony kam wrote: >> > > Dear all, >> > > >> > > Please advise if there is any configuration template to enable >> both telnet and ssh to have access right into router VTY lines. >> > >> > What do you mean by "right into?" >> > >> > -- >> > Alex Balashov >> > Evariste Systems >> > Web : http://www.evaristesys.com/ >> > Tel : (+1) (678) 954-0670 >> > Direct : (+1) (678) 954-0671 >> > Mobile : (+1) (706) 338-8599 >> > > -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From john.douglas at gmail.com Fri Sep 5 02:45:26 2008 From: john.douglas at gmail.com (john douglas) Date: Fri, 5 Sep 2008 16:45:26 +1000 Subject: [c-nsp] CF format problems on 6500/7600 SUP720-3BXL Message-ID: <5c846eaf0809042345g6af1bdday59cb23a0ce10f8d1@mail.gmail.com> hi all, firstly i've read the threads about monlib etc, i tend to make it standard practice to format the flash card in whatever chassis it is currently in before use, however in this case, i cant even format the flash cards. we are talking about genuine sandisk 1GB which seem to work ok elsewhere but in the 6500 & 7600 SUP720-3BXL based platforms everything appears fine until you go to format the card and then you get this Router#format disk1: Format operation may take a while. Continue? 
[confirm]
Format operation will destroy all data in "disk1:". Continue? [confirm]
%Error formatting disk1 (Format failure - Drive Communication)

and then the CF card promptly disappears

Router#dir disk1:
%Error opening disk1:/ (No such device)
Router#sh plat hard cap | i disk
1 SP disk0: 128151552 78741504 61%

I have tried formatting these CF cards on other routers eg 7301, 1841,
bring them over to the SUP720, they look fine, but the moment you go to
re-format - splat.

I have tried formatting these CF cards on a PC using a CF card reader,
again they look fine, but again splat.

Now, what is REALLY weird: I format these CF cards on a Canon EOS 400D
digital SLR and they work just fine in the SUP720

Router#sh disk1:
-#- --length-- -----date/time------ path
1 0 Sep 02 2008 15:43:54 DCIM
2 0 Sep 02 2008 15:43:54 DCIM/217CANON

260796416 bytes available (8192 bytes used)

Router#dir disk1:/DCIM/217CANON/
Directory of disk1:/DCIM/217CANON/

No files in directory

260804608 bytes total (260796416 bytes free)

Router#format disk1:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk1:". Continue? [confirm]
Format: Drive communication & 1st Sector Write OK...
Writing Monlib sectors.
Monlib Version = 2 (0.2)
...............................................................................................................................................
Monlib write complete
.
Format: All system sectors written. OK...
Format: Total sectors in formatted partition: 510281
Format: Total bytes in formatted partition: 261263872
Format: Operation completed successfully.
Format of disk1 complete

very confused...
From bandwidth.user at gmail.com Fri Sep 5 02:52:11 2008
From: bandwidth.user at gmail.com (roy)
Date: Fri, 05 Sep 2008 14:52:11 +0800
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID: <1220597531.5582.9.camel@localhost>

On Fri, 2008-09-05 at 14:08 +0800, tony kam wrote:
> Dear all,
>
> Please advise if there is any configuration template to enable both
> telnet and ssh to have access right into router VTY lines.

<...>
line vty x y
 transport input telnet ssh
<...>

hth,
roy

From oboehmer at cisco.com Fri Sep 5 03:17:13 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 5 Sep 2008 09:17:13 +0200
Subject: [c-nsp] VoIP classifying and queuing in an access switch <--> core Layer 2 network
In-Reply-To: <48C0D167.7030602@evaristesys.com>
References: <71BC8F601C01554CA7410616B26C50D1016703CD@mail-37ps.atlarge.net> <48C0D167.7030602@evaristesys.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405F7F91E@xmb-ams-333.emea.cisco.com>

Alex Balashov <> wrote on Friday, September 05, 2008 8:28 AM:

> If the switch is purely Layer 2, it would be difficult to classify
> VoIP traffic ipso facto, as the factors that differentiate it from
> other kinds of traffic are, by definition, >= Layer 3.

Well, even a Layer 2 switch can classify based on L3 information, most
of today's (and yesterday's) Cat2xxx/3xxx support this.
I would recommend looking at the Enterprise QoS solution reference at
www.cisco.com/go/srnd for plenty of examples for various access switch
platforms.
oli

> About the only thing you can do there is use segregated VLANs, and/or
> take advantage of the native "voice VLAN" feature of certain
> Catalysts:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvoip.html
>
> Grant Moerschel wrote:
>
>> In an access switch to core where the connections are Layer 2, what
>> is the best method to a) classify voip traffic as it enters the
>> access switch and b) prioritize it via some queuing mechanism as it
>> traverses the trunk going to the core? Does anyone have sample
>> configs for something like this?
>>
>> Pc <-> phone <-> access switch <-> core switch. Priority to VoIP
>> traffic on trunks.
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599

From lists at daniels.id.au Fri Sep 5 02:45:14 2008
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Fri, 5 Sep 2008 16:45:14 +1000
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
Message-ID: <014b01c90f22$f60cf9c0$e226ed40$@id.au>

Also take a look at Zenoss www.zenoss.org

Aaron

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Daniel Hooper
> Sent: Friday, 5 September 2008 12:55 PM
> To: Aaron Riemer
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> www.nagios.org
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
> Sent: Friday, 5 September 2008 9:00 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dashboard Network Monitoring Software
>
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network
> monitoring software? I would like to have a map background with our
> sites and possibly blink the sites RED if the site stopped responding
> to pings or SNMP queries etc? I know Solarwinds and HP Openview are good
> but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
>
> Aaron.

From achatz at forthnet.gr Fri Sep 5 03:18:36 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 05 Sep 2008 10:18:36 +0300
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net> <200809051015.06641.mtinka@globaltransit.net> <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>
Message-ID: <48C0DD4C.1020703@forthnet.gr>

MPLS TE should be in RLS3; probably EoMPLS too.

--
Tassos

Ben Steele wrote on 05/09/2008 07:45:
> I'm pretty sure it is scheduled for release in an upcoming update, I know
> there was lots of "hmmm's" when I saw the list of current unsupported
> technologies during our company's presentation, but I seem to recall most of
> them set for release in the future, I mean it would be ridiculous to never
> support mpls-te on the ASR.
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Friday, 5 September 2008 11:45 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] c7604 "starter kit"
>
> On Friday 05 September 2008 01:09:28 Saku Ytti wrote:
>
>> L3 VPN yes, TE no sure.
>
> According to FN, MPLS-TE is unsupported. Quite surprising, actually...
>
> Mark.
>

From abalashov at evaristesys.com Fri Sep 5 03:26:41 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 05 Sep 2008 03:26:41 -0400
Subject: [c-nsp] VoIP classifying and queuing in an access switch <--> core Layer 2 network
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405F7F91E@xmb-ams-333.emea.cisco.com>
References: <71BC8F601C01554CA7410616B26C50D1016703CD@mail-37ps.atlarge.net> <48C0D167.7030602@evaristesys.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405F7F91E@xmb-ams-333.emea.cisco.com>
Message-ID: <48C0DF31.3030200@evaristesys.com>

Oliver Boehmer (oboehmer) wrote:
> Alex Balashov <> wrote on Friday, September 05, 2008 8:28 AM:
>
>> If the switch is purely Layer 2, it would be difficult to classify
>> VoIP traffic ipso facto, as the factors that differentiate it from
>> other kinds of traffic are, by definition, >= Layer 3.
>
> Well, even a Layer 2 switch can classify based on L3 information, most
> of today's (and yesterday's) Cat2xxx/3xxx support this.
> I would recommend looking at the Enterprise QoS solution reference at
> www.cisco.com/go/srnd for plenty of examples for various access switch
> platforms.

Really... I wasn't aware Layer 2 devices had DiffServ/DSCP awareness.

I stand corrected, then!
--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From CB at nianet.dk Fri Sep 5 03:34:09 2008
From: CB at nianet.dk (Christian Bering)
Date: Fri, 5 Sep 2008 09:34:09 +0200
Subject: [c-nsp] Allow VTY access by telnet and ssh
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local><64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID:

Hi,

>Please advise if there is any configuration template to enable
>both telnet and ssh to have access right into router VTY lines.

Do you mean like this, or are you talking about something else?

!
line vty 0 4
 transport input telnet ssh
!
crypto key generate rsa general-keys modulus 2048
!

--
Regards
Christian Bering

From jay at west.net Fri Sep 5 03:20:54 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 05 Sep 2008 00:20:54 -0700
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID: <48C0DDD6.8000305@west.net>

tony kam wrote:
> Dear all,
>
> Please advise if there is any configuration template to enable both telnet and ssh to have access right into router VTY lines.

Did you try:

line vty 0 4
 transport input telnet ssh

The number of vty lines may be different depending on platform and IOS,
for example, "line vty 0 15".
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From wim.holemans at ua.ac.be Fri Sep 5 04:35:14 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Fri, 5 Sep 2008 10:35:14 +0200
Subject: [c-nsp] FWSM failover transparent mode
Message-ID: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>

Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
month. Now we are thinking about buying a second FWSM to do failover in
order to limit downtime and facilitate upgrades: most of our servers
are connected to the 6513 carrying this FWSM.

We use the 2 standard virtual contexts of the FWSM, both in transparent
mode, 8 bridged vlans on one, 2 bridged vlans on the second.

In the release notes of 3.1.11 I however read under Open Caveats

"CSCm73157 : Failover is not working in transparent mode..."

Does anyone have experience with FWSM failover in transparent mode? Does
this really not work?

Does it work under 3.2 or 4.0?

Any info would be appreciated before we invest more than 15K Euros...

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From ariemer at wesenergy.com.au Fri Sep 5 04:50:02 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 5 Sep 2008 16:50:02 +0800
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <014b01c90f22$f60cf9c0$e226ed40$@id.au>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au>
Message-ID: <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local>

Zenoss looks cool but it looks like you have to pay for that software :)

Cheers for the ideas.

Aaron.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels - Lists
Sent: Friday, 5 September 2008 2:45 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Also take a look at Zenoss www.zenoss.org

Aaron

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Daniel Hooper
> Sent: Friday, 5 September 2008 12:55 PM
> To: Aaron Riemer
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> www.nagios.org

From paul.cosgrove at heanet.ie Fri Sep 5 05:04:25 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Fri, 05 Sep 2008 10:04:25 +0100
Subject: [c-nsp] disabling 3750 mac address learning
Message-ID: <48C0F619.3090903@heanet.ie>

Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
mac address learning per vlan. Does anyone have any experience with
this release yet?

The feature seems to have been introduced earlier in the 3650s and has
obviously been in ME switches for a while.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/command/reference/cli1.html#wp10289393

Paul.
-- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. From mailinglist at bangky.net Fri Sep 5 05:42:25 2008 From: mailinglist at bangky.net (Ang Kah Yik) Date: Fri, 5 Sep 2008 17:42:25 +0800 Subject: [c-nsp] Allow VTY access by telnet and ssh In-Reply-To: <48C0DDD6.8000305@west.net> References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0DDD6.8000305@west.net> Message-ID: I think more specifically, he wanted to be able to permit a particular group of users to use telnet and another to use ssh. While I'm not sure why it'd be good to use telnet when ssh is available, I suppose it would be possible to apply an ACL on the VTYs to deny access to telnet/ssh as required. On Fri, Sep 5, 2008 at 3:20 PM, Jay Hennigan wrote: > tony kam wrote: > >> Dear all, >> Please advise if there is any configuration template to enable both >> telnet and ssh to have access right into router VTY lines. >> > > Did you try: > > line vty 0 4 > transport input telnet ssh > > The number of vty lines may be different depending on platform and IOS, for > example, "line vty 0 15". 
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

--
Ang Kah Yik

From jay at west.net Fri Sep 5 06:27:59 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 05 Sep 2008 03:27:59 -0700
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0DDD6.8000305@west.net>
Message-ID: <48C109AF.7030509@west.net>

Ang Kah Yik wrote:
> I think more specifically, he wanted to be able to permit a particular group
> of users to use telnet and another to use ssh.
> While I'm not sure why it'd be good to use telnet when ssh is available, I
> suppose it would be possible to apply an ACL on the VTYs to deny access to
> telnet/ssh as required.

I haven't tried it, but it might be possible to use an extended ACL for this.
ip access-list extended vty-list
 permit tcp 1.1.1.0 0.0.0.255 any eq 22
 permit tcp 2.2.2.0 0.0.0.255 any eq 23

line vty 0 4
 transport input telnet ssh
 access-class vty-list in

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From allan.eising at gmail.com Fri Sep 5 06:46:14 2008
From: allan.eising at gmail.com (Allan Eising)
Date: Fri, 5 Sep 2008 12:46:14 +0200
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To: <48C109AF.7030509@west.net>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0DDD6.8000305@west.net> <48C109AF.7030509@west.net>
Message-ID:

I can't see why you should use an extended acl to do that. "transport
input telnet ssh" should allow access only through those two
protocols, so filtering that through an ACL is a bit redundant in my
opinion.

You should be able to use a standard acl like:

ip access-list standard vty
 permit 10.0.0.0 0.0.0.255
 permit 10.1.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input telnet ssh
 access-class vty in
!

That should do it.

Best regards,
Allan Eising

On Fri, Sep 5, 2008 at 12:27 PM, Jay Hennigan wrote:
> Ang Kah Yik wrote:
>>
>> I think more specifically, he wanted to be able to permit a particular
>> group
>> of users to use telnet and another to use ssh.
>> While I'm not sure why it'd be good to use telnet when ssh is available, I
>> suppose it would be possible to apply an ACL on the VTYs to deny access to
>> telnet/ssh as required.
>
> I haven't tried it, but it might be possible to use an extended ACL for
> this.
>
> ip access-list extended vty-list
>  permit tcp 1.1.1.0 0.0.0.255 any eq 22
>  permit tcp 2.2.2.0 0.0.0.255 any eq 23
>
> line vty 0 4
>  transport input telnet ssh
>  access-class vty-list in
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

From jay at west.net Fri Sep 5 06:53:11 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 05 Sep 2008 03:53:11 -0700
Subject: [c-nsp] Allow VTY access by telnet and ssh
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> <48C0DDD6.8000305@west.net> <48C109AF.7030509@west.net>
Message-ID: <48C10F97.1040604@west.net>

Allan Eising wrote:
> I can't see why you should use an extended acl to do that. "transport
> input telnet ssh" should allow access only through those two
> protocols, so filtering that through an ACL is a bit redundant in my
> opinion.
>
> You should be able to use a standard acl like:
> ip access-list standard vty
>  permit 10.0.0.0 0.0.0.255
>  permit 10.1.0.0 0.0.0.255
>  deny any log
> !
> line vty 0 4
>  transport input telnet ssh
>  access-class vty in
> !

The objective was to allow one group to use telnet and another to use
ssh. This would require an extended ACL.

>> Ang Kah Yik wrote:
>>> I think more specifically, he wanted to be able to permit a particular
>>> group
>>> of users to use telnet and another to use ssh.
>>> While I'm not sure why it'd be good to use telnet when ssh is available, I
>>> suppose it would be possible to apply an ACL on the VTYs to deny access to
>>> telnet/ssh as required.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From sthaug at nethelp.no Fri Sep 5 07:33:37 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 05 Sep 2008 13:33:37 +0200 (CEST)
Subject: [c-nsp] disabling 3750 mac address learning
In-Reply-To: <48C0F619.3090903@heanet.ie>
References: <48C0F619.3090903@heanet.ie>
Message-ID: <20080905.133337.74700578.sthaug@nethelp.no>

> Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
> mac address learning per vlan. Does anyone have any experience with
> this release yet?
>
> The feature seems to have been introduced earlier in the 3650s and has
> obviously been in ME switches for a while.

The feature has been there longer, in the form of an RSPAN-enabled VLAN.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From streiner at cluebyfour.org Fri Sep 5 07:51:09 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 5 Sep 2008 07:51:09 -0400 (EDT)
Subject: [c-nsp] FWSM failover transparent mode
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
Message-ID:

On Fri, 5 Sep 2008, Holemans Wim wrote:

> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
> month. Now we are thinking about buying a second FWSM to do failover in
> order to limit downtime and facilitate upgrades: most of our servers
> are connected to the 6513 carrying this FWSM.
>
> In the release notes of 3.1.11 I however read under Open Caveats
>
> "CSCm73157 : Failover is not working in transparent mode..."
>
> Does anyone have experience with FWSM failover in transparent mode?
> Does this really not work?
>
> Does it work under 3.2 or 4.0?

FWSM failover in transparent mode does work in 3.2. Specifically, 3.2(4) and above. Right now we're running 3.2(6) and 3.2(7) in production.

I want to give the 4.x code more time to 'bake' before I put it in production here. I may try it out in our development lab soon.

jms

From rodunn at cisco.com Fri Sep 5 08:07:24 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 5 Sep 2008 08:07:24 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <200809041546.23959.kratzers@pa.net>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net>
Message-ID: <20080905120724.GI15736@rtp-cse-489.cisco.com>

But make sure you do:

config t
 int null 0
  no ip unreachables

The ACL drops are, last I checked, rate limit punts.

If it's high CPU at IP Input, you really need 12.4(20)T and to get a sniffer trace in the punt path to see what traffic it really is.

Rodney

On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> > 2008/9/4 Stephen Kratzer :
> > > The 'log' keyword will cause matching packets to not be CEF switched.
> >
> > nope, log is not present.
> >
> > > Also, if
> > > you're denying a lot of traffic from a certain source, you might want to
> > > just bit-bucket it rather than sending ICMP responses.
> >
> > you mean - "no ip unreachables"?
>
> You could match the access list in a route map and set the outbound interface
> to Null0.
From david_laporte at harvard.edu Fri Sep 5 08:23:54 2008
From: david_laporte at harvard.edu (LaPorte, David)
Date: Fri, 05 Sep 2008 08:23:54 -0400
Subject: [c-nsp] WebVPN via RADIUS - how to identify by group?
In-Reply-To: <00d001c90f22$c6f0e2f0$54d2a8d0$@steele@internode.on.net>
References: <00d001c90f22$c6f0e2f0$54d2a8d0$@steele@internode.on.net>
Message-ID: <48C124DA.5020408@harvard.edu>

You could pass the group as a realm to the RADIUS server by having the users log in as USER@GROUP. The RADIUS server could authenticate them and return a Class="OU=GROUP;" attribute to map them properly.

You could also provide a group list to the user:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

I prefer not to do this since it could make enumeration attacks a bit easier, but it has its place.

hope that helps,
Dave

Ben Steele wrote:
> Howdy all,
>
> Anyone know if it's possible to get an ASA to spit out the group name in an
> av-pair via radius when authenticating a user? (in this case webvpn).
>
> The issue I'm having is multiple clients on the one ASA authenticating via
> IAS/AD and the possibility of overlapping usernames between clients (groups).
> I need another identifier from the ASA to auth them against other than
> user/pass, ie group would be perfect.
>
> Any ideas?
>
> Cheers
>
> Ben
>

--
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte at harvard.edu
PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508

From gert at greenie.muc.de Fri Sep 5 09:34:28 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 5 Sep 2008 15:34:28 +0200
Subject: [c-nsp] CSS strange behaviour.... Or is it just my config [7:132492]
In-Reply-To:
References: <200809040227.m842RBGe015086@groupstudy.com> <20080904062227.GP233@greenie.muc.de> <20080904080208.GA17238@greenie.muc.de>
Message-ID: <20080905133427.GJ17238@greenie.muc.de>

Hi,

On Fri, Sep 05, 2008 at 09:52:05AM +1000, Brett Clausenhauf wrote:
> I've since tried other ports (Port 23 for example) & it still does the same
> thing. This has got me stumped... I cannot figure out why it needs the group
> command to stay working.

telnet (xinetd/tcpd) usually does a DNS lookup as well.

As I said: run tcpdump/wireshark to see what sort of outbound connection your machines do.

The CSS doesn't need the group section for itself.

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
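Returning to the "Allow VTY access by telnet and ssh" thread above: the Python below is an added simulation, not code from any poster, that parses the two ACLs quoted there (Jay's extended vty-list and Allan's standard vty) and evaluates constructed source-address/port pairs against each, so you can see on paper that only the extended list can separate the ssh group from the telnet group. It assumes the usual IOS ACL semantics (entries checked top down, first match wins, implicit deny at the end) and that the vty access-class uses the entry's source address and destination-port fields; the session list is constructed for the demo.

```python
"""Simulate how the ACLs quoted in the VTY thread are evaluated.

Added example; assumes IOS ACL semantics: top-down, first match decides,
unmatched sessions hit the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names that may appear after 'eq' in an extended entry.
PORT_NAMES = {"ssh": 22, "telnet": 23}


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    src_addr: int             # source address from the entry
    src_wild: int             # wildcard mask: 1 bits are "don't care"
    dst_port: Optional[int]   # None = any port (standard ACL or no 'eq')
    log: bool = False


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[Ace]:
    """Parse the entries of a named standard or extended IPv4 ACL."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):   # header or comment
            continue
        action, dst_port = tokens[0], None
        if tokens[1] in ("ip", "tcp", "udp"):        # extended syntax
            src, wild, i = _parse_addr(tokens, 2)
            _, _, i = _parse_addr(tokens, i)         # destination address
            if i < len(tokens) and tokens[i] == "eq":
                name = tokens[i + 1]
                dst_port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
                i += 2
        else:                                        # standard syntax
            src, wild, i = _parse_addr(tokens, 1)
        aces.append(Ace(action, src, wild, dst_port, "log" in tokens[i:]))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_port: int) -> str:
    """First matching entry decides; no match means the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    for ace in aces:
        care = ~ace.src_wild & 0xFFFFFFFF            # bits that must match
        if (src & care) != (ace.src_addr & care):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


# The two ACLs exactly as quoted in the thread.
EXTENDED_VTY_LIST = """
ip access-list extended vty-list
 permit tcp 1.1.1.0 0.0.0.255 any eq 22
 permit tcp 2.2.2.0 0.0.0.255 any eq 23
"""

STANDARD_VTY = """
ip access-list standard vty
 permit 10.0.0.0 0.0.0.255
 permit 10.1.0.0 0.0.0.255
 deny any log
"""


def decision_table(acl_text: str, cases):
    """Map (src_ip, port) -> 'permit'/'deny' for a list of sessions."""
    aces = parse_acl(acl_text)
    return {(ip, port): evaluate(aces, ip, port) for ip, port in cases}


if __name__ == "__main__":
    # Constructed sample sessions, not from the thread.
    sessions = [("1.1.1.7", 22), ("1.1.1.7", 23), ("2.2.2.9", 23),
                ("2.2.2.9", 22), ("10.0.0.5", 22), ("10.0.0.5", 23)]
    for name, acl in (("vty-list (extended)", EXTENDED_VTY_LIST),
                      ("vty (standard)", STANDARD_VTY)):
        print(name)
        for (ip, port), verdict in decision_table(acl, sessions).items():
            print(f"  {ip:>10} port {port}: {verdict}")
```

The standard list permits 10.0.0.5 on both 22 and 23, while the extended list admits 1.1.1.7 on 22 only and 2.2.2.9 on 23 only; everything else falls through to the implicit deny.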
From tvarriale at comcast.net Fri Sep 5 10:25:23 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 5 Sep 2008 09:25:23 -0500
Subject: [c-nsp] FWSM failover transparent mode
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
Message-ID: <005101c90f63$3c73f0e0$f211a8c0@flamadam>

I'm running 3.2(6) fairly well in production. I would go up to 3.2(4) or better.

tv

----- Original Message -----
From: "Holemans Wim"
To:
Sent: Friday, September 05, 2008 3:35 AM
Subject: [c-nsp] FWSM failover transparent mode

> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
> month. Now we are thinking about buying a second FWSM to do failover in
> order to limit downtime and facilitate upgrades: most of our servers
> are connected to the 6513 carrying this FWSM.
>
> We use the 2 standard virtual contexts of the FWSM, both in transparent
> mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats
>
> "CSCm73157 : Failover is not working in transparent mode..."
>
> Does anyone have experience with FWSM failover in transparent mode? Does this
> really not work?
>
> Does it work under 3.2 or 4.0?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
>
> Netwerkdienst Universiteit Antwerpen
>

From nic.tjirkalli at za.verizonbusiness.com Fri Sep 5 10:36:08 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Fri, 5 Sep 2008 16:36:08 +0200 (SAST)
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080905120724.GI15736@rtp-cse-489.cisco.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com>
Message-ID:

howdy ho,

> But make sure you do:
>
> config t
>  int null 0
>   no ip unreachables
>
> The ACL drops are, last I checked, rate limit punts.

this is interesting - there is a good article detailing CEF and CPU punting at:
http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html

Reading that and this posting begs the question - if there is a large amount of ACL drops and these packets are punted to the CPU and the CPU rate-limit for punted packets has been exceeded, then possibly packets that need to be CPU processed will be dropped in favour of ACL denied packets - this seems a bit ridiculous.

Any way to get ACL dropped packets not to be CPU punted, or to use control-plane policing to discard them before they hit the CPU?

thanx

>
> If it's high CPU at IP Input, you really need 12.4(20)T and to get
> a sniffer trace in the punt path to see what traffic it really is.
>
> Rodney
>
> On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
>> On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
>>> 2008/9/4 Stephen Kratzer :
>>>> The 'log' keyword will cause matching packets to not be CEF switched.
>>>
>>> nope, log is not present.
>>>
>>>> Also, if
>>>> you're denying a lot of traffic from a certain source, you might want to
>>>> just bit-bucket it rather than sending ICMP responses.
>>>
>>> you mean - "no ip unreachables"?
>>
>> You could match the access list in a route map and set the outbound interface
>> to Null0.
>

---------------------------------------------------------------------
It's hard to be nostalgic when you can't remember anything good.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd.
This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.
Company Information: http://www.verizonbusiness.com/za/contact/legal/

From serge.devorop at gmail.com Fri Sep 5 10:38:30 2008
From: serge.devorop at gmail.com (Sergey Voropaev)
Date: Fri, 5 Sep 2008 18:38:30 +0400
Subject: [c-nsp] free WAN emulation software
Message-ID:

Hi guys,

Could anyone recommend free WAN (wide area network) emulator software? I need to find a solution for the following reason. We have some network applications and we want to know how well these applications work over the WAN with predefined parameters. The better emulator must support operations with more parameters. The main parameters are delay, jitter, throughput, bit errors, packet loss, resequencing, etc.
I think that this should be a server with two NICs and installed software; such software is what I'm looking for.

From MLouis at nwnit.com Fri Sep 5 11:22:40 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 5 Sep 2008 11:22:40 -0400
Subject: [c-nsp] free WAN emulation software
In-Reply-To:
References:
Message-ID:

Check out the WAN bridge software on the Cisco WAAS software download site. It's a live CD. Should be your best bet.

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Sergey Voropaev [serge.devorop at gmail.com]
Sent: Friday, September 05, 2008 10:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] free WAN emulation software

Hi guys,

Could anyone recommend free WAN (wide area network) emulator software? I need to find a solution for the following reason. We have some network applications and we want to know how well these applications work over the WAN with predefined parameters. The better emulator must support operations with more parameters. The main parameters are delay, jitter, throughput, bit errors, packet loss, resequencing, etc.

I think that this should be a server with two NICs and installed software; such software is what I'm looking for.

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From matt at deploylinux.net Fri Sep 5 10:52:42 2008
From: matt at deploylinux.net (Matthew Marlowe)
Date: Fri, 5 Sep 2008 07:52:42 -0700
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To:
References: <48C08099.6060908@uol.com.br>
Message-ID: <006c01c90f67$0d3428a0$279c79e0$@net>

Cisco actually is pretty honest about the performance of the routers with most/all security features enabled if you go to the QA section of the product pages and click on the router model and look for the question "What is the performance of router XX?". At which point, they'll state that a Cisco 3845 can process a single T3 and that the 28xx's performance is measured in multiples of T-1's (with 2851 being 6xT1 and 2801 being 1xT1).

I've done some measuring of 2800/3800 series performance and the statements seem to be borne out. If you have the ACLs/inspection/IPS enabled, a 3845 really will give out around 50Mbps, even though the router is rated with a raw capacity of ~250Mbps. If you just have reasonable ACLs and stateful firewall/inspection features, performance seems to double and you might get ~100Mbps on a 3845 imho; I'd think the ratio would be about the same on a 28xx (2851 -> 18Mbps?). Your mileage may vary.

The recommendation to look at ASA's is pretty good and would be cheaper. Otherwise, among the ISR's, a 3825 would be the safe bet.
Regards,
Matt
--
Matthew Marlowe                      matt at deploylinux.net
DeployLinux Consulting, Inc          Direct: 858-217-5730
Senior Infrastructure Consultant     Office: 888-459-0515
Cell: 805-857-9144  Fax: 858-876-1692  YIM:deploylinuxconsulting

Designing, Securing, and Maintaining Mission Critical Linux Servers
for Successful Internet Applications

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Buhrmaster, Gary
Sent: Thursday, September 04, 2008 8:41 PM
To: Dan Letkeman; giulianocm at uol.com.br; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Recommended 2800 ISR

> I have read that document before, do those numbers (2811 - 61.44mbps
> CEF Fast switching) mean that it can process that bandwidth with
> nothing else running on the router?

With the wind behind the bits heading downhill.
The first paragraph says:

    Numbers are given with 64 byte packet size, IP only,
    and are only an indication of raw switching performance.
    These are testing numbers, usually with FE to FE or POS
    to POS, no services enabled. As you add ACL's, encryption,
    compression, etc - performance will decline significantly
    from the given numbers ....

The moment you add (for example) NAT or Firewall features, expect significantly less performance. As always, your Mbps will vary and your situation will be unique (and almost never to your benefit).
From agristina+cisco-nsp at gmail.com Fri Sep 5 12:00:30 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Fri, 5 Sep 2008 09:00:30 -0700
Subject: [c-nsp] free WAN emulation software
In-Reply-To:
References:
Message-ID: <70bb1b8f0809050900j2adf0cb1ide6f91d6519cf71@mail.gmail.com>

The open-source options are dummynet on BSD:
http://info.iet.unipi.it/~luigi/ip_dummynet/

which is good for emulating links 100Mb or slower; I think it needs patches if you are going to emulate long fat pipes. I used the boot floppy; it is easier to use if you have some unix experience.

or NISTnet on Linux (the traffic shaping stuff is now in kernel). But I find it is old, and that netem is better in Linux - basically the tc commands:
http://www.linuxfoundation.org/en/Net:Netem

On Fri, Sep 5, 2008 at 7:38 AM, Sergey Voropaev wrote:
> Hi guys,
>
> Could anyone recommend free WAN (wide area network) emulator software? I
> need to find a solution for the following reason. We have some network
> applications and we want to know how well these applications work over
> the WAN with predefined parameters. The better emulator must support
> operations with more parameters. The main parameters are delay, jitter,
> throughput, bit errors, packet loss, resequencing, etc.
>
> I think that this should be a server with two NICs and installed software;
> such software is what I'm looking for.
>

From gert at greenie.muc.de Fri Sep 5 12:13:20 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 5 Sep 2008 18:13:20 +0200
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <844ef89c0809040711w480d9586peaade37cc4054102@mail.gmail.com>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <20080904132355.GA17595@mx.ytti.net> <844ef89c0809040711w480d9586peaade37cc4054102@mail.gmail.com>
Message-ID: <20080905161320.GK17238@greenie.muc.de>

Hi,

On Thu, Sep 04, 2008 at 04:11:06PM +0200, David Granzer wrote:
> RSP720 comes with 3C(XL) and SUP720 with 3B(XL).

And Sup720-10G (which is nowadays marked as "VSS-something") with 3C(XL) again.

Always remember: whatever you expect from the 7600 series: if it's not there at the day of purchasing, and Cisco sales promises you something, don't believe anything. The 7600 BU is not to be trusted. (Plus: expect useful features to suddenly go away).

Consider a Juniper M7i or something if all you need is 2 GE ports and the option for WANs.

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From ecables at gmail.com Fri Sep 5 12:17:03 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 5 Sep 2008 09:17:03 -0700
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au> <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local>
Message-ID:

Zenoss has two versions, Zenoss Community (free) and Zenoss Enterprise (not free). The only notable feature, for network management, I see in Zenoss Enterprise is the RANCID ZenPack.

The community version is pretty full featured, and looks very cool (I tested it out for a few days). Unfortunately, it is very robust, which translates to a lot of overhead management to get it running properly. Nagios, in comparison, just "works", and can be set up relatively quickly.

Is anyone out there using Zenoss for network monitoring? How do you like it?

--
Eric Cables

On Fri, Sep 5, 2008 at 1:50 AM, Aaron Riemer wrote:
> Zenoss looks cool but it looks like you have to pay for that software :)
>
> Cheers for the ideas.
>
> Aaron.
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels -
> Lists
> Sent: Friday, 5 September 2008 2:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> Also take a look at Zenoss
> www.zenoss.org
>
> Aaron
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Daniel Hooper
>> Sent: Friday, 5 September 2008 12:55 PM
>> To: Aaron Riemer
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>>
>> www.nagios.org
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
>> Sent: Friday, 5 September 2008 9:00 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Dashboard Network Monitoring Software
>>
>> Hi Guys,
>>
>> Is anyone out there using any open source or free dashboard network
>> monitoring software? I would like to have a map background with our
>> sites and possibly blink the sites RED if the site stopped responding
>> to pings or SNMP queries etc? I know Solarwinds and HP Openview are good
>> but we are not willing to shell out the money just for a dashboard.
>>
>> Cheers,
>>
>> Aaron.
>>
>> LEGAL DISCLAIMER: This message contains confidential information and is
>> intended only for the individual named. If you are not the named
>> addressee you should not disseminate, distribute or copy this e-mail.
>> Please notify the sender immediately by e-mail if you have received this
>> e-mail by mistake and delete this e-mail from your system. If you are
>> not the intended recipient you are notified that disclosing, copying,
>> distributing or taking any action in reliance on the contents of this
>> information is strictly prohibited.
From jml at packetpimp.org Fri Sep 5 12:18:21 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Fri, 05 Sep 2008 12:18:21 -0400
Subject: [c-nsp] Recommended 2800 ISR
In-Reply-To:
References:
Message-ID: <48C15BCD.6060805@packetpimp.org>

I have two 2811s with a full view on each and partial for iBGP, no issues.

Justin M. Streiner wrote:
> On Thu, 4 Sep 2008, Dan Letkeman wrote:
>
>> I was wondering if anyone has recommendations for a 2800 series router
>> for a 20-30mbit internet connection.
>> I would like to run a firewall
>> IOS and NAT and basic ACLs. Would a 2811 be an appropriate choice?
>
> If you're not running BGP with full feeds, you *might* be able to get
> away with a 2811, given that you're running IOS firewall and NAT as
> well, but you probably wouldn't have much headroom for growth, or if you
> decide you need additional features in the future (Netflow, QoS, routing
> protocols, etc).
>
> jms

From tvarriale at comcast.net Fri Sep 5 12:16:00 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 5 Sep 2008 11:16:00 -0500
Subject: [c-nsp] Recommended 2800 ISR
References: <48C08099.6060908@uol.com.br> <006c01c90f67$0d3428a0$279c79e0$@net>
Message-ID: <000e01c90f72$b0164e30$f211a8c0@flamadam>

I would agree. I've actually found they are a little conservative in their numbers from their concentrators up to the routers.

tv

----- Original Message -----
From: "Matthew Marlowe"
To: "'Buhrmaster, Gary'" ; "'Dan Letkeman'" ; ;
Sent: Friday, September 05, 2008 9:52 AM
Subject: Re: [c-nsp] Recommended 2800 ISR

> Cisco actually is pretty honest about the performance of the routers with
> most/all security features enabled if you go to the QA section of the
> product pages and click on the router model and look for the question "What is
> the performance of router XX?". At which point, they'll state that a
> Cisco 3845 can process a single T3 and that the 28xx's performance is
> measured in multiples of T-1's (with 2851 being 6xT1 and 2801 being 1xT1).
>
> I've done some measuring of 2800/3800 series performance and the
> statements seem to be borne out. If you have the ACLs/inspection/IPS
> enabled, a 3845 really will give out around 50Mbps, even though the
> router is rated with a raw capacity of ~250Mbps. If you just have
> reasonable ACLs and stateful firewall/inspection features, performance
> seems to double and you might get ~100Mbps on a 3845 imho; I'd think
> the ratio would be about the same on a 28xx (2851 -> 18Mbps?). Your
> mileage may vary.
>
> The recommendation to look at ASA's is pretty good and would be cheaper.
> Otherwise, among the ISR's, a 3825 would be the safe bet.
>
> Regards,
> Matt
> --
> Matthew Marlowe                      matt at deploylinux.net
> DeployLinux Consulting, Inc          Direct: 858-217-5730
> Senior Infrastructure Consultant     Office: 888-459-0515
> Cell: 805-857-9144  Fax: 858-876-1692  YIM:deploylinuxconsulting
>
> Designing, Securing, and Maintaining Mission Critical Linux Servers
> for Successful Internet Applications
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Buhrmaster, Gary
> Sent: Thursday, September 04, 2008 8:41 PM
> To: Dan Letkeman; giulianocm at uol.com.br; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Recommended 2800 ISR
>
>
>> I have read that document before, do those numbers (2811 - 61.44mbps
>> CEF Fast switching) mean that it can process that bandwidth with
>> nothing else running on the router?
>
> With the wind behind the bits heading downhill.
> The first paragraph says:
>
>     Numbers are given with 64 byte packet size, IP only,
>     and are only an indication of raw switching performance.
>     These are testing numbers, usually with FE to FE or POS
>     to POS, no services enabled. As you add ACL's, encryption,
>     compression, etc - performance will decline significantly
>     from the given numbers ....
>
> The moment you add (for example) NAT or Firewall features,
> expect significantly less performance. As always, your
> Mbps will vary and your situation will be unique (and
> almost never to your benefit).

From paul.cosgrove at heanet.ie Fri Sep 5 12:38:35 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Fri, 05 Sep 2008 17:38:35 +0100
Subject: [c-nsp] disabling 3750 mac address learning
In-Reply-To: <20080905.133337.74700578.sthaug@nethelp.no>
References: <48C0F619.3090903@heanet.ie> <20080905.133337.74700578.sthaug@nethelp.no>
Message-ID: <48C1608B.3000508@heanet.ie>

sthaug at nethelp.no wrote:
>> Noticed that the 3750 ios 12.2(46)SE release supports the disabling of
>> mac address learning per vlan. Does anyone have any experience with
>> this release yet?
>>
>> The feature seems to have been introduced earlier in the 3650s and has
>> obviously been in ME switches for a while.
>
> The feature has been there longer, in the form of an RSPAN-enabled VLAN.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>

Thanks Steinar,

I think there are a few differences between these. The command docs say the following about RSPAN VLANs:

- All traffic in the RSPAN VLAN is always flooded.
- No MAC address learning occurs on the RSPAN VLAN.
- RSPAN VLAN traffic only flows on trunk ports.
- RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
- STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
- An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

The first and third points suggest that for RSPAN VLANs you:

- cannot use static mac assignments
- cannot use access ports

Paul.

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040  Web: http://www.heanet.ie
Company registered in Ireland: 275301
Please consider the environment before printing this e-mail.

From Gregori.Parker at theplatform.com Fri Sep 5 12:49:13 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Fri, 5 Sep 2008 09:49:13 -0700
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To:
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au> <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local>
Message-ID: <1A9866F953006D45AEE0166066114E091307F95A@TPMAIL02.corp.theplatform.com>

We just moved to Zenoss Ent for server monitoring, and I think it was a great move. In my tests however, Zenoss simply didn't cut it for managing/monitoring our network devices - at least not without weeks of template customization.

So my search for the ultimate NMS for network devices continues... until then I'll continue to segment NMS responsibilities into various subcategories (fault mgmt, config mgmt, security mgmt, perf mgmt, capacity mgmt, etc) and handle those with a mix of tools.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Cables
Sent: Friday, September 05, 2008 9:17 AM
To: Aaron Riemer
Cc: Aaron Daniels - Lists; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Dashboard Network Monitoring Software

Zenoss has two versions, Zenoss Community (free) and Zenoss Enterprise (not free). The only notable feature, for network management, I see in Zenoss Enterprise is the RANCID ZenPack.
The community version is pretty full featured, and looks very cool (I
tested it out for a few days). Unfortunately, it is very robust, which
translates to a lot of overhead management to get it running properly.
Nagios, in comparison, just "works", and can be set up relatively quickly.

Is anyone out there using Zenoss for network monitoring? How do you like it?

--
Eric Cables

On Fri, Sep 5, 2008 at 1:50 AM, Aaron Riemer wrote:
> Zenoss looks cool but it looks like you have to pay for that software :)
>
> Cheers for the ideas.
>
> Aaron.
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels -
> Lists
> Sent: Friday, 5 September 2008 2:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>
> Also take a look at Zenoss
> www.zenoss.org
>
> Aaron
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Daniel Hooper
>> Sent: Friday, 5 September 2008 12:55 PM
>> To: Aaron Riemer
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Dashboard Network Monitoring Software
>>
>> www.nagios.org
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
>> Sent: Friday, 5 September 2008 9:00 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Dashboard Network Monitoring Software
>>
>> Hi Guys,
>>
>> Is anyone out there using any open source or free dashboard network
>> monitoring software? I would like to have a map background with our
>> sites and possibly blink the sites RED if the site stopped responding
>> to pings or SNMP queries etc? I know Solarwinds and HP Openview are good
>> but we are not willing to shell out the money just for a dashboard.
>>
>> Cheers,
>>
>> Aaron.
>>
>> LEGAL DISCLAIMER: This message contains confidential information and is
>> intended only for the individual named. If you are not the named
>> addressee you should not disseminate, distribute or copy this e-mail.
>> Please notify the sender immediately by e-mail if you have received
>> this e-mail by mistake and delete this e-mail from your system. If you are
>> not the intended recipient you are notified that disclosing, copying,
>> distributing or taking any action in reliance on the contents of this
>> information is strictly prohibited.
From lowen at pari.edu Fri Sep 5 12:53:05 2008
From: lowen at pari.edu (Lamar Owen)
Date: Fri, 5 Sep 2008 12:53:05 -0400
Subject: [c-nsp] Surge protection on leased lines
Message-ID: <200809051253.05519.lowen@pari.edu>

On Thursday 04 September 2008 22:52:41 Ted Mittelstaedt wrote:
> They need a solid ground and suppression such as varistors
> connected between that ground and both wires of the pair
> that the SHDSL line is on. If you can get the specific
> code requirements for your municipality you can threaten
> to report your national telco to both the FCC and the
> local municipality if they do not install surge suppression.

[Previous poster]
> > Make sure your nid, smartbox, router are all grounded together and to
> > the electrical system ground. I suspect they are not if current is
> > flowing in and damaging your wic.

Make sure also that the grounding electrode for the telco and the
grounding electrode for the electrical are properly and effectively bonded
(as in the NEC Article 250 definition). I've seen numerous instances of
'properly' installed and connected lightning arrestors that were not
properly bonded to the electrical service ground; if the electrodes are
even a few feet apart they can, in the lightning field/current gradient of
a strike, easily have 15-50 thousand volts between 'grounds'.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From ecables at gmail.com Fri Sep 5 12:58:37 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 5 Sep 2008 09:58:37 -0700
Subject: [c-nsp] FWSM failover transparent mode
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>

Not to hijack this thread, but what modules are you using for server
connectivity in your 6513? We deployed some 6513s as SF switches long ago
(bad decision), and are now swapping them out with the 6509-E chassis due
to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
> month. Now we are thinking about buying a second FWSM to do failover in
> order to limit downtime and facilitate upgrades : most of our servers
> are connected to the 6513 carrying this FWSM.
>
> We use the 2 standard virtual contexts of the FWSM, both in transparent
> mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats
>
> "CSCm73157 : Failover is not working in transparent mode..."
>
> Does anyone have experience with FWSM failover in transparent mode ? Does
> this really not work ?
>
> Does it work under 3.2 or 4.0 ?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
>
> Netwerkdienst Universiteit Antwerpen
>

From A.L.M.Buxey at lboro.ac.uk Fri Sep 5 13:22:19 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 5 Sep 2008 18:22:19 +0100
Subject: [c-nsp] Dashboard Network Monitoring Software
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au> <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local>
Message-ID: <20080905172219.GB14050@lboro.ac.uk>

Hi,

> Is anyone out there using Zenoss for network monitoring? How do you like it?

I worry that I find myself spending too long trying to get a huge variety
of monitoring systems actually working - and then configured to work
properly and 'look nice' or be usable by our local community (eg using AD
authentication instead of a noddy local pwd file or database password
system like so many want...). I feel that I am not alone in missing out on
a really cool piece of software simply because of being burnt by so many
other tools. We still run some of the older hardy tools that many would
recommend - NAGIOS, NetDISCO, Rancid, MRTG, RTG, + a couple of other
random bits.

These recent discussions are quite informative but without a nice resource
or consensus I feel that many useful ones might get lost in the melee etc.

I'm also after something that has the fancy gfx that mgmt like eg
solarwinds console - but without the price tag - AND with some actually
useful stuff under the hood - any further recommendations?
alan

From sthaug at nethelp.no Fri Sep 5 13:22:50 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 05 Sep 2008 19:22:50 +0200 (CEST)
Subject: [c-nsp] disabling 3750 mac address learning
In-Reply-To: <48C1608B.3000508@heanet.ie>
References: <48C0F619.3090903@heanet.ie> <20080905.133337.74700578.sthaug@nethelp.no> <48C1608B.3000508@heanet.ie>
Message-ID: <20080905.192250.74733578.sthaug@nethelp.no>

> I think there are a few differences between these. The command docs say
> the following about RSPAN VLANs:
> - All traffic in the RSPAN VLAN is always flooded.
> - No MAC address learning occurs on the RSPAN VLAN.
> - RSPAN VLAN traffic only flows on trunk ports.
> - RSPAN VLANs must be configured in VLAN configuration mode by using the
> remote-span VLAN configuration mode command.
> - STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
> - An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.

Absolutely - the commands are not equivalent. What I was trying to say
was that the technical ability to disable MAC address learning has existed
for a while. I am glad that it can now be done explicitly instead of being
"hidden away" in the form of RSPAN.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From razor at meganet.net Fri Sep 5 12:36:33 2008
From: razor at meganet.net (Paul A)
Date: Fri, 5 Sep 2008 12:36:33 -0400
Subject: [c-nsp] can't ping from router
Message-ID: <012001c90f75$8e65db40$ab3191c0$@net>

Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
Everything is working and has been working without any issues. However
digging around I came across a weird problem. It seems that from the 7200
terminating router I can't ping any of the pppoe user's ip addresses but I
can from outside the 7200.

I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is
everything is working but my virtual-template shows that it's down.
stingray-capedsl-gw#sh int virtual-template 1
Virtual-Template1 is down, line protocol is down

Should this interface not be showing as up/up? And is this the reason I
can't seem to ping from within the 7200.

Thanks P.

bba-group pppoe pppoeusers
 virtual-template 1
 service profile pppoeusers
 sessions per-mac limit 1
 sessions auto cleanup

interface Virtual-Template1
 description xxxx
 mtu 1492
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 peer default ip address pool pppoeuserspool
 ppp authentication pap pppoeusers
 ppp authorization pppoeusers
 ppp ipcp dns xxxx
 ppp ipcp address required
 ppp ipcp address unique

interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables

ip local pool pppoeuserspool xxxx.2 xxxx.254

From moua0100 at umn.edu Fri Sep 5 13:37:35 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 5 Sep 2008 12:37:35 -0500
Subject: [c-nsp] FWSM failover transparent mode
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
Message-ID: <032001c90f7e$15948280$31dd5ea0@ad.umn.edu>

We experienced the reboots too; there are also bugs in this revision code
train for ethertype ACLs. We migrated to 3.2(4) & all is fixed.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Cables
Sent: Friday, September 05, 2008 11:59 AM
To: Holemans Wim
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server
connectivity in your 6513? We deployed some 6513s as SF switches long ago
(bad decision), and are now swapping them out with the 6509-E chassis due
to the need for additional performance (6748s in all slots).
--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
> month. Now we are thinking about buying a second FWSM to do failover
> in order to limit downtime and facilitate upgrades : most of our
> servers are connected to the 6513 carrying this FWSM.
>
> We use the 2 standard virtual contexts of the FWSM, both in
> transparent mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats
>
> "CSCm73157 : Failover is not working in transparent mode..."
>
> Does anyone have experience with FWSM failover in transparent mode ? Does
> this really not work ?
>
> Does it work under 3.2 or 4.0 ?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
>
> Netwerkdienst Universiteit Antwerpen
>

From wim.holemans at ua.ac.be Fri Sep 5 13:50:02 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Fri, 5 Sep 2008 19:50:02 +0200
Subject: [c-nsp] FWSM failover transparent mode
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
Message-ID: <2F7B70885960AA42BE820036B3A8CDA02AC280@xmail06.ad.ua.ac.be>

48 port 10/100/1000mb EtherModule WS-X6148-GE-TX
Bought them without knowing about the 8port 1Gig limit ; We plan to
replace this construction next year with a VSS solution, type of 65XX not
yet chosen.
Wim Holemans

-----Original Message-----
From: Eric Cables [mailto:ecables at gmail.com]
Sent: Friday 5 September 2008 18:59
To: Holemans Wim
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM failover transparent mode

Not to hijack this thread, but what modules are you using for server
connectivity in your 6513? We deployed some 6513s as SF switches long ago
(bad decision), and are now swapping them out with the 6509-E chassis due
to the need for additional performance (6748s in all slots).

--
Eric Cables

On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim wrote:
> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
> month. Now we are thinking about buying a second FWSM to do failover in
> order to limit downtime and facilitate upgrades : most of our servers
> are connected to the 6513 carrying this FWSM.
>
> We use the 2 standard virtual contexts of the FWSM, both in transparent
> mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>
> In the release notes of 3.1.11 I however read under Open Caveats
>
> "CSCm73157 : Failover is not working in transparent mode..."
>
> Does anyone have experience with FWSM failover in transparent mode ? Does this
> really not work ?
>
> Does it work under 3.2 or 4.0 ?
>
> Any info would be appreciated before we invest more than 15K Euros...
>
> Wim Holemans
>
> Netwerkdienst Universiteit Antwerpen
>

From jim at tgasolutions.com Fri Sep 5 13:54:07 2008
From: jim at tgasolutions.com (Jim McBurnett)
Date: Fri, 5 Sep 2008 13:54:07 -0400
Subject: [c-nsp] latest stable...
In-Reply-To: <20080904062352.GQ233@greenie.muc.de>
References: <20080904062352.GQ233@greenie.muc.de>

Great...
For the G1-- all we need is BGP and Ethernet-- Nothing special..
Metro E fiber inbound and FIBER out...

Thanks,
Jim

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Thursday, September 04, 2008 2:24 AM
To: Jim McBurnett
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] latest stable...

Hi,

On Thu, Sep 04, 2008 at 12:05:22AM -0400, Jim McBurnett wrote:
> Now for the question-with these 2 bugs, and the other 389 BGP related bugs on this release-what are all of you having the best success on for a sup 720 on a 7606?

I'd go for SXF14.

> How about an NPE-G1 on a 7206?

Depending on your feature requirements - 12.3 main or 12.2SB.

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From r.engehausen at gmail.com Fri Sep 5 14:18:16 2008
From: r.engehausen at gmail.com (Roy)
Date: Fri, 05 Sep 2008 11:18:16 -0700
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <20080905172219.GB14050@lboro.ac.uk>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au> <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local> <20080905172219.GB14050@lboro.ac.uk>
Message-ID: <48C177E8.4070105@gmail.com>

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Is anyone out there using Zenoss for network monitoring? How do you like it?
>
> I worry that I find myself spending too long trying to get
> a huge variety of monitoring systems actually working - and
> then configured to work properly and 'look nice' or be usable
> by our local community (eg using AD authentication instead
> of a noddy local pwd file or database password system like
> so many want...) i feel that I am not alone in missing out
> on a really cool piece of software simply because of being
> burnt by so many other tools.
> - we still run some of the older
> hardy tools that many would recommend - NAGIOS, NetDISCO,
> Rancid, MRTG, RTG, + a couple of other random bits.
>
> these recent discussions are quite informative but without
> a nice resource or consensus I feel that many useful ones
> might get lost in the melee etc.
>
> I'm also after something that has the fancy gfx that mgmt like
> eg solarwinds console - but without the price tag - AND with some
> actually useful stuff under the hood - any further recommendations?
>
> alan
>

Opsview (http://www.opsview.org)

From rodunn at cisco.com Fri Sep 5 14:42:03 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 5 Sep 2008 14:42:03 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com>
Message-ID: <20080905184202.GD20054@rtp-cse-489.cisco.com>

On Fri, Sep 05, 2008 at 04:36:08PM +0200, Nic Tjirkalli wrote:
> howdy ho,
>
> >But make sure you do:
> >
> >config t
> >int null 0
> >no ip unreachables
> >
> >The ACL drops are, last I checked, rate limit punts.
>
> this is interesting - there is a good article detailing cef and CPU
> punting at :-
> http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html
>
> Reading that and this posting begs the question
> - if there is a large amount of ACL drops and these packets are punted to
> CPU and the CPU rate-limit for punted packets has been exceeded, then
> possible packets that need to be CPU processed will be dropped in favour
> of ACL denied packets

That's not true. The packets are dropped under interrupt that match the
ACL deny other than punting some to generate the unreachable. You will
always deny them.

> - this seems a bit ridiculous.
>
> Any way to get acl dropped packets not to be CPU punted or to use
> control-plane policing to discard them before they hit the CPU?
>
> thanx
>
> >If it's high CPU at IP Input really need 12.4(20)T and get
> >a sniffer trace in the punt path to see what traffic it really is.
> >
> >Rodney
> >
> >On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> >>On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> >>>2008/9/4 Stephen Kratzer :
> >>>>The 'log' keyword will cause matching packets to not be CEF switched.
> >>>
> >>>nope, log is not present.
> >>>
> >>>>Also, if
> >>>>you're denying a lot of traffic from a certain source, you might want to
> >>>>just bit-bucket it rather than sending ICMP responses.
> >>>
> >>>you mean - "no ip unreachables"?
> >>
> >>You could match the access list in a route map and set the outbound
> >>interface to Null0.
>
> ---------------------------------------------------------------------
> It's hard to be nostalgic when you can't remember anything good.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
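As an added illustration of the point Rodney makes above (this is not configuration from any of the posters), the IOS fragment below puts the two states side by side: a deny ACL with ICMP unreachables left enabled, where the denied packets are dropped in the interrupt path but some are still punted so the CPU can build the unreachable, and the same ACL with unreachable generation switched off on the ingress interface and on Null0, followed by the show commands that confirm the ACL still drops while the punts stop. The interface names, the ACL name EDGE-IN and the 192.0.2.0/24 and 198.51.100.0/30 addresses are assumptions made for the example.

```cisco
! Added example, not from the thread. Interface names, the ACL name and
! the 192.0.2.0/24 / 198.51.100.0/30 addresses are assumptions.
!
! --- Weak: ACL denies with unreachables enabled. Denied packets are
! --- dropped in the interrupt (CEF) path, but some are punted to
! --- process level so the CPU can generate the ICMP unreachable.
! --- Keep 'log' off the deny entries: as noted earlier in the thread,
! --- logged matches are not CEF switched.
ip access-list extended EDGE-IN
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group EDGE-IN in
 ip unreachables
!
! --- Corrected: same ACL, but no unreachables on the ingress interface
! --- (where the ACL-deny unreachables originate) and none on Null0
! --- (where route-to-Null0 drops land, per Rodney's advice).
interface GigabitEthernet0/0
 no ip unreachables
!
interface Null0
 no ip unreachables
!
! Where unreachables must stay on (e.g. for PMTUD on a customer-facing
! interface), widen the global interval instead; the router then sends
! at most one unreachable per interval (default 500 ms).
ip icmp rate-limit unreachable 1000
!
! Checks: the "unreachable" counter under "ICMP statistics: Sent" in
! 'show ip traffic' should stop climbing, IP Input should drop out of
! the top of 'show processes cpu sorted', and the deny line's match
! counter in 'show access-lists EDGE-IN' keeps rising, showing that
! the ACL still discards the traffic without involving the CPU.
```

The configuration leaves the deny in place: the point is not to stop dropping the traffic but to stop the router doing per-packet work for traffic it has already decided to discard.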
From tvarriale at comcast.net Fri Sep 5 14:57:56 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 5 Sep 2008 13:57:56 -0500
Subject: [c-nsp] FWSM failover transparent mode
References: <2F7B70885960AA42BE820036B3A8CDA02AC25B@xmail06.ad.ua.ac.be>
Message-ID: <001601c90f89$4f29b780$f211a8c0@flamadam>

6748s here. The customer was considering VSS but it didn't/doesn't support
FWSM and ACE. So, he's stuck for a bit.

tv

----- Original Message -----
From: "Eric Cables"
To: "Holemans Wim"
Cc:
Sent: Friday, September 05, 2008 11:58 AM
Subject: Re: [c-nsp] FWSM failover transparent mode

> Not to hijack this thread, but what modules are you using for server
> connectivity in your 6513? We deployed some 6513s as SF switches long
> ago (bad decision), and are now swapping them out with the 6509-E
> chassis due to the need for additional performance (6748s in all
> slots).
>
> --
> Eric Cables
>
> On Fri, Sep 5, 2008 at 1:35 AM, Holemans Wim
> wrote:
>> Just upgraded our FWSM to version 3.1.11 after 3 random crashes in a
>> month. Now we are thinking about buying a second FWSM to do failover in
>> order to limit downtime and facilitate upgrades : most of our servers
>> are connected to the 6513 carrying this FWSM.
>>
>> We use the 2 standard virtual contexts of the FWSM, both in transparent
>> mode, 8 bridged vlans on one, 2 bridged vlans on the second.
>>
>> In the release notes of 3.1.11 I however read under Open Caveats
>>
>> "CSCm73157 : Failover is not working in transparent mode..."
>>
>> Does anyone have experience with FWSM failover in transparent mode ? Does this
>> really not work ?
>>
>> Does it work under 3.2 or 4.0 ?
>>
>> Any info would be appreciated before we invest more than 15K Euros...
>>
>> Wim Holemans
>>
>> Netwerkdienst Universiteit Antwerpen
>>

From jcartier at acs.on.ca Fri Sep 5 15:15:11 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Fri, 5 Sep 2008 15:15:11 -0400
Subject: [c-nsp] Service-Policy on 1800 SVI

Hey Everyone,

I'm running into an issue on an 1841 router where I have an internet feed
coming into one of the integrated switchports....I have the vlan that the
switchport is configured in as an EtherSVI with a public IP address.

I need to configure a policy-map with QoS but it appears you cannot
configure a service-policy on an EtherSVI...Is this correct?

After finding that heartbreaker out I then tried applying the
service-policy to the switchport...it takes, but of course doesn't show any
matches and rates using 'show policy-map interface Fa0/9'.

So my question would be...how do I configure QoS on an 1841 Router when my
interface is an EtherSVI?

Sincerely,
Jeff

From christian at broknrobot.com Fri Sep 5 15:45:50 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 5 Sep 2008 15:45:50 -0400
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local>

you can also try a weather map like below...
http://www.network-weathermap.com/
http://netmon.grnet.gr/weathermap/#docs

On Thu, Sep 4, 2008 at 9:00 PM, Aaron Riemer wrote:
> Hi Guys,
>
> Is anyone out there using any open source or free dashboard network
> monitoring software? I would like to have a map background with our
> sites and possibly blink the sites RED if the site stopped responding to
> pings or SNMP queries etc? I know Solarwinds and HP Openview are good
> but we are not willing to shell out the money just for a dashboard.
>
> Cheers,
>
> Aaron.
>

From kratzers at pa.net Fri Sep 5 15:47:09 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Fri, 5 Sep 2008 15:47:09 -0400
Subject: [c-nsp] can't ping from router
In-Reply-To: <012001c90f75$8e65db40$ab3191c0$@net>
References: <012001c90f75$8e65db40$ab3191c0$@net>
Message-ID: <200809051547.09702.kratzers@pa.net>

On Friday 05 September 2008 12:36:33 Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
> Everything is working and has been working without any issues. However
> digging around I came across a weird problem. It seems that from the 7200
> terminating router I can't ping any of the pppoe user's ip addresses but I
> can from outside the 7200.
>
> I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is
> everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I
> can't seem to ping from within the 7200.
>
> Thanks P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description xxxx
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns xxxx
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool xxxx.2 xxxx.254
>

The Virtual-Template interface should be down/down. Since it's not a real
interface, and it's not associated with a real interface with a real
status, it won't have L1/L2 statuses. Maybe try sourcing the pings from
Loop0.

From pdavis at i2k.com Fri Sep 5 15:05:15 2008
From: pdavis at i2k.com (Phil Davis)
Date: Fri, 05 Sep 2008 15:05:15 -0400
Subject: [c-nsp] can't ping from router
In-Reply-To: <012001c90f75$8e65db40$ab3191c0$@net>
References: <012001c90f75$8e65db40$ab3191c0$@net>
Message-ID: <48C182EB.6030201@i2k.com>

Hello,

Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
> Everything is working and has been working without any issues. However
> digging around I came across a weird problem.
> It seems that from the 7200
> terminating router I can't ping any of the pppoe user's ip addresses but I
> can from outside the 7200.
>
> I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is
> everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I
> can't seem to ping from within the 7200.
>
> Thanks P.
>
> bba-group pppoe pppoeusers
>  virtual-template 1
>  service profile pppoeusers
>  sessions per-mac limit 1
>  sessions auto cleanup
>
> interface Virtual-Template1
>  description xxxx
>  mtu 1492
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  peer default ip address pool pppoeuserspool
>  ppp authentication pap pppoeusers
>  ppp authorization pppoeusers
>  ppp ipcp dns xxxx
>  ppp ipcp address required
>  ppp ipcp address unique
>
> interface Loopback0
>  no ip address
>  no ip redirects
>  no ip unreachables
>
> ip local pool pppoeuserspool xxxx.2 xxxx.254
>

You've defined a helper interface for the Virtual-Template, but that
interface does not have an IP address, so it's trying to send pings from
an unnumbered address. If you put an address on Loopback0, pings will
work.
Phil

From razor at meganet.net Fri Sep 5 16:05:50 2008
From: razor at meganet.net (Paul A)
Date: Fri, 5 Sep 2008 16:05:50 -0400
Subject: [c-nsp] can't ping from router
In-Reply-To: <200809051547.09702.kratzers@pa.net>
References: <012001c90f75$8e65db40$ab3191c0$@net> <200809051547.09702.kratzers@pa.net>
Message-ID: <017901c90f92$cb2d3830$6187a890$@net>

Gotcha, I guess the interface showing down/down was weird to me because I
have used other virtual-templates that were always up, but looking back
it's because they were ip unnumbered from a real interface, thus L1/L2
stats. As for the pings I sourced them from multiple ips/interfaces and I
still get no replies from within the router, which is just weird; maybe
it's the version of IOS I'm using? Version 12.4(10)FC1

Paul

-----Original Message-----
From: Stephen Kratzer [mailto:kratzers at pa.net]
Sent: Friday, September 05, 2008 3:47 PM
To: cisco-nsp at puck.nether.net
Cc: Paul A
Subject: Re: [c-nsp] can't ping from router

On Friday 05 September 2008 12:36:33 Paul A wrote:
> Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP.
> Everything is working and has been working without any issues. However
> digging around I came across a weird problem. It seems that from the 7200
> terminating router I can't ping any of the pppoe user's ip addresses but I
> can from outside the 7200.
>
> I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is
> everything is working but my virtual-template shows that it's down.
>
> stingray-capedsl-gw#sh int virtual-template 1
> Virtual-Template1 is down, line protocol is down
>
> Should this interface not be showing as up/up? And is this the reason I
> can't seem to ping from within the 7200.
>
> Thanks P.
> > > bba-group pppoe pppoeusers > virtual-template 1 > service profile pppoeusers > sessions per-mac limit 1 > sessions auto cleanup > > > interface Virtual-Template1 > description xxxx > mtu 1492 > ip unnumbered Loopback0 > no ip redirects > no ip unreachables > peer default ip address pool pppoeuserspool > ppp authentication pap pppoeusers > ppp authorization pppoeusers > ppp ipcp dns xxxx > ppp ipcp address required > ppp ipcp address unique > > interface Loopback0 > no ip address > no ip redirects > no ip unreachables > > ip local pool pppoeuserspool xxxx.2 xxxx.254 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ The Virtual-Template interface should be down/down. Since it's not a real interface, and it's not associated with a real interface with a real status, it won't have L1/L2 statuses. Maybe try sourcing the pings from Loop0. No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.16/1651 - Release Date: 9/4/2008 6:57 AM From razor at meganet.net Fri Sep 5 16:59:17 2008 From: razor at meganet.net (Paul A) Date: Fri, 5 Sep 2008 16:59:17 -0400 Subject: [c-nsp] can't ping from router In-Reply-To: <48C182EB.6030201@i2k.com> References: <012001c90f75$8e65db40$ab3191c0$@net> <48C182EB.6030201@i2k.com> Message-ID: <019c01c90f9a$42addac0$c8099040$@net> Phil, I was thinking that might be the issue and once I assigned an ip it worked and now I can ping. I was testing from a source interface that was up with an ip and wasn't getting replies but that's because it was sending replies to the helper interface. Thanks for pointing that out to me. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Davis Sent: Friday, September 05, 2008 3:05 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] can't ping from router Hello, Paul A wrote: > Hi, I have a 7200 terminating some pppoe customers using BBA-GROUP. > Everything is working and has been working without any issues. However > digging around I came across a weird problem. It seems that from the 7200 > terminating router I can't ping any of the pppoe user's ip addresses but I > can from outside the 7200. > > I'm using a BBA-GROUP that references Virtual-Template 1, the weird part is > everything is working but my virtual-template shows that its down. > > stingray-capedsl-gw#sh int virtual-template 1 > Virtual-Template1 is down, line protocol is down > > Should this interface not be showing as up/up? And is this the reason my I > can't seem to ping from within the 7200. > > Thanks P. > > > bba-group pppoe pppoeusers > virtual-template 1 > service profile pppoeusers > sessions per-mac limit 1 > sessions auto cleanup > > > interface Virtual-Template1 > description xxxx > mtu 1492 > ip unnumbered Loopback0 > no ip redirects > no ip unreachables > peer default ip address pool pppoeuserspool > ppp authentication pap pppoeusers > ppp authorization pppoeusers > ppp ipcp dns xxxx > ppp ipcp address required > ppp ipcp address unique > > interface Loopback0 > no ip address > no ip redirects > no ip unreachables > > ip local pool pppoeuserspool xxxx.2 xxxx.254 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > You've defined a helper interface for the Virtual-Template, but that interface does not have an IP address, so it's trying to send pings from an unnumbered address. 
If you put an address on Loopback0, pings will work. Phil _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.16/1651 - Release Date: 9/4/2008 6:57 AM From lowen at pari.edu Fri Sep 5 17:14:54 2008 From: lowen at pari.edu (Lamar Owen) Date: Fri, 5 Sep 2008 17:14:54 -0400 Subject: [c-nsp] Bridging over GRE tunnels. Message-ID: <200809051714.55143.lowen@pari.edu> Good afternoon. After lots of searching, I found that bridging over GRE tunnels is configurable, but unsupported. (yes, really: +++++++++ cr1-5509-rsfc-1(config)#bridge 1 protocol ieee cr1-5509-rsfc-1(config)#int tu0 cr1-5509-rsfc-1(config-if)#bridge-group 1 1d04h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down % This command is an unreleased and unsupported feature cr1-5509-rsfc-1(config-if)# 1d04h: Note: A random Spanning Tree Bridge Identifier address of 0000.0c92.7210 has been chosen for Bridge Group 1 since there is no mac address associated with the selected interface. 1d04h: Ensure that this address is unique. cr1-5509-rsfc-1(config-if)# +++++++++ Anyone here have experience with this? RSFC in a Catalyst 5509, IOS 12.1 (that's the only IOS on RSFC's). Anyone have comments on stability found or not found? If this works, it means the RSFC's in my 5500's have just gained a new lease on life. -- Lamar Owen Chief Information Officer Pisgah Astronomical Research Institute 1 PARI Drive Rosman, NC 28772 http://www.pari.edu From gert at greenie.muc.de Fri Sep 5 18:01:53 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 6 Sep 2008 00:01:53 +0200 Subject: [c-nsp] latest stable... 
In-Reply-To: References: <20080904062352.GQ233@greenie.muc.de> Message-ID: <20080905220153.GL17238@greenie.muc.de> Hi, On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote: > Great... > For the G1-- all we need is BGP and Ethernet-- Nothing special.. > Metro E fiber inbound and FIBER out... I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice features, as will have 12.4/12.4T, but those usually bring some drawbacks regarding stability. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From dudepron at gmail.com Fri Sep 5 18:12:27 2008 From: dudepron at gmail.com (Aaron) Date: Fri, 5 Sep 2008 18:12:27 -0400 Subject: [c-nsp] latest stable... In-Reply-To: <20080905220153.GL17238@greenie.muc.de> References: <20080904062352.GQ233@greenie.muc.de> <20080905220153.GL17238@greenie.muc.de> Message-ID: <480dad640809051512y7b24e62bjf62c75fcba763421@mail.gmail.com> for the 7200 with just bgp why not use 12.0S? On Fri, Sep 5, 2008 at 6:01 PM, Gert Doering wrote: > Hi, > > On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote: > > Great... > > For the G1-- all we need is BGP and Ethernet-- Nothing special.. > > Metro E fiber inbound and FIBER out... > > I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice > features, as will have 12.4/12.4T, but those usually bring some drawbacks > regarding stability. > > gert > -- > USENET is *not* the non-clickable part of WWW! 
> // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From arla at rn.dk Fri Sep 5 18:50:25 2008 From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Sat, 6 Sep 2008 00:50:25 +0200 Subject: [c-nsp] problem with VPN3002 hardware client Message-ID: <8D68760F464FFD40A01BF2FB374E4A28869444B50D@SRVEXC02.aas.its.nja.dk> Hi All. I?m I just out of luck or is there something pulling my legs. I?ve got 3 vpn3002 hardware clients, and I can?t change the password off the user on any of them. Or rather they won?t save the password for the user right. When I set them up for they connect fine and all works well, I can reboot them this works also. But if I?m pulling the power, it looses the password for the user and only that. I?ve tried to upgrade and downgrade the software whit out any luck. Is there a hidden switch or configuration function that can protect this, or I?m I just looking at 3 that has a defect in nvram. /Arne From sethm at rollernet.us Fri Sep 5 19:07:30 2008 From: sethm at rollernet.us (sethm at rollernet.us) Date: Fri, 5 Sep 2008 16:07:30 -0700 (PDT) Subject: [c-nsp] IPv6 on the 877W Message-ID: I just went back and forth with TAC regarding IPv6 support on an 877W. Ultimately, the problem was that there isn't any support for IPv6 IRB, and IRB is the only way to put the wireless radio on the same segment as the ethernet ports. Boo. I found a bug id in the c-nsp archives (CSCej50923) about this from 2005, and I was told it was closed without a fix. Also of note, I turned the 877W into a brick by doing the following (in order): * Assign IPv6 address to int vlan 1 * do "no bridge-group 1" on int vlan 1 * IPv6 works! 
no IPv4, though * do "bridge-group 1" on int vlan 1 * ipv6 and ipv4 work! however... * router locks up after a bit, then never boots again after a power cycle Seems IPv6 is pretty buggy (and lacking) on this thing. ~Seth From ben.steele at internode.on.net Fri Sep 5 20:41:33 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Sat, 6 Sep 2008 10:11:33 +0930 Subject: [c-nsp] WebVPN via RADIUS - how to identify by group? In-Reply-To: <48C124DA.5020408@harvard.edu> References: <00d001c90f22$c6f0e2f0$54d2a8d0$@steele@internode.on.net> <48C124DA.5020408@harvard.edu> Message-ID: <002901c90fb9$500e4a50$f02adef0$@steele@internode.on.net> Problem with the group selection method is via a debug radius I don't see it send any attribute about the group to RADIUS(I did try this way at first) and therefore I can't get RADIUS to match on a group as well as user/pass, the username at realm might be an option, have you tried this before by sending back a group attribute to the ASA from RADIUS and it actually acknowledging it and putting the WEBVPN user into that group?. Cheers Ben -----Original Message----- From: LaPorte, David [mailto:david_laporte at harvard.edu] Sent: Friday, 5 September 2008 9:54 PM To: Ben Steele Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group? You could pass the group as a realm to the RADIUS server by having the users log in as USER at GROUP. The RADIUS server could authenticate them and return a Class="OU=GROUP;" attribute to map them properly. You could also provide a group list to the user: http://www.cisco.com/en/US/products/ps6120/products_configuration_example091 86a00808bd83d.shtml I prefer not to do this since it could make enumeration attacks a bit easier, but it has it's place. hope that helps, Dave Ben Steele wrote: > Howdy all, > > > > Anyone know if it's possible to get as ASA to spit out the group name in an > av-pair via radius when authenticating a user? (in this case webvpn). 
> > > > The issue i'm having is multiple clients on the one ASA authenticating via > IAS/AD and the possibility of overlapping usernames between clients(groups), > I need another identifier from the ASA to auth them against other than > user/pass, ie group would be perfect. > > > > Any ideas? > > > > Cheers > > > > Ben > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- David LaPorte, CISSP, CCNP Security Manager, Network and Server Systems Harvard University Information Systems ----------------------------------------------- Email: david_laporte at harvard.edu PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508 From lists at daniels.id.au Fri Sep 5 22:12:56 2008 From: lists at daniels.id.au (Aaron Daniels - Lists) Date: Sat, 6 Sep 2008 12:12:56 +1000 Subject: [c-nsp] Dashboard Network Monitoring Software In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local> References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <014b01c90f22$f60cf9c0$e226ed40$@id.au> <0867622C64B50C4B878AB45C95F43F1106150F02@MAILWA01.wesenergy.local> Message-ID: <00bd01c90fc6$18a8b2a0$49fa17e0$@id.au> Zenoss is open source. But you are able to purchase a support contract if your organisation requires that kind of thing (ours does) Thanks, Aaron > -----Original Message----- > From: Aaron Riemer [mailto:ariemer at wesenergy.com.au] > Sent: Friday, 5 September 2008 6:50 PM > To: Aaron Daniels - Lists; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] Dashboard Network Monitoring Software > > Zenoss looks cool but it looks like you have to pay for that software > :) > > Cheers for the ideas. > > Aaron. 
> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels - > Lists > Sent: Friday, 5 September 2008 2:45 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Dashboard Network Monitoring Software > > Also take a look at Zenoss > www.zenoss.org > > Aaron > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Daniel Hooper > > Sent: Friday, 5 September 2008 12:55 PM > > To: Aaron Riemer > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Dashboard Network Monitoring Software > > > > www.nagios.org > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer > > Sent: Friday, 5 September 2008 9:00 AM > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] Dashboard Network Monitoring Software > > > > Hi Guys, > > > > > > > > Is anyone out there using any open source or free dashboard network > > monitoring software? I would like to have a map background with our > > sites and possibly blink the sites RED if the site stopped responding > > to > > pings or SNMP queries etc? I know Solarwinds and HP Openview are good > > but we are not willing to shell out the money just for a dashboard. > > > > > > > > Cheers, > > > > > > > > Aaron. > > > > > > > > > > > > > > > > > > > > > > LEGAL DISCLAIMER: This message contains confidential information and > is > > intended only for the individual named. If you are not the named > > addressee you should not disseminate, distribute or copy this e-mail. > > Please notify the sender immediately by e-mail if you have received > > this > > e-mail by mistake and delete this e-mail from your system. 
If you are > > not the intended recipient you are notified that disclosing, copying, > > distributing or taking any action in reliance on the contents of this > > information is strictly prohibited. > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > LEGAL DISCLAIMER: This message contains confidential information and is > intended only for the individual named. If you are not the named > addressee you should not disseminate, distribute or copy this e-mail. > Please notify the sender immediately by e-mail if you have received > this e-mail by mistake and delete this e-mail from your system. If you > are not the intended recipient you are notified that disclosing, > copying, distributing or taking any action in reliance on the contents > of this information is strictly prohibited. From aaronis at people.net.au Fri Sep 5 22:21:16 2008 From: aaronis at people.net.au (aaron) Date: Sat, 6 Sep 2008 10:21:16 +0800 Subject: [c-nsp] Dashboard Network Monitoring Software In-Reply-To: Message-ID: <200809060221.m862LDuY024759@puck.nether.net> Yep weathermap looks awesome. Do you know if its possible for the map to change the icon of a site if it is down or unreachable? That would be awesome :) Aaron. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Saturday, September 06, 2008 3:46 AM To: Aaron Riemer Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Dashboard Network Monitoring Software you can also try a weather map like below... http://www.network-weathermap.com/ http://netmon.grnet.gr/weathermap/#docs On Thu, Sep 4, 2008 at 9:00 PM, Aaron Riemer wrote: > Hi Guys, > > > > Is anyone out there using any open source or free dashboard network > monitoring software? I would like to have a map background with our > sites and possibly blink the sites RED if the site stopped responding to > pings or SNMP queries etc? I know Solarwinds and HP Openview are good > but we are not willing to shell out the money just for a dashboard. > > > > Cheers, > > > > Aaron. > > > > > > > > > > > LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ No virus found in this incoming message. 
Checked by AVG - http://www.avg.com Version: 8.0.169 / Virus Database: 270.6.17/1655 - Release Date: 9/5/2008 7:05 PM From david_laporte at harvard.edu Fri Sep 5 22:36:17 2008 From: david_laporte at harvard.edu (LaPorte, David) Date: Fri, 05 Sep 2008 22:36:17 -0400 Subject: [c-nsp] WebVPN via RADIUS - how to identify by group? In-Reply-To: <002901c90fb9$500e4a50$f02adef0$@steele@internode.on.net> References: <00d001c90f22$c6f0e2f0$54d2a8d0$@steele@internode.on.net> <48C124DA.5020408@harvard.edu> <002901c90fb9$500e4a50$f02adef0$@steele@internode.on.net> Message-ID: <48C1ECA1.4050905@harvard.edu> We're doing exactly that, although with Radiator vs IAS. Dave Ben Steele wrote: > Problem with the group selection method is via a debug radius I don't see it > send any attribute about the group to RADIUS(I did try this way at first) > and therefore I can't get RADIUS to match on a group as well as user/pass, > the username at realm might be an option, have you tried this before by sending > back a group attribute to the ASA from RADIUS and it actually acknowledging > it and putting the WEBVPN user into that group?. > > Cheers > > Ben > > -----Original Message----- > From: LaPorte, David [mailto:david_laporte at harvard.edu] > Sent: Friday, 5 September 2008 9:54 PM > To: Ben Steele > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] WebVPN via RADIUS - how to identify by group? > > You could pass the group as a realm to the RADIUS server by having the > users log in as USER at GROUP. The RADIUS server could authenticate them > and return a Class="OU=GROUP;" attribute to map them properly. > > You could also provide a group list to the user: > > http://www.cisco.com/en/US/products/ps6120/products_configuration_example091 > 86a00808bd83d.shtml > > I prefer not to do this since it could make enumeration attacks a bit > easier, but it has it's place. 
> > hope that helps, > Dave > > Ben Steele wrote: >> Howdy all, >> >> >> >> Anyone know if it's possible to get as ASA to spit out the group name in > an >> av-pair via radius when authenticating a user? (in this case webvpn). >> >> >> >> The issue i'm having is multiple clients on the one ASA authenticating via >> IAS/AD and the possibility of overlapping usernames between > clients(groups), >> I need another identifier from the ASA to auth them against other than >> user/pass, ie group would be perfect. >> >> >> >> Any ideas? >> >> >> >> Cheers >> >> >> >> Ben From sethm at rollernet.us Sat Sep 6 00:36:59 2008 From: sethm at rollernet.us (Seth Mattinen) Date: Fri, 05 Sep 2008 21:36:59 -0700 Subject: [c-nsp] Receiving BGP communities Message-ID: <48C208EB.7050109@rollernet.us> Is there a reason why I would not be receiving BGP communities? Upstream says they are sending, but I don't see anything. The only communities I can see are the one from my cymru bogon route server neighbors. Upstream's end is a Juniper, if that makes a difference. I feel like I'm missing something stupid like a "receive community" command. ~Seth From Stuart_Lowes at coffey.com Sat Sep 6 00:39:40 2008 From: Stuart_Lowes at coffey.com (Stuart Lowes) Date: Sat, 6 Sep 2008 14:39:40 +1000 Subject: [c-nsp] WebVPN via RADIUS - how to identify by group? Message-ID: Ben Steele wrote: > Problem with the group selection method is via a debug radius I don't see it > send any attribute about the group to RADIUS(I did try this way at first) > and therefore I can't get RADIUS to match on a group as well as user/pass, > the username at realm might be an option, have you tried this before by sending > back a group attribute to the ASA from RADIUS and it actually acknowledging > it and putting the WEBVPN user into that group?. Ben, If you have two group policies setup on your ASA, "GroupPolicy1" and "GroupPolicy2", you can set the RADIUS "Class" attribute to OU=GroupPolicy1 or OU=GroupPolicy2. 
In IAS, set up two policies, matching AD Security Group "Group1" and "Group2" respectively. Members of Group1 are assigned OU=GroupPolicy1, and Group2 gets OU=GroupPolicy2. The text after OU= then matches the name of the ASA's group policy exactly and will assign that Group Policy to the VPN user's session.

If you now also have two Tunnel Groups, "TunnelGroup1" and "TunnelGroup2", on the ASA, you can use the "group-lock xxx" command to lock TunnelGroup1 to GroupPolicy1 and TunnelGroup2 to GroupPolicy2. If a user who is a member of Group1 tries to use the TunnelGroup2 VPN profile, they will get rejected when the ASA compares the OU=GroupPolicy1 (assigned to the user by IAS) with the GroupPolicy2 value expected by TunnelGroup2.

Cheers
Stuart
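The Class/OU= mapping and group-lock check that Stuart describes, modelled in Python as an added example (not code from the thread or from Cisco): the attribute bytes are constructed here and encoded as RFC 2865 Type/Length/Value triples, and the way this toy model treats an OU= that names a policy the ASA does not have is an assumption, not documented ASA behaviour.

```python
"""Model of how an ASA maps the RADIUS Class attribute (OU=<group-policy>;)
to a WebVPN group policy and enforces group-lock.  Added example, not from
the list or from Cisco; the RADIUS attribute bytes are constructed here."""
import struct

RADIUS_CLASS = 25          # RFC 2865 attribute type "Class"
RADIUS_REPLY_MESSAGE = 18  # RFC 2865 attribute type "Reply-Message"


def build_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS Type/Length/Value triples."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 <= len(value) <= 253:   # Length is one byte and counts T and L
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def parse_attrs(data):
    """Decode TLVs into a list of (type, value-bytes); reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, bytes(data[pos + 2:pos + alen])))
        pos += alen
    return attrs


def group_policy_from_class(attrs):
    """Return the name after 'OU=' in the first Class attribute that carries one
    (the 'OU=GroupPolicy1;' format from the thread), or None if there is none."""
    for atype, value in attrs:
        if atype != RADIUS_CLASS:
            continue
        for field in value.decode("ascii", errors="replace").split(";"):
            field = field.strip()
            if field.startswith("OU="):
                return field[3:]
    return None


class AsaModel:
    """Toy model of the ASA decision.  group_policies maps a group-policy name
    to the tunnel group it is group-locked to (None = not locked)."""

    def __init__(self, group_policies, default_policy="DfltGrpPolicy"):
        self.group_policies = dict(group_policies)
        self.default_policy = default_policy

    def authorize(self, tunnel_group, access_accept_attrs):
        """Return (accepted, reason).  No OU= means the default policy; an OU=
        naming an unknown policy is rejected (assumption of this model)."""
        policy = group_policy_from_class(access_accept_attrs) or self.default_policy
        if policy not in self.group_policies:
            return False, "unknown group-policy %s" % policy
        lock = self.group_policies[policy]
        if lock is not None and lock != tunnel_group:
            return False, "group-lock: %s is locked to %s, session came in via %s" % (
                policy, lock, tunnel_group)
        return True, policy


def demo():
    asa = AsaModel({"DfltGrpPolicy": None,
                    "GroupPolicy1": "TunnelGroup1",
                    "GroupPolicy2": "TunnelGroup2"})
    # Constructed Access-Accept attribute lists, as IAS would return them.
    grp1 = parse_attrs(build_attrs([(RADIUS_CLASS, b"OU=GroupPolicy1;")]))
    no_ou = parse_attrs(build_attrs([(RADIUS_REPLY_MESSAGE, b"welcome")]))
    return {
        "right_tunnel": asa.authorize("TunnelGroup1", grp1),
        "wrong_tunnel": asa.authorize("TunnelGroup2", grp1),
        "no_class": asa.authorize("TunnelGroup1", no_ou),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```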
CILDISCL0005 From ranmails at gmail.com Sat Sep 6 03:52:02 2008 From: ranmails at gmail.com (Ran Liebermann) Date: Sat, 6 Sep 2008 10:52:02 +0300 Subject: [c-nsp] Receiving BGP communities In-Reply-To: <48C208EB.7050109@rollernet.us> References: <48C208EB.7050109@rollernet.us> Message-ID: <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com> Maybe you have an ingress route-map setting new communities without the "additive" suffix? -- Ran. On Sat, Sep 6, 2008 at 7:36 AM, Seth Mattinen wrote: > Is there a reason why I would not be receiving BGP communities? Upstream > says they are sending, but I don't see anything. The only communities I can > see are the one from my cymru bogon route server neighbors. Upstream's end > is a Juniper, if that makes a difference. > > I feel like I'm missing something stupid like a "receive community" command. > > ~Seth From gert at greenie.muc.de Sat Sep 6 04:44:24 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 6 Sep 2008 10:44:24 +0200 Subject: [c-nsp] latest stable... In-Reply-To: <480dad640809051512y7b24e62bjf62c75fcba763421@mail.gmail.com> References: <20080904062352.GQ233@greenie.muc.de> <20080905220153.GL17238@greenie.muc.de> <480dad640809051512y7b24e62bjf62c75fcba763421@mail.gmail.com> Message-ID: <20080906084424.GM17238@greenie.muc.de> Hi, On Fri, Sep 05, 2008 at 06:12:27PM -0400, Aaron wrote: > for the 7200 with just bgp why not use 12.0S? 12.0S has no IPv6 support on the 7200 platform, so I consider this release unsuitable for anything. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From blahu77 at gmail.com Sat Sep 6 06:59:24 2008 From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=) Date: Sat, 6 Sep 2008 11:59:24 +0100 Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU In-Reply-To: <20080905184202.GD20054@rtp-cse-489.cisco.com> References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> Message-ID: <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rondey, Nic, >> > >> >config t >> >int null 0 >> >no ip unreachables yes this is configured already. >> > >> >The ACL drops are, last I checked, rate limit punts. >> this is interesting - there is a good article detailing cef and CPU >> punting at :- >> http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html >> >> >> >> Reading that and this posting begs the question >> - if there is a lrage amount of ACL drops and these packets are punted to >> cPU and the CPU rate-limit for punted packets has been exceeded, then >> possible packets that need to be CPU processed will be dropped in favour >> of ACL denied packets > > That's not true. The packets are dropped under interrupt that match > the ACL deny other than punting some to generate the unreachable. > You will always deny them. > >> >If it's high CPU at IP Input really need 12.4(20)T and get >> >a sniffer trace in the punt path to see what traffic it really is. This part is interesting. I might try that. 
Question - there are 2 switching paths on the router 1) process switching which means invoking ip_input for every packet 2) interrupt context switching which is supported by different caching mechanisms - fast switching, CEF etc. If there is marginal utilisation of ip_input process and also most of the CPU utilisation is pointing to interrupts - what does it mean? >> >>>>Also, if >> >>>>you're denying a lot of traffic from a certain source, you might want to >> >>>>just bit-bucket it rather than sending ICMP responses. >> >>> >> >>You could match the access list in a route map and set the outbound >> >>interface >> >>to Null0. The configured ACL follows the example for infrastructure ACLs (here: http://cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#limitaccess ) Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with ACL like above? The other night when traffic was much lower the ACL was removed from the port and overall utilization dropped from 45% to 37%. Is that a lot? 8% decrease is nothing but 1/5th of drop is quite substantial. I am puzzled here. Would a bigger box (as mentioned in the other thread "7600 starter kit") solve the problem? Best Regards, - -- - -mat -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIwmKMIvBv0k5esR4RAoE3AJ9qwbN70MPfjwjo2cd4JEeROxM3VACdElAw 7ND4V+Okkj2li6ktFVQ4+/Q= =g9Ev -----END PGP SIGNATURE----- From sam_mailinglists at spacething.org Sat Sep 6 09:46:13 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Sat, 06 Sep 2008 14:46:13 +0100 Subject: [c-nsp] FWSM 3.1(9) corrupting TCP SYN-ACKs when timestamps are enabled Message-ID: <48C289A5.5030807@spacething.org> Hi, We do have a TAC case on this, I'm just wondering if anyone here has seen something similar. We upgraded from 3.1(1) to 3.1(9) on our context based L3, FWSMs. 
Now, if an incoming SYN has timestamps there's a 50% chance that the FWSM generates a bad checksum when it NAT translates the returning SYN-ACK (from the webserver), causing the client to drop the SYN-ACK. SYNs without the timestamp options don't cause a problem. The problem seems to be isolated to two inside interfaces (in two different contexts), but they both NAT translate into the same inside range.

Sam

From mksmith at adhost.com Sat Sep 6 12:20:29 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Sat, 06 Sep 2008 09:20:29 -0700
Subject: [c-nsp] IPv6 on the 877W

Hey Seth:

On 9/5/08 4:07 PM, "sethm at rollernet.us" wrote:

> I just went back and forth with TAC regarding IPv6 support on an 877W.
> Ultimately, the problem was that there isn't any support for IPv6 IRB, and
> IRB is the only way to put the wireless radio on the same segment as the
> ethernet ports. Boo. I found a bug id in the c-nsp archives (CSCej50923)
> about this from 2005, and I was told it was closed without a fix.
>
> Also of note, I turned the 877W into a brick by doing the following (in
> order):
>
> * Assign IPv6 address to int vlan 1
> * do "no bridge-group 1" on int vlan 1
> * IPv6 works! no IPv4, though
> * do "bridge-group 1" on int vlan 1
> * ipv6 and ipv4 work! however...
> * router locks up after a bit, then never boots again after a power cycle
>
> Seems IPv6 is pretty buggy (and lacking) on this thing.
>

You can run both IPv6 and IPv4, but not bridged. So, if you assign a /64 to your VLAN 1 interface and a /64 to the wireless interface, you get connectivity, albeit from two different networks.

I've got a sanitized copy of a working config here:

http://www.andbobsyouruncle.net/wordpress/?p=11

running 12.3(8r)YI3

Regards,

Mike

From sethm at rollernet.us Sat Sep 6 13:20:03 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 6 Sep 2008 10:20:03 -0700 (PDT)
Subject: [c-nsp] Receiving BGP communities
In-Reply-To: <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com>
References: <48C208EB.7050109@rollernet.us> <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com>
Message-ID: <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us>

On Sat, September 6, 2008 00:52, Ran Liebermann wrote:
> Maybe you have an ingress route-map setting new communities without
> the "additive" suffix?
>

Here's what my ingress route-map looks like:

ip as-path access-list 2 permit ^3561$

route-map set-localpref permit 10
 match as-path 2
 set local-preference 200
 set community 11170:3561 additive
!
route-map set-localpref permit 20
 set community 11170:3561 additive
!
route-map set-localpref permit 30
!

I'll admit I'm quite new to BGP communities, but I *can* see 11170:3561 within my own network, just nothing upstream says they're sending.

~Seth

From avayner at cisco.com Sat Sep 6 14:35:42 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 6 Sep 2008 20:35:42 +0200
Subject: [c-nsp] Receiving BGP communities
In-Reply-To: <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us>
References: <48C208EB.7050109@rollernet.us> <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com> <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501CFF619@xmb-ams-331.emea.cisco.com>

Seth,

You can use the "debug ip bgp updates" command (if you are getting a big table, you can use an ACL to filter it out...).
If you get communities from your upstream, you would see it. If not, just send them the output, and let them worry about it.

Arie

From sethm at rollernet.us Sat Sep 6 15:48:57 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 06 Sep 2008 12:48:57 -0700
Subject: [c-nsp] Receiving BGP communities
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501CFF619@xmb-ams-331.emea.cisco.com>
References: <48C208EB.7050109@rollernet.us> <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com> <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us> <67F7C1FAF83A074AA3520D8F155782A501CFF619@xmb-ams-331.emea.cisco.com>
Message-ID: <48C2DEA9.4080102@rollernet.us>

Arie Vayner (avayner) wrote:
> Seth,
>
> You can use the "debug ip bgp updates" command (if you are getting a big
> table, you can use an ACL to filter it out...).
> If you get communities from your upstream, you would see it. If not,
> just send them the output, and let them worry about it.
>

Thanks. Doesn't look like they are, so I'll give it back to them.

I try not to blame someone else when I'm doing something new to me. ;)

~Seth

From dr at cluenet.de Sat Sep 6 14:49:36 2008
From: dr at cluenet.de (Daniel Roesen)
Date: Sat, 6 Sep 2008 20:49:36 +0200
Subject: [c-nsp] Difference between SPA-nXOC3-ATM and SPA-nXOC3-ATM-V2
Message-ID: <20080906184936.GA29909@srv01.cluenet.de>

Hi,

there seem to be two generations of ATM OC3 SPAs around:

SPA-2XOC3-ATM / SPA-4XOC3-ATM:
http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd8027cba7.html

and

SPA-1XOC3-ATM-V2 / SPA-3XOC3-ATM-V2:
http://www.cisco.com/en/US/prod/collateral/modules/ps6267/data_sheet_C78-487941.html

The differences I found are:

2/4 port:
- supported in 6500/7600
- double height SPA => lower density
- max 16,000 VCs "(subject to overall configuration limitations)"

1/3 port V2:
- supported in CRS1/XR12k
- single height SPA => higher density
- 2047 VCs per port

Did I miss anything relevant? Is the 1/3 really a newer generation of SPAs than the 2/4 port ones? I rarely find more info on the 1/3 port SPAs than the URL above. It's not listed in the Global Price List as well, so I wonder whether it's very very new? Does anyone have list pricing for the 3-port?

Given that ASR1k BU is now telling us that the 1/3 V2 SPAs are planned for RLS3, I'm looking into those SPAs in more detail... didn't have them on radar at all and was planning with the 2/4 ports until yesterday...

Any feedback appreciated.

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From frnkblk at iname.com Sat Sep 6 22:40:17 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 6 Sep 2008 21:40:17 -0500
Subject: [c-nsp] Surge protection on leased lines
References: <20080904160037.GA21273@saucer.midcoast.com>

This is exactly the thing that Verizon was called on the carpet for in NY state.
Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
Sent: Thursday, September 04, 2008 9:53 PM
To: jp; Brian Turnbow
Cc: Cisco Mailing list
Subject: Re: [c-nsp] Surge protection on leased lines

Here is an explanation of what you're supposed to have:

http://www.cermetek.com/Support/APP-Notes/611-0175.pdf

with some schematics in case you want to roll your own protectors.

According to this, per FCC part 68, your national telephone company is in violation of FCC regs if it is not providing an isolation barrier at the customer handoff, which clearly it is not if you're losing WICs to lightning. They may be sliding under the regulation by giving you the handoff via V.35 but I doubt it.

Frankly I've never seen a SHDSL line being handed off to the customer on a V.35. I've seen plenty of Telco-owned muxes that took a T1 or SHDSL and handed off to the customer via both POTS and V35, though, but I don't see the point of an NIU that goes from SHDSL to V.35 - it's extra cost for the Telco, and that would require the customer prem equipment to be sitting next to the Dmarc since you're not going to run V.35 a hundred or so feet from the dmarc to the network room. This scheme sounds cockamamie to me. You learn something new every day.

If I were you I would call your local municipality on this. All the electrical codes I've ever seen require the utility side of any feed into a building to have a solid, low-resistance ground at the entry point. They cannot just connect to a cold water pipe or some such nonsense, they have to drive a copper rod into the ground and ground to that. The fact that your "national telco" is allowing lightning energy to come into your building is a fire hazard and I am quite sure is in violation of your local wiring codes. They need a solid ground and suppression such as varistors connected between that ground and both wires of the pair that the SHDSL line is on.

If you can get the specific code requirements for your municipality you can threaten to report your national telco to both the FCC and the local municipality if they do not install surge suppression.

Ted

PS I am assuming you're in the US, here.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of jp
> Sent: Thursday, September 04, 2008 9:01 AM
> To: Brian Turnbow
> Cc: Cisco Mailing list
> Subject: Re: [c-nsp] Surge protection on leased lines
>
>
> Usually our Telco has gas/carbon arrestors at the NID and they differ
> for pots or T1 as T1 is higher voltage.
>
> Make sure your nid, smartbox, router are all grounded together and to
> the electrical system ground. I suspect they are not if current is
> flowing in and damaging your wic.
>
> I know APC made some ptel series arrestors for T1/ISDN usage for
> protecting the twisted pairs when the rj45/48 interfaces are used. I
> have these and they are good. Too bad you don't have access to that.
>
> On Mon, Aug 25, 2008 at 06:05:07PM +0200, Brian Turnbow wrote:
> > Thanks for the response.
> > They are external csus but they are "telco property" and they
> > don't want us to touch them.
> > We have asked several times that they install protection
> > coming into the building but no go...
> > They install a remote powered integrated shdsl modem/csu in an
> > all plastic housing and the only place we
> > have been able to connect a ground is to the v.35 mount on the
> > integrated csu. No help there.
> > Lightning strike = burned modem/csu = burned wic
> > The v.35 protector would be a try to at least save our wic
> > cards and costs of dispatching a tech
> > for every passing storm.
> >
> >
> > Brian
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
> > Sent: Monday, 25 August 2008 17.34
> > To: Cisco Mailing list
> > Subject: Re: [c-nsp] Surge protection on leased lines
> >
> > Brian Turnbow wrote:
> > > Hello,
> > >
> > > We have several customers that are having problems every time a storm
> > > goes through.
> > > Our national telco company seems to offer no lightning protection on
> > > their lines, and every storm causes a line outage and burns up the
> > > attached wic.
> > > We've made sure the chassis are grounded, but would also like to try
> > > and install a surge protection between the v.35 interface of the telco
> > > and our CPEs.
> > > I see that Cisco offers a surge protection cable for smart serial
> > > interfaces, but not for classic serial interfaces.
> > > I wanted to ask what others would recommend / experiences regarding surge
> > > protection on leased lines.
> >
> > This is an external CSU?
> >
> > I think you want it between the telco smartjack and the CSU, not on the
> > v.35. This should be two pairs of wires.
> >
> > First thing to do is ensure that the telco smartjack, the CSU, and the
> > router are solidly connected to a common ground, as this may be the
> > source of the problem if the sneak current is not coming across the
> > leased line.
> >
> > There are a number of companies making lightning protectors for twisted
> > pair lines, Reliable Electric and Polyphaser are two.
> >
> > But, triple-check the grounding first because if it's common-mode across
> > a ground differential the protectors won't help.
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> > Impulse Internet Service - http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV
>
> --
> /*
> Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
> KB1IOJ | Broadband Internet Access, Dialup, and Hosting
> http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/
> */

From frnkblk at iname.com Sat Sep 6 23:53:42 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 6 Sep 2008 22:53:42 -0500
Subject: [c-nsp] c7604 "starter kit"
In-Reply-To: <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net> <200809051015.06641.mtinka@globaltransit.net> <00b901c90f12$3c293010$b47b9030$@steele@internode.on.net>

The first time I went through the ASR materials I was left with the impression that they were launching this product with the minimum software features and hardware support.
It's going to be some time before it's as full-featured as it really needs to be.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Thursday, September 04, 2008 11:46 PM
To: mtinka at globaltransit.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] c7604 "starter kit"

I'm pretty sure it is scheduled for release in an upcoming update, I know there was lots of "hmmm's" when I saw the list of current unsupported technologies during our company's presentation, but I seem to recall most of them set for release in the future, I mean it would be ridiculous to never support mpls-te on the ASR.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Friday, 5 September 2008 11:45 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] c7604 "starter kit"

On Friday 05 September 2008 01:09:28 Saku Ytti wrote:

> L3 VPN yes, TE no sure.

According to FN, MPLS-TE is unsupported. Quite surprising, actually...

Mark.

From ranmails at gmail.com Sun Sep 7 00:41:53 2008
From: ranmails at gmail.com (Ran Liebermann)
Date: Sun, 7 Sep 2008 07:41:53 +0300
Subject: [c-nsp] Receiving BGP communities
In-Reply-To: <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us>
References: <48C208EB.7050109@rollernet.us> <8c19328e0809060052i643202abo3453d54826ad4ae3@mail.gmail.com> <4c16f96b03def1ddfd8b827b1aae9bbd.squirrel@webmail.rollernet.us>
Message-ID: <8c19328e0809062141l37a7f7a7kc367a13725b5f5e7@mail.gmail.com>

Hi Seth,

Your route-map is ok (although the 3rd sequence - sequence 30 is redundant and you can remove it completely). Seems that Savvis don't send the communities to you.

Regards,
--
Ran.

On Sat, Sep 6, 2008 at 8:20 PM, Seth Mattinen wrote:
> On Sat, September 6, 2008 00:52, Ran Liebermann wrote:
>> Maybe you have an ingress route-map setting new communities without
>> the "additive" suffix?
>>
>
> Here's what my ingress route-map looks like:
>
> ip as-path access-list 2 permit ^3561$
>
> route-map set-localpref permit 10
>  match as-path 2
>  set local-preference 200
>  set community 11170:3561 additive
> !
> route-map set-localpref permit 20
>  set community 11170:3561 additive
> !
> route-map set-localpref permit 30
> !
>
> I'll admit I'm quite new to BGP communities, but I *can* see 11170:3561
> within my own network, just nothing upstream says they're sending.
>
> ~Seth
>

From zivl at gilat.net Sun Sep 7 03:27:35 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 7 Sep 2008 10:27:35 +0300
Subject: [c-nsp] latest stable...
In-Reply-To: <480dad640809051512y7b24e62bjf62c75fcba763421@mail.gmail.com>
References: <20080904062352.GQ233@greenie.muc.de> <20080905220153.GL17238@greenie.muc.de> <480dad640809051512y7b24e62bjf62c75fcba763421@mail.gmail.com>

I have a few 7206 VXR NPE-G1 running IS-MZ 12.4(13b) for a few months now and so far (touch wood) no problems...
They mostly hold an STM and another GE Link circuits and two main uplink peers and a dozen customer peers.
Throughput of each is around 150-200Mb on and off.
Hope this info helps.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron
Sent: Saturday, September 06, 2008 1:12 AM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] latest stable...

for the 7200 with just bgp why not use 12.0S?

On Fri, Sep 5, 2008 at 6:01 PM, Gert Doering wrote:
> Hi,
>
> On Fri, Sep 05, 2008 at 01:54:07PM -0400, Jim McBurnett wrote:
> > Great...
> > For the G1-- all we need is BGP and Ethernet-- Nothing special..
> > Metro E fiber inbound and FIBER out...
>
> I'd go for 12.3(latest) main line. 12.2S/SB/SR will have lots more nice
> features, as will have 12.4/12.4T, but those usually bring some drawbacks
> regarding stability.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From saku+cisco-nsp at ytti.fi Sun Sep 7 03:57:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sun, 7 Sep 2008 10:57:06 +0300
Subject: [c-nsp] c7604 "starter kit"
References: <20080904112344.GA2758@whitechalk.dfinet.ch> <6bb5f5b10809041001q317d4694o8b57be06fcfd54da@mail.gmail.com> <20080904170928.GA23309@mx.ytti.net> <200809051015.06641.mtinka@globaltransit.net>
Message-ID: <20080907075706.GA7640@mx.ytti.net>

On (2008-09-06 22:53 -0500), Frank Bulk wrote:

> The first time I went through the ASR materials I was left with the
> impression that they were launching this product with the minimum software
> features and hardware support. It's going to be some time before it's as
> full-featured as it really needs to be.

Just out of curiosity what were main points that left you wanting? For me (PE usage), it was pretty much only EoMPLS, had that been in FCS, I would have definitely EFT'd it.

--
 ++ytti

From ecralar at hotmail.com Sun Sep 7 06:46:09 2008
From: ecralar at hotmail.com (Alex)
Date: Sun, 7 Sep 2008 11:46:09 +0100
Subject: [c-nsp] free WAN emulation software
References: <70bb1b8f0809050900j2adf0cb1ide6f91d6519cf71@mail.gmail.com>

Hi there,

M0n0wall http://m0n0.ch/wall/ is pretty good, you can insert predefined delay/BW/packet loss on the link if you want to. All it takes is a cheap PC and bootable CD (+floppy to save the config). In terms of physical connectivity, you are restricted to Ethernet only.

Rgds
Alex

----- Original Message -----
From: "Andrew Gristina"
To: "Sergey Voropaev"
Cc:
Sent: Friday, September 05, 2008 5:00 PM
Subject: Re: [c-nsp] free WAN emulation software

> The opensource options are dummynet on BSD:
>
> http://info.iet.unipi.it/~luigi/ip_dummynet/
>
> Which is good for emulating links 100Mb or slower, I think it needs
> patches if you are going to emulate long fat pipes.
> I used the boot floppy, it is easier to use if you have some unix experience.
>
> or
>
> Nistnet on linux (the traffic shaping stuff is now in kernel).
>
> But I find it is old, and that netem is better in linux - basically
> the tc commands:
>
> http://www.linuxfoundation.org/en/Net:Netem
>
>
> On Fri, Sep 5, 2008 at 7:38 AM, Sergey Voropaev wrote:
>> Hi guys,
>>
>> Could anyone advise free WAN (wide area network) emulator software. I
>> need to find a solution for the following reason. We have some network
>> application and we want to know how good these applications work over
>> the WAN with predefined parameters. The better emulator must support
>> operations with more parameters. The main parameters are delay, jitter,
>> throughput, bit errors, packets lost, resequencing etc.
>>
>> I think that this should be a server with two NICs and installed soft, so
>> such soft I'm looking for.
>>

From felixnkansah at gmail.com Sun Sep 7 08:27:57 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Sun, 7 Sep 2008 12:27:57 +0000
Subject: [c-nsp] free WAN emulation software
Message-ID: <18dba4e50809070527q7cd451a1scdc80d29b351d4a3@mail.gmail.com>

Hi,

Cisco NIST Net Wan Emulation Software.

http://www.cisco.com/en/US/docs/app_ntwk_services/waas/wafs/v30/nistnet/NIST.html

Regards,

Felix

From howie at thingy.com Sun Sep 7 11:51:16 2008
From: howie at thingy.com (Howard Jones)
Date: Sun, 07 Sep 2008 16:51:16 +0100
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <200809060221.m862LDuY024759@puck.nether.net>
References: <200809060221.m862LDuY024759@puck.nether.net>
Message-ID: <48C3F874.3040005@thingy.com>

aaron wrote:
> Yep weathermap looks awesome. Do you know if its possible for the map to
> change the icon of a site if it is down or unreachable? That would be
> awesome :)
>

This is definitely possible on network-weathermap.com weathermap, assuming you have either some existing monitoring tool that it can get data from, or fping (experimental support). Data access is via plugins, so it's relatively easy to lash up something with your existing tools, if necessary.

grnet weathermap does only link throughput, as far as I know.

Howie (aka howie at network-weathermap.com :-) )

From lists at quux.de Sun Sep 7 16:18:53 2008
From: lists at quux.de (Jens Link)
Date: Sun, 07 Sep 2008 22:18:53 +0200
Subject: [c-nsp] Dashboard Network Monitoring Software
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local> (Aaron Riemer's message of "Fri, 5 Sep 2008 10:33:27 +0800")
References: <0867622C64B50C4B878AB45C95F43F1106150B8D@MAILWA01.wesenergy.local> <64396C74FCE435468BE2AF5A73F9C2FD869209@chmaexch.chelmer.co.nz> <0867622C64B50C4B878AB45C95F43F1106150C86@MAILWA01.wesenergy.local>
Message-ID: <87bpyzn1zm.fsf@laphroiag.quux.de>

"Aaron Riemer" writes:

> Hi James,
>
> Yes I thought about nagios. Is it possible to put your own background
> map in and then position nodes on the map?

Take a look at nagviz, http://sourceforge.net/projects/nagvis/

,----
| NagVis is a visualization addon for the well known network management
| system Nagios. NagVis can be used to visualize Nagios Data, e.g. to
| display IT processes like a mail system or a network infrastructure.
`----

cheers

Jens

--
Berlin, Germany | http://www.quux.de | jabber: jenslink at guug.de
sage at guug Berlin: http://www.guug.de/lokal/berlin/index.html

From brett at looney.id.au Sun Sep 7 21:47:45 2008
From: brett at looney.id.au (Brett Looney)
Date: Mon, 8 Sep 2008 09:47:45 +0800
Subject: [c-nsp] Service-Policy on 1800 SVI
Message-ID: <0d5501c91154$e3ff8a70$abfe9f50$@id.au>

> I'm running into an issue on a 1841 router where I have an internet
> feed coming into one of the integrated switchports....I have the vlan
> that the switchport is configured in as a EtherSVI with a public IP
> address. I need to configure a policy-map with QoS but it appears
> you cannot configure a service-policy on a EtherSVI...Is this correct?

That's pretty much correct. You need to put the service policy on a routed port - either one of the two onboard Ethernets or get one of the routed HWIC cards (such as a HWIC-1FE) which are (of course) much more expensive than the HWIC switch cards.

Putting a service policy on a SVI just doesn't work. On some platforms you can do it but you are severely limited in what you can do in that policy.

B.

From rubensk at gmail.com Sun Sep 7 22:17:49 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sun, 7 Sep 2008 23:17:49 -0300
Subject: [c-nsp] Service-Policy on 1800 SVI
In-Reply-To: <0d5501c91154$e3ff8a70$abfe9f50$@id.au>
References: <0d5501c91154$e3ff8a70$abfe9f50$@id.au>
Message-ID: <6bb5f5b10809071917u402e209fh9b2473da67ad1d8e@mail.gmail.com>

Does the same apply to Cisco 881 ?

Rubens

On Sun, Sep 7, 2008 at 10:47 PM, Brett Looney wrote:
>> I'm running into an issue on a 1841 router where I have an internet
>> feed coming into one of the integrated switchports....I have the vlan
>> that the switchport is configured in as a EtherSVI with a public IP
>> address. I need to configure a policy-map with QoS but it appears
>> you cannot configure a service-policy on a EtherSVI...Is this correct?
>
> That's pretty much correct. You need to put the service policy on a routed
> port - either one of the two onboard Ethernets or get one of the routed HWIC
> cards (such as a HWIC-1FE) which are (of course) much more expensive than
> the HWIC switch cards.
>
> Putting a service policy on a SVI just doesn't work. On some platforms you
> can do it but you are severely limited in what you can do in that policy.
>
> B.
>

From brett at looney.id.au Sun Sep 7 22:35:20 2008
From: brett at looney.id.au (Brett Looney)
Date: Mon, 8 Sep 2008 10:35:20 +0800
Subject: [c-nsp] Service-Policy on 1800 SVI
In-Reply-To: <6bb5f5b10809071917u402e209fh9b2473da67ad1d8e@mail.gmail.com>
References: <0d5501c91154$e3ff8a70$abfe9f50$@id.au> <6bb5f5b10809071917u402e209fh9b2473da67ad1d8e@mail.gmail.com>
Message-ID: <0d5e01c9115b$89f65c50$9de314f0$@id.au>

> Does the same apply to Cisco 881 ?

Unknown - haven't seen one yet. But guessing: certainly the "WAN" Ethernet port on the 881 should be able to have a service policy applied but the SVI - probably not.

B.

From networking.stuff at googlemail.com Mon Sep 8 02:19:24 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Mon, 8 Sep 2008 11:49:24 +0530
Subject: [c-nsp] BGP Next-hope convergance
Message-ID: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com>

Hi Guys,

I have a 6509 (PE3) switch learning VPNV4 routes from two PEs, PE1 & PE2, and it selects best path PE1 (based on IGP metric).
Now, the PE1 uplink to the core fails and CR(P) finds that PE1 is not reachable based on IGP dead time = 9 sec, and PE3 learns that PE1 is no longer reachable (another 6 sec), so total IGP convergence = 15 sec.
howerver PE3 take another 5-6 sec to select best path is PE2 now for remote VPNV4 routes and total i get 21 sec....Why PE3 doesn't select PE2 afer 15 sec (IGP convergance) and wait another 5-6 ...what is that 5-6 can cause overvall convergance 21 sec ?? Can some one help me to understand ? Regards, Chintan From swmike at swm.pp.se Mon Sep 8 03:06:21 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 8 Sep 2008 09:06:21 +0200 (CEST) Subject: [c-nsp] BGP Next-hope convergance In-Reply-To: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> Message-ID: On Mon, 8 Sep 2008, Chintan Shah wrote: > Hi Guys, > > I have 6509 (PE3) switch learning VPNV4 routes from two PE1 & PE2 and > select > best path PE1 ( based on IGP metric). > Now, PE-1 uplink to core failes and CR(P) find that PE1 not reachable > based > on IGP dead time = 9 sec and PEe learn that PE1 no more reachable now ( > another 6 sec) so totatl IGP convegance =15 sec. howerver PE3 take > another > 5-6 sec to select best path is PE2 now for remote VPNV4 routes and total > i > get 21 sec....Why PE3 doesn't select PE2 afer 15 sec (IGP convergance) > and > wait another 5-6 ...what is that 5-6 can cause overvall convergance 21 > sec > ?? > Can some one help me to understand ? First of all, what are your RD values? You need to make sure RD values are unique for each PE (use the IP:value format, instead of the AS:value format commonly used). Also, do the VPNv4 BGP sessions go down promptly when the next-hop becomes unreachable? If the platform supports BFD, you should use that to make the IGP session go down quicker. An easy way around this is also to make sure PE1-PE2 are connected somehow, so a PE never becomes unreachable due to a single link failing. With proper design you will be able to reach 0-2 second convergence time... 
-- Mikael Abrahamsson email: swmike at swm.pp.se From cisco-nsp at tracker.fire-world.de Mon Sep 8 04:42:50 2008 From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger) Date: Mon, 8 Sep 2008 10:42:50 +0200 Subject: [c-nsp] Why do I have to specify "allow-default" uRPF option on 4500-E? Message-ID: <20080908084250.GA28509@danton.fire-world.de> Hello, I have a Cisco 4500-E / SUP6-E switch on which I want to configure uRPF. I tried to enable it and got the following message: re1-new(config-if)#ip verify unicast source reachable-via rx % ip verify configuration not supported on interface Vl13 - must specify allow-default With the allow-default option no problem: re1-new(config-if)#ip verify unicast source reachable-via rx allow-default re1-new(config-if)# Any idea why I have to enable allow-default? In the configuration guide for the 4500-E the command is printed with the allow-default option but without any explanation why it has to be specified. And what *exactly* does the allow-default option do? In the Cisco paper it says: The allow-default option may be used with either the rx or any option to include IP addresses not specifically contained in the routing table. Am I right that this would only affect uRPF in the case that I point a default 0.0.0.0/0 towards the interface? Regards, Sebastian -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant From peter at rathlev.dk Mon Sep 8 05:24:45 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 08 Sep 2008 11:24:45 +0200 Subject: [c-nsp] BGP Next-hope convergance In-Reply-To: References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> Message-ID: <1220865885.3896.1.camel@abehat> On Mon, 2008-09-08 at 09:06 +0200, Mikael Abrahamsson wrote: > First of all, what are your RD values? 
You need to make sure RD values > are unique for each PE (use the IP:value format, instead of the > AS:value format commonly used). Does this have an effect on the convergence times? I seem to remember having been told that this is a good idea generally, but never really understood why. Can anybody shed light on why this is? Regards, Peter From saku+cisco-nsp at ytti.fi Mon Sep 8 05:55:53 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 8 Sep 2008 12:55:53 +0300 Subject: [c-nsp] BGP Next-hope convergance In-Reply-To: <1220865885.3896.1.camel@abehat> References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat> Message-ID: <20080908095553.GA27602@mx.ytti.net> On (2008-09-08 11:24 +0200), Peter Rathlev wrote: > On Mon, 2008-09-08 at 09:06 +0200, Mikael Abrahamsson wrote: > > First of all, what are your RD values? You need to make sure RD values > > are unique for each PE (use the IP:value format, instead of the > > AS:value format commonly used). > > Does this have an effect on the convergence times? I seem to remember > having been told that this is a good idea generally, but never really > understood why. Can anybody shed light on why this is? I'm not sure what you're asking. 1) why IP instead AS - purely non-technical reasons. With IP you can do loop0:SAME 2) why multiple RD's - so that RR best path algorithm doesn't kill your redundant or load-balancing route. So that PE can install two or more routes. -- ++ytti From david.freedman at uk.clara.net Mon Sep 8 06:21:27 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 8 Sep 2008 11:21:27 +0100 Subject: [c-nsp] 12.40(20T), pppoe woes Message-ID: Have just moved to testing 12.4(20)T for the HQF functionality, have now hit another stumbling point. 
Was previously doing multiple pppoe sessions (multiple pppoe client feature) using the HWIC-4ESW which mandates that the pppoe-client functionality *must* come from SVI, in 12.4(20)T this no longer works: router(config)# interface Vlan2 router(config-if)# pppoe-client dial-pool-number 2 %PPPoE-Client not supported on vlan interfaces Placing the client on the actual interface does not work (either PADI does not get transmitted or PADO is not interpreted correctly , either way, timeout occurs) Has this feature been removed? can't find any reference in 12.4T release notes against feature documentation or caveats nor does bugtool come back with anything useful. Many thanks, Dave. ------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From oboehmer at cisco.com Mon Sep 8 06:43:32 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 8 Sep 2008 12:43:32 +0200 Subject: [c-nsp] 12.40(20T), pppoe woes In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405F80226@xmb-ams-333.emea.cisco.com> David Freedman <> wrote on Monday, September 08, 2008 12:21 PM: > Have just moved to testing 12.4(20)T for the HQF functionality, have > now hit another stumbling point. > > Was previously doing multiple pppoe sessions (multiple pppoe client > feature) using the HWIC-4ESW > which mandates that the pppoe-client functionality *must* come from > SVI, > in 12.4(20)T this no longer works: > > router(config)# interface Vlan2 > router(config-if)# pppoe-client dial-pool-number 2 > %PPPoE-Client not supported on vlan interfaces > > Placing the client on the actual interface does not work (either PADI > does not get transmitted > or PADO is not interpreted correctly , either way, timeout occurs) > > Has this feature been removed? can't find any reference in 12.4T > release notes against feature documentation or caveats nor does > bugtool come back with anything useful. 
David, please check CSCsu35584, it will be fixed in the upcoming 12.4(20)T1 rebuild and the above restriction will be removed..

	oli

From david.freedman at uk.clara.net Mon Sep 8 06:45:10 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 8 Sep 2008 11:45:10 +0100
Subject: [c-nsp] 12.40(20T), pppoe woes
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405F80226@xmb-ams-333.emea.cisco.com>

Ah wonderful ollie, thought I was going mad!

Thanks again

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
From swmike at swm.pp.se Mon Sep 8 06:56:33 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 8 Sep 2008 12:56:33 +0200 (CEST)
Subject: [c-nsp] BGP Next-hope convergance
In-Reply-To: <1220865885.3896.1.camel@abehat>
References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat>

On Mon, 8 Sep 2008, Peter Rathlev wrote:

> Does this have an effect on the convergence times? I seem to remember
> having been told that this is a good idea generally, but never really
> understood why. Can anybody shed light on why this is?

What Ytti said, and let me give you an example:

PE1 and PE2 uplink a redundantly connected customer.
PE3 has another customer connection in the same VPN.

Using unique RDs per PE will ensure that PE3 has routes to both PE1 and PE2 in a route reflector structure, and if PE1 goes away then PE3 will have the PE2 route in RIB and can update FIB without RR involvement.

In case the PE1 customer link goes down, it can change FIB to point to PE2 without RR involvement, meaning packets will be forwarded continuously as soon as the link-down is detected and FIB is updated, instead of the RR noticing it and sending updates.

So yes, you want to use PE unique RDs; there's little downside apart from a bit higher memory usage.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From p.mayers at imperial.ac.uk Mon Sep 8 07:08:56 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 08 Sep 2008 12:08:56 +0100
Subject: [c-nsp] BGP Next-hope convergance
References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat>
Message-ID: <48C507C8.5040002@imperial.ac.uk>

Mikael Abrahamsson wrote:
> On Mon, 8 Sep 2008, Peter Rathlev wrote:
>
>> Does this have an effect on the convergence times? I seem to remember
>> having been told that this is a good idea generally, but never really
>> understood why. Can anybody shed light on why this is?
>
> What Ytti said, and let me give you an example:
>
> PE1 and PE2 uplinks a redundantly connected customer.
> PE3 has another customer connection in the same VPN.
>
> Using unique RDs per PE, will ensure that PE3 has routes to both PE1 and
> PE2 in a route reflector structure, and if PE1 goes away then PE3 will
> have PE2 route in RIB and can update FIB without RR involvement.
>
> In case PE1 customer link goes down, it can change FIB to point to PE2
> without RR involvement meaning packets will be forwarded continously as
> soon as the link-down is detected and FIB is updated, instead of the RR
> noticing it and sending updates.
>
> So yes, you want to use PE unique RDs, there little downside apart from
> a bit higher memory usage.
>

Can someone clarify that RD versus route-target are unrelated, i.e. that I can have:

PE1:

ip vrf BLAH
 rd PE1-loop:1
 route-target both 65000:1
ip vrf FOO
 rd PE1-loop:2
 route-target both 65000:2

PE2:

ip vrf BLAH
 rd PE2-loop:1
 route-target both 65000:1
ip vrf FOO
 rd PE2-loop:2
 route-target both 65000:2

From swmike at swm.pp.se Mon Sep 8 07:30:37 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 8 Sep 2008 13:30:37 +0200 (CEST)
Subject: [c-nsp] BGP Next-hope convergance
In-Reply-To: <48C507C8.5040002@imperial.ac.uk>
References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat> <48C507C8.5040002@imperial.ac.uk>

On Mon, 8 Sep 2008, Phil Mayers wrote:

> Can someone clarify that RD versus route-target are unrelated, i.e. that I
> can have:

Yes, RT is an extended BGP community used for filtering routes; RD is a route DISTINGUISHER, it makes two identical prefixes unique because they come from different sources.

So make RDs unique per PE, and of course make RTs identical within the VPN.
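An added model of the behaviour described in this thread (constructed for this archive, not code from Mikael, Saku or Phil): the route reflector keeps one best path per (RD, prefix) NLRI, the receiving PE imports by RT only, and the result for PE3 when PE1 disappears differs between a shared RD and per-PE RDs. PE loopbacks, the site prefix and the RT values are made up.

```python
"""Model of RR best-path selection on VPNv4 NLRIs and RT-based VRF import (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    """One VPNv4 path as the route reflector sees it."""
    rd: str                 # route distinguisher, "ASN:nn" or "A.B.C.D:nn"
    prefix: str             # customer prefix carried behind the RD
    next_hop: str           # advertising PE's loopback
    rts: frozenset          # route-target extended communities on the path
    local_pref: int = 100


def rr_best_paths(routes):
    """The RR reflects exactly one best path per NLRI, and a VPNv4 NLRI is (RD, prefix).
    Two PEs advertising the same prefix under the same RD therefore compete; under
    distinct RDs they are distinct NLRIs and both survive. Tie-break here is the lowest
    next-hop address, standing in for the lowest BGP router ID."""
    best = {}
    for r in routes:
        key = (r.rd, r.prefix)
        cur = best.get(key)
        rank = (r.local_pref, -int(ipaddress.ip_address(r.next_hop)))
        if cur is None or rank > (cur.local_pref, -int(ipaddress.ip_address(cur.next_hop))):
            best[key] = r
    return list(best.values())


def vrf_import(reflected, import_rts):
    """Receiving PE: a VRF imports every reflected path carrying one of its import RTs.
    The RD is not consulted; it only served to keep the NLRIs apart at the RR."""
    return [p for p in reflected if p.rts & import_rts]


def next_hops(paths, prefix, failed_pe=None):
    """Next hops the PE can program into its FIB for prefix, optionally with one PE gone."""
    return sorted(p.next_hop for p in paths if p.prefix == prefix and p.next_hop != failed_pe)


def simulate(unique_rd):
    """Dual-homed site behind PE1 and PE2, remote PE3 in the same VPN (import RT 65000:1).
    Returns what PE3 holds for the site prefix before and after PE1 fails, with no RR
    re-advertisement in between (the FIB-update-without-RR case from the thread)."""
    pe1, pe2, site = "10.0.0.1", "10.0.0.2", "192.168.10.0/24"     # constructed values
    cust_rt = frozenset({"65000:1"})
    adverts = [
        VpnRoute(f"{pe1}:1" if unique_rd else "65000:1", site, pe1, cust_rt),
        VpnRoute(f"{pe2}:1" if unique_rd else "65000:1", site, pe2, cust_rt),
        # another VRF on PE1 using the same private prefix but RT 65000:2: the RT,
        # not the RD, is what keeps it out of the customer VRF on PE3
        VpnRoute(f"{pe1}:2" if unique_rd else "65000:2", site, pe1, frozenset({"65000:2"})),
    ]
    in_vrf = vrf_import(rr_best_paths(adverts), cust_rt)
    return {"before": next_hops(in_vrf, site),
            "after_pe1_failure": next_hops(in_vrf, site, failed_pe=pe1)}


if __name__ == "__main__":
    print("shared RD :", simulate(False))   # PE3 holds only PE1, then nothing until the RR reconverges
    print("unique RDs:", simulate(True))    # PE3 holds both, and still has PE2 after PE1 fails
```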
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From saku+cisco-nsp at ytti.fi Mon Sep 8 07:32:33 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 8 Sep 2008 14:32:33 +0300
Subject: [c-nsp] BGP Next-hope convergance
In-Reply-To: <48C507C8.5040002@imperial.ac.uk>
References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat> <48C507C8.5040002@imperial.ac.uk>
Message-ID: <20080908113233.GA28285@mx.ytti.net>

On (2008-09-08 12:08 +0100), Phil Mayers wrote:

> Can someone clarify that RD versus route-target are unrelated, i.e. that
> I can have:

RD is just a hack to allow two or more e.g. 10.0.0.0/8 routes to exist in BGP. How to make these different routes? Prefix some junk in front of them, done. RD does not decide which vrf gets which route. There might just as well be some 'auto RD' chassis-wide option which ensures a unique RD in each VRF, and you never manually configure RD anywhere.

RT otoh, is a normal extended bgp community, which decides which VRF gets which route.

-- 
  ++ytti

From peter at rathlev.dk Mon Sep 8 08:20:44 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 08 Sep 2008 14:20:44 +0200
Subject: [c-nsp] BGP Next-hope convergance
References: <1e7e04890809072319i10e4843fm17e2e82f4391901a@mail.gmail.com> <1220865885.3896.1.camel@abehat>
Message-ID: <1220876444.3896.4.camel@abehat>

On Mon, 2008-09-08 at 12:56 +0200, Mikael Abrahamsson wrote:
> On Mon, 8 Sep 2008, Peter Rathlev wrote:
> > Does this have an effect on the convergence times? I seem to remember
> > having been told that this is a good idea generally, but never really
> > understood why. Can anybody shed light on why this is?
>
> What Ytti said, and let me give you an example:

Thank you very much, both of you. Now I know exactly why we would do this.
:-)

Regards,
Peter

From brett at looney.id.au Mon Sep 8 08:32:09 2008
From: brett at looney.id.au (Brett Looney)
Date: Mon, 8 Sep 2008 20:32:09 +0800
Subject: [c-nsp] IOS, IPSEC and hairpinned traffic
Message-ID: <000001c911ae$e9ad7310$bd085930$@id.au>

Greets,

Got an odd problem and I just want to make sure that what I'm trying to do is possible - basically, hairpin traffic through a router where both remote endpoints are IPSEC-based.

Three devices: A, B, C.

A is a Cisco router with a dynamic IP address behind some NAT box.
B is a Cisco router with a static IP address.
C is a non-Cisco firewall with a static IP address.

There are working IPSEC tunnels between A and B; and between B and C. The IPSEC tunnel between A and B isn't using DMVPN because that doesn't play nicely with the NAT in question so we're doing dynamic IPSEC stuff - no worries so far. The tunnel between B and C is standard LAN-to-LAN stuff.

Now, I'd like users at A to be able to communicate with a server at C. I can't establish a direct tunnel because C doesn't support LAN-to-LAN endpoints with dynamic IP addresses. So, I thought I'd hairpin the traffic through B. Easy, right - just add some access list entries to the existing ACLs and away we go.

Well, no. It doesn't appear to work that way. Traffic from A to C hits B and I see it hit the outbound IPSEC access list but there is no crypto happening. Nothing. Similarly with traffic from C to A - it hits B, gets decrypted, hits the outbound IPSEC access list to A but no crypto to A - packets don't leave B and certainly don't arrive at A. No error messages anywhere on any debug I can see.

I've also tried doing "set ip access-group out" to check what is happening and I get no matches at all. I know the access lists are correct because if I put a loopback interface on B with the IP addresses of A (or C) then I can ping across happily. So it definitely has to do with the hairpin.
For the record, I've checked the NAT tables and they don't contain any entries for the A/B/C IP addresses in question but given that I'm hairpinning through an "ip nat outside" interface I didn't expect that anyway.

Is this actually supported? I know there are restrictions with the ASA/Pixen but I thought this would work with IOS. Am I missing some hidden (or unknown to me) command (like "crypto allow same-interface traffic")?

Finally, yes, I realise one solution is to replace C with an IOS box and I have suggested that (my preferred option)... I also realise I could replace the router and NAT box at A with a router that also does NAT and I'm working on that too.

TIA. Sorry for the long story. ;-)

B.

From alaerte.vidali at nsn.com Mon Sep 8 09:15:53 2008
From: alaerte.vidali at nsn.com (Vidali, Alaerte (NSN - BR/Rio de Janeiro))
Date: Mon, 8 Sep 2008 08:15:53 -0500
Subject: [c-nsp] Fragmentation on SUP720
Message-ID: <27C3D43D640FE947A3BDEB7077A373FE015C6850@USCHEXC006.nsn-intra.net>

Hi,

Any reference about fragmentation x CPU usage on SUP720?

Tks,
Alaerte

From rodunn at cisco.com Mon Sep 8 09:28:08 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 8 Sep 2008 09:28:08 -0400
Subject: [c-nsp] Fragmentation on SUP720
In-Reply-To: <27C3D43D640FE947A3BDEB7077A373FE015C6850@USCHEXC006.nsn-intra.net>
References: <27C3D43D640FE947A3BDEB7077A373FE015C6850@USCHEXC006.nsn-intra.net>
Message-ID: <20080908132808.GK19347@rtp-cse-489.cisco.com>

Why are you doing it?

There are some whacky issues it can cause. ie: it will break PMTUD if it's an MPLS core and it's sup720s on each end of the LSP.

Rodney

On Mon, Sep 08, 2008 at 08:15:53AM -0500, Vidali, Alaerte (NSN - BR/Rio de Janeiro) wrote:
>
> Hi,
>
> Any reference about fragmentation x CPU usage on SUP720?
>
> Tks,
> Alaerte

From alaerte.vidali at nsn.com Mon Sep 8 09:52:14 2008
From: alaerte.vidali at nsn.com (Vidali, Alaerte (NSN - BR/Rio de Janeiro))
Date: Mon, 8 Sep 2008 08:52:14 -0500
Subject: [c-nsp] Fragmentation on SUP720
In-Reply-To: <20080908132808.GK19347@rtp-cse-489.cisco.com>
References: <27C3D43D640FE947A3BDEB7077A373FE015C6850@USCHEXC006.nsn-intra.net> <20080908132808.GK19347@rtp-cse-489.cisco.com>
Message-ID: <27C3D43D640FE947A3BDEB7077A373FE015C6886@USCHEXC006.nsn-intra.net>

Hi Rodney,

My advice is also to avoid it. Customer says they are out of options and due to an issue on the system they want to see if Cisco can handle fragmentation for some time until they get a definitive solution.

Do you know if fragmentation is done in SUP720, no matter what interface module is installed?

Br,
Alaerte

-----Original Message-----
From: ext Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Monday, 8 September 2008 10:28
To: Vidali, Alaerte (NSN - BR/Rio de Janeiro)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Fragmentation on SUP720

Why are you doing it?

There are some whacky issues it can cause. ie: it will break PMTUD if it's an MPLS core and it's sup720s on each end of the LSP.

Rodney

On Mon, Sep 08, 2008 at 08:15:53AM -0500, Vidali, Alaerte (NSN - BR/Rio de Janeiro) wrote:
>
> Hi,
>
> Any reference about fragmentation x CPU usage on SUP720?
>
> Tks,
> Alaerte

From rodunn at cisco.com Mon Sep 8 09:56:22 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 8 Sep 2008 09:56:22 -0400
Subject: [c-nsp] Fragmentation on SUP720
In-Reply-To: <27C3D43D640FE947A3BDEB7077A373FE015C6886@USCHEXC006.nsn-intra.net>
References: <27C3D43D640FE947A3BDEB7077A373FE015C6850@USCHEXC006.nsn-intra.net> <20080908132808.GK19347@rtp-cse-489.cisco.com> <27C3D43D640FE947A3BDEB7077A373FE015C6886@USCHEXC006.nsn-intra.net>
Message-ID: <20080908135622.GR19347@rtp-cse-489.cisco.com>

On Mon, Sep 08, 2008 at 08:52:14AM -0500, Vidali, Alaerte (NSN - BR/Rio de Janeiro) wrote:
> Hi Rodney,
>
> My advice is also to avoid it. Customer says they are out of option and
> due to issue on system they want to see if Cisco can handle
> fragmentation for some time until get definitive solution.
>
> Do you know if fragmentation is done in SUP720, no matter what interface
> module is installed?

IIRC it's punted and done under interrupt on the RP CPU. I don't know the performance numbers because it's not advised so we do little to no testing on those setups.

Rodney

>
> Br,
> Alaerte
From rodunn at cisco.com Mon Sep 8 09:59:35 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 8 Sep 2008 09:59:35 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com>
Message-ID: <20080908135935.GS19347@rtp-cse-489.cisco.com>

On Sat, Sep 06, 2008 at 11:59:24AM +0100, Mateusz Błaszczyk wrote:
> Rodney, Nic,
>
> >> >
> >> >config t
> >> >int null 0
> >> >no ip unreachables
>
> yes this is configured already.
>
> >> >
> >> >The ACL drops are, last I checked, rate limit punts.
> >> this is interesting - there is a good article detailing cef and CPU
> >> punting at :-
> >>
> http://searchnetworkingchannel.techtarget.com/generic/0,295582,sid100_gci1261924,00.html
> >>
> >>
> >>
> >> Reading that and this posting begs the question
> >> - if there is a large amount of ACL drops and these packets are punted to
> >> CPU and the CPU rate-limit for punted packets has been exceeded, then
> >> possible packets that need to be CPU processed will be dropped in favour
> >> of ACL denied packets
> >
> > That's not true. The packets are dropped under interrupt that match
> > the ACL deny other than punting some to generate the unreachable.
> > You will always deny them.
>
>
>
> >> >If it's high CPU at IP Input really need 12.4(20)T and get
> >> >a sniffer trace in the punt path to see what traffic it really is.
>
> This part is interesting. I might try that.
> Question - there are 2 switching paths on the router
> 1) process switching which means invoking ip_input for every packet

That is if you have CEF disabled. Let's forget the "ip fastswitching" discussion because after 12.4(20)T it's gone. It's process or CEF only.

> 2) interrupt context switching which is supported by different caching
> mechanisms - fast switching, CEF etc. If there is marginal utilisation
> of ip_input process and also most of the CPU utilisation is pointing
> to interrupts - what does it mean?

That means you have a lot of interrupt traffic transit the box and some is getting punted to process level after a lookup in the rx CEF routines or either further down the CEF switching vector due to a feature punt.

>
> >> >>>>Also, if
> >> >>>>you're denying a lot of traffic from a certain source, you might want to
> >> >>>>just bit-bucket it rather than sending ICMP responses.
> >> >>>
> >> >>You could match the access list in a route map and set the outbound
> >> >>interface
> >> >>to Null0.
>
> The configured ACL follows the example for infrastructure ACLs (here:
> http://cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#limitaccess
> )
>
> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
> ACL like above?

Depends on the exact ACL and other features configured.

> The other night when traffic was much lower the ACL was removed from
> the port and overall utilization dropped from 45% to 37%. Is that a
> lot? 8% decrease is nothing but 1/5th of drop is quite substantial. I
> am puzzled here.

Probably normal. I'd suggest looking at the new ASR1000 that can do ACL's in hardware.

>
> Would a bigger box (as mentioned in the other thread "7600 starter
> kit") solve the problem?
Yes as long as your process level traffic isn't the main issue.

Rodney

>
> Best Regards,
>
> - --
> - -mat

From asturluismi at gmail.com Mon Sep 8 10:12:19 2008
From: asturluismi at gmail.com (luismi)
Date: Mon, 08 Sep 2008 16:12:19 +0200
Subject: [c-nsp] Possible new bug in a 3750 stack
Message-ID: <1220883139.8814.6.camel@dsba-ipso>

Hi all,

Is there anyone there with the same problem?

I have a 3750 stack with 2 switches running flash:/c3750-ipservicesk9-mz.122-44.SE1.bin, the configuration is pretty simple, just several port-channels.

I can see...

STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4294952019
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
STACK02# sh int Gi2/0/10 | i drops
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Quite fine, isn't it? I did a "clear counters" last friday and they seem to appear and disappear as they want.

Is there anyone there with the same problem? I checked Bug Toolkit for this release and I didn't see a bug for that yet.
From jcartier at acs.on.ca Mon Sep 8 10:28:55 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 8 Sep 2008 10:28:55 -0400
Subject: [c-nsp] Cisco 1800 - Service-Policy SVI

I've been trying to figure out how to configure QoS on a Cisco 1841 router under a SVI...it doesn't appear to have the option to place a service-policy under the vlan SVI.

Any suggestions?

Jeff Cartier
Network Engineer
Applied Computer Solutions
(519) 944-4300 ext. 233
jcartier at acs.on.ca
www.acs.on.ca

From greg at ip-man.net Mon Sep 8 10:32:58 2008
From: greg at ip-man.net (Gregoire Huet)
Date: Mon, 08 Sep 2008 16:32:58 +0200
Subject: [c-nsp] Moving Sup720 from cat6k to 7600
References: <48BFFC15.2020200@ip-man.net> <48C00F4F.2040505@ip-man.net>
Message-ID: <48C5379A.5030008@ip-man.net>

Hello,

I want first to thank all the people who helped.

The problem is solved, it was indeed a monlib issue. I can only boot my Sup720s on a CF which was formatted in the right slot on this blade. That's weird... If I format on disk1: (from a cat6k) then the 7604 will only boot it from disk1: and not from disk0:!

Thank you very much

Best regards

Greg

Church, Charles wrote:
> I would think that should support an 7604 chassis. Any chance the IOS
> is corrupt on the flash? Or the Monlib isn't right. Can you put the
> card in a working 6500 and verify the IOS image (MD5) and verify via
> 'show disk0 all' that the monlib stuff is right?
>
> Chuck
>
> -----Original Message-----
> From: Gregoire Huet [mailto:greg at ip-man.net]
> Sent: Thursday, September 04, 2008 12:40 PM
> To: Church, Charles
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Moving Sup720 from cat6k to 7600
>
>
> Church, Charles wrote :
>> Is it possible you're trying to boot an IOS version that doesn't
> support
>> that chassis? I'm sure there is a minimum version for a 7604, and I'm
>> sure it's more recent than the minimum for the 6500 it came out of.
>
> I'm trying to boot c7600s72033-advipservicesk9-mz.122-33.SRC1.bin
>
> By the way, I have the trace of the booting process:
>
> rommon 7 > reset
>
> System Bootstrap, Version 8.5(2)
> Copyright (c) 1994-2007 by cisco Systems, Inc.
> Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
>
> rommon 1 > boot disk0:
>
> Initializing ATA monitor library...
> string is disk0:c7600s72033-advipservicesk9-mz.122-33.SRC1.bin
> Loading image, please wait ...
>
>
> Initializing ATA monitor library...
>
> *** Illegal Opcode Exception ***
> PC = 0x80102ae4, Cause = 0x28, Status Reg = 0x30409003
>
> monitor: command "boot" aborted due to exception
> rommon 2 >
>
>
> Thank you
>
> Greg
>

From isplists at duracom.net Mon Sep 8 11:01:08 2008
From: isplists at duracom.net (Rhino Lists)
Date: Mon, 8 Sep 2008 10:01:08 -0500
Subject: [c-nsp] PPPOE Static IP
Message-ID: <002001c911c3$b9bdd310$2d397930$@net>

I have a cisco 7206 terminating PPPOE DSL connections via Radius. I have a user who wants a static IP. Do I need to create another ip pool and how do I assign the IP in radius?

K

From Oliver.Dewdney at LBi.com Mon Sep 8 11:06:36 2008
From: Oliver.Dewdney at LBi.com (Oliver Dewdney)
Date: Mon, 8 Sep 2008 16:06:36 +0100
Subject: [c-nsp] Possible new bug in a 3750 stack
In-Reply-To: <1220883139.8814.6.camel@dsba-ipso>
References: <1220883139.8814.6.camel@dsba-ipso>

Yes, different numbers, different IOS, and not on a port channel...
System image file is "flash:c3750-ipbasek9-mz.122-44.SE2/c3750-ipbasek9-mz.122-44.SE2.bin"

switch#show int g 1/0/12 | i drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 15443990
switch #show int g 1/0/12 | i drop
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 23165985

Oli
From networking.stuff at googlemail.com Mon Sep 8 11:21:34 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Mon, 8 Sep 2008 20:51:34 +0530
Subject: [c-nsp] Population of MLS cef entry
Message-ID: <1e7e04890809080821x21ad4bfi74b8036584480b3a@mail.gmail.com>

Hi Guys,

Does anyone know, once the ip cef table updates the routes, how much time it takes to populate the entry in the mls cef table?

I see that when my primary IGP path fails, the ip cef table changes the path to backup but the mls cef table takes some time and that makes my overall convergence double the IGP convergence.

The box is 6509/sup720 running 12.(18)SXF12a

Regards,
Chintan

From jcartier at acs.on.ca Mon Sep 8 11:45:41 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 8 Sep 2008 11:45:41 -0400
Subject: [c-nsp] iBGP Multi-link question

I'm in a scenario where I have two routers, configured with two loopbacks, connected together via two links. I'm in the process of transitioning from one loopback to the other and I was wondering if there are any caveats to having two sessions up...one BGP session to the first loopback (existing), then another BGP session up to the second loopback (new).
I don't believe there should be any issues with this...and I don't see any documentation suggesting otherwise...just thought I'd ask to be certain :-)

ROUTER1============ROUTER2
Lo1:10.1.1.1/32    Lo1:10.1.2.1/32
Lo2:10.1.1.2/32    Lo2:10.1.2.2/32

From kratzers at pa.net Mon Sep 8 12:39:51 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Mon, 8 Sep 2008 12:39:51 -0400
Subject: [c-nsp] PPPOE Static IP
In-Reply-To: <002001c911c3$b9bdd310$2d397930$@net>
References: <002001c911c3$b9bdd310$2d397930$@net>
Message-ID: <200809081239.52604.kratzers@pa.net>

On Monday 08 September 2008 11:01:08 Rhino Lists wrote:
> I have a cisco 7206 terminating PPPOE DSL connections via Radius. I have a
> user who wants a static IP. Do I need to create another ip pool and how do
> I assign the IP in radius?
>
> K

Set Framed-IP-Address := x.x.x.x and Framed-IP-Netmask := x.x.x.x or Cisco-AVPair += ip:addr=x.x.x.x.

Stephen Kratzer
Network Engineer
CTI Networks, Inc.

From Drikus.Brits at is.co.za Mon Sep 8 12:58:09 2008
From: Drikus.Brits at is.co.za (Drikus Brits)
Date: Mon, 8 Sep 2008 18:58:09 +0200
Subject: [c-nsp] PPPOE Static IP
Message-ID: <89D2AE9E4EAAB34FABDBF2913867C62F182EEDFD@ZABRYSVISEX04.af.didata.local>

Your basis of radius attributes will most likely be:

Framed-Protocol := PPP
Framed-MTU := 1500
Framed-IP-Address := 192.168.1.100
Framed-IP-Netmask := 255.255.255.255
Service-Type := Framed-User

And the required Cisco-AVPair attribute.

And you shouldn't require a second pool on your 7206. The pool would only serve a function if you were assigning on a per-authentication basis, where it would take a new ip from the pool for each new connection.

You can use either a sql db or flatfile for the commands.
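An added, constructed example (not from either reply above, nor from any RADIUS server's code): the attributes the two replies name, encoded the way they travel in an Access-Accept per RFC 2865, together with the NAS-side check of the Response Authenticator that stops a reply from anyone without the shared secret from handing out an address. The attribute numbers and the Cisco vendor ID are the standard ones; the identifier, request authenticator and secret are made up.

```python
"""RFC 2865 Access-Accept carrying a static-IP assignment, built and verified (constructed example)."""
import hashlib
import hmac
import ipaddress
import struct

# Standard RFC 2865 attribute numbers for the attributes named in the thread
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, FRAMED_MTU = 6, 7, 8, 9, 12
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # Cisco-AVPair travels as Vendor-Specific, vendor 9, vendor-type 1
CISCO_AVPAIR = 1
ACCESS_ACCEPT = 2


def attr(atype, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping a Cisco-AVPair string."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def static_ip_accept(ident, request_auth, secret, ip, netmask="255.255.255.255", mtu=1500):
    """Build the Access-Accept that hands a PPP user a fixed address: the attribute set
    listed in the second reply plus the Cisco-AVPair form from the first. ident and
    request_auth are copied from the NAS's Access-Request; secret is the shared secret."""
    attrs = b"".join([
        attr(SERVICE_TYPE, struct.pack("!I", 2)),      # 2 = Framed-User
        attr(FRAMED_PROTOCOL, struct.pack("!I", 1)),   # 1 = PPP
        attr(FRAMED_MTU, struct.pack("!I", mtu)),
        attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        attr(FRAMED_IP_NETMASK, ipaddress.IPv4Address(netmask).packed),
        cisco_avpair(f"ip:addr={ip}"),
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865 section 3):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_accept(packet, request_auth, secret):
    """NAS side. Check the Response Authenticator against the shared secret before acting
    on any attribute, then return the attributes keyed by type (Cisco VSAs keyed by
    ("cisco", vendor_type)). Raises ValueError for a malformed reply or one that was
    not produced by a holder of the secret."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("dangling attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        if atype in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK):
            out[atype] = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out[("cisco", value[4])] = value[6:6 + value[5] - 2].decode()
        elif len(value) == 4:
            out[atype] = struct.unpack("!I", value)[0]   # integer-typed attributes
        else:
            out[atype] = value
        pos += alen
    return out


def accept_is_authentic(packet, request_auth, secret):
    """True if the NAS-side check in parse_accept would accept this reply."""
    try:
        parse_accept(packet, request_auth, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed identifier, request authenticator and secret; a real NAS sends 16 random bytes.
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    reply = static_ip_accept(0x2A, req_auth, secret, "192.168.1.100")
    print(parse_accept(reply, req_auth, secret))
```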
Regards,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rhino Lists
Sent: Monday, September 08, 2008 5:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPOE Static IP

I have a cisco 7206 terminating PPPOE DSL connections via Radius. I have a user who wants a static IP. Do I need to create another ip pool and how do I assign the IP in radius?

K

From jfitz at Princeton.EDU Mon Sep 8 15:07:58 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 8 Sep 2008 15:07:58 -0400
Subject: [c-nsp] FWSM shun stats counter wrap
Message-ID: <552765BB-21BB-4934-83D1-C6D5A7E52625@princeton.edu>

Can anyone confirm that the counter for "show shun statistics" on a FWSM is a 16 bit counter wrapping at 65K entries? If so, is there any way to change it (which I doubt)?

We are running 4.02 code and use the SHUN heavily.

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University

From jfitz at Princeton.EDU Mon Sep 8 15:21:03 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 8 Sep 2008 15:21:03 -0400
Subject: [c-nsp] FWSM shun stats counter wrap
In-Reply-To: <552765BB-21BB-4934-83D1-C6D5A7E52625@princeton.edu>
References: <552765BB-21BB-4934-83D1-C6D5A7E52625@princeton.edu>
Message-ID:

Small correction to question. The counter in question is a per host counter, not the overall shun stats counter. If I have 20 hosts SHUNed I never see the counter per host go over 65K.
Jeff

On Sep 8, 2008, at 3:07 PM, Jeff Fitzwater wrote:

> Can anyone confirm that the counter for "show shun statistics" on a
> FWSM, is a 16 bit counter wrapping at 65K entries? If so is there
> any way to change it (which I doubt)?
>
> We are running 4.02 code and use the SHUN heavily.
>
>
> Thanks for any info.
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From blahu77 at gmail.com Mon Sep 8 16:10:58 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 8 Sep 2008 21:10:58 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080908135935.GS19347@rtp-cse-489.cisco.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com>
Message-ID: <383357750809081310t21fe1193rd07859b9571cc120@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.
[...]

All right, my understanding of the CEF mechanism was correct.
And you are saying the best way to actually check what these packets are is to push 12.4(20)T on to the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or, by looking at the ACL, are you able to pinpoint the "bad" acl statements?

The acl (extended) looks like this (from memory-dump)

! deny rogue IPs (it is interesting how many catches are here)
deny ip 10.0.0.0 .... any
deny ip 192... any
deny ip host 0.0.0.0 any
etc....
! deny spoofing us...
deny ip any
deny ip any
! pings and traceroute
permit icmp any any
permit udp any any range 32xxx 34xxx
! transit providers
permit tcp host host eq bgp
permit tcp host eq bgp host
! Internet eXchanges - bgp/msdp
permit tcp host eq bgp
permit tcp eq bgp host
deny ip any
deny ip any
! some legacy stuff
permit ip any host
! deny access to infrastructure
deny ip any
...
deny ip any
permit ip any any

also (maybe worth noting) we got CAR for icmp packets enabled on the port (input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

any significant advantage over entry-level 6500/7600?
- --
- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxYbSIvBv0k5esR4RAgksAJ0XKkxBNTLzTQ0/MbG/pBYU5YdkFQCgpU4j
5aVcJsL7GI0+aWXUoXKAPlk=
=Bmcv
-----END PGP SIGNATURE-----

From blahu77 at gmail.com Mon Sep 8 16:15:31 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 8 Sep 2008 21:15:31 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080908135935.GS19347@rtp-cse-489.cisco.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com>
Message-ID: <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

REPOST again as firegpg removed some important bits from acl..

Rodney,

>> 1) process switching which means invoking ip_input for every packet
>
> That is if you have CEF disabled. Let's forget the "ip fastswitching"
> discussion because after 12.4(20)T it's gone. It's process or CEF only.

That was a recall. It wasn't my intention to go too deep into this.

> That means you have a lot of interrupt traffic transit the box and some
> is getting punted to process level after a lookup in the rx CEF routines
> or either further down the CEF switching vector due to a feature punt.
[...]

All right, my understanding of the CEF mechanism was correct.

And you are saying the best way to actually check what these packets are is to push 12.4(20)T on to the box and start sniffing?

>> Does it mean the NPE-G1 is not enough to process ~400Mbps/60kpps with
>> ACL like above?
>
> Depends on the exact ACL and other features configured.

Or, by looking at the ACL, are you able to pinpoint the "bad" acl statements?
The acl (extended) looks like this (from memory-dump)

! deny rogue IPs (it is interesting how many catches are here)
deny ip 10.0.0.0 .... any
deny ip 192... any
deny ip host 0.0.0.0 any
etc....
! deny spoofing us...
deny ip OURBLOCK1 any
deny ip OURBLOCK2 any
! pings and traceroute
permit icmp any any
permit udp any any range 32xxx 34xxx
! transit providers
permit tcp host THEM1 host US1 eq bgp
permit tcp host THEM1 eq bgp host US1
! Internet eXchanges - bgp/msdp
permit tcp THEM2 WCARD2 host US2 eq bgp
permit tcp THEM2 WCARD2 eq bgp host US2
deny ip any US1
deny ip any US2
! some legacy stuff
permit ip any host XXX
! deny access to infrastructure
deny ip any NETWORK_1
...
deny ip any NETWORK_N
permit ip any any

also (maybe worth noting) we got CAR for icmp packets enabled on the port (input).

> Probably normal. I'd suggest looking at the new ASR1000 that can do
> ACL's in hardware.

any significant advantage over entry-level 6500/7600?

- --
- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxYfiIvBv0k5esR4RAhZOAKDNjB8soD4o7+JXpEeq4w8/y5Z9AACfXwO4
aykwTNGqUnKd8w/Ag3GBTug=
=97La
-----END PGP SIGNATURE-----

From rodunn at cisco.com Mon Sep 8 16:35:49 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 8 Sep 2008 16:35:49 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com>
Message-ID: <20080908203549.GG23073@rtp-cse-489.cisco.com>

> > > Probably normal.
> > > I'd suggest looking at the new ASR1000 that can do
> > > ACL's in hardware.
>
> any significant advantage over entry-level 6500/7600?

You will see more midrange features moving forward with it most likely.

Rodney

>
>
> - --
> - -mat
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIxYfiIvBv0k5esR4RAhZOAKDNjB8soD4o7+JXpEeq4w8/y5Z9AACfXwO4
> aykwTNGqUnKd8w/Ag3GBTug=
> =97La
> -----END PGP SIGNATURE-----

From billf at mu.org Mon Sep 8 16:50:46 2008
From: billf at mu.org (bill fumerola)
Date: Mon, 8 Sep 2008 13:50:46 -0700
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com>
Message-ID: <20080908205046.GK29172@elvis.mu.org>

[ reading through quickly, just some ACL pointers.. ]

On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
> ! deny rogue IPs (it is interesting how many catches are here)
> deny ip 10.0.0.0 .... any
> deny ip 192... any
> deny ip host 0.0.0.0 any

this breaks PMTUD. icmp messages from poorly addressed routers still
need to get back to your hosts.

> etc....
> ! deny spoofing us...
> deny ip OURBLOCK1 any
> deny ip OURBLOCK2 any

move to the top.

> ! pings and traceroute
> permit icmp any any

either permit the specific ICMPs required for end to end communication
to work and permit the rest after your anti-spoof, or just move this
towards the top.

> permit udp any any range 32xxx 34xxx

rarely used, move towards the bottom.

> ! transit providers
> permit tcp host THEM1 host US1 eq bgp
> permit tcp host THEM1 eq bgp host US1
> ! Internet eXchanges - bgp/msdp
> permit tcp THEM2 WCARD2 host US2 eq bgp
> permit tcp THEM2 WCARD2 eq bgp host US2
> deny ip any US1
> deny ip any US2

rarely used, move towards bottom. consider removing the port-specific
portions and see if you can get your ISP to use the TTL hack.

> ! some legacy stuff
> permit ip any host XXX

move towards the top.

> ! deny access to infrastructure
> deny ip any NETWORK_1
> ...
> deny ip any NETWORK_N

sometimes, you can null route these blocks and use policy route-maps
that set next-hop for your local device and/or management networks
that allow the forwarding plane to take care of discarding these

> permit ip any any

and here's where the majority of your traffic matches - at the bottom.
this will kill performance. consider the trade-off of adding a:

permit tcp any any established

towards the top of your config. that rule will catch the majority of
most networks' traffic. your deny rules below will still prevent SYN
packets from getting through to your infrastructure space. yes, your
'infrastructure' will be open to ACK floods and other such things, but
you can deploy other measures to assist with that. for example: ACLs on
the interfaces facing your management network instead.

also, if you run a service that represents the bulk of your traffic on
that device, add a short-circuit rule for that service higher at the
top, even if a rule with wider reach allows the same later.

> any significant advantage over entry-level 6500/7600?

6500/7600 will be way less order dependent and you'll be able to have
much longer ACLs. in my experience, on software platforms 99% of your
traffic should either be permitted or denied in the first 5 or so rules
or you're going to see serious performance problems.

consider using 'access-list compiled' if your platform/IOS supports it.

distribute your ACLs as much as possible. take a multi layered approach.
know your device's strengths and weaknesses when it comes to filtering
and exploit those.

-- bill

From blahu77 at gmail.com Mon Sep 8 17:14:12 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Mon, 8 Sep 2008 22:14:12 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080908205046.GK29172@elvis.mu.org>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org>
Message-ID: <383357750809081414t77efb2v7a0acb130a671e46@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill,

very much thanks for that. It looks like I need a special ACL with 1 entry at the top covering half of the original :)

I will work on it and report the results accordingly.

2008/9/8 bill fumerola:
> [ reading through quickly, just some ACL pointers.. ]
>
> On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
>> ! deny rogue IPs (it is interesting how many catches are here)
>> deny ip 10.0.0.0 .... any
>> deny ip 192... any
>> deny ip host 0.0.0.0 any
>
> this breaks PMTUD. icmp messages from poorly addressed routers still
> need to get back to your hosts.
>
>> etc....
>> ! deny spoofing us...
>> deny ip OURBLOCK1 any
>> deny ip OURBLOCK2 any
>
> move to the top.
>
>> ! pings and traceroute
>> permit icmp any any
>
> either permit the specific ICMPs required for end to end communication
> to work and permit the rest after your anti-spoof, or just move this
> towards the top.
>
>> permit udp any any range 32xxx 34xxx
>
> rarely used, move towards the bottom.
>
>> ! transit providers
>> permit tcp host THEM1 host US1 eq bgp
>> permit tcp host THEM1 eq bgp host US1
>> ! Internet eXchanges - bgp/msdp
>> permit tcp THEM2 WCARD2 host US2 eq bgp
>> permit tcp THEM2 WCARD2 eq bgp host US2
>> deny ip any US1
>> deny ip any US2
>
> rarely used, move towards bottom. consider removing the port-specific
> portions and see if you can get your ISP to use the TTL hack.
>
>> ! some legacy stuff
>> permit ip any host XXX
>
> move towards the top.
>
>> ! deny access to infrastructure
>> deny ip any NETWORK_1
>> ...
>> deny ip any NETWORK_N
>
>
> sometimes, you can null route these blocks and use policy route-maps
> that set next-hop for your local device and/or management networks
> that allow the forwarding plane to take care of discarding these
>
>
>> permit ip any any
>
> and here's where the majority of your traffic matches - at the bottom.
> this will kill performance. consider the trade-off of adding a:
>
> permit tcp any any established
>
> towards the top of your config. that rule will catch the majority of
> most networks' traffic. your deny rules below will still prevent SYN
> packets from getting through to your infrastructure space. yes, your
> 'infrastructure' will be open to ACK floods and other such things, but
> you can deploy other measures to assist with that. for example: ACLs on
> the interfaces facing your management network instead.
>
> also, if you run a service that represents the bulk of your traffic on
> that device, add a short-circuit rule for that service higher at the
> top, even if a rule with wider reach allows the same later.
>
>> any significant advantage over entry-level 6500/7600?
>
> 6500/7600 will be way less order dependent and you'll be able to have
> much longer ACLs. in my experience, on software platforms 99% of your
> traffic should either be permitted or denied in the first 5 or so rules
> or you're going to see serious performance problems.
>
> consider using 'access-list compiled' if your platform/IOS supports it.
>
> distribute your ACLs as much as possible. take a multi layered approach.
> know your device's strengths and weaknesses when it comes to filtering
> and exploit those.
>
> -- bill
>

- --
- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIxZWkIvBv0k5esR4RAi5bAJ9P4+P3+rWK46LV3U2Jf7E8whwN8wCfemqA
I/nuXWZh52qSpiCq/uiPYnk=
=b5nR
-----END PGP SIGNATURE-----

From mb at adv.gcomm.com.au Mon Sep 8 19:47:41 2008
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Tue, 09 Sep 2008 09:47:41 +1000
Subject: [c-nsp] Possible new bug in a 3750 stack
In-Reply-To: <1220883139.8814.6.camel@dsba-ipso>
References: <1220883139.8814.6.camel@dsba-ipso>
Message-ID: <20080909094741.97k6t01qcin4cgs8@webmail.datafx.com.au>

Quoting luismi:

> Hi all,
>
> Is there anyone there with the same problem?
> I have a 3750 stack with 2 switches running
> flash:/c3750-ipservicesk9-mz.122-44.SE1.bin, the configuration is pretty
> simple, just several port-channels.

Hi,

Running 2 x WS-C3750E-24TD-S in stack w/ c3750e-universal-mz.122-44.SE2.bin, and am not seeing this issue.

MB

-------------------------------------------------------------------------
This e-mail was sent via Data FX Online WebMail http://www.datafx.com.au/

From mb at adv.gcomm.com.au Mon Sep 8 19:35:57 2008
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Tue, 09 Sep 2008 09:35:57 +1000
Subject: [c-nsp] Tool(free?) to extract vlan+trunk info from Cat4003
Message-ID: <20080909093557.6dijkup7xdea88sk@webmail.datafx.com.au>

Hi,

We have a few old Cat4003's that we need to get all L2 info from (all vlans/trunks etc). Was hoping there was a (free) tool that could automate the task?
Had a look at Cisco Network Assist, and enabled http server on the 4ks, but it looks like CNA is requesting info that does not exist on the 4003's:

2008 Sep 08 19:39:18 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /exec/show/version/CR from client 0.0.0.0 not found
2008 Sep 08 19:39:18 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /exec/show/version/CR from client 0.0.0.0 not found
2008 Sep 08 19:39:18 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /exec/show/version/CR from client 0.0.0.0 not found
2008 Sep 08 19:39:19 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /exec/show/version/CR from client 0.0.0.0 not found
2008 Sep 08 19:39:19 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /screens/base/hw_info.html from client 0.0.0.0 not found
2008 Sep 08 19:39:19 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /screens/base/hw_info.html from client 0.0.0.0 not found
2008 Sep 08 19:39:19 aest +10:00 %MGMT-5-HTTP_URINOTFOUND:Request for /screens/base/hw_info.html from client 0.0.0.0 not found
...

Thanks in advance.
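Returning to the "NPE G1, CEF and ACLs and high CPU" thread: Bill's point above (on a software-forwarding platform the list is walked top-down and most traffic falls through to the last entry) and the overlapping-prefix example Adrian gives further down can both be checked with a small model. What follows is an added illustration, not code from any of the posters or from IOS. It evaluates an ACL first-match, counts how many entries each packet is compared against, and reports where a reordering changes a verdict. The ACL is a stand-in for the one posted in the thread, with OURBLOCK1, US1, THEM1 and NETWORK_1 replaced by constructed RFC 5737 documentation addresses; the traffic mix and its weights are constructed too.

```python
"""First-match ACL model: why entry order matters on a software-forwarding box.

Added illustration, not code from any list member or from IOS. Prefixes,
hosts and the traffic mix below are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive (lo, hi); None = any port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol, otherwise exact
    src: str                     # source prefix, CIDR
    dst: str                     # destination prefix, CIDR
    sport: PortRange = None
    dport: PortRange = None
    established: bool = False    # only TCP segments with ACK (or RST) set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False


def _port_ok(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """One access-list entry compared against one packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if not _port_ok(pkt.sport, rule.sport) or not _port_ok(pkt.dport, rule.dport):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Linear top-down walk, first hit wins, implicit deny at the end.
    Returns (verdict, number of entries that had to be compared)."""
    for n, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(acl)


def average_comparisons(acl: List[Rule], traffic) -> float:
    """Mean entries compared per packet for a weighted mix of (Packet, share)."""
    total = sum(share for _, share in traffic)
    return sum(evaluate(acl, pkt)[1] * share for pkt, share in traffic) / total


def disagreements(acl_a: List[Rule], acl_b: List[Rule], packets) -> List[Packet]:
    """Packets on which the two lists give different verdicts."""
    return [p for p in packets if evaluate(acl_a, p)[0] != evaluate(acl_b, p)[0]]


# Constructed stand-ins for the placeholders in the posted ACL.
ANY, OURBLOCK, INFRA = "0.0.0.0/0", "192.0.2.0/24", "198.51.100.0/24"
US1, THEM1, BGP = "198.51.100.1/32", "203.0.113.1/32", (179, 179)
TRACEROUTE = (33434, 33534)

# Same order as posted: bogons, anti-spoof, icmp, traceroute, bgp, infra, permit any.
ORIGINAL = [
    Rule("deny", "ip", "10.0.0.0/8", ANY),
    Rule("deny", "ip", "192.168.0.0/16", ANY),
    Rule("deny", "ip", "0.0.0.0/32", ANY),
    Rule("deny", "ip", OURBLOCK, ANY),
    Rule("permit", "icmp", ANY, ANY),
    Rule("permit", "udp", ANY, ANY, dport=TRACEROUTE),
    Rule("permit", "tcp", THEM1, US1, dport=BGP),
    Rule("permit", "tcp", THEM1, US1, sport=BGP),
    Rule("deny", "ip", ANY, US1),
    Rule("deny", "ip", ANY, INFRA),
    Rule("permit", "ip", ANY, ANY),
]

# Reordered as suggested in the thread: anti-spoof first, then the
# "permit tcp any any established" short-circuit, icmp moved up, rest unchanged.
REORDERED = [ORIGINAL[3], Rule("permit", "tcp", ANY, ANY, established=True),
             ORIGINAL[4]] + ORIGINAL[0:3] + ORIGINAL[5:]

# Constructed traffic mix; weights are relative packet shares.
TRANSIT = Packet("tcp", "203.0.113.50", "192.0.2.10", 40000, 443, ack=True)
BOGON_ICMP = Packet("icmp", "10.1.1.1", "192.0.2.10")
INFRA_SYN = Packet("tcp", "203.0.113.77", "198.51.100.1", 40000, 22)
INFRA_ACK = Packet("tcp", "203.0.113.77", "198.51.100.1", 40000, 22, ack=True)
SPOOFED = Packet("tcp", "192.0.2.5", "192.0.2.10", 1234, 80, ack=True)
PEER_BGP = Packet("tcp", "203.0.113.1", "198.51.100.1", 50000, 179, ack=True)
TRAFFIC = [(TRANSIT, 90), (BOGON_ICMP, 2), (INFRA_SYN, 1),
           (INFRA_ACK, 1), (SPOOFED, 2), (PEER_BGP, 4)]

# The overlapping-prefix example from the thread: swapping two adjacent
# entries silently changes the policy for 1.2.4.8/30.
SSH = (22, 22)
OVERLAPPING = [
    Rule("permit", "tcp", "1.2.3.0/24", ANY, dport=SSH),
    Rule("deny", "tcp", "1.2.4.8/30", ANY, dport=SSH),
    Rule("permit", "tcp", "1.2.0.0/16", ANY, dport=SSH),
    Rule("deny", "tcp", "1.0.0.0/8", ANY, dport=SSH),
]
SWAPPED = [OVERLAPPING[0], OVERLAPPING[2], OVERLAPPING[1], OVERLAPPING[3]]
PROBE = Packet("tcp", "1.2.4.9", "192.0.2.10", 5000, 22)

if __name__ == "__main__":
    print("avg entries/packet, original :", average_comparisons(ORIGINAL, TRAFFIC))
    print("avg entries/packet, reordered:", average_comparisons(REORDERED, TRAFFIC))
    print("verdicts changed by reorder  :", disagreements(ORIGINAL, REORDERED, [p for p, _ in TRAFFIC]))
    print("overlap example, orig/swapped:", evaluate(OVERLAPPING, PROBE), evaluate(SWAPPED, PROBE))
```

With this mix the posted order costs about 10.5 comparisons per packet (the 90% established transit share walks all eleven entries) and the reordered list about 2.1. The `disagreements` output is the useful part: it names exactly the two trade-offs Bill calls out, ICMP from bogon sources now being permitted (the PMTUD point) and ACK segments toward infrastructure addresses now passing the established entry. The swapped overlap example shows why mechanically re-sorting entries is not safe: 1.2.4.9 is denied in one order and permitted in the other. On real gear the equivalent sanity check is comparing per-entry hit counts from `show access-lists` before and after the change.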
From abalashov at evaristesys.com Tue Sep 9 00:31:13 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 09 Sep 2008 00:31:13 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080908205046.GK29172@elvis.mu.org>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org>
Message-ID: <48C5FC11.2020109@evaristesys.com>

Are you _sure_ that order is important in these ACLs? I ask because I honestly don't know, so don't get me wrong.

It just seems rather unlikely. Organising data like that into structures where matching and access can happen at more or less an O(1) formal computational complexity is a basic skill that is taught at the beginning of any undergraduate curriculum in computer science. Students are taught to understand that large amounts of random (non-sorted) data cannot be stored in a linear structure, and that even linear structures with comparatively few elements (such as an access list) can be very slow if the lookup is repeated with very great frequency.

That's why such data gets stored in multidimensional and relational data structures: things like binary trees (and their innumerable permutations), undirected string vector graphs for heavy lexical token matching, hash tables, and various relational mechanisms for forming bindings or indices from a quick and superficial glimpse at the data.
It's how every firewall/packet filtering engine (such as Linux netfilter, or the FreeBSD packet filter) is implemented, so packets are matched using a hashing strategy rather than linear, iterative comparisons.

What you appear to be suggesting in your dwelling upon the significance of rules being at the bottom or top of an access list definition would also imply that these basic algorithmic innovations and elements of the software engineering canon have somehow managed, with great finesse, to escape the notice of the people who wrote IOS. I refuse to believe that.

bill fumerola wrote:

> [ reading through quickly, just some ACL pointers.. ]
>
> On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
>> ! deny rogue IPs (it is interesting how many catches are here)
>> deny ip 10.0.0.0 .... any
>> deny ip 192... any
>> deny ip host 0.0.0.0 any
>
> this breaks PMTUD. icmp messages from poorly addressed routers still
> need to get back to your hosts.
>
>> etc....
>> ! deny spoofing us...
>> deny ip OURBLOCK1 any
>> deny ip OURBLOCK2 any
>
> move to the top.
>
>> ! pings and traceroute
>> permit icmp any any
>
> either permit the specific ICMPs required for end to end communication
> to work and permit the rest after your anti-spoof, or just move this
> towards the top.
>
>> permit udp any any range 32xxx 34xxx
>
> rarely used, move towards the bottom.
>
>> ! transit providers
>> permit tcp host THEM1 host US1 eq bgp
>> permit tcp host THEM1 eq bgp host US1
>> ! Internet eXchanges - bgp/msdp
>> permit tcp THEM2 WCARD2 host US2 eq bgp
>> permit tcp THEM2 WCARD2 eq bgp host US2
>> deny ip any US1
>> deny ip any US2
>
> rarely used, move towards bottom. consider removing the port-specific
> portions and see if you can get your ISP to use the TTL hack.
>
>> ! some legacy stuff
>> permit ip any host XXX
>
> move towards the top.
>
>> ! deny access to infrastructure
>> deny ip any NETWORK_1
>> ...
>> deny ip any NETWORK_N
>
>
> sometimes, you can null route these blocks and use policy route-maps
> that set next-hop for your local device and/or management networks
> that allow the forwarding plane to take care of discarding these
>
>
>> permit ip any any
>
> and here's where the majority of your traffic matches - at the bottom.
> this will kill performance. consider the trade-off of adding a:
>
> permit tcp any any established
>
> towards the top of your config. that rule will catch the majority of
> most networks' traffic. your deny rules below will still prevent SYN
> packets from getting through to your infrastructure space. yes, your
> 'infrastructure' will be open to ACK floods and other such things, but
> you can deploy other measures to assist with that. for example: ACLs on
> the interfaces facing your management network instead.
>
> also, if you run a service that represents the bulk of your traffic on
> that device, add a short-circuit rule for that service higher at the
> top, even if a rule with wider reach allows the same later.
>
>> any significant advantage over entry-level 6500/7600?
>
> 6500/7600 will be way less order dependent and you'll be able to have
> much longer ACLs. in my experience, on software platforms 99% of your
> traffic should either be permitted or denied in the first 5 or so rules
> or you're going to see serious performance problems.
>
> consider using 'access-list compiled' if your platform/IOS supports it.
>
> distribute your ACLs as much as possible. take a multi layered approach.
> know your device's strengths and weaknesses when it comes to filtering
> and exploit those.
>
> -- bill

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From adrian at creative.net.au Tue Sep 9 00:32:31 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Tue, 9 Sep 2008 12:32:31 +0800
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C5FC11.2020109@evaristesys.com>
References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com>
Message-ID: <20080909043231.GF16324@skywalker.creative.net.au>

Bill is practically right. The semantics for Cisco ACLs aren't "here's a set of IP ranges, apply this behaviour", they're a linear walk of rules from top to bottom applying behaviour at each step. Collapsing that into the smallest set of possible operations is -not- taught at first/second year computer science. Eg:

* permit ssh 1.2.3.0/24
* deny ssh 1.2.4.8/30
* permit ssh 1.2.0.0/16
* deny ssh 1.0.0.0/8

Please yank the first year computer science curriculum bit which provides the student with the clue required to algorithmically determine the smallest set of permit/deny's keeping the above semantics correct. Then do some basic analysis to find out what the resource bounds are on determining that. Oh, then prove that you can evaluate it in "more or less O(1) time". Go on, I dare you :) (Note: I -think- the TCAM ACL rule programming in later IOSes can do that? Perhaps Rodney or someone else from Cisco can comment.. :)

There's some rule folding (and compiling?) stuff that I've heard about in later software-forwarding IOSes which attempt to mitigate this somewhat but I've never really sat down and (ab)used it.

Now, I suggest you go back and read how iptables / ipfw / pf rules are actually -parsed- and -handled- in the various *NIXes you speak of. I've done this exercise and I'll give you a hint - rules are evaluated much the same as they are on the Cisco, except in some cases the evaluation doesn't stop at first hit and there are other gotchas (like "match X goto rule Y"). Go figure out why.

I'll give you an even bigger hint - the best way to get a speedup under *NIX packet filters is to build "sets" of IP addresses to apply your policies rather than individual rules for each network you want to allow SSH for. The difference between one rule w/ a 200,000 network IP set versus 200,000 entries is pretty staggering - and the latter depends on the rule ordering. Just like Bill said. :)

Adrian

On Tue, Sep 09, 2008, Alex Balashov wrote:
> Are you _sure_ that order is important in these ACLs? I ask because I
> honestly don't know, so don't get me wrong.
>
> It just seems rather unlikely. Organising data like that into
> structures where matching and access can happen at more or less an O(1)
> formal computational complexity is a basic skill that is taught at the
> beginning of any undergraduate curriculum in computer science. Students
> are taught to understand that large amounts of random (non-sorted) data
> cannot be stored in a linear structure, and that even linear structures
> with comparatively few elements (such as an access list) can be very
> slow if the lookup is repeated with very great frequency.
>
> That's why such data gets stored in multidimensional and relational data
> structures: things like binary trees (and their innumerable
> permutations), undirected string vector graphs for heavy lexical token
> matching, hash tables, and various relational mechanisms for forming
> bindings or indices from a quick and superficial glimpse at the data.
>
> It's how every firewall/packet filtering engine (such as Linux
> netfilter, or the FreeBSD packet filter) is implemented, so packets are
> matched using a hashing strategy rather than linear, iterative comparisons.
>
> What you appear to be suggesting in your dwelling upon the significance
> of rules being at the bottom or top of an access list definition would
> also imply that these basic algorithmic innovations and elements of the
> software engineering canon have somehow managed, with great finesse, to
> escape the notice of the people who wrote IOS. I refuse to believe that.
>
> bill fumerola wrote:
>
> >[ reading through quickly, just some ACL pointers.. ]
> >
> >On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
> >>! deny rogue IPs (it is interesting how many catches are here)
> >>deny ip 10.0.0.0 .... any
> >>deny ip 192... any
> >>deny ip host 0.0.0.0 any
> >
> >this breaks PMTUD. icmp messages from poorly addressed routers still
> >need to get back to your hosts.
> >
> >>etc....
> >>! deny spoofing us...
> >>deny ip OURBLOCK1 any
> >>deny ip OURBLOCK2 any
> >
> >move to the top.
> >
> >>! pings and traceroute
> >>permit icmp any any
> >
> >either permit the specific ICMPs required for end to end communication
> >to work and permit the rest after your anti-spoof, or just move this
> >towards the top.
> >
> >>permit udp any any range 32xxx 34xxx
> >
> >rarely used, move towards the bottom.
> >
> >>! transit providers
> >>permit tcp host THEM1 host US1 eq bgp
> >>permit tcp host THEM1 eq bgp host US1
> >>! Internet eXchanges - bgp/msdp
> >>permit tcp THEM2 WCARD2 host US2 eq bgp
> >>permit tcp THEM2 WCARD2 eq bgp host US2
> >>deny ip any US1
> >>deny ip any US2
> >
> >rarely used, move towards bottom. consider removing the port-specific
> >portions and see if you can get your ISP to use the TTL hack.
> >
> >>! some legacy stuff
> >>permit ip any host XXX
> >
> >move towards the top.
> >
> >>! deny access to infrastructure
> >>deny ip any NETWORK_1
> >>...
> >>deny ip any NETWORK_N
> >
> >
> >sometimes, you can null route these blocks and use policy route-maps
> >that set next-hop for your local device and/or management networks
> >that allow the forwarding plane to take care of discarding these
> >
> >
> >>permit ip any any
> >
> >and here's where the majority of your traffic matches - at the bottom.
> >this will kill performance. consider the trade-off of adding a:
> >
> >permit tcp any any established
> >
> >towards the top of your config. that rule will catch the majority of
> >most networks' traffic. your deny rules below will still prevent SYN
> >packets from getting through to your infrastructure space. yes, your
> >'infrastructure' will be open to ACK floods and other such things, but
> >you can deploy other measures to assist with that. for example: ACLs on
> >the interfaces facing your management network instead.
> >
> >also, if you run a service that represents the bulk of your traffic on
> >that device, add a short-circuit rule for that service higher at the
> >top, even if a rule with wider reach allows the same later.
> >
> >>any significant advantage over entry-level 6500/7600?
> >
> >6500/7600 will be way less order dependent and you'll be able to have
> >much longer ACLs. in my experience, on software platforms 99% of your
> >traffic should either be permitted or denied in the first 5 or so rules
> >or you're going to see serious performance problems.
> >
> >consider using 'access-list compiled' if your platform/IOS supports it.
> > > >distribute your ACLs as much as possible. take a multi layered approach. > >know your device's strengths and weaknesses when it comes to filtering > >and exploit those. > > > >-- bill > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > -- > Alex Balashov > Evariste Systems > Web : http://www.evaristesys.com/ > Tel : (+1) (678) 954-0670 > Direct : (+1) (678) 954-0671 > Mobile : (+1) (706) 338-8599 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA - From abalashov at evaristesys.com Tue Sep 9 01:07:57 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Tue, 09 Sep 2008 01:07:57 -0400 Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU In-Reply-To: <20080909043231.GF16324@skywalker.creative.net.au> References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> Message-ID: <48C604AD.7080500@evaristesys.com> Are you serious? Well, I unhappily and disappointedly stand corrected, then. Indeed, Cisco documentation appears to confirm what you and Bill are saying. 
There are a variety of known algorithms for traversing hashed structures
while taking order of precedence into account. I am, quite frankly,
astonished that they are not used, or that it takes some sort of ASIC or
TCAM enhancement to make that happen.

Adrian Chadd wrote:
> Bill is practically right. The semantics for Cisco ACLs aren't "here's a set
> of IP ranges, apply this behaviour", they're a linear walk of rules from
> top to bottom applying behaviour at each step. Collapsing that into the
> smallest set of possible operations is -not- taught at first/second year
> computer science. Eg:
>
> * permit ssh 1.2.3.0/24
> * deny ssh 1.2.4.8/30
> * permit ssh 1.2.0.0/16
> * deny ssh 1.0.0.0/8
>
> Please yank the first year computer science curriculum bit which provides
> the student with the clue required to algorithmically determine the smallest
> set of permit/deny's keeping the above semantics correct. Then do some basic
> analysis to find out what the resource bounds are on determining that.
> Oh, then prove that you can evaluate it in "more or less O(1) time". Go on,
> I dare you :) (Note: I -think- the TCAM ACL rule programming in later IOSes
> can do that? Perhaps Rodney or someone else from Cisco can comment.. :)
>
> There's some rule folding (and compiling?) stuff that I've heard about in
> later software-forwarding IOSes which attempt to mitigate this somewhat but
> I've never really sat down and (ab)used it.
>
> Now, I suggest you go back and read how iptables / ipfw / pf rules
> are actually -parsed- and -handled- in the various *NIXes you speak of.
> I've done this exercise and I'll give you a hint - rules are evaluated
> much the same as they are on the Cisco, except in some cases the evaluation
> doesn't stop at first hit and there are other gotchas (like "match X goto rule
> Y"). Go figure out why.
>
> I'll give you an even bigger hint - the best way to get a speedup under
> *NIX packet filters is to build "sets" of IP addresses to apply your policies
> rather than individual rules for each network you want to allow SSH for.
> The difference between one rule w/ a 200,000 network IP set versus 200,000
> entries is pretty staggering - and the latter depends on the rule ordering.
> Just like Bill said. :)
>
>
>
>
> Adrian
>
> On Tue, Sep 09, 2008, Alex Balashov wrote:
>> Are you _sure_ that order is important in these ACLs? I ask because I
>> honestly don't know, so don't get me wrong.
>>
>> It just seems rather unlikely. Organising data like that into
>> structures where matching and access can happen at more or less an O(1)
>> formal computational complexity is a basic skill that is taught at the
>> beginning of any undergraduate curriculum in computer science. Students
>> are taught to understand that large amounts of random (non-sorted) data
>> cannot be stored in a linear structure, and that even linear structures
>> with comparatively few elements (such as an access list) can be very
>> slow if the lookup is repeated with very great frequency.
>>
>> That's why such data gets stored in multidimensional and relational data
>> structures: things like binary trees (and their innumerable
>> permutations), undirected string vector graphs for heavy lexical token
>> matching, hash tables, and various relational mechanisms for forming
>> bindings or indices from a quick and superficial glimpse at the data.
>>
>> It's how every firewall/packet filtering engine (such as Linux
>> netfilter, or the FreeBSD packet filter) is implemented, so packets are
>> matched using a hashing strategy rather than linear, iterative comparisons.
>>
>> What you appear to be suggesting in your dwelling upon the significance
>> of rules being at the bottom or top of an access list definition would
>> also imply that these basic algorithmic innovations and elements of the
>> software engineering canon have somehow managed, with great finesse, to
>> escape the notice of the people who wrote IOS. I refuse to believe that.
>>
>> bill fumerola wrote:
>>
>>> [ reading through quickly, just some ACL pointers.. ]
>>>
>>> On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
>>>> ! deny rogue IPs (it is interesting how many catches are here)
>>>> deny ip 10.0.0.0 .... any
>>>> deny ip 192... any
>>>> deny ip host 0.0.0.0 any
>>> this breaks PMTUD. icmp messages from poorly addressed routers still
>>> need to get back to your hosts.
>>>
>>>> etc....
>>>> ! deny spoofing us...
>>>> deny ip OURBLOCK1 any
>>>> deny ip OURBLOCK2 any
>>> move to the top.
>>>
>>>> ! pings and traceroute
>>>> permit icmp any any
>>> either permit the specific ICMPs required for end to end communication
>>> to work and permit the rest after your anti-spoof, or just move this
>>> towards the top.
>>>
>>>> permit udp any any range 32xxx 34xxx
>>> rarely used, moved towards the bottom.
>>>
>>>> ! transit providers
>>>> permit tcp host THEM1 host US1 eq bgp
>>>> permit tcp host THEM1 eq bgp host US1
>>>> ! Internet eXchanges - bgp/msdp
>>>> permit tcp THEM2 WCARD2 host US2 eq bgp
>>>> permit tcp THEM2 WCARD2 eq bgp host US2
>>>> deny ip any US1
>>>> deny ip any US2
>>> rarely used, move towards bottom. consider removing the port-specific
>>> portions and see if you can get your ISP to use the TTL hack.
>>>
>>>> ! some legacy stuff
>>>> permit ip any host XXX
>>> move towards the top.
>>>
>>>> ! deny access to infrastructure
>>>> deny ip any NETWORK_1
>>>> ...
>>>> deny ip any NETWORK_N
>>>
>>> sometimes, you can null route these blocks and use policy route-maps
>>> that set next-hop for your local device and/or management networks
>>> that allow the forwarding plane to take care of discarding these
>>>
>>>
>>>> permit ip any any
>>> and here's where the majority of your traffic matches - at the bottom.
>>> this will kill performance. consider the trade-off of adding a:
>>>
>>> permit tcp any any established
>>>
>>> towards the top of your config. that rule will catch the majority of
>>> most networks' traffic. your deny rules below will still prevent SYN
>>> packets from getting through to your infrastructure space. yes, your
>>> 'infrastructure' will be open to ACK floods and other such things, but
>>> you can deploy other measures to assist with that. for example: ACLs on
>>> the interfaces facing your management network instead.
>>>
>>> also, if you run a service that represents the bulk of your traffic on
>>> that device, add a short-circuit rule for that service higher at the
>>> top, even if a rule with wider reach allows the same later.
>>>
>>>> any significant advantage over entry-level 6500/7600?
>>> 6500/7600 will be way less order dependent and you'll be able to have
>>> much longer ACLs. in my experience, on software platforms 99% of your
>>> traffic should either be permitted or denied in the first 5 or so rules
>>> or you're going to see serious performance problems.
>>>
>>> consider using 'access-list compiled' if your platform/IOS support it.
>>>
>>> distribute your ACLs as much as possible. take a multi layered approach.
>>> know your device's strengths and weaknesses when it comes to filtering
>>> and exploit those.
>>>
>>> -- bill
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> --
>> Alex Balashov
>> Evariste Systems
>> Web : http://www.evaristesys.com/
>> Tel : (+1) (678) 954-0670
>> Direct : (+1) (678) 954-0671
>> Mobile : (+1) (706) 338-8599
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From adrian at creative.net.au Tue Sep 9 02:10:45 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Tue, 9 Sep 2008 14:10:45 +0800
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <72D7D15A-D2B7-4FC8-97C3-C788AD760DD2@bitgravity.com>
References: <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <72D7D15A-D2B7-4FC8-97C3-C788AD760DD2@bitgravity.com>
Message-ID: <20080909061044.GI16324@skywalker.creative.net.au>

On Mon, Sep 08, 2008, David Hawthorne wrote:
> btw, one of the surprising tricks we learned was that the range
> start_port end_port specification won't fill up TCAM on the 6500/7600
> IFF your port ranges fall on bit boundaries just like networks do.

I'm sure I've read that documented somewhere.
which isn't surprising if "port range" in TCAM is implemented using
mask/eval like IP address matching - I guess it'd have to create one mask
and multiple match entries to represent your non-contig bit port boundaries.

(That may be the motivation behind the earlier TCAM of "limited masks/lots
more matches" .. ?)

Anyway, too much armchair conjecture from this non-neteng.. back to coding. :)

Adrian

From rubensk at gmail.com Tue Sep 9 02:21:18 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 9 Sep 2008 03:21:18 -0300
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C604AD.7080500@evaristesys.com>
References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <48C604AD.7080500@evaristesys.com>
Message-ID: <6bb5f5b10809082321w4069eb8fj735b712ea31840fa@mail.gmail.com>

Such algorithms are indeed used, as you can see at the IOS reference for
the "access-list compiled" command where the ACL is converted to a data
structure that is O(1). I don't know which algorithm they use in IOS
nowadays, but for a very good reference on all of those algorithms (using
RAM or CAM), I recommend this paper:

"Survey and Taxonomy of Packet Classification Techniques" by David E. Taylor:
http://www.cse.seas.wustl.edu/Research/FileDownload.asp?334

Rubens

On Tue, Sep 9, 2008 at 2:07 AM, Alex Balashov wrote:
> Are you serious?
>
> Well, I unhappily and disappointedly stand corrected, then. Indeed, Cisco
> documentation appears to confirm what you and Bill are saying.
>
> There are a variety of known algorithms for traversing hashed structures
> while taking order of precedence into account.
> I am, quite frankly,
> astonished that they are not used, or that it takes some sort of ASIC or
> TCAM enhancement to make that happen.
>
>
>
> Adrian Chadd wrote:
>
>> Bill is practically right. The semantics for Cisco ACLs aren't "here's a set
>> of IP ranges, apply this behaviour", they're a linear walk of rules from
>> top to bottom applying behaviour at each step. Collapsing that into the
>> smallest set of possible operations is -not- taught at first/second year
>> computer science. Eg:
>>
>> * permit ssh 1.2.3.0/24
>> * deny ssh 1.2.4.8/30
>> * permit ssh 1.2.0.0/16
>> * deny ssh 1.0.0.0/8
>>
>> Please yank the first year computer science curriculum bit which provides
>> the student with the clue required to algorithmically determine the smallest
>> set of permit/deny's keeping the above semantics correct. Then do some basic
>> analysis to find out what the resource bounds are on determining that.
>> Oh, then prove that you can evaluate it in "more or less O(1) time". Go on,
>> I dare you :) (Note: I -think- the TCAM ACL rule programming in later IOSes
>> can do that? Perhaps Rodney or someone else from Cisco can comment.. :)
>>
>> There's some rule folding (and compiling?) stuff that I've heard about in
>> later software-forwarding IOSes which attempt to mitigate this somewhat but
>> I've never really sat down and (ab)used it.
>>
>> Now, I suggest you go back and read how iptables / ipfw / pf rules
>> are actually -parsed- and -handled- in the various *NIXes you speak of.
>> I've done this exercise and I'll give you a hint - rules are evaluated
>> much the same as they are on the Cisco, except in some cases the evaluation
>> doesn't stop at first hit and there are other gotchas (like "match X goto rule
>> Y"). Go figure out why.
>>
>> I'll give you an even bigger hint - the best way to get a speedup under
>> *NIX packet filters is to build "sets" of IP addresses to apply your
>> policies rather than individual rules for each network you want to allow
>> SSH for. The difference between one rule w/ a 200,000 network IP set
>> versus 200,000 entries is pretty staggering - and the latter depends on
>> the rule ordering. Just like Bill said. :)
>>
>>
>>
>>
>> Adrian
>>
>> On Tue, Sep 09, 2008, Alex Balashov wrote:
>>>
>>> Are you _sure_ that order is important in these ACLs? I ask because I
>>> honestly don't know, so don't get me wrong.
>>>
>>> It just seems rather unlikely. Organising data like that into structures
>>> where matching and access can happen at more or less an O(1) formal
>>> computational complexity is a basic skill that is taught at the beginning of
>>> any undergraduate curriculum in computer science. Students are taught to
>>> understand that large amounts of random (non-sorted) data cannot be stored
>>> in a linear structure, and that even linear structures with comparatively
>>> few elements (such as an access list) can be very slow if the lookup is
>>> repeated with very great frequency.
>>>
>>> That's why such data gets stored in multidimensional and relational data
>>> structures: things like binary trees (and their innumerable permutations),
>>> undirected string vector graphs for heavy lexical token matching, hash
>>> tables, and various relational mechanisms for forming bindings or indices
>>> from a quick and superficial glimpse at the data.
>>>
>>> It's how every firewall/packet filtering engine (such as Linux netfilter,
>>> or the FreeBSD packet filter) is implemented, so packets are matched using a
>>> hashing strategy rather than linear, iterative comparisons.
>>>
>>> What you appear to be suggesting in your dwelling upon the significance
>>> of rules being at the bottom or top of an access list definition would also
>>> imply that these basic algorithmic innovations and elements of the software
>>> engineering canon have somehow managed, with great finesse, to escape the
>>> notice of the people who wrote IOS. I refuse to believe that.
>>>
>>> bill fumerola wrote:
>>>
>>>> [ reading through quickly, just some ACL pointers.. ]
>>>>
>>>> On Mon, Sep 08, 2008 at 09:15:31PM +0100, Mateusz Błaszczyk wrote:
>>>>>
>>>>> ! deny rogue IPs (it is interesting how many catches are here)
>>>>> deny ip 10.0.0.0 .... any
>>>>> deny ip 192... any
>>>>> deny ip host 0.0.0.0 any
>>>>
>>>> this breaks PMTUD. icmp messages from poorly addressed routers still
>>>> need to get back to your hosts.
>>>>
>>>>> etc....
>>>>> ! deny spoofing us...
>>>>> deny ip OURBLOCK1 any
>>>>> deny ip OURBLOCK2 any
>>>>
>>>> move to the top.
>>>>
>>>>> ! pings and traceroute
>>>>> permit icmp any any
>>>>
>>>> either permit the specific ICMPs required for end to end communication
>>>> to work and permit the rest after your anti-spoof, or just move this
>>>> towards the top.
>>>>
>>>>> permit udp any any range 32xxx 34xxx
>>>>
>>>> rarely used, moved towards the bottom.
>>>>
>>>>> ! transit providers
>>>>> permit tcp host THEM1 host US1 eq bgp
>>>>> permit tcp host THEM1 eq bgp host US1
>>>>> ! Internet eXchanges - bgp/msdp
>>>>> permit tcp THEM2 WCARD2 host US2 eq bgp
>>>>> permit tcp THEM2 WCARD2 eq bgp host US2
>>>>> deny ip any US1
>>>>> deny ip any US2
>>>>
>>>> rarely used, move towards bottom. consider removing the port-specific
>>>> portions and see if you can get your ISP to use the TTL hack.
>>>>
>>>>> ! some legacy stuff
>>>>> permit ip any host XXX
>>>>
>>>> move towards the top.
>>>>
>>>>> ! deny access to infrastructure
>>>>> deny ip any NETWORK_1
>>>>> ...
>>>>> deny ip any NETWORK_N
>>>>
>>>>
>>>> sometimes, you can null route these blocks and use policy route-maps
>>>> that set next-hop for your local device and/or management networks
>>>> that allow the forwarding plane to take care of discarding these
>>>>
>>>>
>>>>> permit ip any any
>>>>
>>>> and here's where the majority of your traffic matches - at the bottom.
>>>> this will kill performance. consider the trade-off of adding a:
>>>>
>>>> permit tcp any any established
>>>>
>>>> towards the top of your config. that rule will catch the majority of
>>>> most networks' traffic. your deny rules below will still prevent SYN
>>>> packets from getting through to your infrastructure space. yes, your
>>>> 'infrastructure' will be open to ACK floods and other such things, but
>>>> you can deploy other measures to assist with that. for example: ACLs on
>>>> the interfaces facing your management network instead.
>>>>
>>>> also, if you run a service that represents the bulk of your traffic on
>>>> that device, add a short-circuit rule for that service higher at the
>>>> top, even if a rule with wider reach allows the same later.
>>>>
>>>>> any significant advantage over entry-level 6500/7600?
>>>>
>>>> 6500/7600 will be way less order dependent and you'll be able to have
>>>> much longer ACLs. in my experience, on software platforms 99% of your
>>>> traffic should either be permitted or denied in the first 5 or so rules
>>>> or you're going to see serious performance problems.
>>>>
>>>> consider using 'access-list compiled' if your platform/IOS support it.
>>>>
>>>> distribute your ACLs as much as possible. take a multi layered approach.
>>>> know your device's strengths and weaknesses when it comes to filtering
>>>> and exploit those.
>>>>
>>>> -- bill
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>> --
>>> Alex Balashov
>>> Evariste Systems
>>> Web : http://www.evaristesys.com/
>>> Tel : (+1) (678) 954-0670
>>> Direct : (+1) (678) 954-0671
>>> Mobile : (+1) (706) 338-8599
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
> --
> Alex Balashov
> Evariste Systems
> Web : http://www.evaristesys.com/
> Tel : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From reuben-cisco-nsp at reub.net Tue Sep 9 01:50:10 2008
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 09 Sep 2008 15:50:10 +1000
Subject: [c-nsp] 12.40(20T), pppoe woes
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405F80226@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405F80226@xmb-ams-333.emea.cisco.com>
Message-ID: <48C60E92.3000600@reub.net>

On 8/09/2008 8:43 PM, Oliver Boehmer (oboehmer) wrote:
> David,
>
> please check CSCsu35584, it will be fixed in the upcoming 12.4(20)T1
> rebuild and the above restriction will be removed..
>
> oli

Hi Oli,

What is the approximate timeframe on 12.4(20)T1? I'm asking because I'd
really like to upgrade to 12.4(20)T but when I did all manner of things
broke badly - most notably Zone Based Firewall (CSCsq43934 and CSCsr58052)
and SIP registration (CSCsq85615, CSCsr00711). ie it wasn't a pleasant
experience.
Fortunately 12.4(15)T7 is pretty good now so that's my downgrade path but
still...

Reuben

From dhawth at bitgravity.com Tue Sep 9 02:06:28 2008
From: dhawth at bitgravity.com (David Hawthorne)
Date: Mon, 8 Sep 2008 23:06:28 -0700
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909043231.GF16324@skywalker.creative.net.au>
References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au>
Message-ID: <72D7D15A-D2B7-4FC8-97C3-C788AD760DD2@bitgravity.com>

On Sep 8, 2008, at 9:32 PM, Adrian Chadd wrote:
> Bill is practically right. The semantics for Cisco ACLs aren't "here's a set
> of IP ranges, apply this behaviour", they're a linear walk of rules from
> top to bottom applying behaviour at each step. Collapsing that into the
> smallest set of possible operations is -not- taught at first/second year
> computer science. Eg:
>
> * permit ssh 1.2.3.0/24
> * deny ssh 1.2.4.8/30
> * permit ssh 1.2.0.0/16
> * deny ssh 1.0.0.0/8
>
> Please yank the first year computer science curriculum bit which provides
> the student with the clue required to algorithmically determine the smallest
> set of permit/deny's keeping the above semantics correct. Then do some basic
> analysis to find out what the resource bounds are on determining that.
> Oh, then prove that you can evaluate it in "more or less O(1) time". Go on,
> I dare you :) (Note: I -think- the TCAM ACL rule programming in later IOSes
> can do that? Perhaps Rodney or someone else from Cisco can comment.. :)
>
> There's some rule folding (and compiling?) stuff that I've heard about in
> later software-forwarding IOSes which attempt to mitigate this somewhat but
> I've never really sat down and (ab)used it.
>

Nice. I actually worked at $big_company during and after Bill's tenure
there, and I had to step into his rather large boots developing the ACL
system after he left. By the time I was done, we actually had all of that,
because we had run into issues with filling up TCAM on those 6500s and
needed to get some aggregation and cruft-removal done. TCAM is used for
quite a few things in IOS, as you're probably aware.

I couldn't get it any better than O(n!), and it took forever and a day to
run against all of the ACLs, although that was due in part to the fact that
Junipers allow multiple source and destination subnets and port ranges and
protocols to have to test against. The ACLs were also mind-bogglingly huge.
Cisco rules were like very skinny Juniper terms, so they went pretty quick.

It's surprisingly simple once you can get the ACLs parsed into a consistent
data structure, assuming you're dealing primarily with the common case as
given above and not dealing with special actions.

So it *has* been done. Just not at Cisco. Necessity is the mother of
invention. :p

btw, one of the surprising tricks we learned was that the range start_port
end_port specification won't fill up TCAM on the 6500/7600 IFF your port
ranges fall on bit boundaries just like networks do.

From thotta at gmail.com Tue Sep 9 02:59:40 2008
From: thotta at gmail.com (Takao Hotta)
Date: Tue, 9 Sep 2008 15:59:40 +0900
Subject: [c-nsp] changing the number of equal-cost paths
Message-ID: <5a2269f70809082359h36562fe2h7340df992a749fb6@mail.gmail.com>

Hi,

I would like to change the number of ospf ecmp by using the maximum-paths
command for up to six equal-cost paths on Cisco 12406. But I am worried
about the impacts on routing/cef/connection for spf recalculation.
Thing is it has 6 links now, but ecmp number was like default (four).
Anyone know any ideas for configuration change without packet loss/drops
as much as possible?

Thanks in advance.

Takao

From matt at iseek.com.au Tue Sep 9 02:35:55 2008
From: matt at iseek.com.au (Matt Carter)
Date: Tue, 9 Sep 2008 16:35:55 +1000
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C604AD.7080500@evaristesys.com>
References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <48C604AD.7080500@evaristesys.com>
Message-ID: <7FEDD455961B164D8C4EEA60E22914205B78D56F50@EXCHANGE1.intranet.iseek.com.au>

> Are you serious?
>
> Well, I unhappily and disappointedly stand corrected, then. Indeed,
> Cisco documentation appears to confirm what you and Bill are saying.
>
> There are a variety of known algorithms for traversing hashed structures
> while taking order of precedence into account. I am, quite frankly,
> astonished that they are not used, or that it takes some sort of ASIC or
> TCAM enhancement to make that happen.

Turbo (compiled) ACL's was previously mentioned in this thread - have you
looked at those ??

The Turbo ACL feature compiles the ACLs into a set of lookup tables, while
maintaining the first match requirements. Packet headers are used to access
these tables in a small, fixed number of lookups, independently of the
existing number of ACL entries. The benefits of this feature include:

*For ACLs longer than three entries, the CPU load required to match the
packet to the predetermined packet-matching rule is lessened.
The CPU load is fixed, regardless of the size of the ACL, allowing for
larger ACLs without incurring any CPU overhead penalties. The larger the
ACL, the greater the benefit.

*The time taken to match the packet is fixed, so that latency of the packets
is smaller (substantially in the case of large ACLs) and more importantly,
consistent, allowing better network stability and more accurate transit
times.

From matt at iseek.com.au Tue Sep 9 02:32:00 2008
From: matt at iseek.com.au (Matt Carter)
Date: Tue, 9 Sep 2008 16:32:00 +1000
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C5FC11.2020109@evaristesys.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com>
Message-ID: <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au>

> Are you _sure_ that order is important in these ACLs? I ask because I
> honestly don't know, so don't get me wrong.

yes it is.. i have seen software based platforms knock 10-20% cpu off by
reworking very poorly laid out ACL's in a "top down" fashion.

>
> It just seems rather unlikely. Organising data like that into
> structures where matching and access can happen at more or less an O(1)
> formal computational complexity is a basic skill that is taught at the
> beginning of any undergraduate curriculum in computer science.
> Students
> are taught to understand that large amounts of random (non-sorted) data
> cannot be stored in a linear structure, and that even linear structures
> with comparatively few elements (such as an access list) can be very
> slow if the lookup is repeated with very great frequency.

aren't we doing some kind of eval on our current lists before applying a
new one? like i'm thinking

1) fire up the ACL leave it running for a while, look at the number of hits
per ACL entry, and rework the ACL such that the maximum number of hits is
at the top.

2) shortcut ACL's as bill mentioned
eg, consider the following ACL

5 deny udp host
10 deny udp host
20 deny udp host
25 permit ip any

presume that 60% of your traffic is TCP. all of this traffic is having to
drop through 3 denies before it gets permitted. you could save a significant
amount of processing by simply putting

1 permit tcp
5 deny udp host
10 deny udp host
20 deny udp host
25 permit ip any

sure, you are doubling up in what is permitted because the TCP would have
hit the permit ip any at the bottom anyway, but you are saving a
considerable amount of processing by having 60% of your traffic match the
first ACL entry. sure, oversimplified, but if you can't permit tcp outright,
consider a permit established before you start denying other tcp bits and
pieces, because more often than not the majority of traffic being forwarded
is established.

so in regards to having IOS reorganise the ACL for you that would have to
make the assumption that the IOS has the capability to work out what is the
ACL entries that are getting the most matches, in order to reorganise them,
it isn't going to be able to predict this for you.

in regards to shortcut ACL's i seriously doubt any time in the near future
IOS is going to help you in this regard.

do some netflow analysis and work out your traffic mix, look at your
security requirements and develop an ACL that encompasses both
considerations.
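The two steps Matt describes (count hits per entry, then add a short-circuit entry) and the `permit tcp any any established` trade-off Bill raises, worked through as an added example that is not code from this thread or from any poster: a small first-match evaluator over a constructed ACL and a constructed, weighted packet trace. The entries, RFC 5737 addresses and traffic counts are all assumed sample data; the walk length per packet stands in for the per-packet CPU cost of an uncompiled ACL.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False      # ACK/RST set: what IOS "established" keys on


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str = "0.0.0.0/0"         # CIDR ("any" in IOS syntax)
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # "eq <port>" when set
    established: bool = False      # only TCP segments with ACK/RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return not self.established or p.ack


def first_match(acl: List[Entry], p: Packet) -> Optional[int]:
    """Index of the first matching entry, or None for the implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(p):
            return i
    return None


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """Linear walk, as on an uncompiled software-path ACL.
    Returns (verdict, entries examined); a miss examines them all."""
    i = first_match(acl, p)
    return ("deny", len(acl)) if i is None else (acl[i].action, i + 1)


Trace = List[Tuple[Packet, int]]   # (packet, times seen)


def average_walk(acl: List[Entry], trace: Trace) -> float:
    """Mean entries examined per packet, a proxy for per-packet CPU cost."""
    total = sum(n for _, n in trace)
    return sum(evaluate(acl, p)[1] * n for p, n in trace) / total


def hit_counts(acl: List[Entry], trace: Trace) -> List[int]:
    """Per-entry match counters, like the ones 'show access-lists' reports."""
    counts = [0] * len(acl)
    for p, n in trace:
        i = first_match(acl, p)
        if i is not None:
            counts[i] += n
    return counts


def changed_verdicts(before: List[Entry], after: List[Entry],
                     trace: Trace) -> List[Tuple[Packet, str, str]]:
    """Packets whose permit/deny result differs between two orderings:
    the semantic price of a reorder, which has to be reviewed by hand."""
    diffs = []
    for p, _ in trace:
        a, b = evaluate(before, p)[0], evaluate(after, p)[0]
        if a != b:
            diffs.append((p, a, b))
    return diffs


# Constructed ACL in the shape of the one discussed above (documentation
# prefixes; OURBLOCK is our own space, INFRA the router/management range).
OURBLOCK, INFRA = "203.0.113.0/24", "203.0.113.0/28"
PEER, OUR_ROUTER = "198.51.100.1/32", "203.0.113.1/32"
SOURCE_DENIES = [                             # bogon and anti-spoof entries
    Entry("deny", "ip", src="10.0.0.0/8"),
    Entry("deny", "ip", src="192.168.0.0/16"),
    Entry("deny", "ip", src="0.0.0.0/32"),
    Entry("deny", "ip", src=OURBLOCK),        # our prefix arriving from outside
]
TAIL = [
    Entry("permit", "icmp"),
    Entry("permit", "tcp", src=PEER, dst=OUR_ROUTER, dport=179),  # eBGP peer
    Entry("deny", "ip", dst=INFRA),           # no other access to infrastructure
    Entry("permit", "ip"),                    # everything else: customer traffic
]
ORIGINAL = SOURCE_DENIES + TAIL
# Same entries plus the short-circuit, placed after the cheap source denies
# so anti-spoof still wins, but ahead of the infrastructure deny.
REORDERED = SOURCE_DENIES + [Entry("permit", "tcp", established=True)] + TAIL

CUSTOMER, OUTSIDE = "203.0.113.200", "198.51.100.77"
TRACE: Trace = [                              # constructed traffic mix
    (Packet("tcp", OUTSIDE, CUSTOMER, 443, ack=True), 70),     # established
    (Packet("tcp", OUTSIDE, CUSTOMER, 443), 10),               # new (SYN)
    (Packet("icmp", OUTSIDE, CUSTOMER), 5),
    (Packet("udp", OUTSIDE, CUSTOMER, 53), 5),
    (Packet("tcp", "10.1.1.1", CUSTOMER, 80), 3),              # bogon source
    (Packet("tcp", "203.0.113.9", CUSTOMER, 80, ack=True), 2), # spoofed source
    (Packet("tcp", "198.51.100.1", "203.0.113.1", 179, ack=True), 3),  # BGP
    (Packet("tcp", OUTSIDE, "203.0.113.5", 22, ack=True), 2),  # ACK at infra
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(f"{name}: {average_walk(acl, TRACE):.2f} entries/packet, "
              f"hits {hit_counts(acl, TRACE)}")
    for p, before, after in changed_verdicts(ORIGINAL, REORDERED, TRACE):
        print(f"{before} -> {after}: {p}")   # the ACK-flood exposure Bill notes
```

On this trace the average walk drops from 7.48 to 5.51 entries and the bulk of the hits moves from the last entry to the fifth; the only verdict that changes is the established-flag segment aimed at infrastructure space, which is exactly the exposure the thread says has to be covered by other means.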
From abalashov at evaristesys.com Tue Sep 9 04:04:46 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 09 Sep 2008 04:04:46 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <48C62E1E.2080805@evaristesys.com>

Just to be clear, in case it isn't, I was not referring to how the ACLs are
organised from the user perspective, presentation-wise, but rather I was
surprised that they are not all put into an optimised data structure on the
back side by IOS by default so that matching can happen with somewhere
between O(1) and O(n) performance.

Thank you all for the enlightenment on compiled/turbo ACLs. It makes me
wonder whether that is the reason why routers are generally considered a
poorer solution for extensive ACL duty than PIXs or ASAs. Does the PIX use
compiled ACLs by default? Or perhaps there is some sort of extremely helpful
ASIC-driven optimisation that they provide?

Matt Carter wrote:
>> Are you _sure_ that order is important in these ACLs? I ask because I
>> honestly don't know, so don't get me wrong.
>
> yes it is.. i have seen software based platforms knock 10-20% cpu off by
> reworking very poorly laid out ACL's in a "top down" fashion.
>
>> It just seems rather unlikely.
>> Organising data like that into
>> structures where matching and access can happen at more or less an O(1)
>> formal computational complexity is a basic skill that is taught at the
>> beginning of any undergraduate curriculum in computer science.
>> Students
>> are taught to understand that large amounts of random (non-sorted) data
>> cannot be stored in a linear structure, and that even linear structures
>> with comparatively few elements (such as an access list) can be very
>> slow if the lookup is repeated with very great frequency.
>
> aren't we doing some kind of eval on our current lists before applying a new one? like i'm thinking
>
> 1) fire up the ACL, leave it running for a while, look at the number of hits per ACL entry, and rework the ACL such that the maximum number of hits is at the top.
>
> 2) shortcut ACL's as bill mentioned
> eg, consider the following ACL
>
>     5 deny udp host
>     10 deny udp host
>     20 deny udp host
>     25 permit ip any
>
> presume that 60% of your traffic is TCP. all of this traffic is having to drop through 3 denies before it gets permitted. you could save a significant amount of processing by simply putting
>
>     1 permit tcp
>     5 deny udp host
>     10 deny udp host
>     20 deny udp host
>     25 permit ip any
>
> sure, you are doubling up in what is permitted because the TCP would have hit the permit ip any at the bottom anyway, but you are saving a considerable amount of processing by having 60% of your traffic match the first ACL entry. sure, oversimplified, but if you can't permit tcp outright, consider a permit established before you start denying other tcp bits and pieces, because more often than not the majority of traffic being forwarded is established.
>
> so in regards to having IOS reorganise the ACL for you, that would have to make the assumption that IOS has the capability to work out which ACL entries are getting the most matches in order to reorganise them; it isn't going to be able to predict this for you.
--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From abalashov at evaristesys.com Tue Sep 9 04:28:27 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 09 Sep 2008 04:28:27 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909043231.GF16324@skywalker.creative.net.au>
References: <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au>
Message-ID: <48C633AB.1010209@evaristesys.com>

Adrian Chadd wrote:

> Please yank the first year computer science curriculum bit which provides
> the student with the clue required to algorithmically determine the smallest
> set of permit/deny's keeping the above semantics correct. Then do some basic
> analysis to find out what the resource bounds are on determining that.
> Oh, then prove that you can evaluate it in "more or less O(1) time". Go on,
> I dare you :)

You're right - point definitely taken. :)

Without wanting to get into a discussion about the relative merits of sundry CS curricula: I didn't mean that the solution to this exact problem, or close variants of it, is taught in introductory CS. What I meant was more that the underlying, formal methodological intuitions are taught, or at least should be taught, as far as I know, as a key pedagogical point.
In other words, it ought to occur to someone doing this type of implementation that subjecting thousands to tens of thousands of packets per second to one or more sets of linear evaluations of arbitrary size is going to be murderously inefficient, and that a different approach should be taken.

I don't know a lot about the hardware anatomy of a lot of these devices, and especially the ASIC-assisted software components. But I do know their overall processing power is not typically very much, in the grand scheme of things, as compared to commodity PC hardware, so if they are handling some of the PPS loads we're discussing every day, then surely the data structures in which these endless webs of ACLs are stored and which are traversed when matching ACL criteria are not simple, naive linear lists.

I haven't done a detailed study, of course, and that seems impossible to do without some access to IOS internals, but from an intuitive perspective as a systems developer it seems computationally impossible. Of course, the fact that I, personally, find something counterintuitive is no testament of any scientific credibility to its impossibility or nonexistence. :)

> Now, I suggest you go back and read how iptables / ipfw / pf rules
> are actually -parsed- and -handled- in the various *NIXes you speak of.
> I've done this exercise and I'll give you a hint - rules are evaluated
> much the same as they are on the Cisco, except in some cases the evaluation
> doesn't stop at first hit and there are other gotchas (like "match X goto rule
> Y"). Go figure out why.

I know how they are parsed and evaluated from a superficial perspective. Our observational language and our ontology about these rules is founded to a great extent on the linear form and order of precedence that those rules take in the user interface and the state machine that is described to us.
What I was taking for granted is that in the back end of the packet filter, implemented inside the cavernous interior of the kernel beyond the reach of various APIs, libraries and state databases, these rules take a very different form than what is handed to the user or accessor in the representational realm. It seems fairly obvious that there must be some very erudite, learned hashing or tree-building going on.

--
Alex

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From ross at kallisti.us Tue Sep 9 09:07:32 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 9 Sep 2008 09:07:32 -0400
Subject: [c-nsp] Tool(free?) to extract vlan+trunk info from Cat4003
In-Reply-To: <20080909093557.6dijkup7xdea88sk@webmail.datafx.com.au>
References: <20080909093557.6dijkup7xdea88sk@webmail.datafx.com.au>
Message-ID: <20080909130732.GA26295@kallisti.us>

On Tue, Sep 09, 2008 at 09:35:57AM +1000, mb at adv.gcomm.com.au wrote:
> Hi,
>
> We have a few old Cat4003's that we need to get all L2 Info from (All
> vlans/trunks etc) - Was hoping there was a tool (free) that could
> automate the task?
>
> Had a look at Cisco Network Assist, and enabled http server on the 4ks,
> but it looks like CNA is requesting info that does not exist on the
> 4003's:

Is SNMP an option? You can look at CISCO-VTP-MIB::vlanTrunkPortDynamicStatus to find out the trunking status of an interface. vlanTrunkPortVlansEnabled* will give you a bitmask of the vlans that are permitted on a trunk. vtpVlanName and vtpVlanState will tell you the basic info on a given vlan.

CISCO-VLAN-MEMBERSHIP-MIB::vmVlan will show you vlans assigned to access ports.

--
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies.
The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From maillist at webjogger.net Tue Sep 9 09:41:54 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 9 Sep 2008 09:41:54 -0400
Subject: [c-nsp] iBGP Multi-link question
Message-ID: <3D1D76D4036E45069BC1820B6548FBE0@GINKGO>

Jeff, in my experience having multiple BGP sessions between two routers, with different end-points for each session, works fine ...

----- Original Message -----
From: "Jeff Cartier"
To:
Sent: Monday, September 08, 2008 11:45 AM
Subject: [c-nsp] iBGP Multi-link question

> I'm in a scenario where I have two routers, configured with two
> loopbacks, connected together via two links. I'm in the process of
> transitioning from one loopback to the other and I was wondering if
> there are any caveats to having two sessions up...one BGP session to the
> first loopback (existing), then another BGP session up to the second
> loopback (new).
>
> I don't believe there should be any issues with this...and I don't see
> any documentation suggesting otherwise...just thought I'd ask to be
> certain :-)
>
> ROUTER1============ROUTER2
>
> Lo1:10.1.1.1/32         Lo1:10.1.2.1/32
>
> Lo2:10.1.1.2/32         Lo2:10.1.2.2/32
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Tue Sep 9 09:48:34 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Sep 2008 09:48:34 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B78D56F50@EXCHANGE1.intranet.iseek.com.au>
References: <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <48C604AD.7080500@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F50@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <20080909134834.GB624@rtp-cse-489.cisco.com>

Don't use TACL's on the software platforms. It has been removed from the CLI for the ISR's (it shouldn't have slipped in to begin with).

There are very difficult challenges to handle for things such as updating the ACL on configuration change, memory usage, etc.

Most HW forwarding platforms merge the ACL's in some fashion to reduce the footprint size.

In IOS there is a Trie based ACL now over the linear format. It's on by default and you can't change it.

Rodney

On Tue, Sep 09, 2008 at 04:35:55PM +1000, Matt Carter wrote:
> > Are you serious?
> >
> > Well, I unhappily and disappointedly stand corrected, then. Indeed,
> > Cisco documentation appears to confirm what you and Bill are saying.
> >
> > There are a variety of known algorithms for traversing hashed structures
> > while taking order of precedence into account. I am, quite frankly,
> > astonished that they are not used, or that it takes some sort of ASIC or
> > TCAM enhancement to make that happen.
>
> Turbo (compiled) ACL's was previously mentioned in this thread - have you looked at those ??
>
> The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include:
>
> * For ACLs longer than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the ACL, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the ACL, the greater the benefit.
>
> * The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially in the case of large ACLs) and more importantly, consistent, allowing better network stability and more accurate transit times.

From rodunn at cisco.com Tue Sep 9 09:50:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Sep 2008 09:50:59 -0400
Subject: [c-nsp] changing the number of equal-cost paths
In-Reply-To: <5a2269f70809082359h36562fe2h7340df992a749fb6@mail.gmail.com>
References: <5a2269f70809082359h36562fe2h7340df992a749fb6@mail.gmail.com>
Message-ID: <20080909135058.GC624@rtp-cse-489.cisco.com>

The packet loss would be very very minimal. Users most likely will not even notice it.
Your biggest worry in these environments is the hw programming resources and memory usage when you go with so many dual paths. Just be aware of that and make sure your hw programming LC's can support it.

Rodney

On Tue, Sep 09, 2008 at 03:59:40PM +0900, Takao Hotta wrote:
> Hi,
>
> I would like to change the number of ospf ecmp by using the
> maximum-paths command for up to six equal-cost paths on Cisco 12406.
> But I am worried about the impacts on routing/cef/connection for spf
> recalculation. Thing is it has 6 links now, but ecmp number was like
> default (four). Anyone know any ideas for configuration change
> without packet loss/drops as much as possible?
>
> Thanks in advance.
> Takao

From rens at autempspourmoi.be Tue Sep 9 10:01:52 2008
From: rens at autempspourmoi.be (Rens)
Date: Tue, 9 Sep 2008 16:01:52 +0200
Subject: [c-nsp] Errors before boot loader
Message-ID: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com>

Hi,

Should I worry about errors that are sent from the boot loader?

%SYS-4-CONFIG_NEWER: Configuration from version 12.4 may not be correctly understood
%AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define it.
%AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define it.
%AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define it.
% CEF not enabled. Enable first
% CEF not enabled. Enable first
% CEF not enabled. Enable first
% CEF not enabled. Enable first
%SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
Regards,

Rens

From blahu77 at gmail.com Tue Sep 9 10:26:18 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 9 Sep 2008 15:26:18 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909134834.GB624@rtp-cse-489.cisco.com>
References: <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <48C604AD.7080500@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F50@EXCHANGE1.intranet.iseek.com.au> <20080909134834.GB624@rtp-cse-489.cisco.com>
Message-ID: <383357750809090726l452f8837wfdc8b55d59c20b3f@mail.gmail.com>

Rodney

2008/9/9 Rodney Dunn :
> Don't use TACL's on the software platforms. It has been removed
> from the CLI for the ISR's (it shouldn't have slipped in to begin with).
>

edge2#sh ver | in IOS
Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(28)SB6, RELEASE SOFTWARE (fc1)

edge2(config)#access-list compiled ?
  reuse  Reuse tables when compiling (for reduced memory requirements)

So, it is NOT recommended to use this feature on that router?

> There are very difficult challenges to handle for things such
> as updating the ACL on configuration change, memory usage, etc.
>

and if we made a policy that each ACL update would consist of:
1) remove access-group from the port
2) remove acl
3) create new acl
4) put access-group on the port

Would the above apply as well?

> Most HW forwarding platforms merge the ACL's in some fashion to
> reduce the footprint size.

So when using TACL is recommended? On software-based it is not, on hardware-based we got other mechanisms...
I am confused.

> In IOS there is a Trie based ACL now over the linear format.
> It's on by default and you can't change it.

now - meaning 12.4T ?
--
-mat

From rodunn at cisco.com Tue Sep 9 10:34:44 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Sep 2008 10:34:44 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809090726l452f8837wfdc8b55d59c20b3f@mail.gmail.com>
References: <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <20080909043231.GF16324@skywalker.creative.net.au> <48C604AD.7080500@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F50@EXCHANGE1.intranet.iseek.com.au> <20080909134834.GB624@rtp-cse-489.cisco.com> <383357750809090726l452f8837wfdc8b55d59c20b3f@mail.gmail.com>
Message-ID: <20080909143444.GM624@rtp-cse-489.cisco.com>

On Tue, Sep 09, 2008 at 03:26:18PM +0100, Mateusz Błaszczyk wrote:
> Rodney
>
> 2008/9/9 Rodney Dunn :
> > Don't use TACL's on the software platforms. It has been removed
> > from the CLI for the ISR's (it shouldn't have slipped in to begin with).
> >
>
> edge2#sh ver | in IOS
> Cisco IOS Software, 7301 Software (C7301-K91P-M), Version 12.2(28)SB6,
> RELEASE SOFTWARE (fc1)
>
> edge2(config)#access-list compiled ?
>   reuse  Reuse tables when compiling (for reduced memory requirements)
>
> So, it is NOT recommended to use this feature on that router?

They didn't remove it on the 72xx, 7301, and 75xx from what I remember because they had the distributed or CPU/memory to handle them and there were so many customers already using them.

If your ACL's are static you will probably be ok.
But if it were my network I'd be on code that used Trie based ACL's and get away from TACL's given the problems I worked on with them. When they work they work well but when there are problems with a lot of updates and size they get pretty messy.

If you want speed on them with long ACL's you really should look at something that can do them in hardware.

> > There are very difficult challenges to handle for things such
> > as updating the ACL on configuration change, memory usage, etc.
> >
>
> and if we made a policy that each ACL update would consist of:
> 1) remove access-group from the port
> 2) remove acl
> 3) create new acl
> 4) put access-group on the port
>
> Would the above apply as well?

Removing it from an interface no. Removing the ACL not as much. It's more about modifying the ACL.

> > Most HW forwarding platforms merge the ACL's in some fashion to
> > reduce the footprint size.
>
> So when using TACL is recommended? On software-based it is not, on
> hardware-based we got other mechanisms...
> I am confused.

In general it's not advised to use them at all anymore.

> > In IOS there is a Trie based ACL now over the linear format.
> > It's on by default and you can't change it.
>
> now - meaning 12.4T ?

Yes...12.4M got it too.

> --
> -mat

From rodunn at cisco.com Tue Sep 9 10:35:01 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Sep 2008 10:35:01 -0400
Subject: [c-nsp] Errors before boot loader
In-Reply-To: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com>
References: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com>
Message-ID: <20080909143501.GN624@rtp-cse-489.cisco.com>

No.

Rodney

On Tue, Sep 09, 2008 at 04:01:52PM +0200, Rens wrote:
> Hi,
>
> Should I worry about errors that are sent from the boot loader?
>
> %SYS-4-CONFIG_NEWER: Configuration from version 12.4 may not be correctly
> understood
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> %SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
>
> Regards,
>
> Rens

From jeff-kell at utc.edu Tue Sep 9 10:41:31 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Tue, 09 Sep 2008 10:41:31 -0400
Subject: [c-nsp] 10G Xenpak 'virgin' question
Message-ID: <48C68B1B.4010705@utc.edu>

We're trying to light up our first 10G Xenpak link, so far without success, so I'm looking for a quick sanity check.

3750G-16TD switch with an LR Xenpak [ours], trying to link to a Ciena [not ours] add/drop ONS.

We had some marginal power levels trying to backhaul the circuit across campus, so we relocated the 3750 next to the fiber ingress and trying to get the link up directly connected with no luck.

No link light (ever), not even a noise packet in the interface stats. The interface isn't shutdown. I've tried it P2P (no switchport) and trunk (switchport) and still nothing.

Is there something obvious about a 10G interface configuration that I'm overlooking to get the thing to "speak" ?
Jeff

From colin at netech.ie Tue Sep 9 11:19:02 2008
From: colin at netech.ie (Colin Whittaker)
Date: Tue, 9 Sep 2008 16:19:02 +0100
Subject: [c-nsp] 10G Xenpak 'virgin' question
In-Reply-To: <48C68B1B.4010705@utc.edu>
References: <48C68B1B.4010705@utc.edu>
Message-ID: <20080909151902.GA23977@infiltrator.gizzard.com>

The Ciena is probably not doing auto negotiation. try "speed nonegotiate" on the interface and once it sees light it should bring the interface up.

On Tue, Sep 09, 2008 at 10:41:31AM -0400, Jeff Kell wrote:
> We're trying to light up our first 10G Xenpak link, so far without
> success, so I'm looking for a quick sanity check.
>
> 3750G-16TD switch with an LR Xenpak [ours], trying to link to a Ciena
> [not ours] add/drop ONS.
>
> We had some marginal power levels trying to backhaul the circuit across
> campus, so we relocated the 3750 next to the fiber ingress and trying to
> get the link up directly connected with no luck.
>
> No link light (ever), not even a noise packet in the interface stats.
> The interface isn't shutdown. I've tried it P2P (no switchport) and
> trunk (switchport) and still nothing.
>
> Is there something obvious about a 10G interface configuration that I'm
> overlooking to get the thing to "speak" ?
>
> Jeff

--
Colin Whittaker
+353 (0)86 8211 965
http://colin.netech.ie
colin at netech.ie

From rodunn at cisco.com Tue Sep 9 12:13:04 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 9 Sep 2008 12:13:04 -0400
Subject: [c-nsp] 12.40(20T), pppoe woes
In-Reply-To: <48C60E92.3000600@reub.net>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405F80226@xmb-ams-333.emea.cisco.com> <48C60E92.3000600@reub.net>
Message-ID: <20080909161304.GR624@rtp-cse-489.cisco.com>

Around 10/17.
On Tue, Sep 09, 2008 at 03:50:10PM +1000, Reuben Farrelly wrote:
>
> On 8/09/2008 8:43 PM, Oliver Boehmer (oboehmer) wrote:
> > David,
> >
> > please check CSCsu35584, it will be fixed in the upcoming 12.4(20)T1
> > rebuild and the above restriction will be removed..
> >
> > oli
>
> Hi Oli,
>
> What is the approximate timeframe on 12.4(20)T1?
>
> I'm asking because I'd really like to upgrade to 12.4(20)T but when I did
> all manner of things broke badly - most notably Zone Based Firewall
> (CSCsq43934 and CSCsr58052) and SIP registration (CSCsq85615, CSCsr00711).
>
> ie it wasn't a pleasant experience. Fortunately 12.4(15)T7 is pretty good
> now so that's my downgrade path but still...
>
> Reuben

From gsgranados at comcast.net Tue Sep 9 14:44:06 2008
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 9 Sep 2008 11:44:06 -0700
Subject: [c-nsp] Buffer Tuning pointer?
Message-ID: <028801c912ac$0df6e910$1b0310ac@ccntd1.covad.com>

I'm using a 7206 NPE-G1 and noticing a lot of buffer misses. Everything that I find via Google points me to opening a support case but provides very little background information. There's also a "buffer tune automatic" command but little listed about its proper use. Does anyone have a good buffer tuning pointer or pointer for good fundamental / n00by information concerning buffers?

Thank you
Scott

From jason.plank at comcast.net Tue Sep 9 14:50:20 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Tue, 09 Sep 2008 18:50:20 +0000
Subject: [c-nsp] Buffer Tuning pointer?
Message-ID: <090920081850.13139.48C6C56B000C390500003353220073407605020E049FD202019C0E06@comcast.net>

Scott,

Review: http://www.cisco.com/en/US/products/hw/modules/ps2643/products_tech_note09186a0080093fc5.shtml

This URL is good for getting an understanding on what a buffer miss actually is. I usually look at what the buffers are currently set to and increase in varying increments.

--
Regards,
Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: "Scott Granados"
> I'm using a 7206 NPE-G1 and noticing a lot of buffer misses. Everything
> that I find via Google points me to opening a support case but provides very
> little background information. There's also a "buffer tune automatic"
> command but little listed about its proper use. Does anyone have a good
> buffer tuning pointer or pointer for good fundamental / n00by information
> concerning buffers?
>
> Thank you
> Scott

From streiner at cluebyfour.org Tue Sep 9 15:02:09 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 9 Sep 2008 15:02:09 -0400 (EDT)
Subject: [c-nsp] 10G Xenpak 'virgin' question
In-Reply-To: <48C68B1B.4010705@utc.edu>
References: <48C68B1B.4010705@utc.edu>

On Tue, 9 Sep 2008, Jeff Kell wrote:

> We're trying to light up our first 10G Xenpak link, so far without
> success, so I'm looking for a quick sanity check.
>
> 3750G-16TD switch with an LR Xenpak [ours], trying to link to a Ciena
> [not ours] add/drop ONS.

What type of optics are in use on both ends? Note that LX4 will not talk to SR/LR/ER/ZR. Are you using singlemode or multimode fiber? When you say "across campus" I'm assuming singlemode, but I've been wrong before :)

Also, do OTDR tests show a clean link all through the span?
jms

> We had some marginal power levels trying to backhaul the circuit across
> campus, so we relocated the 3750 next to the fiber ingress and trying to
> get the link up directly connected with no luck.
>
> No link light (ever), not even a noise packet in the interface stats.
> The interface isn't shutdown. I've tried it P2P (no switchport) and
> trunk (switchport) and still nothing.
>
> Is there something obvious about a 10G interface configuration that I'm
> overlooking to get the thing to "speak" ?
>
> Jeff

From scubacuda at gmail.com Tue Sep 9 15:03:39 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 09 Sep 2008 12:03:39 -0700
Subject: [c-nsp] can cisco pix "boomerang" mail traffic?
Message-ID: <48C6C88B.7030001@gmail.com>

Can a Cisco PIX "boomerang" a packet--i.e. route a packet coming from the internal network that is destined for an Internet host back into the internal network via NAT?

I ask because I have email clients pointing to mail.domain.com, and unless I do a split DNS with my mail A record pointing to a 192 address inside and an external mail A record pointing to my public IP address, I'm not quite sure how to do it.

Users using Microsoft Outlook + Exchange don't have a problem getting their email. But users using other email clients (Thunderbird, Outlook Express, etc) obviously cannot resolve the host name if they are on the wrong side of the network. Thunderbird has different identities for each email account, but that's too much work for some of the users.

From r.nevot at gmail.com Tue Sep 9 15:20:23 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Tue, 9 Sep 2008 21:20:23 +0200
Subject: [c-nsp] can cisco pix "boomerang" mail traffic?
In-Reply-To: <48C6C88B.7030001@gmail.com>
References: <48C6C88B.7030001@gmail.com>

Hello,

On Tue, Sep 9, 2008 at 9:03 PM, Rogelio wrote:
> Can a Cisco PIX "boomerang" a packet--i.e. route a packet coming from the
> internal network that is destined for an Internet host back into
> the internal network via NAT?
>
> I ask because I have email clients pointing to mail.domain.com, and
> unless I do a split DNS with my mail A record pointing to a 192 address
> inside and an external mail A record pointing to my public IP address, I'm
> not quite sure how to do it.
>

If I have understood your scenario, sure you will do split DNS, but you can let the PIX work for you. Take a look at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

regards

From Gregori.Parker at theplatform.com Tue Sep 9 15:24:48 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Tue, 9 Sep 2008 12:24:48 -0700
Subject: [c-nsp] can cisco pix "boomerang" mail traffic?
In-Reply-To: <48C6C88B.7030001@gmail.com>
References: <48C6C88B.7030001@gmail.com>
Message-ID: <1A9866F953006D45AEE0166066114E09131EC10E@TPMAIL02.corp.theplatform.com>

Had a similar problem, and dns-doctoring wasn't the right solution (it might work for you if your resolver is external)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

The alternate solution, 'hairpinning', did the job (same link)... just don't forget the global statement on the outside interface.

HTH - Gregori

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rogelio
Sent: Tuesday, September 09, 2008 12:04 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] can cisco pix "boomerang" mail traffic?

Can a Cisco PIX "boomerang" a packet--i.e. route a packet coming from the internal network that is destined for an Internet host back into the internal network via NAT?
I ask because I have email clients pointing to mail.domain.com, and unless I do a split DNS with my mail A record pointing to a 192 address inside and an external mail A record pointing to my public IP address, I'm not quite sure how to do it.

Users using Microsoft Outlook + Exchange don't have a problem getting their email. But users using other email clients (Thunderbird, Outlook Express, etc) obviously cannot resolve the host name if they are on the wrong side of the network. Thunderbird has different identities for each email account, but that's too much work for some of the users.

From kristian at spritelink.net Tue Sep 9 16:10:06 2008
From: kristian at spritelink.net (Kristian Larsson)
Date: Tue, 9 Sep 2008 22:10:06 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C62E1E.2080805@evaristesys.com>
References: <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au> <48C62E1E.2080805@evaristesys.com>
Message-ID: <20080909201006.GC43091@spritelink.se>

On Tue, Sep 09, 2008 at 04:04:46AM -0400, Alex Balashov wrote:
> Just to be clear, in case it isn't, I was not referring to how the ACLs are
> organised from the user perspective, presentation-wise, but rather I was
> surprised that they are not all put into an optimised data structure on the
> back side by IOS by default so that matching can happen with somewhere
> between O(1) and O(n) performance.
>
> Thank you all for the enlightenment on compiled/turbo ACLs.
>
> It makes me wonder whether the reason why routers are generally considered
> a poorer solution for extensive ACL duty than PIXs or ASAs. Does the PIX
> use compiled ACLs by default? Or perhaps there is some sort of extremely
> helpful ASIC-driven optimisation that they provide?

Cisco IOS (without the firewall feature set) doesn't really support
stateful firewalls, but is rather a fixed set of filters applied to
packets. PIX / ASA does stateful packet inspection and some other mumbo
jumbo that security people like to have. I think that would be the #1
reason why one would choose a PIX over an IOS device. I have no clue
whether they're actually faster or not at filtering packets.

-K

>>> Are you _sure_ that order is important in these ACLs? I ask because I
>>> honestly don't know, so don't get me wrong.
>> yes it is.. i have seen software based platforms knock 10-20% cpu off by
>> reworking very poorly laid out ACL's in a "top down" fashion.
>>> It just seems rather unlikely. Organising data like that into
>>> structures where matching and access can happen at more or less an O(1)
>>> formal computational complexity is a basic skill that is taught at the
>>> beginning of any undergraduate curriculum in computer science. Students
>>> are taught to understand that large amounts of random (non-sorted) data
>>> cannot be stored in a linear structure, and that even linear structures
>>> with comparatively few elements (such as an access list) can be very
>>> slow if the lookup is repeated with very great frequency.
>> aren't we doing some kind of eval on our current lists before applying a
>> new one? like i'm thinking
>> 1) fire up the ACL leave it running for a while, look at the number of
>> hits per ACL entry, and rework the ACL such that the maximum number of
>> hits is at the top.
>> 2) shortcut ACL's as bill mentioned
>> eg, consider the following ACL
>>   5 deny udp host
>>   10 deny udp host
>>   20 deny udp host
>>   25 permit ip any
>> presume that 60% of your traffic is TCP. all of this traffic is having to
>> drop through 3 denies before it gets permitted. you could save a
>> significant amount of processing by simply putting
>>   1 permit tcp
>>   5 deny udp host
>>   10 deny udp host
>>   20 deny udp host
>>   25 permit ip any
>> sure, you are doubling up in what is permitted because the TCP would have
>> hit the permit ip any at the bottom anyway, but you are saving a
>> considerable amount of processing by having 60% of your traffic match the
>> first ACL entry. sure, oversimplified, but if you can't permit tcp
>> outright, consider a permit established before you start denying other tcp
>> bits and pieces, because more often than not the majority of traffic being
>> forwarded is established.
>> so in regards to having IOS reorganise the ACL for you that would have to
>> make the assumption that the IOS has the capability to work out what is
>> the ACL entries that are getting the most matches, in order to reorganise
>> them, it isnt going to be able to predict this for you.
>
>
> --
> Alex Balashov
> Evariste Systems
> Web    : http://www.evaristesys.com/
> Tel    : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (706) 338-8599

--
Kristian Larsson                                        KLL-RIPE
Network Engineer / Internet Core
Tele2 / SWIPnet [AS1257]
+46 704 910401
kll at spritelink.net

From jfitz at Princeton.EDU Tue Sep 9 16:33:52 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 9 Sep 2008 16:33:52 -0400
Subject: [c-nsp] Monitoring CPU punted traffic
Message-ID:

I am running 720CXL with SXH code and am trying to monitor the punted
traffic to the RP so that I can confirm what actually gets punted to it.

It appears to show packets but not positive I have configured it
correctly. Has anyone else used this tool?

The doc states that when using the RP CPU as SOURCE that the traffic is
seen from the viewpoint of the ASIC, as shown in snippet below...

------------
Source CPUs

A source CPU is a CPU monitored for traffic analysis. With Release
12.2(33)SXH and later releases, you can configure both the SP CPU and the
RP CPU as SPAN sources. These are examples of what you can do with the
data generated by CPU monitoring:

- Develop baseline information about CPU traffic.
- Develop information to use when creating CoPP policies.
- Troubleshoot CPU-related issues (for example, high CPU utilization).

Note: CPU SPAN monitors CPU traffic from the perspective of the ASICs that
send and receive the CPU traffic, rather than from on board the CPUs
themselves.

- Traffic to and from the CPU is tagged with VLAN IDs. You can configure
  source VLAN filtering of the CPU traffic.
-------------

This is how I configured the SPAN port....
(config) monitor ses 1 local
  (This puts me in config-mon-local mode)

(config-mon-local) destination interface gi13/17
  (THIS PORT HAS TCPDUMP HOST ATTACHED)

(config-mon-local) source cpu rp tx
  (As stated in doc traffic is from viewpoint of ASIC, so I used TX
  assuming transmitted traffic to RP CPU.)

(config-mon-local) no shutdown
  (This is needed to turn on monitor)

(config-mon-local) exit
  (Must exit in order for no shutdown to take effect)

Thanks for any advice on this config.

Jeff Fitzwater
OIT Network Systems
Princeton University

From maillist at webjogger.net Tue Sep 9 16:38:31 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 9 Sep 2008 16:38:31 -0400
Subject: [c-nsp] iBGP Multi-link question
References: <3D1D76D4036E45069BC1820B6548FBE0@GINKGO>
Message-ID:

Jeff, it just occurred to me that I did this in an eBGP environment, not
iBGP as you were asking ...

----- Original Message -----
From: "Adam Greene"
To: "Jeff Cartier" ;
Sent: Tuesday, September 09, 2008 9:41 AM
Subject: Re: [c-nsp] iBGP Multi-link question

> Jeff, in my experience having multiple BGP sessions between two routers,
> with different end-points for each session, works fine ...
>
> ----- Original Message -----
> From: "Jeff Cartier"
> To:
> Sent: Monday, September 08, 2008 11:45 AM
> Subject: [c-nsp] iBGP Multi-link question
>
>
>> I'm in a scenario where I have two routers, configured with two
>> loopbacks, connected together via two links. I'm in the process of
>> transitioning from one loopback to the other and I was wondering if
>> there are any caveats to having two sessions up...one BGP session to the
>> first loopback (existing), then another BGP session up to the second
>> loopback (new).
>>
>> I don't believe there should be any issues with this...and I don't see
>> any documentation suggesting otherwise...just thought I'd ask to be
>> certain :-)
>>
>> ROUTER1============ROUTER2
>>
>> Lo1:10.1.1.1/32     Lo1:10.1.2.1/32
>>
>> Lo2:10.1.1.2/32     Lo2:10.1.2.2/32
>>

From lukasz at bromirski.net Tue Sep 9 16:39:38 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 09 Sep 2008 22:39:38 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909201006.GC43091@spritelink.se>
References: <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au> <48C62E1E.2080805@evaristesys.com> <20080909201006.GC43091@spritelink.se>
Message-ID: <48C6DF0A.70709@bromirski.net>

Kristian Larsson wrote:
> Cisco IOS (without the firewall feature set)
> doesn't really support stateful firewalls, but is
> rather a fixed set of filters applied to packets.
> PIX / ASA does stateful packet inspection and some
> other mumbo jumbo that security people like to
> have. I think that would be the #1 reason why
> one would choose a PIX over an IOS device.
> I have no clue whether they're actually faster or
> not at filtering packets.
They are. Statefully filtering and inspecting packets requires a lot of
horsepower, and CPUs in ASAs are much beefier than the ones You can spot
on ISRs or 7200. NAT and CBAC/ZBFW are features hitting CPUs in routers a
lot.

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From sthaug at nethelp.no Tue Sep 9 17:01:50 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Tue, 09 Sep 2008 23:01:50 +0200 (CEST)
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909201006.GC43091@spritelink.se>
References: <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au> <48C62E1E.2080805@evaristesys.com> <20080909201006.GC43091@spritelink.se>
Message-ID: <20080909.230150.74703307.sthaug@nethelp.no>

> I have no clue whether they're actually faster or
> not at filtering packets.

Can PIX/ASA filter 10 Gig minimum sized packets at line rate (like many
core routers can)? I notice the data sheet for the ASA 5580-40 claims 10
Gbps (real-world HTTP), 20 Gbps (jumbo frames) - but there's no mention
of minimum sized packets.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From lukasz at bromirski.net Tue Sep 9 17:51:19 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 09 Sep 2008 23:51:19 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080909.230150.74703307.sthaug@nethelp.no>
References: <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au> <48C62E1E.2080805@evaristesys.com> <20080909201006.GC43091@spritelink.se> <20080909.230150.74703307.sthaug@nethelp.no>
Message-ID: <48C6EFD7.9010003@bromirski.net>

sthaug at nethelp.no wrote:
>> I have no clue whether they're actually faster or
>> not at filtering packets.
>
> Can PIX/ASA filter 10 Gig minimum sized packets at line rate (like many
> core routers can)? I notice the data sheet for the ASA 5580-40 claims 10
> Gbps (real-world HTTP), 20 Gbps (jumbo frames) - but there's no mention
> of minimum sized packets.

As you probably know - not. Filtering packets without keeping state for
session is a lot simpler and implemented for years in hardware. With NPs
like those used in ASA5580 and FWSM you can accelerate inspection of some
of the traffic, but not all of course.

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From lukasz at bromirski.net Tue Sep 9 17:55:25 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Tue, 09 Sep 2008 23:55:25 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <48C6DF0A.70709@bromirski.net>
References: <20080905120724.GI15736@rtp-cse-489.cisco.com> <20080905184202.GD20054@rtp-cse-489.cisco.com> <383357750809060359w5b204530qe491c7adf048a8cf@mail.gmail.com> <20080908135935.GS19347@rtp-cse-489.cisco.com> <383357750809081315p58423820vef081acdbe858b21@mail.gmail.com> <20080908205046.GK29172@elvis.mu.org> <48C5FC11.2020109@evaristesys.com> <7FEDD455961B164D8C4EEA60E22914205B78D56F4F@EXCHANGE1.intranet.iseek.com.au> <48C62E1E.2080805@evaristesys.com> <20080909201006.GC43091@spritelink.se> <48C6DF0A.70709@bromirski.net>
Message-ID: <48C6F0CD.8040606@bromirski.net>

Łukasz Bromirski wrote:
> Kristian Larsson wrote:
>> I have no clue whether they're actually faster or
>> not at filtering packets.
> They are. Statefully filtering and inspecting packets requires a lot
> of horsepower, and CPUs in ASAs are much beefier than the ones You can
> spot on ISRs or 7200. NAT and CBAC/ZBFW are features hitting CPUs
> in routers a lot.

Uh, sorry, I thought it was 'at firewalling', not 'filtering packets'.
Still, ISRs and 7200 will be slower than ASA 5510 and higher models with
simple packet filtering (stateless that is). For stateful - way slower.

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From jonvoip at gmail.com Tue Sep 9 22:07:43 2008
From: jonvoip at gmail.com (Jonathan Charles)
Date: Tue, 9 Sep 2008 21:07:43 -0500
Subject: [c-nsp] WLC 4402 routing
Message-ID: <5d093f9a0809091907g70632769j6d7e9d651c316352@mail.gmail.com>

I have a 4402 with two subnets, voice and data... and a management
interface. This is a remote site and the AAA server is at the HQ...

There is no IP address on the service port, but the WLC will not let me
add a route to get to the AAA server... I do not have another subnet to
use...

Why can't I use the in-band management interface to route back to my AAA
Server?

Jonathan

From damin at nacs.net Tue Sep 9 23:44:45 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Tue, 9 Sep 2008 23:44:45 -0400
Subject: [c-nsp] BGP Route Selection
Message-ID: <16af01c912f7$910a6750$b31f35f0$@net>

Cisco RSP4+ (R5000) processor with 262144K/2072K bytes of memory.
Slave in slot 3 is running Cisco IOS Software, RSP Software (RSP-IK91SV-M),
Version 12.2(25)S12, RELEASE SOFTWARE (fc1)

Hello,

I'm bringing up a new BGP peer and am working at tweaking our BGP routing
configuration. In doing so, I'm noticing something weird about a particular
path, and since I'm rather tired at the moment, wanted to have a fresh set
of eyes take a look at it. Can someone explain to me the reason why Path #3
is being chosen over the lower AS-Path #1 and #2 routing choices?
core1#show ip bgp 4.68.95.11
BGP routing table entry for 4.0.0.0/9, version 6
Paths: (4 available, best #3, table Default-IP-Routing-Table)
Multipath: eBGP
  Not advertised to any peer
  3356, (aggregated by 3356 4.69.130.12)
    4.53.194.5 from 4.53.194.5 (4.69.181.195)
      Origin IGP, metric 1000, localpref 100, valid, external, atomic-aggregate
      Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006
  3356, (aggregated by 3356 4.69.130.12), (received-only)
    4.53.194.5 from 4.53.194.5 (4.69.181.195)
      Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate
      Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006
  2828 3356, (aggregated by 3356 4.69.130.12)
    67.106.93.233 (metric 20) from 207.166.219.2 (207.166.219.2)
      Origin IGP, metric 1000, localpref 150, valid, internal, atomic-aggregate, best
  2828 3356, (aggregated by 3356 4.69.130.12), (received-only)
    67.106.93.233 (metric 20) from 207.166.219.2 (207.166.219.2)
      Origin IGP, metric 3, localpref 150, valid, internal, atomic-aggregate

From mtinka at globaltransit.net Wed Sep 10 00:35:05 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 10 Sep 2008 12:35:05 +0800
Subject: [c-nsp] BGP Route Selection
In-Reply-To: <16af01c912f7$910a6750$b31f35f0$@net>
References: <16af01c912f7$910a6750$b31f35f0$@net>
Message-ID: <200809101235.09688.mtinka@globaltransit.net>

On Wednesday 10 September 2008 11:44:45 Gregory Boehnlein wrote:

> Can someone explain
> to me the reason why Path #3 is being chosen over the
> lower AS-Path #1 and #2 routing choices?

Path 3 is the best because it has a higher LOCAL_PREF value (150) vs. that
from paths 1 and 2.

Cheers,

Mark.

From jlewis at lewis.org Wed Sep 10 00:40:35 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 10 Sep 2008 00:40:35 -0400 (EDT)
Subject: [c-nsp] BGP Route Selection
In-Reply-To: <16af01c912f7$910a6750$b31f35f0$@net>
References: <16af01c912f7$910a6750$b31f35f0$@net>
Message-ID:

On Tue, 9 Sep 2008, Gregory Boehnlein wrote:

> I'm bringing up a new BGP peer and am working at tweaking our BGP
> routing configuration. In doing so, I'm noticing something weird about a
> particular path, and since I'm rather tired at the moment, wanted to have a
> fresh set of eyes take a look at it. Can someone explain to me the reason
> why Path #3 is being chosen over the lower AS-Path #1 and #2 routing
> choices?

Path 3 has localpref 150, which "overrules" the shorter as path at
localpref 100. You're probably using an input route-map and setting this.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From frnkblk at iname.com Wed Sep 10 01:13:12 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 10 Sep 2008 00:13:12 -0500
Subject: [c-nsp] can cisco pix "boomerang" mail traffic?
In-Reply-To:
References: <48C6C88B.7030001@gmail.com>
Message-ID:

We use that, works like a charm.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Raul Lopez Nevot
Sent: Tuesday, September 09, 2008 2:20 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] can cisco pix "boomerang" mail traffic?

Hello,

On Tue, Sep 9, 2008 at 9:03 PM, Rogelio wrote:
> Can a Cisco PIX "boomerang" a packet--i.e. route a packet coming from the
> internal network that is destined for an Internet host back into
> the internal network via NAT?
>
> I ask because I have email clients pointing to mail.domain.com, and
> unless I do a split DNS with my mail A record pointing to a 192 address
> inside and an external mail A record pointing to my public IP address, I'm
> not quite sure how to do it.
>

If I have understood your scenario, sure you will do split DNS, but you can
let the PIX work for you. Take a look at
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

regards

From andy.saykao at staff.netspace.net.au Wed Sep 10 01:34:48 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 10 Sep 2008 15:34:48 +1000
Subject: [c-nsp] Can the PE router take on multiple roles?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE036548CC@vic-cr-ex1.staff.netspace.net.au>

Hi All,

We have a few spare 7301's out the back and I was thinking of using one of
them to be a NAT-PE router. No biggie with doing this but I was wondering
if the NAT-PE router could also take on other roles which would be
beneficial in a MPLS VPN environment such as using it to act as a SSL VPN
Gateway for remote access. Could the same unit also be used to act as a
Route Reflector to reflect VPNv4 routes? Or am I putting too much load on
the router and/or putting all my eggs in one basket?

At present, we don't have many MPLS VPN customers yet but the hope is to
make things scalable so we can grow comfortable as the number of VPN
customers grow.

In summary, is it a good idea to use the 7301 to perform the following
roles:

- NAT-PE / Internet Gateway
- SSL VPN Gateway
- BGP Route Reflector

Ideas, comments, personal experiences, etc most welcomed.

Thanks.
Andy

From tseveendorj at gmail.com Wed Sep 10 02:38:42 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Wed, 10 Sep 2008 14:38:42 +0800
Subject: [c-nsp] dial-peer related question
Message-ID: <62c908120809092338o4b7d7760p81967622626fb42e@mail.gmail.com>

Hi guys

I have 5350 gateway and gateway connected to internet via gigabit
ethernet, connected to ISDN by 2 E1 ports via PRI. Dial peer looks like
this :

dial-peer voice 4002 voip
 voice-class codec 1
 session target ipv4:61.250.94.66
 incoming called-number 0301T
 dtmf-relay rtp-nte h245-signal h245-alphanumeric
 fax-relay ecm disable
 fax rate 9600
 fax protocol t38 ls-redundancy 2 hs-redundancy 2 fallback none
!
dial-peer voice 4003 pots
 destination-pattern 0301T
 progress_ind alert enable 8
 direct-inward-dial
 port 2/0:D
!
dial-peer voice 4006 pots
 destination-pattern 0301T
 progress_ind alert enable 8
 direct-inward-dial
 port 2/3:D
!

The call coming from dial-peer 4002 and outgoing to 4003, 4006. 30 calls
came from 4002 to 4003 and 4006 it can handle when 31st call came it
couldn't. I think 2 E1 card can handle 60 calls. but it didn't. I think
problem in configuration. How to solve it?

Thanks for any help

Sincerely,
Tseveen.

From peter at rathlev.dk Wed Sep 10 04:28:35 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 10 Sep 2008 10:28:35 +0200
Subject: [c-nsp] Errors before boot loader
In-Reply-To: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com>
References: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com>
Message-ID: <1221035315.23943.5.camel@abehat>

On Tue, 2008-09-09 at 16:01 +0200, Rens wrote:
> Hi,
>
> Should I worry about errors that are sent from the boot loader?

If Rodney says no, you probably shouldn't. :-)

> %SYS-4-CONFIG_NEWER: Configuration from version 12.4 may not be correctly
> understood
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> %AAAA-4-SERVUNDEF: The server-group "tacacs+" is not defined. Please define
> it.
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> % CEF not enabled. Enable first
> %SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.

If it's a platform with separate boot-image (like 7200) you could update
this boot loader. I don't know exactly why one would/wouldn't do that, but
the first line seems to indicate that boot-image and IOS-image are
different versions.

We have several routers running different versions of boot and IOS,
apparently with no problems, but we've begun upgrading the boot code to
match the IOS though, if not for anything else then for the looks.

Any reason not to do this? Or to do it?

Regards,
Peter

From rootnet08 at gmail.com Wed Sep 10 04:32:03 2008
From: rootnet08 at gmail.com (root net)
Date: Wed, 10 Sep 2008 03:32:03 -0500
Subject: [c-nsp] NBAR & QoS
Message-ID: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com>

Hello,

I am looking into running NBAR along side with QoS in our network. I was
wondering what the list was doing if running NBAR.
I want to protect against excessive file sharing customers or at least
throttle those specific applications. Some suggestions as the best place
to configure this in a network or what you all are doing is appreciated?
Maybe even running on a mirror port?

My thoughts are placing on Cisco 7206 NPE-225/256MB box but am not sure if
we should upgrade to a 7204VXR NPE-400/512Mb or not. This box runs
terminates static (no PPPoE) DSL customers and about 20 to 30
subinterfaces. Although may move to PPPoE in the future. CPU usage is
light and memory operates around 120MB free give or take.

Thanks in advance!

RootNet08

From mtinka at globaltransit.net Wed Sep 10 04:51:03 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 10 Sep 2008 16:51:03 +0800
Subject: [c-nsp] Errors before boot loader
In-Reply-To: <1221035315.23943.5.camel@abehat>
References: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com> <1221035315.23943.5.camel@abehat>
Message-ID: <200809101651.07516.mtinka@globaltransit.net>

On Wednesday 10 September 2008 16:28:35 Peter Rathlev wrote:

> If it's a platform with separate boot-image (like 7200)
> you could update this boot loader. I don't know exactly
> why one would/wouldn't do that, but the first line seems
> to indicate that boot-image and IOS-image are different
> versions.

We see these kinds of logs from the boot loader on various 7200's we have
in production, e.g., it says the 'mtu' command configured on one or more
of the interfaces named is not supported, etc., and yet we know the full
IOS image supports it.

It doesn't bother us, since we know the full image will have the full
feature support we need.

Cheers,

Mark.

From zivl at gilat.net Wed Sep 10 05:16:21 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 10 Sep 2008 12:16:21 +0300
Subject: [c-nsp] Errors before boot loader
In-Reply-To: <200809101651.07516.mtinka@globaltransit.net>
References: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com> <1221035315.23943.5.camel@abehat> <200809101651.07516.mtinka@globaltransit.net>
Message-ID:

I had a similar problem then updated the boot loader to a newer one and
the problem was solved.
To this I must ask, what's the most important reason I'd want to use a
boot loader AND an IOS while I can just use IOS that can boot-load too?

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Wednesday, September 10, 2008 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Errors before boot loader

On Wednesday 10 September 2008 16:28:35 Peter Rathlev wrote:

> If it's a platform with separate boot-image (like 7200) you could
> update this boot loader. I don't know exactly why one would/wouldn't
> do that, but the first line seems to indicate that boot-image and
> IOS-image are different versions.

We see these kinds of logs from the boot loader on various 7200's we have
in production, e.g., it says the 'mtu' command configured on one or more
of the interfaces named is not supported, etc., and yet we know the full
IOS image supports it.

It doesn't bother us, since we know the full image will have the full
feature support we need.

Cheers,

Mark.

From peter at rathlev.dk Wed Sep 10 05:16:42 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 10 Sep 2008 11:16:42 +0200
Subject: [c-nsp] Monitoring CPU punted traffic
In-Reply-To:
References:
Message-ID: <1221038202.23943.18.camel@abehat>

On Tue, 2008-09-09 at 16:33 -0400, Jeff Fitzwater wrote:
> I am running 720CXL with SXH code and am trying to monitor the punted
> traffic to the RP so that I can confirm what actually gets punted to
> it.
>
> It appears to show packets but not positive I have configured it
> correctly. Has anyone else used this tool?

What kind of traffic do you see? What do you expect to see, i.e. what's
missing?

I don't know the SXH way (sounds fancy though) but there's the "good old"
RP-inband/SP-inband way, described here:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00804916e0.shtml#span_inband
http://tinyurl.com/5hx7pb

Docs says you "have" to use the new semantics on SXH though, just like you
did. You might not be able to use the above on SXH, or it might be
unsupported.

> This is how I configured the SPAN port....
>
> (config) monitor ses 1 local (This puts me in config-mon-local mode)
>
> (config-mon-local) destination interface gi13/17 (THIS PORT HAS
> TCPDUMP HOST ATTACHED)
>
> (config-mon-local) source cpu rp tx (As stated in doc traffic is from
> viewpoint of ASIC, so I used TX assuming transmitted traffic to RP
> CPU.)
>
> (config-mon-local)no shutdown (This is needed to turn on monitor)
>
> (config-mon-local) exit (Must exit in order for no shutdown to take
> effect)

Small point: According to the docs, you should rather use "local-tx" type
than "local" when it's just for TX. It's apparently a matter of resources
and not functionality though.
Regards, Peter From nimal at fnbs.net Wed Sep 10 05:24:21 2008 From: nimal at fnbs.net (Nimal David Sirimanne) Date: Wed, 10 Sep 2008 17:24:21 +0800 Subject: [c-nsp] VPN Failover Message-ID: <48C79245.8030707@fnbs.net> Hi guys, We have 2 major offices (SITEA,SITEB)running site-2-site VPN connection between them. We are now setting up a new DR site (DRSITE) for SITEB However, our constraint is that SITEB internal network addressing and DRSITE internal network addressing has to be exactly the same. If internal network addressing for SITEB is 10.10.10.0/24, then internal network addressing for DRSITE is also 10.10.10.0/24. As i understand, it is not possible to for SITEA to have 2 active vpn links to sites with the same internal network addressing. Is it then possible, if SITEA -- vpn -- SITEB fails, that it will failover to SITEA -- vpn -- DRSITE? Hope i explained that properly. Thanks! Nimal From p.mayers at imperial.ac.uk Wed Sep 10 05:36:09 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 10 Sep 2008 10:36:09 +0100 Subject: [c-nsp] VACL capture versus OAL on 6500s Message-ID: <48C79509.5010708@imperial.ac.uk> All, I know that VACL capture is mutually exclusive with OAL on 6500s. We have a chassis which currently has OAL configured i.e. logging ip access-list cache rate-limit 300 int VlanX logging ip access-list cache in logging ip access-list cache out I now need to use VACL capture; can I just disable the "logging ip" commands, and then enable VACL capture, or do I need a reboot? 
From sidney.boumendil at gmail.com Wed Sep 10 05:52:22 2008 From: sidney.boumendil at gmail.com (Sidney Boumendil) Date: Wed, 10 Sep 2008 11:52:22 +0200 Subject: [c-nsp] VPN Failover In-Reply-To: <48C79245.8030707@fnbs.net> References: <48C79245.8030707@fnbs.net> Message-ID: <41522e900809100252s36006053o24e262991f386ce4@mail.gmail.com> On Wed, Sep 10, 2008 at 11:24 AM, Nimal David Sirimanne wrote: > Hi guys, > Is it then possible, if SITEA -- vpn -- SITEB fails, that it will failover > to SITEA -- vpn -- DRSITE? > Hi, Have a look at DPD and RRI features. Cisco design guides: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080739e7c.pdf http://www-search.cisco.com/univercd/cc/td/doc/solution/ipsecovr.pdf HTH Sidney From gert at greenie.muc.de Wed Sep 10 06:31:47 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 10 Sep 2008 12:31:47 +0200 Subject: [c-nsp] BGP Route Selection In-Reply-To: <16af01c912f7$910a6750$b31f35f0$@net> References: <16af01c912f7$910a6750$b31f35f0$@net> Message-ID: <20080910103147.GG17238@greenie.muc.de> Hi, On Tue, Sep 09, 2008 at 11:44:45PM -0400, Gregory Boehnlein wrote: > 3356, (aggregated by 3356 4.69.130.12) > 4.53.194.5 from 4.53.194.5 (4.69.181.195) > Origin IGP, metric 1000, localpref 100, valid, external, > atomic-aggregate > Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006 > 3356, (aggregated by 3356 4.69.130.12), (received-only) > 4.53.194.5 from 4.53.194.5 (4.69.181.195) > Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate > Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006 > 2828 3356, (aggregated by 3356 4.69.130.12) > 67.106.93.233 (metric 20) from 207.166.219.2 (207.166.219.2) > Origin IGP, metric 1000, localpref 150, valid, internal, > atomic-aggregate, best "localpref 150" means "ignore path length, force this path to win". (default localpref is 100, larger numbers = better) gert -- USENET is *not* the non-clickable part of WWW! 
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                          gert at greenie.muc.de
fax: +49-89-35655025                     gert at net.informatik.tu-muenchen.de

From peterkcc2001 at gmail.com Wed Sep 10 07:08:24 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Wed, 10 Sep 2008 07:08:24 -0400
Subject: [c-nsp] jumbo frame
Message-ID:

Hi

Do I need to enable the jumbo frame in Cisco, e.g. "mtu 9000", or can it automatically learn?

Thank you

From mtinka at globaltransit.net Wed Sep 10 07:30:35 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 10 Sep 2008 19:30:35 +0800
Subject: [c-nsp] jumbo frame
In-Reply-To:
References:
Message-ID: <200809101930.39160.mtinka@globaltransit.net>

On Wednesday 10 September 2008 19:08:24 kcc wrote:
> Do I need to enable the jumbo frame in cisco eg: mtu 9000
> or it can automatically learn?

The biggest problems operators have faced with PMTUd is filtering. If this is for your backbone, this is in your control.

That said, we hard-set jumbo frame MTU on all our kit. We prefer the predictability of some of these things :-).

Cheers,
Mark.

From cchurc05 at harris.com Wed Sep 10 07:57:04 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 10 Sep 2008 06:57:04 -0500
Subject: [c-nsp] NBAR & QoS
In-Reply-To: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com>
References: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com>
Message-ID:

We're using it on a 2821 for the same purpose - QoS to 2 upstreams, and file sharing shaping. Currently running about 10% CPU when pushing about 9mb through it. It's probably good for almost a full DS-3 on the 2821, at least in our application.
If you can run 12.4 on the NPE225, I'd say enable it on a couple of subints (protocol discovery) at a time, and keep an eye on the CPU. If CPU stays low, keep adding to it. I seem to remember having some weird NBAR issues with 12.3. How much traffic are you pushing through it currently? 20 to 30 customers doesn't sound like it'd be a problem.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
Sent: Wednesday, September 10, 2008 4:32 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NBAR & QoS

Hello,

I am looking into running NBAR alongside QoS in our network. I was wondering what the list was doing if running NBAR. I want to protect against excessive file sharing customers or at least throttle those specific applications. Some suggestions as to the best place to configure this in a network, or what you all are doing, would be appreciated. Maybe even running on a mirror port?

My thoughts are placing it on a Cisco 7206 NPE-225/256MB box but I am not sure if we should upgrade to a 7204VXR NPE-400/512MB or not. This box terminates static (no PPPoE) DSL customers and about 20 to 30 subinterfaces, although we may move to PPPoE in the future. CPU usage is light and memory operates around 120MB free, give or take.

Thanks in advance!

RootNet08
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gary.ciscomail at gmail.com Wed Sep 10 09:00:50 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Wed, 10 Sep 2008 14:00:50 +0100
Subject: [c-nsp] CLI Restricted Flag Override
Message-ID:

We have CUCM 6.1 with a Q.931 connection from a Cisco voice gateway to a TDM PBX network. On some PBXs in the network, the CLI restricted flag is set, and this is transmitted across the Q.931 link.
I can see the calling number on the gateway, but the IP Phone displays "Unknown Number". Is there any way this can be overridden, either on the gateway or CUCM?

Thanks

From peter at rathlev.dk Wed Sep 10 09:00:45 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 10 Sep 2008 15:00:45 +0200
Subject: [c-nsp] jumbo frame
In-Reply-To:
References:
Message-ID: <1221051645.3762.3.camel@abehat>

On Wed, 2008-09-10 at 07:08 -0400, kcc wrote:
> Do I need to enable the jumbo frame in cisco eg: mtu 9000
> or it can automatically learn?

If you're asking whether the switch/router can automatically "sense" that it needs to use a 9000 byte MTU, then the answer is no. Packets exceeding the configured (or default) MTU are discarded as errors.

Default MTU is 1500 bytes, most interfaces allowing "baby giants" AFAIK, up to 1530 bytes or so. You can configure it with the config-if command "mtu X".

Beware: The "small" L3 switches (e.g. 3750) need a "system mtu jumbo X" global config command and a reload.

Regards,
Peter

From rodunn at cisco.com Wed Sep 10 09:47:54 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 10 Sep 2008 09:47:54 -0400
Subject: [c-nsp] Can the PE router take on multiple roles?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE036548CC@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE036548CC@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20080910134754.GE11984@rtp-cse-489.cisco.com>

It would work fine. Watch the CPU and memory to gauge scalability as you grow.

Rodney

On Wed, Sep 10, 2008 at 03:34:48PM +1000, Andy Saykao wrote:
> Hi All,
>
> We have a few spare 7301's out the back and I was thinking of using one
> of them to be a NAT-PE router. No biggie with doing this but I was
> wondering if the NAT-PE router could also take on other roles which
> would be beneficial in a MPLS VPN environment such as using it to act as
> a SSL VPN Gateway for remote access.
> Could the same unit also be used to
> act as a Route Reflector to reflect VPNv4 routes? Or am I putting too
> much load on the router and/or putting all my eggs in one basket?
>
> At present, we don't have many MPLS VPN customers yet but the hope is to
> make things scalable so we can grow comfortably as the number of VPN
> customers grows.
>
> In summary, is it a good idea to use the 7301 to perform the following
> roles:
>
> - NAT-PE / Internet Gateway
> - SSL VPN Gateway
> - BGP Route Reflector
>
> Ideas, comments, personal experiences, etc. most welcome.
>
> Thanks.
>
> Andy
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received this
> email by mistake and delete this email from your system. Please note that
> any views or opinions presented in this email are solely those of the
> author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses. The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.

From rodunn at cisco.com Wed Sep 10 09:48:27 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 10 Sep 2008 09:48:27 -0400
Subject: [c-nsp] Errors before boot loader
In-Reply-To:
References: <81FF162258F4476DAC6190201B439281@EU.corp.clearwire.com> <1221035315.23943.5.camel@abehat> <200809101651.07516.mtinka@globaltransit.net>
Message-ID: <20080910134827.GF11984@rtp-cse-489.cisco.com>

If the main IOS image fails, so you have tftpboot ability.
On Wed, Sep 10, 2008 at 12:16:21PM +0300, Ziv Leyes wrote:
> I had a similar problem, then updated the boot loader to a newer one and the problem was solved.
> To this I must ask, what's the most important reason I'd want to use a boot loader AND an IOS while I can just use an IOS that can boot-load too?
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Wednesday, September 10, 2008 11:51 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Errors before boot loader
>
> On Wednesday 10 September 2008 16:28:35 Peter Rathlev wrote:
>
> > If it's a platform with separate boot-image (like 7200) you could
> > update this boot loader. I don't know exactly why one would/wouldn't
> > do that, but the first line seems to indicate that boot-image and
> > IOS-image are different versions.
>
> We see these kinds of logs from the boot loader on various 7200's we have in production, e.g., it says the 'mtu'
> command configured on one or more of the interfaces named is not supported, etc., and yet we know the full IOS image supports it.
>
> It doesn't bother us, since we know the full image will have the full feature support we need.
>
> Cheers,
>
> Mark.
>
> ************************************************************************************
> This footnote confirms that this email message has been scanned by
> PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
> ************************************************************************************

From david at davidcoulson.net Wed Sep 10 09:59:12 2008
From: david at davidcoulson.net (David Coulson)
Date: Wed, 10 Sep 2008 09:59:12 -0400
Subject: [c-nsp] BGP Route Selection
In-Reply-To: <16af01c912f7$910a6750$b31f35f0$@net>
References: <16af01c912f7$910a6750$b31f35f0$@net>
Message-ID: <48C7D2B0.6080403@davidcoulson.net>

You could fix it with a route-map and as-path.

ip as-path access-list 98 permit ^3356$
!
route-map as-3356-inbound permit 5
 match as-path 98
 set local-preference 200

Then in the router bgp section, add this:

 neighbor 4.53.194.5 route-map as-3356-inbound in

This will solve the problem for the specific route, however it may not do what you intend with all of the routes on your network.

David

Gregory Boehnlein wrote:
> Cisco RSP4+ (R5000) processor with 262144K/2072K bytes of memory. Slave in
> slot 3 is running Cisco IOS Software, RSP Software (RSP-IK91SV-M), Version
> 12.2(25)S12, RELEASE SOFTWARE (fc1)
>
> Hello,
> I'm bringing up a new BGP peer and am working at tweaking our BGP
> routing configuration. In doing so, I'm noticing something weird about a
> particular path, and since I'm rather tired at the moment, wanted to have a
> fresh set of eyes take a look at it. Can someone explain to me the reason
> why Path #3 is being chosen over the lower AS-Path #1 and #2 routing
> choices?
>
> core1#show ip bgp 4.68.95.11
> BGP routing table entry for 4.0.0.0/9, version 6
> Paths: (4 available, best #3, table Default-IP-Routing-Table)
> Multipath: eBGP
>   Not advertised to any peer
>   3356, (aggregated by 3356 4.69.130.12)
>     4.53.194.5 from 4.53.194.5 (4.69.181.195)
>       Origin IGP, metric 1000, localpref 100, valid, external, atomic-aggregate
>       Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006
>   3356, (aggregated by 3356 4.69.130.12), (received-only)
>     4.53.194.5 from 4.53.194.5 (4.69.181.195)
>       Origin IGP, metric 0, localpref 100, valid, external, atomic-aggregate
>       Community: 3356:0 3356:3 3356:100 3356:123 3356:575 3356:2006
>   2828 3356, (aggregated by 3356 4.69.130.12)
>     67.106.93.233 (metric 20) from 207.166.219.2 (207.166.219.2)
>       Origin IGP, metric 1000, localpref 150, valid, internal, atomic-aggregate, best
>   2828 3356, (aggregated by 3356 4.69.130.12), (received-only)
>     67.106.93.233 (metric 20) from 207.166.219.2 (207.166.219.2)
>       Origin IGP, metric 3, localpref 150, valid, internal, atomic-aggregate
>

From jfitz at Princeton.EDU Wed Sep 10 10:04:05 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 10 Sep 2008 10:04:05 -0400
Subject: [c-nsp] FWSM shun counters followup
Message-ID: <334184A0-3EAA-40DB-902A-05B64E971127@princeton.edu>

This is a followup of my previous question about FWSM "show shun statistics" and the counter value being only 64K.

I sent the problem to Cisco tech, which returned the following response...

----------
> I have confirmed with our developers that the hit count is a two
> byte counter in the NPs so the limit is actually 64K. Currently we
> do not have a way to increase it beyond that.
---------

My followup question to the list is....
On an ASA or PIX is the counter larger than 64K (2 bytes)? In reading a Cisco book on ASA, PIX and FWSM, they show an example that has a host counter value of 21277328, which is clearly over 64K. I am guessing that maybe a PIX or ASA has a larger counter.

If the FWSM truly only has 64K, which is what I see on my FWSM running 4.02, this is almost useless, especially when the counter wraps multiple times or even wraps to the same value (unlikely as that may be).

We do some calculations on the counter to determine how long to keep the shun in place, but as we found out it is only 64K, which with certain scans hits 64K quickly and wraps.

Does anybody see the same problem, or can you confirm the counter size on PIX, ASA or FWSM?

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University

From nasir.shaikh at bt.com Wed Sep 10 10:07:27 2008
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Wed, 10 Sep 2008 15:07:27 +0100
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box
Message-ID:

Hi,

I have a 2851 working as a hub for remote VPN sites using CA certificates. I want to add other remotes which are using pre-shared keys as their authentication method. Is it possible to configure the hub router to support both the CA trustpoint and pre-shared keys?

Kind regards
Nasir Shaikh

From rens at autempspourmoi.be Wed Sep 10 10:11:09 2008
From: rens at autempspourmoi.be (Rens)
Date: Wed, 10 Sep 2008 16:11:09 +0200
Subject: [c-nsp] Router reloads on it's own
Message-ID:

Can anyone help me with the following? How can I get more info regarding this error message?

System returned to ROM by bus error at PC 0x60995708, address 0x60995708 at 12:09:02 CET Mon Sep 8 2008
System restarted at 12:10:43 CET Mon Sep 8 2008
System image file is "disk0:c7200-p-mz.122-25.S11.bin"

Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of memory.
Processor board ID 23690131
R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2 Cache
6 slot VXR midplane, Version 2.3

Last reset from watchdog reset

From damin at nacs.net Wed Sep 10 10:03:01 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Wed, 10 Sep 2008 10:03:01 -0400
Subject: [c-nsp] BGP Route Selection
In-Reply-To: <20080910103147.GG17238@greenie.muc.de>
References: <16af01c912f7$910a6750$b31f35f0$@net> <20080910103147.GG17238@greenie.muc.de>
Message-ID: <17de01c9134d$f0104f20$d030ed60$@net>

Thanks to everyone that replied. Indeed, I typoed on my route-map:

core1#show route-map as-3356-incoming
route-map as-3356-incoming, permit, sequence 5
  Match clauses:
    as-path (as-path filter): 99
  Set clauses:
    local-preference 150
  Policy routing matches: 0 packets, 0 bytes
route-map as-3356-incoming, permit, sequence 10
  Match clauses:
  Set clauses:
    metric 1000
    local-preference 100
  Policy routing matches: 0 packets, 0 bytes

The as-path filter should be 97, not 99.

> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Wednesday, September 10, 2008 6:32 AM
> To: Gregory Boehnlein
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP Route Selection
>
> Hi,
>
> On Tue, Sep 09, 2008 at 11:44:45PM -0400, Gregory Boehnlein wrote:
>
> "localpref 150" means "ignore path length, force this path to win".
>
> (default localpref is 100, larger numbers = better)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                    //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025                gert at net.informatik.tu-muenchen.de

From rodunn at cisco.com Wed Sep 10 11:26:51 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 10 Sep 2008 11:26:51 -0400
Subject: [c-nsp] Router reloads on it's own
In-Reply-To:
References:
Message-ID: <20080910152651.GQ11984@rtp-cse-489.cisco.com>

What does 'sh region' say?

It's a bus error where the PC and address match. Either it's bad memory if the PC value is out of valid text space, or it's a stack corruption type issue, which is a software bug.

12.2(25)S throttle is end of engineering. You would need to upgrade to 12.2(33)SRC1.

Rodney

On Wed, Sep 10, 2008 at 04:11:09PM +0200, Rens wrote:
> Can anyone help me with the following? How can I get more info regarding
> this error message?:
>
> System returned to ROM by bus error at PC 0x60995708, address 0x60995708 at
> 12:09:02 CET Mon Sep 8 2008
>
> System restarted at 12:10:43 CET Mon Sep 8 2008
>
> System image file is "disk0:c7200-p-mz.122-25.S11.bin"
>
> Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of
> memory.
>
> Processor board ID 23690131
>
> R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2 Cache
>
> 6 slot VXR midplane, Version 2.3
>
> Last reset from watchdog reset

From rootnet08 at gmail.com Wed Sep 10 11:28:06 2008
From: rootnet08 at gmail.com (root net)
Date: Wed, 10 Sep 2008 10:28:06 -0500
Subject: [c-nsp] NBAR & QoS
In-Reply-To:
References: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com>
Message-ID: <89944ef40809100828y2a9105d5v8bca0d7901e185ad@mail.gmail.com>

Chuck,

I am pushing about 13Mbit with the small DSL base and sub-interfaces. I expect to push more here by the end of Oct and wanted to make sure we are throttling the file sharing before it gets bad. I am running 12.2SB; what advantages do I have for running 12.4? Also, what does your memory look like?

rootnet

On Wed, Sep 10, 2008 at 6:57 AM, Church, Charles wrote:
> We're using it on a 2821 for the same purpose - QOS to 2 upstreams, and
> file sharing shaping. Currently running about 10% CPU when pushing
> about 9mb through it. It's probably good for almost a full DS-3 on the
> 2821, at least in our application. If you can run 12.4 on the NPE225,
> I'd say enable it on a couple subints (protocol discovery) at a time,
> and keep an eye on the cpu. If CPU stays low, keep adding to it. I
> seem to remember having some weird NBAR issues with 12.3. How much
> traffic are you pushing through it currently? 20 to 30 customers
> doesn't sound like it'd be a problem.
>
> Chuck

From rens at autempspourmoi.be Wed Sep 10 11:33:38 2008
From: rens at autempspourmoi.be (Rens)
Date: Wed, 10 Sep 2008 17:33:38 +0200
Subject: [c-nsp] Router reloads on it's own
In-Reply-To: <20080910152651.GQ11984@rtp-cse-489.cisco.com>
References: <20080910152651.GQ11984@rtp-cse-489.cisco.com>
Message-ID: <66DE9E928CAA445183946A2F39465B4A@EU.corp.clearwire.com>

Here is sh region:

show region
Region Manager:

      Start         End     Size(b)  Class  Media  Name
 0x0E000000  0x0FFFFFFF    33554432  Iomem  R/W    iomem
 0x60000000  0x7DFFFFFF   503316480  Local  R/W    main
 0x60008DE0  0x6183C02F    25375312  IText  R/O    main:text
 0x6183E000  0x6280387F    16537728  IData  R/W    main:data
 0x62803880  0x62AFB89F     3112992  IBss   R/W    main:bss
 0x62AFB8A0  0x63AFB89F    16777216  Local  R/W    main:heap
 0x63AFB8F8  0x64AFB8F3    16777212  Local  R/W    main:heap
 0x7E000000  0x7FFFFFFF    33554432  Iomem  R/W    iomem:(iomem_cwt)
 0x80000000  0x8DFFFFFF   234881024  Local  R/W    main:(main_k0)
 0xA0000000  0xADFFFFFF   234881024  Local  R/W    main:(main_k1)

Free Region Manager:

      Start         End     Size(b)  Class  Media  Name
 0x64AFB948  0x7DFFFFFF   424691384  Local  R/W    heap

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Wednesday 10 September 2008 17:27
To: Rens
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Router reloads on it's own

What does 'sh region' say?

It's a bus error where the PC and address match. Either it's bad memory if the PC value is out of valid text space, or it's a stack corruption type issue, which is a software bug.

12.2(25)S throttle is end of engineering. You would need to upgrade to 12.2(33)SRC1.

Rodney

From leonardo.souza at nec.com.br Wed Sep 10 11:28:35 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 10 Sep 2008 12:28:35 -0300
Subject: [c-nsp] RES: Using CA certificates and pre-shared keys on the same box
References:
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E36@spsrvmail03.nec.br>

Yes. Just add another isakmp policy statement using the pre-shared authentication mode.

Cheers,
Leonardo Gama.

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of nasir.shaikh at bt.com
Sent: Wed 10/9/2008 11:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box

Hi,

I have a 2851 working as a hub for remote VPN sites using CA certificates. I want to add other remotes which are using pre-shared keys as their authentication method. Is it possible to configure the hub router to support both the CA trustpoint and pre-shared keys?
Kind regards
Nasir Shaikh

From cchurc05 at harris.com Wed Sep 10 11:40:28 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 10 Sep 2008 10:40:28 -0500
Subject: [c-nsp] NBAR & QoS
In-Reply-To: <89944ef40809100828y2a9105d5v8bca0d7901e185ad@mail.gmail.com>
References: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com> <89944ef40809100828y2a9105d5v8bca0d7901e185ad@mail.gmail.com>
Message-ID:

From what I've seen, NBAR doesn't use a whole lot of memory; it'll grab a small amount off the bat when you enable it, and that's it. Maybe 10 megs. I'm not familiar with 12.2SB though. I think you'd have to read the release notes for NBAR in the two trains. They've added more protocol support in the newer trains; that might be reason enough. Unless you can add the PDLMs to 12.2SB. I think 12.4 would be the most trouble-free path though.

Chuck

________________________________
From: root net [mailto:rootnet08 at gmail.com]
Sent: Wednesday, September 10, 2008 11:28 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NBAR & QoS

Chuck,

I am pushing about 13Mbit with the small DSL base and sub-interfaces. I expect to push more here by the end of Oct and wanted to make sure we are throttling the file sharing before it gets bad. I am running 12.2SB; what advantages do I have for running 12.4? Also, what does your memory look like?

rootnet

From rootnet08 at gmail.com Wed Sep 10 12:02:08 2008
From: rootnet08 at gmail.com (root net)
Date: Wed, 10 Sep 2008 11:02:08 -0500
Subject: [c-nsp] NBAR & QoS
In-Reply-To:
References: <89944ef40809100132g387f47c2qcef4f0a2aa91598d@mail.gmail.com> <89944ef40809100828y2a9105d5v8bca0d7901e185ad@mail.gmail.com>
Message-ID: <89944ef40809100902m3608bab2t69874bacf8a45ebc@mail.gmail.com>

Ok. I will read up on it for the IOS release.
I hate to upgrade since this would involve taking the router down and it has been up for over a year. That's great about the memory. I will test it out and let you know my findings.

rootnet

On Wed, Sep 10, 2008 at 10:40 AM, Church, Charles wrote:
> From what I've seen, NBAR doesn't use a whole lot of memory, it'll grab a
> small amount off the bat when you enable it, and that's it. Maybe 10 megs.
> I'm not familiar with 12.2SB though. I think you'd have to read the release
> notes for NBAR in the two trains. They've added more protocol support in
> the newer trains, that might be reason enough. Unless you can add the PDLMs
> to 12.2SB. I think 12.4 would be the most troublefree path though.
>
> Chuck

From luan at netcraftsmen.net Wed Sep 10 12:21:02 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 10 Sep 2008 12:21:02 -0400
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box
In-Reply-To:
References:
Message-ID: <003901c91361$37eaa5d0$a7bff170$@net>

You could try to configure 2 ISAKMP profiles: one using CA, one using pre-shared. Then configure 2 IPsec profiles accordingly.
-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of nasir.shaikh at bt.com
Sent: Wednesday, September 10, 2008 10:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Using CA certificates and pre-shared keys on the same box

Hi,

I have a 2851 working as a hub for remote VPN sites using CA certificates. I want to add other remotes which are using pre-shared keys as their authentication method. Is it possible to configure the hub router to support both the CA trustpoint and pre-shared keys?

Kind regards
Nasir Shaikh
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ASikkema at office.unet.nl Wed Sep 10 11:28:29 2008
From: ASikkema at office.unet.nl (Andreas Sikkema)
Date: Wed, 10 Sep 2008 17:28:29 +0200
Subject: [c-nsp] AS5350 and ENUM, what happens when DNS gives no results?

Hi,

We've got a Cisco AS5350 with a reasonably complex configuration with several inbound dialpeers that involve calling TCL applications. For various reasons we want to route some calls around all this configuration and send them directly to a SIP server. We've thought of doing this with ENUM because those calls (as I mentioned before in my question about hairpins) are only recognizable by their Called Number.

What I would really like to do is to look up the destination in ENUM and, when there's nothing in the DNS server for that number, to use the existing configuration. Is there a way or should I just forget about this?
--
Andreas Sikkema

From christian at broknrobot.com Wed Sep 10 12:41:05 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 10 Sep 2008 12:41:05 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS

I know I can set the remote syslog port on ASA/PIXes, but I don't seem to see that it is possible in IOS.

I wanted to segregate logs by sending them from certain devices to separate syslog ports.

Can anyone confirm this behavior?

Has anyone had the need to do something similar?

Thanks

Christian

From rodunn at cisco.com Wed Sep 10 12:42:48 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 10 Sep 2008 12:42:48 -0400
Subject: [c-nsp] Router reloads on it's own
In-Reply-To: <66DE9E928CAA445183946A2F39465B4A@EU.corp.clearwire.com>
References: <20080910152651.GQ11984@rtp-cse-489.cisco.com> <66DE9E928CAA445183946A2F39465B4A@EU.corp.clearwire.com>
Message-ID: <20080910164248.GX11984@rtp-cse-489.cisco.com>

It's in the text region. Almost surely a software bug. I decoded the PC and it's in the arp command code. Did you do a clear arp or any other arp command? If so you will see it in the command history of the crashinfo file. The code is old so it's probably already fixed.

Was a crashinfo file saved in bootflash?
That might give a bit more information or if you can post

On Wed, Sep 10, 2008 at 05:33:38PM +0200, Rens wrote:
> Here is sh region:
>
> show region
> Region Manager:
>
>      Start         End     Size(b)  Class  Media  Name
> 0x0E000000  0x0FFFFFFF    33554432  Iomem  R/W    iomem
> 0x60000000  0x7DFFFFFF   503316480  Local  R/W    main
> 0x60008DE0  0x6183C02F    25375312  IText  R/O    main:text
> 0x6183E000  0x6280387F    16537728  IData  R/W    main:data
> 0x62803880  0x62AFB89F     3112992  IBss   R/W    main:bss
> 0x62AFB8A0  0x63AFB89F    16777216  Local  R/W    main:heap
> 0x63AFB8F8  0x64AFB8F3    16777212  Local  R/W    main:heap
> 0x7E000000  0x7FFFFFFF    33554432  Iomem  R/W    iomem:(iomem_cwt)
> 0x80000000  0x8DFFFFFF   234881024  Local  R/W    main:(main_k0)
> 0xA0000000  0xADFFFFFF   234881024  Local  R/W    main:(main_k1)
>
>
> Free Region Manager:
>
>      Start         End     Size(b)  Class  Media  Name
> 0x64AFB948  0x7DFFFFFF   424691384  Local  R/W    heap
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Wednesday, 10 September 2008 17:27
> To: Rens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Router reloads on it's own
>
> What does 'sh region' say?
>
> It's a bus error where the PC and address match.
> Either it's bad memory if the PC value is out of valid text space
> or it's a stack corruption type issue which is a software bug.
>
> 12.2(25)S throttle is end of engineering.
>
> You would need to upgrade to 12.2(33)SRC1.
>
> Rodney
>
>
> On Wed, Sep 10, 2008 at 04:11:09PM +0200, Rens wrote:
> > Can anyone help me with the following? How can I get more info regarding
> > this error message?:
> >
> >
> >
> > System returned to ROM by bus error at PC 0x60995708, address 0x60995708 at
> > 12:09:02 CET Mon Sep 8 2008
> >
> > System restarted at 12:10:43 CET Mon Sep 8 2008
> >
> > System image file is "disk0:c7200-p-mz.122-25.S11.bin"
> >
> >
> >
> > Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of
> > memory.
> >
> > Processor board ID 23690131
> >
> > R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2 Cache
> >
> > 6 slot VXR midplane, Version 2.3
> >
> >
> >
> > Last reset from watchdog reset
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

From coloccia at geneseo.edu Wed Sep 10 13:45:00 2008
From: coloccia at geneseo.edu (Rick Coloccia)
Date: Wed, 10 Sep 2008 13:45:00 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
Message-ID: <48C8079C.7020208@geneseo.edu>

Interesting approach. I installed syslog-ng on my syslog server (CentOS 5.2) and am filtering very extensively based on source host and pattern matching inside the trap. I have lots of different files in place now based on what Cisco device created the trap and what the message in the trap is. But they are all the same facility. You might find that a lot more useful.

Take a look at syslog-ng, and don't let it overwhelm you - it's not as bad as it looks to set up. Assuming a Linux box, you can leave your existing syslog in place, and just add this to a system to receive syslogs from over the network. Very, very configurable.

-Rick

Christian Koch wrote:
> I know I can set the remote syslog port on ASA/PIXes, but I don't seem
> to see that it is possible in IOS.
>
> I wanted to segregate logs by sending them from certain devices to
> separate syslog ports
>
> Can anyone confirm this behavior?
>
> Has anyone had the need to do something similar?
>
> Thanks
>
>
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

From steve.mcnamara at gmail.com Wed Sep 10 14:36:54 2008
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Wed, 10 Sep 2008 19:36:54 +0100
Subject: [c-nsp] 4900M 10/100/1000 management interfaces
Message-ID: <494a4f80809101136u7ef0593eg8d7376842b845724@mail.gmail.com>

Hi,

This is going to be something very embarrassing, I feel :-)

I've got a Cisco 4900M running 12.2(46)SG. It has a 10/100/1000 mgt interface on the back of the switch that I want to use to manage the switch, but when I boot it up I do not see an interface corresponding to this. I see the 20x Gig interfaces from Slot 2 and the 8x 10Gig interfaces from Slot 1.... any ideas how to configure the 10/100/1000 mgt interface?

Cheers
Steve

From perc69 at gmail.com Wed Sep 10 14:46:55 2008
From: perc69 at gmail.com (Pelle)
Date: Wed, 10 Sep 2008 20:46:55 +0200
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
Message-ID: <746ca6da0809101146w40692ffo97e6ab49e0386eb2@mail.gmail.com>

On Wed, Sep 10, 2008 at 18:41, Christian Koch wrote:
> I wanted to segregate logs by sending them from certain devices to
> separate syslog ports

Why not simply use different facilities?

--
Pelle

From clane1875 at gmail.com Wed Sep 10 14:58:16 2008
From: clane1875 at gmail.com (Chris Lane)
Date: Wed, 10 Sep 2008 14:58:16 -0400
Subject: [c-nsp] GSR12008 Error
Message-ID: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com>

All,

GSR question: it appears Cisco finally got around to updating the IOS train on 12.0.32.S - we have been running S8 for a while but S11 just came out and it appears to have many new features! One of my routers is running 12.0.32.S6 - it's been so for 2 years.
I had a bad 8 port FastE LC a while back, so I replaced it just recently with a known good LC tested in the lab. So I sent it to replace the failed one ~ after 2 days I started getting these errors.

%FABRIC-3-ERR_HANDLE:
%RP-3-FABRIC_UNI
%FIA-3-HALT
L%LC-6-BMACMDRPLY

From what I gather this is the RP having trouble communicating with the LC. One of these errors suggests upgrading IOS ~ but S6 to S8 isn't that big of a deal and couldn't possibly be the culprit, could it? Is this RP related? And if so I could easily flip to the backup RP.

Any suggestions would be super appreciated.

--
//CL

From christian at broknrobot.com Wed Sep 10 14:03:39 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 10 Sep 2008 14:03:39 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
In-Reply-To: <48C8079C.7020208@geneseo.edu>
References: <48C8079C.7020208@geneseo.edu>

This is actually what I do now, but we are moving away from syslog-ng to Splunk, basically for the ease of searching and report generation, especially for the lower tiered NOC techs. In Splunk you can create multiple "virtual" instances, so what we wanted to do was separate, say, customer logging to its own port, sec logs to its own port, and associate each with the Splunk instance configured to accept syslog messages on port x/y/z etc.

Otherwise, I agree, syslog-ng can be very good if configured correctly and extensively.

Christian

On Wed, Sep 10, 2008 at 1:45 PM, Rick Coloccia wrote:
> Interesting approach. I installed syslog-ng on my syslog server (CentOS
> 5.2) and am filtering very extensively based on source host and pattern
> matching inside the trap. I have lots of different files in place now based
> on what cisco device created the trap and what the message in the trap is.
> But they are all the same facility. You might find that a lot more useful.
> Take a look at syslog-ng, and don't let it overwhelm you - it's not as bad
> as it looks to set up.
> Assuming a linux box, you can leave your existing
> syslog in place, and just add this to a system to receive syslogs from over
> the network. Very, very configurable.
>
> -Rick
>
> Christian Koch wrote:
>>
>> I know I can set the remote syslog port on ASA/PIXes, but I don't seem
>> to see that it is possible in IOS.
>>
>> I wanted to segregate logs by sending them from certain devices to
>> separate syslog ports
>>
>> Can anyone confirm this behavior?
>>
>> Has anyone had the need to do something similar?
>>
>> Thanks
>>
>>
>> Christian
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> --
> Rick Coloccia, Jr.
> Network Manager
> State University of NY College at Geneseo
> 1 College Circle, 119 South Hall
> Geneseo, NY 14454
> V: 585-245-5577
> F: 585-245-5579
>
>

From jfitz at Princeton.EDU Wed Sep 10 15:14:06 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 10 Sep 2008 15:14:06 -0400
Subject: [c-nsp] 4900M 10/100/1000 management interfaces
In-Reply-To: <494a4f80809101136u7ef0593eg8d7376842b845724@mail.gmail.com>
References: <494a4f80809101136u7ef0593eg8d7376842b845724@mail.gmail.com>

The interface is Fa1 and has a fixed config name of mgmtVrf.

What they did was set up a VRF interface so that you can have an isolated management port that resides in a separate routing domain. One problem I found is that you need the latest code that supports the new interface (12.2-46SG). I had to load it on the flash card and then boot from flash.

The other trick is the default route must be entered as follows...

ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 n.n.n.n

Also...
ntp server vrf mgmtVrf

Jeff Fitzwater
OIT Network Systems
Princeton University

On Sep 10, 2008, at 2:36 PM, Steve McNamara wrote:

> Hi,
>
> This is going to be something very embarrassing, I feel :-)
>
> I've got a Cisco 4900M running 12.2(46)SG, it has a 10/100/1000 mgt
> interface on the back of the switch that I want to use to manage the
> switch, but when I boot it up I do not see an interface corresponding
> to this. I see the 20x Gig interfaces from Slot 2 and the 8x 10Gig
> interface from Slot 1.... any ideas how to configure the 10/100/1000
> mgt interface?
>
> Cheers
> Steve
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From isplists at duracom.net Wed Sep 10 15:33:03 2008
From: isplists at duracom.net (Rhino Lists)
Date: Wed, 10 Sep 2008 14:33:03 -0500
Subject: [c-nsp] Configure Backup Radius Server
Message-ID: <036f01c9137c$0b0fff40$212ffdc0$@net>

I have a 7206 terminating DSL connections; currently I only have it pointed to my primary RADIUS server. I am now wanting to also point it to my backup RADIUS server for the obvious reasons. I have the following in mind:

radius-server dead-criteria time 5 tries 4
radius-server host aaa.bbb.ccc.5 auth-port 1812 acct-port 1813
radius-server host aaa.bbb.ccc.6 auth-port 1812 acct-port 1813
radius-server deadtime 1

With this current config how long can the primary be down, or will it always try the secondary when the primary is down?

From achatz at forthnet.gr Wed Sep 10 15:55:50 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 10 Sep 2008 22:55:50 +0300
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
Message-ID: <48C82646.7040402@forthnet.gr>

Have you tried "logging host XXX transport udp port Y"?
--
Tassos

Christian Koch wrote on 10/09/2008 19:41:
> I know I can set the remote syslog port on ASA/PIXes, but I don't seem
> to see that it is possible in IOS.
>
> I wanted to segregate logs by sending them from certain devices to
> separate syslog ports
>
> Can anyone confirm this behavior?
>
> Has anyone had the need to do something similar?
>
> Thanks
>
>
> Christian
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From steve.mcnamara at gmail.com Wed Sep 10 16:01:03 2008
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Wed, 10 Sep 2008 21:01:03 +0100
Subject: [c-nsp] 4900M 10/100/1000 management interfaces
References: <494a4f80809101136u7ef0593eg8d7376842b845724@mail.gmail.com>
Message-ID: <494a4f80809101301q55545e11n1839102b84676c5@mail.gmail.com>

Thanks Jeff

I thought I was running 12.2(46)SG, but I forgot to change the config-register.. so it was kind of embarrassing after all :-)

I now see the interface, thanks for your help. One more question though. The interface says 10/100/1000 MGT, yet it is "interface FastEthernet1" and will only let me configure the speed as 100 - but my laptop connects at 1Gig. The show interface also shows it as 100m.... any ideas on if it is definitely a 1Gig interface?

Thanks again

On Wed, Sep 10, 2008 at 20:14, Jeff Fitzwater wrote:
> The interface is Fa1 and has a fixed config name of mgmtVrf
> What they did was set up a VRF interface so that you can have an isolated
> management port that resides in a separate routing domain. One problem I
> found is that you need the latest code that supports the new interface
> (12.2-46SG). I had to load it on the flash card and then boot from
> flash.
>
> The other trick is the default route must be entered as follows...
>
>
> ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 n.n.n.n
>
> Also...
> ntp server vrf mgmtVrf
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> On Sep 10, 2008, at 2:36 PM, Steve McNamara wrote:
>
>> Hi,
>>
>> This is going to be something very embarrassing, I feel :-)
>>
>> I've got a Cisco 4900M running 12.2(46)SG, it has a 10/100/1000 mgt
>> interface on the back of the switch that I want to use to manage the
>> switch, but when I boot it up I do not see an interface corresponding
>> to this. I see the 20x Gig interfaces from Slot 2 and the 8x 10Gig
>> interface from Slot 1.... any ideas how to configure the 10/100/1000
>> mgt interface?
>>
>> Cheers
>> Steve
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From leonardo.souza at nec.com.br Wed Sep 10 16:10:04 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 10 Sep 2008 17:10:04 -0300
Subject: [c-nsp] RES: GSR12008 Error
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br>

Hi,

Look for errors in "show controller fia".
Maybe the LC was badly seated...
Maybe you have a bad SFC...
There are a lot of possibilities.

Cheers,
Leonardo Gama.

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of Chris Lane
Sent: Wed 10/9/2008 15:58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] GSR12008 Error

All,

GSR question, appears Cisco finally got around to updating the IOS train on 12.0.32.S - we have been running S8 for a while but S11 just came out and it appears to have many new features! One of my routers is running 12.0.32.S6 - it's been so for 2 years. I had a bad 8 port FastE LC a while back so I replaced it just recently with a known good LC tested in the lab. So I sent it to replace the failed one ~ after 2 days I started getting these errors.
%FABRIC-3-ERR_HANDLE:
%RP-3-FABRIC_UNI
%FIA-3-HALT
L%LC-6-BMACMDRPLY

From what I gather this is the RP having trouble communicating with the LC. One of these errors suggests upgrading IOS ~ but S6 to S8 isn't that big of a deal and couldn't possibly be the culprit, could it? Is this RP related? And if so I could easily flip to the backup RP.

Any suggestions would be super appreciated.

--
//CL
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From christian at broknrobot.com Wed Sep 10 16:22:02 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 10 Sep 2008 16:22:02 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
In-Reply-To: <746ca6da0809101146w40692ffo97e6ab49e0386eb2@mail.gmail.com>
References: <746ca6da0809101146w40692ffo97e6ab49e0386eb2@mail.gmail.com>

Because that is not how Splunk works; we want to create separate Splunk instances, and each instance has its own syslog port...

On Wed, Sep 10, 2008 at 2:46 PM, Pelle wrote:
> On Wed, Sep 10, 2008 at 18:41, Christian Koch wrote:
>
>> I wanted to segregate logs by sending them from certain devices to
>> separate syslog ports
>
> Why not simply use different facilities?
>
> --
> Pelle
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From christian at broknrobot.com Wed Sep 10 16:24:34 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 10 Sep 2008 16:24:34 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
In-Reply-To: <48C82646.7040402@forthnet.gr>
References: <48C82646.7040402@forthnet.gr>

I checked for any switches after inputting the IP address on the logging host command, but nothing was available:

#logging host 1.1.1.1 transport ?
% Unrecognized command

On Wed, Sep 10, 2008 at 3:55 PM, Tassos Chatzithomaoglou wrote:
> Have you tried "logging host XXX transport udp port Y"?
>
> --
> Tassos
>
> Christian Koch wrote on 10/09/2008 19:41:
>>
>> I know I can set the remote syslog port on ASA/PIXes, but I don't seem
>> to see that it is possible in IOS.
>>
>> I wanted to segregate logs by sending them from certain devices to
>> separate syslog ports
>>
>> Can anyone confirm this behavior?
>>
>> Has anyone had the need to do something similar?
>>
>> Thanks
>>
>>
>> Christian
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From lesmith at ecsis.net Wed Sep 10 16:19:15 2008
From: lesmith at ecsis.net (Larry Smith)
Date: Wed, 10 Sep 2008 15:19:15 -0500
Subject: [c-nsp] Configure Backup Radius Server
In-Reply-To: <036f01c9137c$0b0fff40$212ffdc0$@net>
References: <036f01c9137c$0b0fff40$212ffdc0$@net>
Message-ID: <200809101519.15107.lesmith@ecsis.net>

On Wed September 10 2008 14:33, Rhino Lists wrote:
> I have a 7206 terminating DSL connections currently I only have it pointed
> to my primary RADIUS server.
> I am now wanting to also point it to my
> backup RADIUS server for the obvious reasons. I have the following in
> mind:
>
>
>
> radius-server dead-criteria time 5 tries 4
>
> radius-server host aaa.bbb.ccc.5 auth-port 1812 acct-port 1813
>
> radius-server host aaa.bbb.ccc.6 auth-port 1812 acct-port 1813
>
> radius-server deadtime 1
>
> With this current config how long can the primary be down or will it always
> try the secondary when the primary is down?

I believe the "deadtime" tells the router how long to "ignore" a non-responsive RADIUS server. The default is 0, which says always check the servers in the order given. With a deadtime of 1 (minute) your router should "ignore" that server for 1 minute if it is not responsive, and then try it again (and ignore it for another minute if it is still not responding).

--
Larry Smith
lesmith at ecsis.net

From clane1875 at gmail.com Wed Sep 10 16:25:46 2008
From: clane1875 at gmail.com (Chris Lane)
Date: Wed, 10 Sep 2008 16:25:46 -0400
Subject: [c-nsp] GSR12008 Error
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br>
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br>
Message-ID: <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com>

No errors as you can see.
cr.la1.ca#sh controller fia
Fabric configuration: 2.4Gbps bandwidth, redundant fabric
Master Scheduler: Slot 17 Backup Scheduler: Slot 16

From Fabric FIA Errors
-----------------------
redund fifo parity 0     redund overflow 0     cell drops 0
crc32 lkup parity 0      cell parity 0         crc32 0

Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot:    16       17       18       19       20
Name:    csc0     csc1     sfc0     sfc1     sfc2
         -------- -------- -------- -------- --------
los      0        0        0        0        0
state    Off      Off      Off      Off      Off
crc16    0        0        0        0        0

To Fabric FIA Errors
-----------------------
sca not pres 0     req error 0       uni fifo overflow 0
grant parity 0     multi req 0       uni fifo undrflow 0
cntrl parity 0     uni req 0         crc32 lkup parity 0
multi fifo 0       empty dst req 0   handshake error 0

On Wed, Sep 10, 2008 at 4:10 PM, Leonardo Gama Souza <leonardo.souza at nec.com.br> wrote:
> Hi,
>
> Look for errors in "show controller fia".
> Maybe the LC was badly seated...
> Maybe you have a bad SFC...
> There are a lot of possibilities.
>
> Cheers,
> Leonardo Gama.
>
> ------------------------------
> *From:* cisco-nsp-bounces at puck.nether.net on behalf of Chris Lane
> *Sent:* Wed 10/9/2008 15:58
> *To:* cisco-nsp at puck.nether.net
> *Subject:* [c-nsp] GSR12008 Error
>
> All,
>
> GSR question, appears Cisco finally got around to updating the IOS train on
> 12.0.32.S - we have been running S8 for a while but S11 just came out and it
> appears to have many new features! One of my routers is running 12.0.32.S6 -
> its been so for 2years. I had a bad 8 port FastE lc a while back so I
> replaced just recently with a known good lc tested in the lab, So I sent it
> to replace the failed one ~ after 2 days I started getting these errors.
>
> %FABRIC-3-ERR_HANDLE:
>
> %RP-3-FABRIC_UNI
>
> %FIA-3-HALT
>
> L%LC-6-BMACMDRPLY
>
>
>
> From what I gather this is the RP is having trouble communicating with the
> LC.
> One of these errors suggests upgrading IOS ~ but S6 to S8 isn't that
> big of a deal and couldn't possibly be the culprit could it? Is this RP
> related? And if so I could easily flip to the backup RP.
>
> Any suggestions would be super appreciated.
>
> --
> //CL
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
//CL

From leonardo.souza at nec.com.br Wed Sep 10 16:23:50 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 10 Sep 2008 17:23:50 -0300
Subject: [c-nsp] RES: GSR12008 Error
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br>

Oh. I forgot one thing.
You must issue this command on all LCs as well.

________________________________
From: Chris Lane [mailto:clane1875 at gmail.com]
Sent: Wed 10/9/2008 17:25
To: Leonardo Gama Souza
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GSR12008 Error

No errors as you can see.
cr.la1.ca#sh controller fia
Fabric configuration: 2.4Gbps bandwidth, redundant fabric
Master Scheduler: Slot 17 Backup Scheduler: Slot 16

From Fabric FIA Errors
-----------------------
redund fifo parity 0     redund overflow 0     cell drops 0
crc32 lkup parity 0      cell parity 0         crc32 0

Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot:    16       17       18       19       20
Name:    csc0     csc1     sfc0     sfc1     sfc2
         -------- -------- -------- -------- --------
los      0        0        0        0        0
state    Off      Off      Off      Off      Off
crc16    0        0        0        0        0

To Fabric FIA Errors
-----------------------
sca not pres 0     req error 0       uni fifo overflow 0
grant parity 0     multi req 0       uni fifo undrflow 0
cntrl parity 0     uni req 0         crc32 lkup parity 0
multi fifo 0       empty dst req 0   handshake error 0

On Wed, Sep 10, 2008 at 4:10 PM, Leonardo Gama Souza wrote:

Hi,

Look for errors in "show controller fia".
Maybe the LC was badly seated...
Maybe you have a bad SFC...
There are a lot of possibilities.

Cheers,
Leonardo Gama.

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of Chris Lane
Sent: Wed 10/9/2008 15:58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] GSR12008 Error

All,

GSR question, appears Cisco finally got around to updating the IOS train on 12.0.32.S - we have been running S8 for a while but S11 just came out and it appears to have many new features! One of my routers is running 12.0.32.S6 - its been so for 2years. I had a bad 8 port FastE lc a while back so I replaced just recently with a known good lc tested in the lab, So I sent it to replace the failed one ~ after 2 days I started getting these errors.

%FABRIC-3-ERR_HANDLE:
%RP-3-FABRIC_UNI
%FIA-3-HALT
L%LC-6-BMACMDRPLY

From what I gather this is the RP is having trouble communicating with the LC. One of these errors suggests upgrading IOS ~ but S6 to S8 isn't that big of a deal and couldn't possibly be the culprit could it? Is this RP related? And if so I could easily flip to the backup RP.
Any suggestions would be super appreciated.

--
//CL
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

--
//CL

From sethm at rollernet.us Wed Sep 10 16:43:01 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 10 Sep 2008 13:43:01 -0700
Subject: [c-nsp] IPv6 on the 877W
In-Reply-To: <39F9A41A-29AF-4E51-B246-AE05264B4DA2@adhost.com>
References: <8d05923216242716731b96c772f2ce0d.squirrel@webmail.rollernet.us> <39F9A41A-29AF-4E51-B246-AE05264B4DA2@adhost.com>
Message-ID: <48C83155.1030006@rollernet.us>

Well, I got my replacement 877W and tried all the helpful hints I received. Sadly, the Dot11Radio0 interface *does not* seem to support any "ipv6 ..." command, although it can be assigned an IPv4 address in the same manner. No problem for the wired segment, as the vlan 1 interface behaves as expected and it can be dual-stacked. I had kind of hoped this thing would have some very basic IPv6 support on it, but no such luck it seems for the wireless interface.

~Seth

From clane1875 at gmail.com Wed Sep 10 16:44:33 2008
From: clane1875 at gmail.com (Chris Lane)
Date: Wed, 10 Sep 2008 16:44:33 -0400
Subject: [c-nsp] GSR12008 Error
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br>
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br> <2e1cd850809101334u3ef1363duc755c91869434db5@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br>
Message-ID: <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com>

Darn, the problem for me is I removed the 8 port FastE card that was causing all the grief last night because it kept reloading.
I removed the one connection I had in the LC and the LC still continued to bounce. Here is the output anyway.

-----------------------------------------

On Wed, Sep 10, 2008 at 4:33 PM, Leonardo Gama Souza <leonardo.souza at nec.com.br> wrote:
> The same command.
> execute-on all show controller fia
>
> Rgds.
>
> ------------------------------
> *From:* Chris Lane [mailto:clane1875 at gmail.com]
> *Sent:* Wed 10/9/2008 17:34
> *To:* Leonardo Gama Souza
>
> *Subject:* Re: [c-nsp] GSR12008 Error
>
> You didn't add command ~
> Thanks
>
> On Wed, Sep 10, 2008 at 4:23 PM, Leonardo Gama Souza <
> leonardo.souza at nec.com.br> wrote:
>
>> Oh. I forgot one thing.
>> You must issue this command on all LC as well.
>>
>>
>> ------------------------------
>> *From:* Chris Lane [mailto:clane1875 at gmail.com]
>> *Sent:* Wed 10/9/2008 17:25
>> *To:* Leonardo Gama Souza
>> *Cc:* cisco-nsp at puck.nether.net
>> *Subject:* Re: [c-nsp] GSR12008 Error
>>
>> No errors as you can see.
>> cr.la1.ca#sh controller fia
>> Fabric configuration: 2.4Gbps bandwidth, redundant fabric
>> Master Scheduler: Slot 17 Backup Scheduler: Slot 16
>>
>> From Fabric FIA Errors
>> -----------------------
>> redund fifo parity 0     redund overflow 0     cell drops 0
>>
>> crc32 lkup parity 0      cell parity 0         crc32 0
>>
>> Switch cards present 0x001F Slots 16 17 18 19 20
>> Switch cards monitored 0x001F Slots 16 17 18 19 20
>> Slot:    16       17       18       19       20
>> Name:    csc0     csc1     sfc0     sfc1     sfc2
>>          -------- -------- -------- -------- --------
>> los      0        0        0        0        0
>> state    Off      Off      Off      Off      Off
>> crc16    0        0        0        0        0
>>
>> To Fabric FIA Errors
>> -----------------------
>> sca not pres 0     req error 0       uni fifo overflow 0
>>
>> grant parity 0     multi req 0       uni fifo undrflow 0
>>
>> cntrl parity 0     uni req 0         crc32 lkup parity 0
>>
>> multi fifo 0       empty dst req 0   handshake error 0
>> On Wed, Sep 10, 2008 at 4:10 PM, Leonardo Gama Souza <
>> leonardo.souza at nec.com.br> wrote:
>>
>>> Hi,
>>>
>>> Look for errors in "show controller fia".
>>> Maybe the LC was badly seated...
>>> Maybe you have a bad SFC...
>>> There are a lot of possibilities.
>>>
>>> Cheers,
>>> Leonardo Gama.
>>>
>>> ------------------------------
>>> *From:* cisco-nsp-bounces at puck.nether.net on behalf of Chris Lane
>>> *Sent:* Wed 10/9/2008 15:58
>>> *To:* cisco-nsp at puck.nether.net
>>> *Subject:* [c-nsp] GSR12008 Error
>>>
>>> All,
>>>
>>> GSR question, appears Cisco finally got around to updating the IOS train
>>> on 12.0.32.S - we have been running S8 for a while but S11 just came out
>>> and it appears to have many new features! One of my routers is running
>>> 12.0.32.S6 - its been so for 2years. I had a bad 8 port FastE lc a while
>>> back so I replaced just recently with a known good lc tested in the lab,
>>> So I sent it to replace the failed one ~ after 2 days I started getting
>>> these errors.
>>>
>>> %FABRIC-3-ERR_HANDLE:
>>>
>>> %RP-3-FABRIC_UNI
>>>
>>> %FIA-3-HALT
>>>
>>> L%LC-6-BMACMDRPLY
>>>
>>>
>>>
>>> From what I gather this is the RP is having trouble communicating with
>>> the LC. One of these errors suggests upgrading IOS ~ but S6 to S8 isn't
>>> that big of a deal and couldn't possibly be the culprit could it? Is this
>>> RP related? And if so I could easily flip to the backup RP.
>>>
>>> Any suggestions would be super appreciated.
>>> >>> -- >>> //CL >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> >> >> -- >> //CL >> > > > > -- > //CL > -- //CL From clane1875 at gmail.com Wed Sep 10 16:45:32 2008 From: clane1875 at gmail.com (Chris Lane) Date: Wed, 10 Sep 2008 16:45:32 -0400 Subject: [c-nsp] GSR12008 Error In-Reply-To: <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com> References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br> <2e1cd850809101334u3ef1363duc755c91869434db5@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br> <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com> Message-ID: <2e1cd850809101345m243e623an130c04ef8d5faecf@mail.gmail.com> Here is output. 
cr.la1.ca#execute-on all show controller fia

========= Line Card (Slot 3) =========
From Fabric FIA Errors
-----------------------
redund overflow 0 cell drops 0 cell parity 0
Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot: 16 17 18 19 20
Name: csc0 csc1 sfc0 sfc1 sfc2
-------- -------- -------- -------- --------
los 0 0 0 0 0
state Off Off Off Off Off
crc16 0 0 0 0 0
To Fabric FIA Errors
-----------------------
sca not pres 0 req error 0 uni fifo overflow 0
grant parity 0 multi req 0 uni fifo undrflow 0
cntrl parity 0 uni req 0
multi fifo 0 empty dst req 0 handshake error 0
cell parity 0

========= Line Card (Slot 4) =========
From Fabric FIA Errors
-----------------------
redund overflow 0 cell drops 0 cell parity 0
Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot: 16 17 18 19 20
Name: csc0 csc1 sfc0 sfc1 sfc2
-------- -------- -------- -------- --------
los 0 0 0 0 0
state Off Off Off Off Off
crc16 0 0 0 0 0
To Fabric FIA Errors
-----------------------
sca not pres 0 req error 0 uni fifo overflow 0
grant parity 0 multi req 0 uni fifo undrflow 0
cntrl parity 0 uni req 0
multi fifo 0 empty dst req 0 handshake error 0
cell parity 0

========= Line Card (Slot 5) =========
From Fabric FIA Errors
-----------------------
redund overflow 0 cell drops 0 cell parity 0
Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot: 16 17 18 19 20
Name: csc0 csc1 sfc0 sfc1 sfc2
-------- -------- -------- -------- --------
los 0 0 0 0 0
state Off Off Off Off Off
crc16 0 0 0 0 0
To Fabric FIA Errors
-----------------------
sca not pres 0 req error 0 uni fifo overflow 0
grant parity 0 multi req 0 uni fifo undrflow 0
cntrl parity 0 uni req 0
multi fifo 0 empty dst req 0 handshake error 0
cell parity 0

========= Line Card (Slot 6) =========
From Fabric FIA Errors
-----------------------
redund overflow 0 cell drops 0 cell parity 0
Switch cards present 0x001F Slots 16 17 18 19 20
Switch cards monitored 0x001F Slots 16 17 18 19 20
Slot: 16 17 18 19 20
Name: csc0 csc1 sfc0 sfc1 sfc2
-------- -------- -------- -------- --------
los 0 0 0 0 0
state Off Off Off Off Off
crc16 0 0 0 0 0
To Fabric FIA Errors
-----------------------
sca not pres 0 req error 0 uni fifo overflow 0
grant parity 0 multi req 0 uni fifo undrflow 0
cntrl parity 0 uni req 0
multi fifo 0 empty dst req 0 handshake error 0
cell parity 0

--
//CL

From leonardo.souza at nec.com.br Wed Sep 10 17:00:27 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 10 Sep 2008 18:00:27 -0300
Subject: [c-nsp] RES: GSR12008 Error
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br> <2e1cd850809101334u3ef1363duc755c91869434db5@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br> <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3C@spsrvmail03.nec.br>

You can try to insert that LC into another slot and collect those commands if the issue comes back.
From fbako at africaonline.co.ke Wed Sep 10 16:00:00 2008
From: fbako at africaonline.co.ke (Felix Bako)
Date: Wed, 10 Sep 2008 23:00:00 +0300
Subject: [c-nsp] Route selection in VRF
Message-ID: <48C82740.3090207@africaonline.co.ke>

Hey Guys,

I have two routers, each terminating my upstream providers. On each I have configured Internet on a VRF and I am doing eBGP with my providers on the VRF. Customers connected to the PEs are importing the Internet VRF's RTs for Internet access.

The two routers are also doing iBGP between them, so both routers are fully aware of each other's routes.

The challenge is that traffic from the customers connecting to the PEs always follows the default route of each Internet PE, and I can only use one uplink at a time, hence I can't load share. The Internet VRF has all routes and also a default route.

Any assistance on this will be highly appreciated.

--
Felix Bako
Ag. TECHNICAL MANAGER
Africa Online (K) LTD
Tel: + 254 (20) 2792000
Fax: + 254 (20) 2710010
Email: fbako at africaonline.co.ke
AIM: felixbako

A MEMBER OF TELKOM SOUTH AFRICA GROUP
From blahu77 at gmail.com Wed Sep 10 17:10:55 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 10 Sep 2008 22:10:55 +0100
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
References: <48C82646.7040402@forthnet.gr>
Message-ID: <383357750809101410u51a10dc9kee2a3c1c2cf3e1ba@mail.gmail.com>

2008/9/10 Christian Koch :
> checked for any switches after the inputting the ip address on logging
> host command but nothing was available
>
> #logging host 1.1.1.1 transport ?
> % Unrecognized command

How about some sort of port-forwarding?

--
-mat

From clane1875 at gmail.com Wed Sep 10 17:12:35 2008
From: clane1875 at gmail.com (Chris Lane)
Date: Wed, 10 Sep 2008 17:12:35 -0400
Subject: [c-nsp] GSR12008 Error
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3C@spsrvmail03.nec.br>
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br> <2e1cd850809101334u3ef1363duc755c91869434db5@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br> <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3C@spsrvmail03.nec.br>
Message-ID: <2e1cd850809101412w3f34666cq3a5102bb9e939c18@mail.gmail.com>

I think it's safe to say it's the LC. Issue is resolved with the LC removed. Site is remote across the country, I will get a maintenance window and get more info in the near future.
Regards,
Chris

From leonardo.souza at nec.com.br Wed Sep 10 17:31:15 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 10 Sep 2008 18:31:15 -0300
Subject: [c-nsp] RES: GSR12008 Error
References: <2e1cd850809101158v27cd4427tc3d73c0bcdac6cf2@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E39@spsrvmail03.nec.br> <2e1cd850809101325q419cb595k16ef2c039e27d941@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3A@spsrvmail03.nec.br> <2e1cd850809101334u3ef1363duc755c91869434db5@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3B@spsrvmail03.nec.br> <2e1cd850809101344s3df471dv9150ea821c4a511c@mail.gmail.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3C@spsrvmail03.nec.br> <2e1cd850809101412w3f34666cq3a5102bb9e939c18@mail.gmail.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E3D@spsrvmail03.nec.br>

Most likely so. An ESD could have occurred. But on the other hand the LC might have been badly seated... or there is a problem with that specific slot...

Cheers,
Leonardo.
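The advice in this thread was to look for non-zero counters in "show controller fia" on the RP and on every LC. The checker below is an added example, not code from any poster: it parses one or more of those blocks (the per-slot output of "execute-on all show controller fia", or the RP's own output with no slot banner), decodes the switch-card masks, and lists every counter above zero so the "no errors" verdict does not depend on eyeballing each card. The sample text is constructed to mirror the posted output, and the mask bit-to-slot mapping is inferred from it.

```python
import re

# Constructed sample modelled on the "execute-on all show controller fia" output in this
# thread (not real device output): slot 3 clean, slot 4 with two counters set non-zero.
SAMPLE = """\
========= Line Card (Slot 3) =========
From Fabric FIA Errors
-----------------------
redund overflow 0     cell drops 0     cell parity 0
Switch cards present 0x001F  Slots 16 17 18 19 20
Switch cards monitored 0x001F  Slots 16 17 18 19 20
Slot:    16       17       18       19       20
Name:    csc0     csc1     sfc0     sfc1     sfc2
        -------- -------- -------- -------- --------
los      0        0        0        0        0
state    Off      Off      Off      Off      Off
crc16    0        0        0        0        0
To Fabric FIA Errors
-----------------------
sca not pres 0     req error 0        uni fifo overflow 0
grant parity 0     multi req 0        uni fifo undrflow 0
cntrl parity 0     uni req 0
multi fifo 0       empty dst req 0    handshake error 0
cell parity 0
========= Line Card (Slot 4) =========
From Fabric FIA Errors
-----------------------
redund overflow 0     cell drops 0     cell parity 0
Switch cards present 0x001F  Slots 16 17 18 19 20
Switch cards monitored 0x000F  Slots 16 17 18 19
Slot:    16       17       18       19       20
Name:    csc0     csc1     sfc0     sfc1     sfc2
        -------- -------- -------- -------- --------
los      0        0        0        0        0
state    Off      Off      Off      Off      Off
crc16    0        0        0        0        12
To Fabric FIA Errors
-----------------------
sca not pres 0     req error 0        uni fifo overflow 0
grant parity 0     multi req 0        uni fifo undrflow 0
cntrl parity 0     uni req 0
multi fifo 0       empty dst req 0    handshake error 7
cell parity 0
"""

CARD_RE = re.compile(r"^=+ Line Card \(Slot (\d+)\) =+$")
MASK_RE = re.compile(r"^Switch cards (present|monitored) 0x([0-9A-Fa-f]+)")
COUNTER_RE = re.compile(r"([a-z][a-z0-9 ]*?)\s+(\d+)(?!\S)")  # "name value" pairs, several per line
EMPTY = {"from": {}, "to": {}, "present": [], "monitored": [], "names": [], "cards": {}}


def decode_mask(mask_hex, base_slot=16):
    """Bit i of the switch-card mask -> slot base_slot+i (inferred: 0x001F is listed as 16..20)."""
    mask = int(mask_hex, 16)
    return [base_slot + i for i in range(mask.bit_length()) if mask >> i & 1]


def parse_fia(text):
    """Parse show controller fia output into {slot: record}; RP output (no banner) is keyed 'RP'."""
    records, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        m = CARD_RE.match(line)
        if m or cur is None:
            key = int(m.group(1)) if m else "RP"
            cur = records.setdefault(key, {k: v.copy() for k, v in EMPTY.items()})
            section = None
            if m:
                continue
        if line.endswith("Fabric FIA Errors"):
            section = line.split()[0].lower()  # "from" or "to"
            continue
        m = MASK_RE.match(line)
        if m:
            cur[m.group(1)] = decode_mask(m.group(2))
            continue
        fields = line.split()
        if fields[0] == "Name:":
            cur["names"] = fields[1:]
            continue
        if fields[0] in ("los", "state", "crc16"):  # one column per switch card
            cur["cards"][fields[0]] = dict(zip(cur["names"], fields[1:]))
            continue
        if section and line[0].islower():
            for name, value in COUNTER_RE.findall(line):
                cur[section][name] = int(value)
    return records


def nonzero_counters(records):
    """Every counter above zero, as (slot, where, counter, value) tuples."""
    hits = []
    for slot, rec in records.items():
        for direction in ("from", "to"):
            hits += [(slot, direction, n, v) for n, v in rec[direction].items() if v]
        for row in ("los", "crc16"):
            for card, v in rec["cards"].get(row, {}).items():
                if v.isdigit() and int(v):
                    hits.append((slot, card, row, int(v)))
    return hits
```

Feeding the real output in is a matter of replacing SAMPLE with the captured text; a switch card that appears in "present" but not in "monitored" for some slot is visible by comparing the two decoded lists.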
From RTeller at deltadentalwa.com Wed Sep 10 18:38:09 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 10 Sep 2008 15:38:09 -0700
Subject: [c-nsp] (no subject)
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01295@tiger.deltadentalwa.com>

Are the routers connected to gig switches? And do the duplex and speed settings match up?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of hawk98 TheHawk
Sent: Thursday, September 04, 2008 1:04 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] (no subject)

Hello All,

We're noticing a large number of input errors on multiple GigE interfaces on various C720X NPE-G1 routers. These input errors match exactly with the number of overruns on those interfaces. There are a couple of strange things that we've noticed:

1. this problem happens on more than 1 router (similar configuration on all routers)
2. all routers affected began exhibiting these errors roughly around the same time (same early morning)
3. all routers are G1 and ran the same IOS code
4. one of the routers was rebooted and upgraded to a different code, however the problem still persists
5. we suspect it directly affects the functionality of the router as we see random lockups of the units
6. all routers are connected to redundant switches and cabling/switches have been ruled out.
Below is a sample output of the show interface on one of the routers:

GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 00b0.c2ee.b81b (bia 00b0.c2ee.b81b)
  Description: XXXXXXXX
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 2/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of 'show interface' counters never
  Input queue: 1/75/499528/97 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 8539000 bits/sec, 10996 packets/sec
  5 minute output rate 1905000 bits/sec, 807 packets/sec
     139728650 packets input, 10628478461 bytes, 92 no buffer
     Received 487174 broadcasts, 0 runts, 0 giants, 0 throttles
     171399 input errors, 0 CRC, 0 frame, 171399 overrun, 0 ignored
     0 watchdog, 1904930 multicast, 0 pause input
     0 input packets with dribble condition detected
     8125773 packets output, 2521690484 bytes, 0 underruns
     2 output errors, 0 collisions, 1 interface resets
     3842 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Does anyone have any idea what might be going on? I initially suspected an IOS bug (since all devices were affected), however after the upgrade the problem still persists.

Any help is appreciated.
Adrian

From tbaranski at mail.com Wed Sep 10 20:12:52 2008
From: tbaranski at mail.com (Terry Baranski)
Date: Wed, 10 Sep 2008 20:12:52 -0400
Subject: [c-nsp] VPN Failover
In-Reply-To: <48C79245.8030707@fnbs.net>
Message-ID: <000101c913a3$226d3870$0200000a@pleth0ra>

You can have multiple "set peer" statements in a given crypto map. Use the "default" keyword (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_ipspp.html) along with Dead Peer Detection to have redundancy between SITEB and DRSITE.

-Terry

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nimal David Sirimanne
> Sent: Wednesday, September 10, 2008 5:24 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN Failover
>
> Hi guys,
>
> We have 2 major offices (SITEA, SITEB) running a site-2-site VPN connection between them. We are now setting up a new DR site (DRSITE) for SITEB.
>
> However, our constraint is that SITEB internal network addressing and DRSITE internal network addressing have to be exactly the same. If internal network addressing for SITEB is 10.10.10.0/24, then internal network addressing for DRSITE is also 10.10.10.0/24. As I understand, it is not possible for SITEA to have 2 active vpn links to sites with the same internal network addressing.
>
> Is it then possible, if SITEA -- vpn -- SITEB fails, that it will failover to SITEA -- vpn -- DRSITE?
>
> Hope I explained that properly. Thanks!
>
> Nimal

From jeff-kell at utc.edu Wed Sep 10 21:58:59 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 10 Sep 2008 21:58:59 -0400
Subject: [c-nsp] 10G Xenpak 'virgin' question
In-Reply-To: <48C68B1B.4010705@utc.edu>
References: <48C68B1B.4010705@utc.edu>
Message-ID: <48C87B63.6010200@utc.edu>

Jeff Kell wrote:
> We're trying to light up our first 10G Xenpak link, so far without success, so I'm looking for a quick sanity check.
>
> 3750G-16TD switch with an LR Xenpak [ours], trying to link to a Ciena [not ours] add/drop ONS.

Just to "close this thread" -- the Ciena end was a Corestream with an "LR" XFP (in Ciena terminology), but that's ER in Cisco terminology (1550nm vs 1310nm). Will try again when we get our ER Xenpak.

Jeff

From bennetb at gmail.com Thu Sep 11 00:03:52 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Wed, 10 Sep 2008 22:03:52 -0600
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
References: <746ca6da0809101146w40692ffo97e6ab49e0386eb2@mail.gmail.com>

> because that is not how splunk works, we want to create separate
> splunk instances, each instance has its own syslog port...

You can use syslog-ng filters to dump out named pipes and have splunk read the named pipes. That way you can still filter on facility but have separate splunk instances. syslog-ng to the win again!
-Brandon From christian at broknrobot.com Thu Sep 11 00:18:49 2008 From: christian at broknrobot.com (Christian Koch) Date: Thu, 11 Sep 2008 00:18:49 -0400 Subject: [c-nsp] Setting the Remote Syslog Port in IOS In-Reply-To: References: <746ca6da0809101146w40692ffo97e6ab49e0386eb2@mail.gmail.com> Message-ID: interesting! i will try this out... thanks Brandon! Christian On Thu, Sep 11, 2008 at 12:03 AM, Brandon Bennett wrote: >> because that is not how splunk works, we want to create separate >> splunk instances, each instance has its own syslog port... > You can use syslog-ng filters to dump out named pipes and have splunk > read the named pipes. That way you can still filter on facility but > have seperate splunk instances. syslog-ng to the win again! > > -Brandon > From chale99 at gmail.com Thu Sep 11 00:34:48 2008 From: chale99 at gmail.com (Chris Hale) Date: Thu, 11 Sep 2008 00:34:48 -0400 Subject: [c-nsp] how to accomplish multiple 'native' vlans Message-ID: All - We are converting our L2 network from Riverstone to Cisco. One problem I have not been able to solve yet is the way the Riverstone and Cisco units handle untagged traffic entering a physical port. We have many connections to customers whereby we have equipment we would like to manage with management VIDs inline with untagged customer traffic. When it enters the Ethernet trunk port on the Riverstone, we are able to assign the untagged traffic to a VID and it traverses the trunk ports where allowed as tagged traffic. It doesn't seem like the Cisco switches have this ability - only one native VLAN per switch. Is there some way to accept multiple ports of untagged traffic and tag each ports' untagged traffic with separate VIDs? Example: fa0/1 - mgmt VID 10, customer traffic untagged (needs to be tagged with VID 100 for L3 routing) fa0/2 - mgmt VID 10, customer traffic untagged (needs to be tagged with VID 101 for L3 routing) etc. fa0/24 - trunk port to L3 device We are using 2960 and 3560 switches. 
Any other ideas are welcome, but we would prefer to minimize any CPE equipment at customer site to tag their traffic with the appropriate customer VID. It's a matter of additional cost, additional management devices, and additional points of failure.

Thanks,
Chris

--
------------------
Chris Hale
chale99 at gmail.com

From dcp at dcptech.com Thu Sep 11 00:43:50 2008
From: dcp at dcptech.com (David Prall)
Date: Thu, 11 Sep 2008 00:43:50 -0400
Subject: [c-nsp] how to accomplish multiple 'native' vlans
In-Reply-To:
References:
Message-ID: <002601c913c8$fe260020$ae0b740a@cisco.com>

interface x 0/y
switchport trunk native vlan Z

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Hale
> Sent: Thursday, September 11, 2008 12:35 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how to accomplish multiple 'native' vlans
>
> All -
>
> We are converting our L2 network from Riverstone to Cisco. One
> problem I have not been able to solve yet is the way the Riverstone
> and Cisco units handle untagged traffic entering a physical port. We
> have many connections to customers whereby we have equipment we would
> like to manage with management VIDs inline with untagged customer
> traffic. When it enters the Ethernet trunk port on the Riverstone, we
> are able to assign the untagged traffic to a VID and it traverses the
> trunk ports where allowed as tagged traffic. It doesn't seem like the
> Cisco switches have this ability - only one native VLAN per switch.
> Is there some way to accept multiple ports of untagged traffic and tag
> each ports' untagged traffic with separate VIDs?
>
> Example:
>
> fa0/1 - mgmt VID 10, customer traffic untagged (needs to be tagged
> with VID 100 for L3 routing)
> fa0/2 - mgmt VID 10, customer traffic untagged (needs to be tagged
> with VID 101 for L3 routing)
> etc.
> fa0/24 - trunk port to L3 device
>
> We are using 2960 and 3560 switches. Any other ideas are welcome, but
> we would prefer to minimize any CPE equipment at customer site to tag
> their traffic with the appropriate customer VID. It's a matter of
> additional cost, additional management devices, and additional points
> of failure.
>
> Thanks,
> Chris
>
> --
> ------------------
> Chris Hale
> chale99 at gmail.com

From hank at efes.iucc.ac.il Thu Sep 11 01:17:24 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 11 Sep 2008 08:17:24 +0300
Subject: [c-nsp] Cisco pushes 'network memory' to alleviate high-speed bottlenecks
Message-ID: <5.1.0.14.2.20080911081222.00b1ef40@efes.iucc.ac.il>

"On a 10Gbps link, for example, packets can arrive approximately every 50ns, while commodity memory -- for example, DRAM memory -- can only be accessed once every 50ns. Packets can also arrive in any order and require unpredictable, or random access to memory. Yet it takes two memory operations per packet every 50ns on a 10Gbps link: one to write the packet, another to read. If the memory can only do one operation every 50ns, it can't keep up; and as link rates increase, the router vs. memory performance gap widens and the problem only becomes worse.

The end result is that routers cannot support the needs of real-time applications such as voice, video conferencing, multimedia and gaming that require guaranteed performance because it cannot ensure that packets can be written to or read from memory on time, at high line rates. But adding memory capacity in the form of specialized 10Gbps SRAMs or reduced latency DRAMs are 'extremely high in cost and unwieldy' in the number of components and power required per system, Iyer says.
They also are unable to keep up with 40Gbps rates, he says."

...

"The solution, according to Iyer, are network memory algorithms that combine load balancing and caching algorithms on commodity memory. Load balancing distributes the load over slower memories, and guarantees that memory is available when data needs to be accessed; caching guarantees that data is available in cache memory 100% of the time. 'They provide hard guarantees, mathematical guarantees that performance would never fail,' Iyer says.

Applications for network memory include buffering, NetFlow accounting and quality-of-service (QoS). For buffering, routers must make sure that the packets it needs are always in the cache. With a small SRAM cache inside a packet processing ASIC and a slow commodity DRAM, it is possible to build a huge, fast, low power packet buffer using network memory algorithms, Iyer says.

For QoS, network memory enables routers to better provide strict performance guarantees for critical applications, such as remote surgery and supercomputing. And they help maintain state for applications such as NetFlow, which collects IP traffic information for monitoring purposes.

Network memory techniques are currently being designed in Cisco's next generation port speeds of 10G and 40Gbps, Ethernet switches and enterprise routers, Iyer says."
-Hank

From sforcejr at yahoo.com Thu Sep 11 00:21:21 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Wed, 10 Sep 2008 21:21:21 -0700 (PDT)
Subject: [c-nsp] Datacenter network design
Message-ID: <531305.64887.qm@web110404.mail.gq1.yahoo.com>

We are looking into start hosting our customers' apps and data and would like for you to provide me link to internet resources (or books) to get me started on a network design that includes:

- 3rd party Compliance (security for example)
- Redundancy (routers, firewalls, switches)
- load balancing
- VLANS
- Virtual servers
- Backup- SANs-
- Disaster recovery
- How to keep customers separated from our regular network?
- How to keep customers totally isolated from each other?
- Access from our network to the Datacenter network for our developers to work with our customers? Also for our IT people to service, monitor and maintain that network

I have thought of getting an Internet pipe just for the Datacenter network and with all the above mentioned components and then figure out the way and procedures to connect our company network with that one for the different items I already mentioned.

Has anyone been involved in a project like that could elaborate as much as possible on the subject?
Please shed some light with me on where to start and build from there?

Thanks

From sforcejr at yahoo.com Thu Sep 11 00:58:38 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Wed, 10 Sep 2008 21:58:38 -0700 (PDT)
Subject: [c-nsp] Datacenter Network Design
Message-ID: <415492.56211.qm@web110415.mail.gq1.yahoo.com>

We are looking into start hosting our customers' apps and data and would like for you to provide me link to internet resources (or books) to get me started on a network design that includes:

- 3rd party Compliance (security for example)
- Redundancy (routers, firewalls, switches)
- load balancing
- VLANS
- Virtual servers
- Backup- SANs-
- Disaster recovery
- How to keep customers separated from our regular network?
- How to keep customers totally isolated from each other?
- Access from our network to the Datacenter network for our developers to work with our customers? Also for our IT people to service, monitor and maintain that network

I have thought of getting an Internet pipe just for the Datacenter network and with all the above mentioned components and then figure out the way and procedures to connect our company network with that one for the different items I already mentioned.

Has anyone been involved in a project like that could elaborate as much as possible on the subject?
Please shed some light with me on where to start and build from there?

Thanks

From junaid.x86 at gmail.com Thu Sep 11 02:06:25 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Thu, 11 Sep 2008 12:06:25 +0600
Subject: [c-nsp] EoMPLS between C7206 and C3845
In-Reply-To:
References:
Message-ID:

Hi,

I have narrowed the problem. Now EoMPLS is working between the two routers - the change is that instead of connecting CE2 to the EtherSwitch module of C3845, I have connected it on an external 2950 switch which is then dot1q trunked to C3845. The problem appears when I connect the host on the EtherSwitch port. The configuration on the routing portion of C3845 is exactly the same in both cases and the config on the 2950 and EtherSwitch is similar.

Does anyone have any experience of running EoMPLS on C3845 with a host on an EtherSwitch module port? Is there any special consideration that needs to be catered for in such a scenario?

Will appreciate any help.

Regards,
Junaid

On Thu, Aug 7, 2008 at 2:15 AM, Junaid wrote:
> Hi,
>
> I am trying to make EoMPLS (VLAN mode) to work between a 7206VXR
> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running
> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are
> connected back-to-back via FastEthernet.
> The customers are connected
> via a switch connected to each PE:
>
> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2
>
> The control plane comes up without any issue:
>
> C7200-PE1#sh mpls l2transport vc de
> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up
> Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up
> Next hop: XXXXXX (ip of PE2's interface connected with PE1)
> Output interface: Fa3/0, imposed label stack {234}
> Create time: 04:55:52, last status change time: 04:22:07
> Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up
> MPLS VC labels: local 2207, remote 234
> Group ID: local 0, remote 0
> MTU: local 1500, remote 1500
> Remote interface description: MPLS TEST
> Sequencing: receive disabled, send disabled
> VC statistics:
> packet totals: receive 658, send 558
> byte totals: receive 61117, send 57759
> packet drops: receive 0, send 0
>
>
> C3845-PE2#sh mpls l2transport vc de
> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up
> Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up
> Next hop: XXXXXX (ip of PE1's interface connected with PE2)
> Output interface: Gi0/0, imposed label stack {2207}
> Create time: 05:06:06, last status change time: 04:42:00
> Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up
> MPLS VC labels: local 234, remote 2207
> Group ID: local 0, remote 0
> MTU: local 1500, remote 1500
> Remote interface description: MPLS test
> Sequencing: receive disabled, send disabled
> VC statistics:
> packet totals: receive 807, send 697
> byte totals: receive 81235, send 63925
> packet drops: receive 0, seq error 0, send 0
>
>
> But the data plane is having severe issue. I cannot ping end-to-end
> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
> connected to 3845), ARP works and I am able to send a ping packet to
> CE1. But CE1 never receives it. On the other side, CE2 does not get
> replies to its own ARP requests.
> Once I statically bind the mac
> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
> to it but CE1 never receives the reply. It seems that the communication
> is one way, from CE1 (one behind C7206) to CE2 (one behind C3845) and
> not the other way round. I replaced C3845 with C7206 and there was no
> issue in the data plane.
>
> My question is with the IOS I used for C3845, is EoMPLS not supported
> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
> used for C3845. Any one any experience in running EoMPLS on C3845?
>
> Another thing I noted was in the following output from C3845, it shows
> MRU=0 and also there was no outgoing interface attached:
>
> C3845-PE2#sh mpls forwarding-table labels 234 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 234    l2ckt(100)                    50732      none       point2point
>        MAC/Encaps=0/0, MRU=0, Tag Stack{}
>        No output feature configured
>
> While on C7206, the output was as it should be:
>
> C7200-PE1#sh mpls forwarding-table labels 2207 detail
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>        MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>        No output feature configured
>
>
> Any explanations/solutions?
>
>
>
> Regards,
>
> Junaid
>

From oboehmer at cisco.com Thu Sep 11 02:26:43 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 11 Sep 2008 08:26:43 +0200
Subject: [c-nsp] Route selection in VRF
In-Reply-To: <48C82740.3090207@africaonline.co.ke>
References: <48C82740.3090207@africaonline.co.ke>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405FD2E9B@xmb-ams-333.emea.cisco.com>

Felix Bako <> wrote on Wednesday, September 10, 2008 10:00 PM:
> Hey Guys,
>
> I have two routers each terminating my upstream providers. On each I
> have configured Internet on a VRF and doing ebgp with my providers on
> the VRF.
> Customers connected to The PEs are importing the Internet VRFs RTs for
> Internet Access.

Do you carry full table in the Internet VRFs? This can be very expensive as routes are duplicated on the importing PE.

> The two routers are also doing iBGP between them so both routers are
> fully aware of each other's routes

Not sure I understand this. Aren't the two routers PEs? The iBGP you're referring to is the "normal" vpnv4 iBGP between PEs? This could actually be an issue if you have traffic like

customer-PE -(MPLS)-> internet-PE1 -(MPLS)-> internet-PE2 --> Internet

where customer-PE is following the default-route. A network diagram could help.

> The challenge is traffic from the customers connecting to PEs always
> follows the default route of each Internet PE and I can only use one
> uplink at a time hence can't load share.

have you investigated iBGP load-sharing (i.e. maximum-paths ibgp 2) to load-share across two egress PEs?

oli

From rootnet08 at gmail.com Thu Sep 11 03:15:35 2008
From: rootnet08 at gmail.com (root net)
Date: Thu, 11 Sep 2008 02:15:35 -0500
Subject: [c-nsp] Datacenter Network Design
In-Reply-To: <415492.56211.qm@web110415.mail.gq1.yahoo.com>
References: <415492.56211.qm@web110415.mail.gq1.yahoo.com>
Message-ID: <89944ef40809110015k28ea0ca7k219da9a68a02b374@mail.gmail.com>

John,

If you are going to build a Cisco network you should spend some time on www.cisco.com and look at all of their configuration examples and whitepapers for specific gear you are looking at or working on. Here are some books I would suggest:

Cisco Press:
Data Center Fundamentals
End-to-End QoS Network Design
Designing for Cisco Internetwork Solutions
Designing Cisco Network Architectures
Network Management Fundamentals

www.cisco.com: (Research)

HSRP
STP
InterVLAN routing
IEEE Bridging
BGP
OSPF
L2TPV3
MPLS / VPN
IOS information

Others:
Administering Data Centers

APC Data Center University (online classes) Some are FREE some are not.
This is all I could think of since it's so late. DR will come when you start digging into the protocols and other information. Far as storage/backup iSCSI is your friend so build a GbE network. OpenFiler, NetApp, MyIVault.

From the start your facility will need to handle your immediate needs and growth or at least have the ability to scale (I would say maybe 10-20% growth for small budgets). Look at environmentals, power, fire protection: HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled water vs. air cooled), Power Requirements (Single Phase, Three Phase 208V /480V, UPS, Transfer switches, portable generators, generator), Raised Flooring vs. Anti-Static VCT, Security monitoring, water monitoring, temperature monitoring, and lastly Pre-action vs. plain wet system.

Getting a separate Internet feed would be wise unless it's just cost prohibitive. Start out with maybe 10Mbit pipe and go from there. This all depends on your customer's applications and servers. What they will be transferring and etc.

Look into open source products as these are FREE and can help you. (e.g. nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others)

Rule of thumb: A good data center will have proactive measures and policies in place to monitor, maintain, and procure. With that said monitor everything (I mean everything) and have all staff alerted on all levels SMS, e-mail, phone if possible automatically. It's not about downtime so much it's how you procure the situation in a specific time frame. Customer service is a must.

You will need to make the call on the gear you use but I use a mixture of Cisco, Extreme, and Juniper. For data centers it's a must for hot swappable gear so look into carrier class gear with redundant process, power supplies, hot swappable line cards. I would recommend Cisco 6500 Series, Cisco 7200 Series, Cisco ASA or Pix. I am not too fond of the Juniper firewall licensing. BTW, Cisco 2800/3600 Series may even work.
Depends on your throughput capabilities you are needing. Research all aspects of your gear from ram, flash, processor speeds, to throughput, modules, IOS, and hot swappable needs.


The above will get you started.

rootnet08

On 9/10/08, John Ramz wrote:
>
> We are looking into start hosting our customers' apps and data and would
> like for you to provide me link to internet resources (or books) to get me
> started on a network design that includes:
>
> - 3rd party Compliance (security for example)
> - Redundancy (routers, firewalls, switches)
> - load balancing
> - VLANS
> - Virtual servers
> - Backup- SANs-
> - Disaster recovery
> - How to keep customers separated from our regular network?
> - How to keep customers totally isolated from each other?
> - Access from our network to the Datacenter network for our developers to
> work with our customers? Also for our IT people to service, monitor and
> maintain that network
>
> I have thought of getting an Internet pipe just for the Datacenter network
> and with all the above mentioned components and then figure out the way and
> procedures to connect our company network with that one for the different
> items I already mentioned.
>
> Has anyone been involved in a project like that could elaborate as much as
> possible on the subject?
> Please shed some light with me on where to start and build from there?
>
> Thanks
>
>
>
>

From rens at autempspourmoi.be Thu Sep 11 04:41:55 2008
From: rens at autempspourmoi.be (Rens)
Date: Thu, 11 Sep 2008 10:41:55 +0200
Subject: [c-nsp] Router reloads on it's own
In-Reply-To: <20080910164248.GX11984@rtp-cse-489.cisco.com>
References: <20080910152651.GQ11984@rtp-cse-489.cisco.com> <66DE9E928CAA445183946A2F39465B4A@EU.corp.clearwire.com> <20080910164248.GX11984@rtp-cse-489.cisco.com>
Message-ID: <3B3DD4E54BA049DBAB07245748B8B462@EU.corp.clearwire.com>

Nobody performed any commands.

Would you need the whole crashinfo and how do you actually decode all this stuff?

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Wednesday 10 September 2008 18:43
To: Rens
Cc: 'Rodney Dunn'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Router reloads on it's own

It's in the text region. Almost surely a software bug.

I decoded the PC and it's in the arp command code.

Did you do a clear arp or any other arp command? If so you will see it in the command history of the crashinfo file.

The code is old so it's probably already fixed.

Was a crashinfo file saved in bootflash?
That might give a bit more information or if you can post

On Wed, Sep 10, 2008 at 05:33:38PM +0200, Rens wrote:
> Here is sh region:
>
> show region
> Region Manager:
>
>       Start         End     Size(b)  Class  Media  Name
>  0x0E000000  0x0FFFFFFF    33554432  Iomem  R/W    iomem
>  0x60000000  0x7DFFFFFF   503316480  Local  R/W    main
>  0x60008DE0  0x6183C02F    25375312  IText  R/O    main:text
>  0x6183E000  0x6280387F    16537728  IData  R/W    main:data
>  0x62803880  0x62AFB89F     3112992  IBss   R/W    main:bss
>  0x62AFB8A0  0x63AFB89F    16777216  Local  R/W    main:heap
>  0x63AFB8F8  0x64AFB8F3    16777212  Local  R/W    main:heap
>  0x7E000000  0x7FFFFFFF    33554432  Iomem  R/W    iomem:(iomem_cwt)
>  0x80000000  0x8DFFFFFF   234881024  Local  R/W    main:(main_k0)
>  0xA0000000  0xADFFFFFF   234881024  Local  R/W    main:(main_k1)
>
>
> Free Region Manager:
>
>       Start         End     Size(b)  Class  Media  Name
>  0x64AFB948  0x7DFFFFFF   424691384  Local  R/W    heap
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Wednesday 10 September 2008 17:27
> To: Rens
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Router reloads on it's own
>
> What does 'sh region' say?
>
> It's a bus error where the PC and address match.
> Either it's bad memory if the PC value is out of valid text space
> or it's a stack corruption type issue which is a software bug.
>
> 12.2(25)S throttle is end of engineering.
>
> You would need to upgrade to 12.2(33)SRC1.
>
> Rodney
>
>
> On Wed, Sep 10, 2008 at 04:11:09PM +0200, Rens wrote:
> > Can anyone help me with the following? How can I get more info regarding
> > this error message?:
> >
> >
> >
> > System returned to ROM by bus error at PC 0x60995708, address 0x60995708 at
> > 12:09:02 CET Mon Sep 8 2008
> >
> > System restarted at 12:10:43 CET Mon Sep 8 2008
> >
> > System image file is "disk0:c7200-p-mz.122-25.S11.bin"
> >
> >
> >
> > Cisco 7206VXR (NPE400) processor (revision A) with 491520K/32768K bytes of
> > memory.
> >
> > Processor board ID 23690131
> >
> > R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2 Cache
> >
> > 6 slot VXR midplane, Version 2.3
> >
> >
> >
> > Last reset from watchdog reset
> >

From dgranzer at gmail.com Thu Sep 11 08:12:27 2008
From: dgranzer at gmail.com (David Granzer)
Date: Thu, 11 Sep 2008 14:12:27 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080905120724.GI15736@rtp-cse-489.cisco.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com>
Message-ID: <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>

Hello,

On 9/5/08, Rodney Dunn wrote:
> But make sure you do:
>
> config t
> int null 0
> no ip unreachables
>
> The ACL drops are, last I checked, rate limit punts.
>
> If it's high CPU at IP Input really need 12.4(20)T and get
> a sniffer trace in the punt path to see what traffic it really is.

How to sniff traffic punted to CPU (control-plane) on 7200/7301 platform? Is there something like rp-inband/sp-inband for 6500?

Thanks,
David

On the 6500 is available SPAN RP-Inband and SP-Inband

>
>
> Rodney
>
>
> On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> > On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> > > 2008/9/4 Stephen Kratzer :
> > > > The 'log' keyword will cause matching packets to not be CEF switched.
> > >
> > > nope, log is not present.
> > >
> > > > Also, if
> > > > you're denying a lot of traffic from a certain source, you might want to
> > > > just bit-bucket it rather than sending ICMP responses.
> > >
> > > you mean - "no ip unreachables"?
> >
> > You could match the access list in a route map and set the outbound interface
> > to Null0.
>

From blahu77 at gmail.com Thu Sep 11 08:19:07 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 11 Sep 2008 13:19:07 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
Message-ID: <383357750809110519p3fb19f3at2754a9b197130af@mail.gmail.com>

>> If it's high CPU at IP Input really need 12.4(20)T and get
>> a sniffer trace in the punt path to see what traffic it really is.
>
> How to sniff traffic punted to CPU (control-plane) on 7200/7301
> platform ? Is there something like rp-inband/sp-inband for 6500 ?
>

I am not sure how, but I read the Release notes for 12.4.20T and they have some sort of packet dumper that can be attached to the punted path.
--
-mat

From blahu77 at gmail.com Thu Sep 11 08:23:49 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 11 Sep 2008 13:23:49 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809110519p3fb19f3at2754a9b197130af@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com> <383357750809110519p3fb19f3at2754a9b197130af@mail.gmail.com>
Message-ID: <383357750809110523j3c43f2ebnf2f4c17f37b71f9d@mail.gmail.com>

> I am not sure how, but I read the Release notes for 12.4.20T and they
> have some sort of packet dumper that can be attached to the punted
> path.
the presentation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/ps9497/prod_presentation_12_4_20T.pdf

--
-mat

From blahu77 at gmail.com Thu Sep 11 08:29:05 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 11 Sep 2008 13:29:05 +0100
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <200809041456.01591.kratzers@pa.net> <383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com> <200809041546.23959.kratzers@pa.net> <20080905120724.GI15736@rtp-cse-489.cisco.com> <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
Message-ID: <383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com>

>
> How to sniff traffic punted to CPU (control-plane) on 7200/7301
> platform ? Is there something like rp-inband/sp-inband for 6500 ?

seems 7301 is not "there yet"

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9002099

-> supported hardware = Cisco Integrated Services Routers, Cisco 7200 Series Routers

--
-mat

From branto at branto.com Thu Sep 11 09:00:04 2008
From: branto at branto.com (Brant I. Stevens)
Date: Thu, 11 Sep 2008 09:00:04 -0400
Subject: [c-nsp] Datacenter Network Design
In-Reply-To: <89944ef40809110015k28ea0ca7k219da9a68a02b374@mail.gmail.com>
Message-ID:

The Solutions Reference Network Design page on Cisco's site is a good resource for network designs.
http://www.cisco.com/go/srnd

-Brant

On 9/11/08 3:15 AM, "root net" wrote:
> John,
>
> If you are going to build a Cisco network you should spend some time on
> www.cisco.com and look at all of their configuration examples and
> whitepapers for specific gear you are looking at or working on. Here are
> some books I would suggest:
>
> Cisco Press:
> Data Center Fundamentals
> End-to-End QoS Network Design
> Designing for Cisco Internetwork Solutions
> Designing Cisco Network Architectures
> Network Management Fundamentals
>
> www.cisco.com: (Research)
>
> HSRP
> STP
> InterVLAN routing
> IEEE Bridging
> BGP
> OSPF
> L2TPV3
> MPLS / VPN
> IOS information
>
> Others:
> Administering Data Centers
>
> APC Data Center University (online classes) Some are FREE some are not.
>
> This is all I could think of since it's so late. DR will come when you
> start digging into the protocols and other information. Far as
> storage/backup iSCSI is your friend so build a GbE network. OpenFiler,
> NetApp, MyIVault.
>
> From the start your facility will need to handle your immediate needs and
> growth or at least have the ability to scale (I would say maybe 10-20%
> growth for small budgets). Look at environmentals, power, fire protection:
> HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled
> water vs. air cooled), Power Requirements (Single Phase, Three Phase 208V
> /480V, UPS, Transfer switches, portable generators, generator), Raised
> Flooring vs. Anti-Static VCT, Security monitoring, water monitoring,
> temperature monitoring, and lastly Pre-action vs. plain wet system.
>
> Getting a separate Internet feed would be wise unless it's just cost
> prohibitive. Start out with maybe 10Mbit pipe and go from there. This all
> depends on your customer's applications and servers. What they will be
> transferring and etc.
>
> Look into open source products as these are FREE and can help you. (e.g.
> nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others)
>
> Rule of thumb: A good data center will have proactive measures and policies
> in place to monitor, maintain, and procure. With that said monitor
> everything (I mean everything) and have all staff alerted on all levels SMS,
> e-mail, phone if possible automatically. It's not about downtime so much
> it's how you procure the situation in a specific time frame. Customer
> service is a must.
>
> You will need to make the call on the gear you use but I use a mixture of
> Cisco, Extreme, and Juniper. For data centers it's a must for hot swappable
> gear so look into carrier class gear with redundant process, power
> supplies, hot swappable line cards. I would recommend Cisco 6500 Series,
> Cisco 7200 Series, Cisco ASA or Pix. I am not too fond of the Juniper
> firewall licensing. BTW, Cisco 2800/3600 Series may even work. Depends on
> your throughput capabilities you are needing. Research all aspects of your
> gear from ram, flash, processor speeds, to throughput, modules, IOS, and hot
> swappable needs.
>
>
> The above will get you started.
>
> rootnet08
>
> On 9/10/08, John Ramz wrote:
>>
>> We are looking into start hosting our customers' apps and data and would
>> like for you to provide me link to internet resources (or books) to get me
>> started on a network design that includes:
>>
>> - 3rd party Compliance (security for example)
>> - Redundancy (routers, firewalls, switches)
>> - load balancing
>> - VLANS
>> - Virtual servers
>> - Backup- SANs-
>> - Disaster recovery
>> - How to keep customers separated from our regular network?
>> - How to keep customers totally isolated from each other?
>> - Access from our network to the Datacenter network for our developers to
>> work with our customers?
>> Also for our IT people to service, monitor and
>> maintain that network
>
> I have thought of getting an Internet pipe just for the Datacenter network
>> and with all the above mentioned components and then figure out the way and
>> procedures to connect our company network with that one for the different
>> items I already mentioned.
>>
>> Has anyone been involved in a project like that could elaborate as much as
>> possible on the subject?
>>
> Please shed some light with me on where to start and build from there?
>>
>> Thanks
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Thu Sep 11 09:03:30 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 11 Sep 2008 09:03:30 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com>
	<200809041456.01591.kratzers@pa.net>
	<383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com>
	<200809041546.23959.kratzers@pa.net>
	<20080905120724.GI15736@rtp-cse-489.cisco.com>
	<844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
Message-ID: <20080911130330.GB23118@rtp-cse-489.cisco.com>

You go to 12.4(20)T and do an EPC capture on the punt path.

I'm going to type up a wiki showing some examples today I hope. I'll try
to post it back out.
Rodney

On Thu, Sep 11, 2008 at 02:12:27PM +0200, David Granzer wrote:
> Hello,
>
> On 9/5/08, Rodney Dunn wrote:
> > But make sure you do:
> >
> > config t
> > int null 0
> > no ip unreachables
> >
> > The ACL drops are, last I checked, rate limit punts.
> >
> > If it's high CPU at IP Input really need 12.4(20)T and get
> > a sniffer trace in the punt path to see what traffic it really is.
>
> How to sniff traffic punted to CPU (control-plane) on 7200/7301
> platform ? Is there something like rp-inband/sp-inband for 6500 ?
>
> Thanks,
> David
>
> > On the 6500 is available SPAN RP-Inband and SP-Inband
> >
> > Rodney
> >
> > On Thu, Sep 04, 2008 at 03:46:23PM -0400, Stephen Kratzer wrote:
> > > On Thursday 04 September 2008 15:12:12 Mateusz Błaszczyk wrote:
> > > > 2008/9/4 Stephen Kratzer :
> > > > > The 'log' keyword will cause matching packets to not be CEF switched.
> > > >
> > > > nope, log is not present.
> > > >
> > > > > Also, if
> > > > > you're denying a lot of traffic from a certain source, you might want to
> > > > > just bit-bucket it rather than sending ICMP responses.
> > > >
> > > > you mean - "no ip unreachables"?
> > >
> > > You could match the access list in a route map and set the outbound interface
> > > to Null0.
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >

From rodunn at cisco.com Thu Sep 11 09:06:26 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 11 Sep 2008 09:06:26 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com>
	<200809041456.01591.kratzers@pa.net>
	<383357750809041212h2e17aaa2i967ba4ffc3e4c3de@mail.gmail.com>
	<200809041546.23959.kratzers@pa.net>
	<20080905120724.GI15736@rtp-cse-489.cisco.com>
	<844ef89c0809110512r5ce679b4i8c7cd83c78015077@mail.gmail.com>
	<383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com>
Message-ID: <20080911130626.GC23118@rtp-cse-489.cisco.com>

That's wrong. The 7301 is basically a 1RU 72xx/G2 combo.

It's there so try it. The code is on Cisco.com as I just checked.

Rodney

On Thu, Sep 11, 2008 at 01:29:05PM +0100, Mateusz Błaszczyk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > > How to sniff traffic punted to CPU (control-plane) on 7200/7301
> > platform ? Is there something like rp-inband/sp-inband for 6500 ?
>
> seems 7301 is not "there yet"
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9002099
>
> - -> supported hardware = Cisco Integrated Services Routers, Cisco 7200
> Series Routers
>
> - --
> - -mat
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIyQ8PIvBv0k5esR4RAgbqAKCCsuNAoMvXfalc3lux6uUEjXd9EQCdFEJ4
> +nA2PXfs/XbNHAaUgAXQ/GQ=
> =1+wU
> -----END PGP SIGNATURE-----

From Kevin.X.White at corusgroup.com Thu Sep 11 09:20:03 2008
From: Kevin.X.White at corusgroup.com (Kevin.X.White at corusgroup.com)
Date: Thu, 11 Sep 2008 14:20:03 +0100
Subject: [c-nsp] 100FX Ports or Media Convertors?
In-Reply-To: 
Message-ID: 

Hi, we have quite a lot of 100Mb fibre distribution but it is spread across
many locations so 24 fibre ports out from any location is just about
enough.

My question is now, the 3550-FX has gone and I need to replace some units
the way forward with integrated ports is the 3750 with 24FX + 4 SFP @ ~
$7000
A 3650 with 24x Media convertors with dual PSU shelves @ ~ $5000

We have had quite a few 3550 MTRJ 100FX ports partially fail (high RX
drops) in the past causing all kinds of fun and games with STP
So even with the extra points of failure the Media convertors are looking
tempting as failed units can be simply replaced.

Any comments welcomed.

Kevin
**********************************************************************
This transmission is confidential and must not be used or disclosed by
anyone other than the intended recipient. Neither Tata Steel UK Limited nor
any of its subsidiaries can accept any responsibility for any use or
misuse of the transmission by anyone.
For address and company registration details of certain entities within
the Corus group of companies, please visit http://www.corusgroup.com/entities
**********************************************************************

From justin at justinshore.com Thu Sep 11 09:39:39 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 11 Sep 2008 08:39:39 -0500
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
In-Reply-To: 
References: <48C82646.7040402@forthnet.gr>
Message-ID: <48C91F9B.90606@justinshore.com>

I have it on a 7206VXR running 12.4(15)T2.

7206-1.clr(config)#logging host ?
  Hostname or A.B.C.D  IP address of the syslog server
  ipv6                 Configure IPv6 syslog server

7206-1.clr(config)#logging host 1.2.3.4 ?
  discriminator         Specify a message discriminator indentifier for this logging session
  filtered              Enable filtered logging
  sequence-num-session  Include session sequence number tag in syslog message
  session-id            Specify syslog message session ID tagging
  transport             Specify the transport protocol (default=UDP)
  vrf                   Set VRF option
  xml                   Enable logging in XML

7206-1.clr(config)#logging host 1.2.3.4 tr
7206-1.clr(config)#logging host 1.2.3.4 transport ?
  beep  Blocks Extensible Exchange Protocol
  tcp   Transport Control Protocol
  udp   User Datagram Protocol

7206-1.clr(config)#logging host 1.2.3.4 transport udp ?
  discriminator         Specify a message discriminator indentifier for this logging session
  filtered              Enable filtered logging
  port                  Specify the UDP port number (default=514)
  sequence-num-session  Include session sequence number tag in syslog message
  session-id            Specify syslog message session ID tagging
  xml                   Enable logging in XML

7206-1.clr(config)#logging host 1.2.3.4 transport udp port ?
  <1-65535>  Port number

I also see the command on a 3660 running 12.3(14)T7. I have it on a 3560E
running 12.2(44)SE2 but not on a 3750 running 12.2(25)SEB. I do however
have it on a 3560G and a basic 3560 running 12.2(44)SE2. I also have it on
a Sup720-3BXL in a 7600 running SRB1.
Looks like it's available for the older platforms with the right IOS. Justin Christian Koch wrote: > checked for any switches after the inputting the ip address on logging > host command but nothing was available > > > #logging host 1.1.1.1 transport ? > % Unrecognized command > > > On Wed, Sep 10, 2008 at 3:55 PM, Tassos Chatzithomaoglou > wrote: >> Have you tried "logging host XXX transport udp port Y"? >> >> -- >> Tassos >> >> Christian Koch wrote on 10/09/2008 19:41: >>> I know i can set the remote syslog port on ASA/PIX's, but i don't seem >>> to see that it is possible in IOS. >>> >>> I wanted to segregate logs by sending them from certain devices to >>> separate syslog ports >>> >>> Can anyone confirm this behavior? >>> >>> Has anyone had the need to do something similar? >>> >>> Thanks >>> >>> >>> Christian >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff-kell at utc.edu Thu Sep 11 09:50:51 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Thu, 11 Sep 2008 09:50:51 -0400 Subject: [c-nsp] 100FX Ports or Media Convertors? In-Reply-To: References: Message-ID: <48C9223B.5030502@utc.edu> Kevin.X.White at corusgroup.com wrote: > Hi, we have quite a lot of 100Mb fibre distribution but it is spread across > many locations so 24 fibre ports out from any location is just about > enough. > > My question is now, the 3550-FX has gone and I need to replace some units > the way forward with integrated ports is the 3750 with 24FX + 4 SFP There is the SFP-only version WS-C3750G-12S. 
Or find some used 2912MF-XLs :-)

Jeff

From streiner at cluebyfour.org Thu Sep 11 09:58:38 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 11 Sep 2008 09:58:38 -0400 (EDT)
Subject: [c-nsp] 100FX Ports or Media Convertors?
In-Reply-To: 
References: 
Message-ID: 

On Thu, 11 Sep 2008, Kevin.X.White at corusgroup.com wrote:

> My question is now, the 3550-FX has gone and I need to replace some units
> the way forward with integrated ports is the 3750 with 24FX + 4 SFP @ ~
> $7000
> A 3650 with 24x Media convertors with dual PSU shelves @ ~ $5000
>
> We have had quite a few 3550 MTRJ 100FX ports partially fail (high RX
> drops) in the past causing all kinds of fun and games with STP
> So even with the extra points of failure the Media convertors are looking
> tempting as failed units can be simply replaced.

I have a few devices and buildings on campus that I feed at 100FX, both
from 4500s with MTRJ blades and from 3750s with the 100FX SFPs and both
seem to be pretty reliable. I haven't seen the 'live' failure rates on
the 100FX SFPs to be much better or worse than the GE SFPs we use all
over the place.

My personal choice is to go with the SFPs, rather than something that
requires additional external pieces of gear, however I've never used the
3650 + media converters, so I can't speak to their reliability.

jms

From s00664233 at gmail.com Thu Sep 11 09:57:47 2008
From: s00664233 at gmail.com (cc loo)
Date: Thu, 11 Sep 2008 21:57:47 +0800
Subject: [c-nsp] Inter VRF Routing help needed
Message-ID: <49999c420809110657k2b66807dqa670b30e1c01a3ef@mail.gmail.com>

Hi All,

im pretty new to networking and require some assistance here with VRF-lite

Scenario :

i would like to establish a hub-and-spoke topology with multiple VRFs.
vrf_Hub is created, with interface fa0/0 and ip address of 10.0.0.1/24 vrf_customer_A is created with interface fa0/1.1 and ip address of 192.168.1.1/24 vrf_customer_B is created with interface fa0/1.2 and ip address of 192.168.2.1/24 I would like vrf_customer_A to exchange routes with vrf_HUB but not vrf_customer_B, and vrf_customer_B with vrf_Hub but not vrf_customerA. Basically, each customer vrf can only see the hub, but not each other. I tried following the guide at http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r60docs/r60ethgd/546vrf.htm i created afew instances of vrf, tried import/export the RDs but my routing table still only show routes that are "connected" in the vrf only. I've heard that i require ospf or bgp to exchange routes between vrf (within the same router). What is the simplest method to achieve my desired scenario ? From rootnet08 at gmail.com Thu Sep 11 10:12:24 2008 From: rootnet08 at gmail.com (root net) Date: Thu, 11 Sep 2008 09:12:24 -0500 Subject: [c-nsp] 100FX Ports or Media Convertors? In-Reply-To: <48C9223B.5030502@utc.edu> References: <48C9223B.5030502@utc.edu> Message-ID: <89944ef40809110712h6fe21165w615ae8fafefdd5ed@mail.gmail.com> I seconded the 2912MF...or Catalyst 5500 with fiber cards. I am sure you can pick up dirt cheap. rootnet On Thu, Sep 11, 2008 at 8:50 AM, Jeff Kell wrote: > Kevin.X.White at corusgroup.com wrote: > > Hi, we have quite a lot of 100Mb fibre distribution but it is spread > across > > many locations so 24 fibre ports out from any location is just about > > enough. > > > > My question is now, the 3550-FX has gone and I need to replace some units > > the way forward with integrated ports is the 3750 with 24FX + 4 SFP > > There is the SFP-only version WS-C3750G-12S. 
Or find some used > 2912MF-XLs :-) > > Jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From philxor at gmail.com Thu Sep 11 10:39:54 2008 From: philxor at gmail.com (Phil Bedard) Date: Thu, 11 Sep 2008 10:39:54 -0400 Subject: [c-nsp] Datacenter Network Design In-Reply-To: References: Message-ID: This is a good guide from Cisco. http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf Phil On Sep 11, 2008, at 9:00 AM, Brant I. Stevens wrote: > The Solutions Reference Network Design page on Cisco's site is a good > resource for network designs. http://www.cisco.com/go/srnd > > -Brant > > On 9/11/08 3:15 AM, "root net" wrote: > >> John, >> >> If you are going to build a Cisco network you should spend some >> time on >> www.cisco.com and look at all of their configuration examples and >> whitepapers for specific gear you are looking at or working on. >> Here are >> some books I would suggest: >> >> Cisco Press: >> Data Center Fundamentals >> End-to-End QoS Network Design >> Designing for Cisco Internetwork Solutions >> Designing Cisco Network Architectures >> Network Management Fundamentals >> >> www.cisco.com: (Research) >> >> HSRP >> STP >> InterVLAN routing >> IEEE Bridging >> BGP >> OSPF >> L2TPV3 >> MPLS / VPN >> IOS information >> >> Others: >> Administering Data Centers >> >> APC Data Center University (online classes) Some are FREE some are >> not. >> >> This is all I could think of since it's so late. DR will come when >> you >> start digging into the protocols and other information. Far as >> storage/backup iSCSI is your friend so build a GbE network. >> OpenFiler, >> NetApp, MyIVault. >> >>> From the start your facility will need to handle your immediate >>> needs and >> growth or at least have the ability to scale (I would say maybe >> 10-20% >> growth for small budgets). 
Look at evironmentals, power, fire >> protection: >> HVAC (spot coolers vs. ductless split systems vs. ducted systems, >> chilled >> water vs. air cooled), Power Requirements (Single Phase, Three >> Phase 208V >> /480V, UPS, Transfer switches, portable generators, generator), >> Raised >> Flooring vs. Anti-Static VCT, Security monitoring, water monitoring, >> temperature monitoring, and lastly Pre-action vs. plain wet system. >> >> Getting a seperate Internet feed would be wise unless it's just cost >> prohibitive. Start out with maybe 10Mbit pipe and go from there. >> This all >> depends your customer's applications and servers. What they will be >> transfering and etc. >> >> Look into open source products as these are FREE and can help you. >> (e.g. >> nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others) >> >> Rule of thumb: A good data center will have proactive measures and >> policies >> in place to monitor, maintain, and procure. With that said monitor >> everything (I mean everything) and have all staff alerted on all >> levels SMS, >> e-mail, phone if possible automatically. It's not about downtime >> so much >> it's how you procure the situation in a specific time frame. >> Customer >> serivce is a must. >> >> You will need to make the call on the gear you use but I use a >> mixture of >> Cisco, Extreme, and Juniper. For data centers it's a must for hot >> swappable >> gear so look in to carrier class gear with redundant process, power >> supplies, hot swappable line cards. I would recommend Cisco 6500 >> Series, >> Cisco 7200 Series, Cisco ASA or Pix. I am not to fond of the Juniper >> firewall licensing. BTW, Cisco 2800/3600 Series may even work. >> Depends on >> your throughput capabilities you are needing. Research all aspects >> of your >> gear from ram, flash, processor speeds, to throughput, modules, >> IOS, and hot >> swappable needs. >> >> >> The above will get you started. 
>> >> rootnet08 >> >> On 9/10/08, John Ramz wrote: >>> >>> We are looking into start hosting our customers' apps and data and >>> would >>> like for you to provide me link to internet resources (or books) >>> to get me >>> started on a network design that includes: >>> >>> - 3rd party Compliance (security for example) >>> - Redundancy (routers, firewalls, switches) >>> - load balancing >>> - VLANS >>> - Virtual servers >>> - Backup- SANs- >>> - Disaster recovery >>> - How to keep customers separated from our regular network? >>> - How to keep customers totally isolated from each other? >>> - Access from our network to the Datacenter network for our >>> developers to >>> work with our customers? Also for our IT people to service, >>> monitor and >>> maintain that network >> >> I have thought of getting an Internet pipe just for the Datacenter >> network >>> and with all the above mentioned components and then figure out >>> the way and >>> procedures to connect our company network with that one for the >>> different >>> items I already mentioned. >>> >>> Has anyone been involved in a project like that could elaborate as >>> much as >>> possible on the subject? >>> >> Please shed some light with me on where to start and build from >> there? 
>>> >>> Thanks >>> >>> >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From oboehmer at cisco.com Thu Sep 11 10:41:36 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 11 Sep 2008 16:41:36 +0200 Subject: [c-nsp] Inter VRF Routing help needed In-Reply-To: <49999c420809110657k2b66807dqa670b30e1c01a3ef@mail.gmail.com> References: <49999c420809110657k2b66807dqa670b30e1c01a3ef@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784060258F9@xmb-ams-333.emea.cisco.com> cc loo <> wrote on Thursday, September 11, 2008 3:58 PM: > Hi All, > im pretty new to networking and require some assistance here with > VRF-lite > > Scenario : > > i would like to establish a hub-and-spoke topology with multiple VRFs. > ... > > I would like vrf_customer_A to exchange routes with vrf_HUB but not > vrf_customer_B, > and vrf_customer_B with vrf_Hub but not vrf_customerA. > > Basically, each customer vrf can only see the hub, but not each other. > I tried following the guide at > http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r60docs/r60eth gd/546vrf.htm > > i created afew instances of vrf, tried import/export the RDs but my > routing table still only show routes that are "connected" in the vrf > only. > I've heard that i require ospf or bgp to exchange routes between vrf > (within the same router). 
>
> What is the simplest method to achieve my desired scenario ?
>

I guess you are talking about vrf-lite (i.e. no mpls involved). you can
do it like that:

ip vrf customer_A
 rd 1:1
 route-target export 1:100
 route-target import 1:900
!
ip vrf customer_B
 rd 1:2
 route-target export 1:200
 route-target import 1:900
!
ip vrf Hub
 rd 1:9
 route-target export 1:900
 route-target import 1:100
 route-target import 1:200
!
router bgp 65000
 address-family ipv4 vrf customer_A
  redistribute static
  redistribute connected
 address-family ipv4 vrf customer_B
  redistribute static
  redistribute connected
 address-family ipv4 vrf Hub
  redistribute static
  redistribute connected

If you add routing protocols to it, you also need to redistribute those
into BGP. all the import/export stuff is done via BGP..

	oli

From s00664233 at gmail.com Thu Sep 11 11:05:18 2008
From: s00664233 at gmail.com (cc loo)
Date: Thu, 11 Sep 2008 23:05:18 +0800
Subject: [c-nsp] Inter VRF Routing help needed
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784060258F9@xmb-ams-333.emea.cisco.com>
References: <49999c420809110657k2b66807dqa670b30e1c01a3ef@mail.gmail.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED784060258F9@xmb-ams-333.emea.cisco.com>
Message-ID: <49999c420809110805s23458537j90da85133d06790a@mail.gmail.com>

Hi Oliver,

Thanks for the quick reply.

Indeed i was referring to VRF-LITE

In the cisco.com example, they gave this

Router(config)# ip vrf customer_a
Router(config-vrf)# rd 1:1 <----
Router(config-vrf)# route-target both 1:1 <----
Router(config)# interface fastEthernet 0.1
Router(config-subif)# ip vrf forwarding customer_a

is there any specific reason why cisco recommends using "both"
(export/import) for its own RD ?

Oliver's example is here, but i would like to confirm if 1:100 is a
typo or should it be 1:1 (like its own RD?):

ip vrf customer_A
 rd 1:1 <-----
 route-target export 1:100 <----
 route-target import 1:900

I was wondering if this is the correct place to post newbie
questions like these ?
Im a junior engineer in a singaporean isp, hoping to learn more tricks and tips in the field of IP planning :D On Thu, Sep 11, 2008 at 10:41 PM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > cc loo <> wrote on Thursday, September 11, 2008 3:58 PM: > > > Hi All, > > im pretty new to networking and require some assistance here with > > VRF-lite > > > > Scenario : > > > > i would like to establish a hub-and-spoke topology with multiple VRFs. > > > ... > > > > I would like vrf_customer_A to exchange routes with vrf_HUB but not > > vrf_customer_B, > > and vrf_customer_B with vrf_Hub but not vrf_customerA. > > > > Basically, each customer vrf can only see the hub, but not each other. > > I tried following the guide at > > > http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r60docs/r60eth > gd/546vrf.htm > > > > i created afew instances of vrf, tried import/export the RDs but my > > routing table still only show routes that are "connected" in the vrf > > only. > > I've heard that i require ospf or bgp to exchange routes between vrf > > (within the same router). > > > > What is the simplest method to achieve my desired scenario ? > > > > I guess you are talking about vrf-lite (i.e. no mpls involved). you can > do it like that: > > ip vrf customer_A > rd 1:1 > route-target export 1:100 > route-target import 1:900 > ! > ip vrf customer_B > rd 1:2 > route-target export 1:200 > route-target import 1:900 > ! > ip vrf Hub > rd 1:9 > route-target export 1:900 > route-target import 1:100 > route-target import 1:200 > ! > router bgp 65000 > address-fam ipv4 vrf customer_A > redistribute static > redistribute connected > address-fam ipv4 vrf customer_B > redistribute static > redistribute connected > address-fam ipv4 vrf Hub > redistribute static > redistribute connected > > > If you add routing protocols to it, you also need to redistribute those > into BGP. all the import/export stuff is done via BGP.. 
>
> oli
>

From oboehmer at cisco.com Thu Sep 11 11:14:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 11 Sep 2008 17:14:24 +0200
Subject: [c-nsp] Inter VRF Routing help needed
In-Reply-To: <49999c420809110805s23458537j90da85133d06790a@mail.gmail.com>
References: <49999c420809110657k2b66807dqa670b30e1c01a3ef@mail.gmail.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED784060258F9@xmb-ams-333.emea.cisco.com>
	<49999c420809110805s23458537j90da85133d06790a@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406025945@xmb-ams-333.emea.cisco.com>

cc loo wrote on Thursday, September 11, 2008 5:05 PM:

> Hi Oliver,
>
> Thanks for the quick reply.
>
> Indeed i was referring to VRF-LITE
>
> In the cisco.com example, they gave this
> Router(config)# ip vrf customer_a
> Router(config-vrf)# rd 1:1 <----
> Router(config-vrf)# route-target both 1:1 <----
> Router(config)# interface fastEthernet 0.1
> Router(config-subif)# ip vrf forwarding customer_a
>
> is there any specific reason why cisco recommends using "both"
> (export/import) for its own RD ?

the RD is not exported, the RT is. see answer to next question. Well,
the "import" is not really needed in this specific case as there is no
other VRF exporting routes with this route-target (so no point importing
it).

>
> Oliver's example is here, but i would like to confirm if 1:100 is a
> typo or should it be 1:1 (like its own RD?):
> ip vrf customer_A
>  rd 1:1 <-----
>  route-target export 1:100 <----
>  route-target import 1:900

RD and route-target are different things. They can be the same, but they
must not be (in an mpls-vpn, they usually aren't the same as the RD is
unique per PE per VRF).

> I was wondering if this is the correct place to post newbie
> questions like these ?
> Im a junior engineer in a singaporean isp, hoping to learn more
> tricks and tips in the field of IP planning :D

well, I guess it's like all lists where folks help each other: If people
see that you haven't done your homework, you might not get a reply.

	oli

From claes at gastabud.com Thu Sep 11 10:57:29 2008
From: claes at gastabud.com (Claes Jansson)
Date: Thu, 11 Sep 2008 16:57:29 +0200
Subject: [c-nsp] 100FX Ports or Media Convertors?
In-Reply-To: 
References: 
Message-ID: <200809111457.m8BEvaRj013107@ns.gastabud.com>

Hi, i highly recommend using the ME-3400-24FS-A with GLC-FE-100FX SFPs.
Switch cost about 1500$ and the SFPs about 65$ a piece.

The 3550s lack some features that the me3400 series has. And it handles
'ip arp inspection' much better...

Using media converters has several disadvantages. More complex
installation, uses more rack-space, more power and generates quite a lot
of heat... And some switching media-converters also "hides" packet errors
on the fiber side. And some generate not-wanted pause frames, disrupting
traffic...

//Claes

At 15:20 2008-09-11, you wrote:
>Hi, we have quite a lot of 100Mb fibre distribution but it is spread across
>many locations so 24 fibre ports out from any location is just about
>enough.
>
>My question is now, the 3550-FX has gone and I need to replace some units
>the way forward with integrated ports is the 3750 with 24FX + 4 SFP @ ~
>$7000
>A 3650 with 24x Media convertors with dual PSU shelves @ ~ $5000
>
>We have had quite a few 3550 MTRJ 100FX ports partially fail (high RX
>drops) in the past causing all kinds of fun and games with STP
>So even with the extra points of failure the Media convertors are looking
>tempting as failed units can be simply replaced.
>
>Any comments welcomed.
>
>Kevin
>**********************************************************************
>This transmission is confidential and must not be used or disclosed by
>anyone other than the intended recipient.
Neither Tata Steel UK Limited nor >any of its subsidiaries can accept any responsibility for any use or >misuse of the transmission by anyone. > >For address and company registration details of certain entities >within the Corus group of companies, please visit >http://www.corusgroup.com/entities > >********************************************************************** > >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Thu Sep 11 11:28:50 2008 From: justin at justinshore.com (Justin Shore) Date: Thu, 11 Sep 2008 10:28:50 -0500 Subject: [c-nsp] EoMPLS between C7206 and C3845 In-Reply-To: References: Message-ID: <48C93932.4080308@justinshore.com> Is that an EtherSwitch "Network" module or "Service" module? They are very different beasts. I'd imagine that you were using the Network module and that the problem could have been avoided with a Service module. http://tinyurl.com/2ok8ox The Service module literally acts as an independent switch that happens to be mounted inside the ISR chassis. I don't have a solution for your EoMPLS problem when using the Network module unfortunately. Maybe someone from Cisco can chime in on that one. Justin Junaid wrote: > Hi, > > I have narrowed the problem. Now EoMPLS is working between the two > routers - the change is that instead of connecting CE2 to the > EtherSwitch module of C3845, I have connected it on an external 2950 > switch which is then dot1q trunked to C3845. The problem appears when > I connect the host on the EtherSwitch port. The configuration on the > routing portion of C3845 is exactly same in both cases and the config > on the 2950 and EtherSwitch is similar. Does anyone has any experience > of running EoMPLS on C3845 with a host on an EtherSwitch module port? 
> Is there any special consideration that needs to be catered for in > such a scenario? > > Will appreciate any help. > > Regards, > Junaid > > > On Thu, Aug 7, 2008 at 2:15 AM, Junaid wrote: >> Hi, >> >> I am trying to make EoMPLS (VLAN mode) to work between a 7206VXR >> (NPE400) running c7200-jk9s-mz.123-21.bin and a 3845 running >> c3845-advipservicesk9-mz.124-15.T.bin. These two PE routers are >> connected back-to-back via FastEthernet. The customers are connected >> via a switch connected to each PE: >> >> CE1 --- Switch --- PE1 --- PE2 --- Switch --- CE2 >> >> The control place comes up without any issue: >> >> C7200-PE1#sh mpls l2transport vc de >> Local interface: Fa0/0.3 up, line protocol up, Eth VLAN 3 up >> Destination address: XXXXX (loopback ip of PE2), VC ID: 100, VC status: up >> Next hop: XXXXXX (ip of PE2's interface connected with PE1) >> Output interface: Fa3/0, imposed label stack {234} >> Create time: 04:55:52, last status change time: 04:22:07 >> Signaling protocol: LDP, peer XXXXX (loopback ip of PE2):0 up >> MPLS VC labels: local 2207, remote 234 >> Group ID: local 0, remote 0 >> MTU: local 1500, remote 1500 >> Remote interface description: MPLS TEST >> Sequencing: receive disabled, send disabled >> VC statistics: >> packet totals: receive 658, send 558 >> byte totals: receive 61117, send 57759 >> packet drops: receive 0, send 0 >> >> >> C3845-PE2#sh mpls l2transport vc de >> Local interface: Gi4/0.3 up, line protocol up, Eth VLAN 3 up >> Destination address: XXXXX (loopback ip of PE1), VC ID: 100, VC status: up >> Next hop: XXXXXX (ip of PE1's interface connected with PE2) >> Output interface: Gi0/0, imposed label stack {2207} >> Create time: 05:06:06, last status change time: 04:42:00 >> Signaling protocol: LDP, peer XXXXX (loopback ip of PE1):0 up >> MPLS VC labels: local 234, remote 2207 >> Group ID: local 0, remote 0 >> MTU: local 1500, remote 1500 >> Remote interface description: MPLS test >> Sequencing: receive disabled, send disabled 
>>   VC statistics:
>>     packet totals: receive 807, send 697
>>     byte totals:   receive 81235, send 63925
>>     packet drops:  receive 0, seq error 0, send 0
>>
>>
>> But the data plane is having severe issues. I cannot ping end-to-end
>> from the CEs. It seems that when I ping CE1 from CE2 (i.e. from the CE
>> connected to 3845), ARP works and I am able to send a ping packet to
>> CE1. But CE1 never receives it. On the other side, CE2 does not get
>> replies to its own ARP requests. Once I statically bind the mac
>> address of CE2 on CE1, CE1 sends an ICMP packet to CE2 and CE2 replies
>> to it but CE1 never receives the reply. It seems that the communication
>> is one way, from CE1 (one behind C7206) to CE2 (one behind C3845) and
>> not the other way round. I replaced C3845 with C7206 and there was no
>> issue in the data plane.
>>
>> My question is with the IOS I used for C3845, is EoMPLS not supported
>> on it? As per Cisco's documentation, EoMPLS is supported on the IOS I
>> used for C3845. Anyone have any experience in running EoMPLS on C3845?
>>
>> Another thing I noted was in the following output from C3845, it shows
>> MRU=0 and also there was no outgoing interface attached:
>>
>> C3845-PE2#sh mpls forwarding-table labels 234 detail
>> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
>> tag    tag or VC   or Tunnel Id      switched   interface
>> 234                l2ckt(100)        50732      none       point2point
>>         MAC/Encaps=0/0, MRU=0, Tag Stack{}
>>         No output feature configured
>>
>> While on C7206, the output was as it should be:
>>
>> C7200-PE1#sh mpls forwarding-table labels 2207 detail
>> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
>> tag    tag or VC   or Tunnel Id      switched   interface
>> 2207   Untagged    l2ckt(100)        55853      Fa0/0.3    point2point
>>         MAC/Encaps=0/0, MRU=1500, Tag Stack{}
>>         No output feature configured
>>
>>
>> Any explanations/solutions?
>>
>>
>>
>> Regards,
>>
>> Junaid
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jlewis at lewis.org  Thu Sep 11 11:50:44 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 11 Sep 2008 11:50:44 -0400 (EDT)
Subject: [c-nsp] 6500 netflow export and the switch cpu
Message-ID: 

I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b.  It's forwarding
several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards.

I've noticed it's gotten very slow at certain things (like write mem),
and when looking at the switch (remote command switch show proc cpu), I
was kind of shocked to see 85% CPU utilization or higher across all time
avgs.  The biggest CPU eating process seems to be netflow export

 223  2563111984 126342970      20287 38.27% 42.39% 42.03%   0 NDE - IPV4

Other than disabling export or moving traffic off this device, are there
things I can do to tone this down?  The couple hundred mbit/s this
switch is forwarding is supposed to be no big deal for this platform.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From p.mayers at imperial.ac.uk  Thu Sep 11 12:28:23 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 11 Sep 2008 17:28:23 +0100
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: 
References: 
Message-ID: <48C94727.4030002@imperial.ac.uk>

Jon Lewis wrote:
> I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b.  It's forwarding
> several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards.

That's an old IOS. You should probably consider an upgrade to the later
SXF release (e.g. 10, 11, 14). There are a number of netflow related bugs
referenced in the release notes.
>
> I've noticed it's gotten very slow at certain things (like write mem),
> and when looking at the switch (remote command switch show proc cpu), I
> was kind of shocked to see 85% CPU utilization or higher across all time
> avgs.  The biggest CPU eating process seems to be netflow export
>
>  223  2563111984 126342970      20287 38.27% 42.39% 42.03%   0 NDE - IPV4
>
> Other than disabling export or moving traffic off this device, are there
> things I can do to tone this down?  The couple hundred mbit/s this
> switch is forwarding is supposed to be no big deal for this platform.

It's likely number of flows, rather than bit rate. What do the following say:

sh mls netflow table-contention detailed
sh mls netflow flowmask
sh mls nde
sh platform hardware capacity netflow

From asadh at comcast.net  Thu Sep 11 12:38:48 2008
From: asadh at comcast.net (Asad)
Date: Thu, 11 Sep 2008 16:38:48 +0000
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: 
References: 
Message-ID: <1836781474-1221151128-cardhu_decombobulator_blackberry.rim.net-959829273-@bxe252.bisx.prod.on.blackberry>

You can enable sampling if it is not enabled. It should help some.

Asad
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Jon Lewis
Date: Thu, 11 Sep 2008 11:50:44
To: 
Subject: [c-nsp] 6500 netflow export and the switch cpu

I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b.  It's forwarding
several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards.

I've noticed it's gotten very slow at certain things (like write mem),
and when looking at the switch (remote command switch show proc cpu), I
was kind of shocked to see 85% CPU utilization or higher across all time
avgs.  The biggest CPU eating process seems to be netflow export

 223  2563111984 126342970      20287 38.27% 42.39% 42.03%   0 NDE - IPV4

Other than disabling export or moving traffic off this device, are there
things I can do to tone this down?
The couple hundred mbit/s this
switch is forwarding is supposed to be no big deal for this platform.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jlewis at lewis.org  Thu Sep 11 12:51:17 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 11 Sep 2008 12:51:17 -0400 (EDT)
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: <48C94727.4030002@imperial.ac.uk>
References: <48C94727.4030002@imperial.ac.uk>
Message-ID: 

On Thu, 11 Sep 2008, Phil Mayers wrote:

> What do the following say:
>
> sh mls netflow table-contention detailed

Earl in Module 5
Detailed Netflow CAM (TCAM and ICAM) Utilization
================================================
 TCAM Utilization          : 100%
 ICAM Utilization          : 7%
 Netflow TCAM count        : 262026
 Netflow ICAM count        : 10
 Netflow Creation Failures : 456680
 Netflow CAM aliases       : 0

I guess I need to get more aggressive on the flow aging.
I've been using

mls aging fast time 8 threshold 3
mls aging long 480
mls aging normal 32

> sh mls netflow flowmask

current ip flowmask for unicast: if-full
current ipv6 flowmask for unicast: null

> sh mls nde

Netflow Data Export enabled
Exporting flows to [removed]
Exporting flows from [removed]
Version: 5
Include Filter not configured
Exclude Filter not configured
Total Netflow Data Export Packets are:
    3738467024 packets, 0 no packets, 1041361295 records
Total Netflow Data Export Send Errors:
    IPWRITE_NO_FIB = 0
    IPWRITE_ADJ_FAILED = 0
    IPWRITE_PROCESS = 0
    IPWRITE_ENQUEUE_FAILED = 0
    IPWRITE_IPC_FAILED = 0
    IPWRITE_OUTPUT_FAILED = 0
    IPWRITE_MTU_FAILED = 0
    IPWRITE_ENCAPFIX_FAILED = 0
Netflow Aggregation Disabled

> sh platform hardware capacity netflow

#sh platform hardware capacity netflow
                                  ^
% Invalid input detected at '^' marker.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From s00664233 at gmail.com  Thu Sep 11 13:09:05 2008
From: s00664233 at gmail.com (cc loo)
Date: Fri, 12 Sep 2008 01:09:05 +0800
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: 
References: 
Message-ID: <49999c420809111009ga56f9a1ie60f163c4b87748e@mail.gmail.com>

I was wondering if mirroring the traffic into a server with Netflow probes
(such as fprobe) to help relieve the stress on the router's CPU would be a
wise move? Is this move common in ISP environments or do most of the big
guys just leave the exporting from routers to collectors?

On Thu, Sep 11, 2008 at 11:50 PM, Jon Lewis wrote:
> I've got a 6509 with sup720-3bxl running 12.2(18)SXD7b.  It's forwarding
> several hundred mbit/s across a number of gig ports on WS-X6416-GBIC cards.
>
> I've noticed it's gotten very slow at certain things (like write mem), and
> when looking at the switch (remote command switch show proc cpu), I was kind
> of shocked to see 85% CPU utilization or higher across all time avgs.  The
> biggest CPU eating process seems to be netflow export
>
>  223  2563111984 126342970      20287 38.27% 42.39% 42.03%   0 NDE - IPV4
>
> Other than disabling export or moving traffic off this device, are there
> things I can do to tone this down?  The couple hundred mbit/s this switch is
> forwarding is supposed to be no big deal for this platform.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From p.mayers at imperial.ac.uk  Thu Sep 11 13:09:57 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 11 Sep 2008 18:09:57 +0100
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: 
References: <48C94727.4030002@imperial.ac.uk>
Message-ID: <48C950E5.902@imperial.ac.uk>

Jon Lewis wrote:
> On Thu, 11 Sep 2008, Phil Mayers wrote:
>
>> What do the following say:
>>
>> sh mls netflow table-contention detailed
>
> Earl in Module 5
> Detailed Netflow CAM (TCAM and ICAM) Utilization
> ================================================
>  TCAM Utilization          : 100%
>  ICAM Utilization          : 7%
>  Netflow TCAM count        : 262026
>  Netflow ICAM count        : 10
>  Netflow Creation Failures : 456680
>  Netflow CAM aliases       : 0

Ah. Yes, you're overflowing quite considerably. There's probably not a lot
you can do about this other than drop the flowmask.

>
> I guess I need to get more aggressive on the flow aging.
> I've been using
>
> mls aging fast time 8 threshold 3
> mls aging long 480
> mls aging normal 32
>
>
>> sh mls netflow flowmask
>
> current ip flowmask for unicast: if-full
> current ipv6 flowmask for unicast: null

Do you need the full mask? It includes tcp/udp ports. Dropping to
destination-source may save you a lot of flows (but obviously lose you a lot
of info)

>
>> sh mls nde
>
> Netflow Data Export enabled
> Exporting flows to [removed]
> Exporting flows from [removed]
> Version: 5
> Include Filter not configured
> Exclude Filter not configured
> Total Netflow Data Export Packets are:
>     3738467024 packets, 0 no packets, 1041361295 records
> Total Netflow Data Export Send Errors:
>     IPWRITE_NO_FIB = 0
>     IPWRITE_ADJ_FAILED = 0
>     IPWRITE_PROCESS = 0
>     IPWRITE_ENQUEUE_FAILED = 0
>     IPWRITE_IPC_FAILED = 0
>     IPWRITE_OUTPUT_FAILED = 0
>     IPWRITE_MTU_FAILED = 0
>     IPWRITE_ENCAPFIX_FAILED = 0
> Netflow Aggregation Disabled
>
>> sh platform hardware capacity netflow
>
> #sh platform hardware capacity netflow
>                                   ^

Come to think of it, that's an SXF command.

From sthaug at nethelp.no  Thu Sep 11 13:34:36 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 11 Sep 2008 19:34:36 +0200 (CEST)
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: <1836781474-1221151128-cardhu_decombobulator_blackberry.rim.net-959829273-@bxe252.bisx.prod.on.blackberry>
References: <1836781474-1221151128-cardhu_decombobulator_blackberry.rim.net-959829273-@bxe252.bisx.prod.on.blackberry>
Message-ID: <20080911.193436.41659240.sthaug@nethelp.no>

> You can enable sampling if it is not enabled. It should help some.

Highly unlikely. Sampling on the 6500 is performed entirely in software,
*after* the full set of flows has been received.
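Editor's added example, not part of Steinar Haug's message above or of any other post in this thread: a small Python check that parses the `show mls netflow table-contention detailed` output Jon posted earlier, plus the `show proc cpu` row for the NDE process, and turns the counters into findings. The sample inputs are Jon's posted values re-typed as constructed test data; the 85% TCAM and 30% CPU thresholds are assumptions chosen for the example, not Cisco-documented limits. The remediation text it emits follows the thread: the fixes that matter act on flow creation (aging timers, a narrower flowmask), and sampled export cannot help because it runs after the flow already occupies TCAM.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the 'show mls netflow table-contention detailed'
# output posted in this thread, re-typed here as test data (values as posted).
SAMPLE_CONTENTION = """\
Earl in Module 5
Detailed Netflow CAM (TCAM and ICAM) Utilization
================================================
 TCAM Utilization          : 100%
 ICAM Utilization          : 7%
 Netflow TCAM count        : 262026
 Netflow ICAM count        : 10
 Netflow Creation Failures : 456680
 Netflow CAM aliases       : 0
"""

# Constructed sample: the 'show proc cpu' row for the export process, as posted.
SAMPLE_PROC_LINE = "223 2563111984 126342970 20287 38.27% 42.39% 42.03% 0 NDE - IPV4"

# "label : value" rows; the value may carry a trailing percent sign.
_STAT_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)%?\s*$")

# Columns of 'show proc cpu': PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
_PROC_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<runtime>\d+)\s+(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+"
    r"(?P<five_sec>[\d.]+)%\s+(?P<one_min>[\d.]+)%\s+(?P<five_min>[\d.]+)%\s+"
    r"(?P<tty>\d+)\s+(?P<name>.+?)\s*$"
)


def parse_table_contention(text: str) -> Dict[str, int]:
    """Return e.g. {'TCAM Utilization': 100, 'Netflow Creation Failures': 456680, ...}."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = _STAT_RE.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def parse_proc_cpu_line(line: str) -> Dict[str, object]:
    """Pick the PID, the three CPU averages and the process name out of one row."""
    m = _PROC_RE.match(line)
    if not m:
        raise ValueError("not a 'show proc cpu' process row: %r" % line)
    d = m.groupdict()
    return {
        "pid": int(d["pid"]),
        "five_sec": float(d["five_sec"]),
        "one_min": float(d["one_min"]),
        "five_min": float(d["five_min"]),
        "name": d["name"],
    }


def assess_netflow(stats: Dict[str, int],
                   proc: Optional[Dict[str, object]] = None,
                   tcam_warn_pct: int = 85,
                   proc_warn_pct: float = 30.0) -> List[str]:
    """Turn the parsed counters into findings.  Both thresholds are assumptions
    chosen for this example, not Cisco-documented limits."""
    findings: List[str] = []
    util = stats.get("TCAM Utilization", 0)
    failures = stats.get("Netflow Creation Failures", 0)
    if util >= tcam_warn_pct:
        findings.append("NetFlow TCAM at %d%% (warn at >= %d%%)" % (util, tcam_warn_pct))
    if failures > 0:
        findings.append("%d flow creation failures: the table is overflowing, so the "
                        "exported data is already incomplete" % failures)
    if util >= tcam_warn_pct or failures > 0:
        # The knobs discussed in the thread act on flow *creation*; sampled export
        # runs in software after the flow exists, so it does not free any TCAM.
        findings.append("reduce flow creation: shorter 'mls aging' timers or a narrower "
                        "flowmask (if-full -> destination-source); sampling will not help")
    if proc is not None and proc["five_min"] >= proc_warn_pct:
        findings.append("%s at %.2f%% CPU over 5 min" % (proc["name"], proc["five_min"]))
    return findings


if __name__ == "__main__":
    s = parse_table_contention(SAMPLE_CONTENTION)
    p = parse_proc_cpu_line(SAMPLE_PROC_LINE)
    for finding in assess_netflow(s, p):
        print("-", finding)
```

Feed it the output of the two show commands collected from the switch; on Jon's numbers it reports the TCAM at 100%, the 456680 creation failures, the creation-side remedies, and the NDE process at 42.03% over five minutes.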
Steinar Haug, Nethelp consulting, sthaug at nethelp.no From jlewis at lewis.org Thu Sep 11 13:52:57 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 11 Sep 2008 13:52:57 -0400 (EDT) Subject: [c-nsp] 6500 netflow export and the switch cpu In-Reply-To: <48C950E5.902@imperial.ac.uk> References: <48C94727.4030002@imperial.ac.uk> <48C950E5.902@imperial.ac.uk> Message-ID: On Thu, 11 Sep 2008, Phil Mayers wrote: >> current ip flowmask for unicast: if-full >> current ipv6 flowmask for unicast: null > > Do you need the full mask? It includes tcp/udp ports. Dropping to > destination-source may save you a lot of flows (but obviously lose you a lot > of info) I'd really like to keep ip-full. It's quite handy when tracking down what an IP has been up to (like when trying to verify infection/scanning complaints). ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From vikassharmas at gmail.com Thu Sep 11 14:08:08 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Thu, 11 Sep 2008 23:38:08 +0530 Subject: [c-nsp] F5 BIG IP and FWSM Message-ID: Hi, Did any one have worked on F5 BIG IP and FWSM? If yes please help me. As this point I wanted to know BIG IP and how it should be conected to fwsm, specially in routed mode. My understanding - 6509 (MSFC) --> outside interface of LB --> Inside interface of LB -> FWSM context (multiple context) How bigip will be able to do loadbalancing, when it is not directly connected to servers. All servers d/g is fwsm context. 
Regards, Vikas Sharma From Gregori.Parker at theplatform.com Thu Sep 11 14:28:40 2008 From: Gregori.Parker at theplatform.com (Gregori Parker) Date: Thu, 11 Sep 2008 11:28:40 -0700 Subject: [c-nsp] F5 BIG IP and FWSM In-Reply-To: References: Message-ID: <1A9866F953006D45AEE0166066114E09131ECC3F@TPMAIL02.corp.theplatform.com> That looks backwards...why not have the DG for internal hosts be the BigIP, and DG the BigIP to the inside of the FWSM? The BigIP does a good job of performing NAT, and doesn't need to be directly connected to the nodes in its pools...in fact, I would highly recommend against connecting nodes directly to the BigIP - you should utilize a core switch block for that and default route to a floating internal ip on the BigIP, from there, upstream to the FWSM and let it handle security out front. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma Sent: Thursday, September 11, 2008 11:08 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] F5 BIG IP and FWSM Hi, Did any one have worked on F5 BIG IP and FWSM? If yes please help me. As this point I wanted to know BIG IP and how it should be conected to fwsm, specially in routed mode. My understanding - 6509 (MSFC) --> outside interface of LB --> Inside interface of LB -> FWSM context (multiple context) How bigip will be able to do loadbalancing, when it is not directly connected to servers. All servers d/g is fwsm context. 
Regards, Vikas Sharma _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jloiacon at csc.com Thu Sep 11 14:41:52 2008 From: jloiacon at csc.com (Joe Loiacono) Date: Thu, 11 Sep 2008 14:41:52 -0400 Subject: [c-nsp] 6500 netflow export and the switch cpu In-Reply-To: Message-ID: I wonder if it is not something in the config, rather than the traffic. I collect netflow from an old 6509 with upwards of 800M out one interface and I haven't seen any problems.Using if-full too. Granted a lot of our flows are data set transfers though. (I can't get the IOS version right now as it is managed by a different group - but it is probably fairly vanilla.) The number of flows was mentioned, is there alot of VoIP going through your switch, or something like that? What happens if you reduce the aging values? The 'long' one looks high. It just seems that with the load you are quoting, you should be able to get everything... Joe Jon Lewis Sent by: cisco-nsp-bounces at puck.nether.net 09/11/2008 01:52 PM To Phil Mayers cc cisco-nsp at puck.nether.net Subject Re: [c-nsp] 6500 netflow export and the switch cpu On Thu, 11 Sep 2008, Phil Mayers wrote: >> current ip flowmask for unicast: if-full >> current ipv6 flowmask for unicast: null > > Do you need the full mask? It includes tcp/udp ports. Dropping to > destination-source may save you a lot of flows (but obviously lose you a lot > of info) I'd really like to keep ip-full. It's quite handy when tracking down what an IP has been up to (like when trying to verify infection/scanning complaints). 
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Thu Sep 11 15:10:33 2008 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 11 Sep 2008 15:10:33 -0400 Subject: [c-nsp] IPv6 Subnetting - Service Provider Message-ID: <004401c91442$1170c510$34524f30$@org> Hi there... In a SP environment, what's common practice so far with subnetting? Typically, in IPv4 today we use a /30 or /29 for point to point and each device has a /32 loopback... I've been reading a lot of different opinions and everyone seems to recommend a /64 for each link (router) or a server - why so large? I'd love to see a layout of a few routers in a SP core network and how they've subnetted them....;) Appreciate it, Paul From rodunn at cisco.com Thu Sep 11 15:25:49 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 11 Sep 2008 15:25:49 -0400 Subject: [c-nsp] 12.4(20)T packet capture feature example Message-ID: <20080911192549.GT23118@rtp-cse-489.cisco.com> I showed a troubleshooting example on the support wiki: http://supportwiki.cisco.com/wiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature If you want the capture in the punt path for process level you set the capture point to: monitor capture point ip process-switched .... 
Rodney

From mohacsi at niif.hu  Thu Sep 11 15:36:54 2008
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Thu, 11 Sep 2008 21:36:54 +0200 (CEST)
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <004401c91442$1170c510$34524f30$@org>
References: <004401c91442$1170c510$34524f30$@org>
Message-ID: 

On Thu, 11 Sep 2008, Paul Stewart wrote:

> Hi there...
>
> In a SP environment, what's common practice so far with subnetting?
> Typically, in IPv4 today we use a /30 or /29 for point to point and each
> device has a /32 loopback...
>
> I've been reading a lot of different opinions and everyone seems to
> recommend a /64 for each link (router) or a server - why so large?  I'd love
> to see a layout of a few routers in a SP core network and how they've
> subnetted them....;)

- /64 if you have any chance that you want to use autoconfiguration (may be
  in the future)
- for subnets containing lots of computers I definitely would go for /64
- /126 you got similar to /30
- /122 in between /64 and /126 - with nice : boundary
- or nothing if you are satisfied by link locals - OSPFv3, IS-IS can work
  without global IPv6 address (even BGP can work on Cisco)

Regards,
Janos Mohacsi

>
>
> Appreciate it,
>
> Paul
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From streiner at cluebyfour.org  Thu Sep 11 16:05:17 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Thu, 11 Sep 2008 16:05:17 -0400 (EDT)
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <004401c91442$1170c510$34524f30$@org>
References: <004401c91442$1170c510$34524f30$@org>
Message-ID: 

On Thu, 11 Sep 2008, Paul Stewart wrote:

> In a SP environment, what's common practice so far with subnetting?
> Typically, in IPv4 today we use a /30 or /29 for point to point and each
> device has a /32 loopback...
> > I've been reading a lot of different opinions and everyone seems to > recommend a /64 for each link (router) or a server - why so large? I'd love > to see a layout of a few routers in a SP core network and how they've > subnetted them....;) This debate rolled on NANOG a few weeks ago. People generally broke into two camps - one advocated using /64s on point-to-point links, and the other advocated smaller subnets such as /126 for point-to-points and /128s for loopbacks. So, I guess the consensus is that there isn't one :) jms From paul at paulstewart.org Thu Sep 11 16:11:20 2008 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 11 Sep 2008 16:11:20 -0400 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: References: <004401c91442$1170c510$34524f30$@org> Message-ID: <004501c9144a$8e4d0f00$aae72d00$@org> Thanks for the replies... Yeah, I'm getting various pieces of feedback - I'm going with the /126 for point to point and /128 for loopback on core devices at this point. I don't trust the autoconfiguration ideas at this point (call it old school) anyways...;) Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner Sent: Thursday, September 11, 2008 4:05 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] IPv6 Subnetting - Service Provider On Thu, 11 Sep 2008, Paul Stewart wrote: > In a SP environment, what's common practice so far with subnetting? > Typically, in IPv4 today we use a /30 or /29 for point to point and each > device has a /32 loopback... > > I've been reading a lot of different opinions and everyone seems to > recommend a /64 for each link (router) or a server - why so large? I'd love > to see a layout of a few routers in a SP core network and how they've > subnetted them....;) This debate rolled on NANOG a few weeks ago. 
People generally broke into two camps - one advocated using /64s on point-to-point links, and the other advocated smaller subnets such as /126 for point-to-points and /128s for loopbacks. So, I guess the consensus is that there isn't one :) jms _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rsnyder at toontown.erial.nj.us Thu Sep 11 16:27:27 2008 From: rsnyder at toontown.erial.nj.us (Bob Snyder) Date: Thu, 11 Sep 2008 16:27:27 -0400 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: <004501c9144a$8e4d0f00$aae72d00$@org> References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> Message-ID: <20080911202727.GA9212@toontown.erial.nj.us> On Thu, Sep 11, 2008 at 04:11:20PM -0400, Paul Stewart wrote: > Thanks for the replies... > > Yeah, I'm getting various pieces of feedback - I'm going with the /126 for > point to point and /128 for loopback on core devices at this point. I don't > trust the autoconfiguration ideas at this point (call it old school) > anyways...;) One issue we ran into was that not all the networking gear we had could support /126. The vendor's (not Cisco) immature support for IPv6 could only understand the concept of /128 loopbacks and /64 subnets. Device in question was a CMTS. Bob From paul at paulstewart.org Thu Sep 11 16:39:54 2008 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 11 Sep 2008 16:39:54 -0400 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: <20080911202727.GA9212@toontown.erial.nj.us> References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> <20080911202727.GA9212@toontown.erial.nj.us> Message-ID: <004a01c9144e$8c30c1e0$a49245a0$@org> Thanks .. so far we've only ventured into 7600/6500 core equipment but we do have CMTS to look at in the future .... 
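Editor's added example, not part of Paul Stewart's message or of any other post in this thread: a Python sketch of the two layouts being debated, using only the standard `ipaddress` module. It reserves one /64 for /128 loopbacks and addresses point-to-point links either as /126s out of a second /64 (Paul's choice) or, for gear that only understands /64 and /128 as Bob's CMTS did, as one /64 per link, and it reports which prefix lengths a given platform cannot configure. The site prefix 2001:db8::/48 is the documentation prefix and the router and link names are placeholders, all assumptions of this example.

```python
import ipaddress
from itertools import islice
from typing import Dict, List, Tuple

# Assumption for this example: the provider carves its core addressing out of
# one /48; 2001:db8::/48 is the documentation prefix, not a real allocation.
SITE = ipaddress.IPv6Network("2001:db8::/48")


def carve_core(site: ipaddress.IPv6Network, n_routers: int, n_links: int,
               p2p_prefix: int = 126) -> Tuple[Dict[str, ipaddress.IPv6Network], List[dict]]:
    """Reserve one /64 for /128 loopbacks and address the point-to-point links.

    With p2p_prefix=126 all links come out of a single second /64.  With
    p2p_prefix=64 (for gear that only understands /64 and /128) every link
    burns its own /64 from the site block instead.
    """
    per64 = site.subnets(new_prefix=64)
    loop64 = next(per64)   # first /64: loopbacks, one /128 per router
    p2p64 = next(per64)    # second /64: point-to-point links when p2p_prefix > 64

    loopbacks = {
        "r%d" % i: ipaddress.IPv6Network("%s/128" % (loop64.network_address + i))
        for i in range(1, n_routers + 1)
    }

    if p2p_prefix == 64:
        link_nets = list(islice(per64, n_links))
    else:
        link_nets = list(islice(p2p64.subnets(new_prefix=p2p_prefix), n_links))

    links = []
    for n, net in enumerate(link_nets, 1):
        base = net.network_address
        links.append({
            "name": "link%d" % n,          # placeholder link name
            "network": net,
            # Use ::1 and ::2 of each link; the all-zeros address is left unused.
            "a": ipaddress.IPv6Interface("%s/%d" % (base + 1, net.prefixlen)),
            "b": ipaddress.IPv6Interface("%s/%d" % (base + 2, net.prefixlen)),
        })
    return loopbacks, links


def unsupported_prefixes(links: List[dict], loopbacks: Dict[str, ipaddress.IPv6Network],
                         supported=(64, 128)) -> List[int]:
    """Prefix lengths the plan uses that the given platform cannot configure."""
    used = {link["network"].prefixlen for link in links}
    used |= {net.prefixlen for net in loopbacks.values()}
    return sorted(used - set(supported))


if __name__ == "__main__":
    lo, ln = carve_core(SITE, n_routers=3, n_links=2)
    for name, net in lo.items():
        print(name, "loopback", net)
    for link in ln:
        print(link["name"], link["network"], link["a"], link["b"])
    print("unsupported on /64-and-/128-only gear:", unsupported_prefixes(ln, lo))
```

Running it with the defaults gives r1 the loopback 2001:db8::1/128 and link1 the pair 2001:db8:0:1::1/126 and 2001:db8:0:1::2/126; `unsupported_prefixes` then flags /126 for a platform that only takes /64 and /128, and re-running with `p2p_prefix=64` produces a plan that platform accepts at the cost of one /64 per link.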
;)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Snyder
Sent: Thursday, September 11, 2008 4:27 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPv6 Subnetting - Service Provider

On Thu, Sep 11, 2008 at 04:11:20PM -0400, Paul Stewart wrote:
> Thanks for the replies...
>
> Yeah, I'm getting various pieces of feedback - I'm going with the /126 for
> point to point and /128 for loopback on core devices at this point.  I don't
> trust the autoconfiguration ideas at this point (call it old school)
> anyways...;)

One issue we ran into was that not all the networking gear we had could
support /126. The vendor's (not Cisco) immature support for IPv6 could only
understand the concept of /128 loopbacks and /64 subnets. Device in question
was a CMTS.

Bob
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From christian at broknrobot.com  Thu Sep 11 16:43:16 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 11 Sep 2008 16:43:16 -0400
Subject: [c-nsp] Setting the Remote Syslog Port in IOS
In-Reply-To: <48C91F9B.90606@justinshore.com>
References: <48C82646.7040402@forthnet.gr> <48C91F9B.90606@justinshore.com>
Message-ID: 

hmm interesting, darn, I'm out of luck. I don't have it on my 12ks running
12.0(32)SY4. I do have it on a rsp720/7600 running 12.2(33)SRB2, don't have
it on sup720/7600 running SX7 either. Just not enough boxes have it to do
what I want, I guess..

christian

On Thu, Sep 11, 2008 at 9:39 AM, Justin Shore wrote:
> I have it on a 7206VXR running 12.4(15)T2.
>
> 7206-1.clr(config)#logging host ?
>   Hostname or A.B.C.D  IP address of the syslog server
>   ipv6                 Configure IPv6 syslog server
>
> 7206-1.clr(config)#logging host 1.2.3.4 ?
>   discriminator         Specify a message discriminator indentifier for this
>                         logging session
>   filtered              Enable filtered logging
>   sequence-num-session  Include session sequence number tag in syslog message
>   session-id            Specify syslog message session ID tagging
>   transport             Specify the transport protocol (default=UDP)
>   vrf                   Set VRF option
>   xml                   Enable logging in XML
>
>
> 7206-1.clr(config)#logging host 1.2.3.4 tr
> 7206-1.clr(config)#logging host 1.2.3.4 transport ?
>   beep  Blocks Extensible Exchange Protocol
>   tcp   Transport Control Protocol
>   udp   User Datagram Protocol
>
> 7206-1.clr(config)#logging host 1.2.3.4 transport udp ?
>   discriminator         Specify a message discriminator indentifier for this
>                         logging session
>   filtered              Enable filtered logging
>   port                  Specify the UDP port number (default=514)
>   sequence-num-session  Include session sequence number tag in syslog message
>   session-id            Specify syslog message session ID tagging
>   xml                   Enable logging in XML
>
>
> 7206-1.clr(config)#logging host 1.2.3.4 transport udp port ?
>   <1-65535>  Port number
>
>
> I also see the command on a 3660 running 12.3(14)T7.  I have it on a 3560E
> running 12.2(44)SE2 but not on a 3750 running 12.2(25)SEB.  I do however
> have it on a 3560G and a basic 3560 running 12.2(44)SE2.  I also have it on
> a Sup720-3BXL in a 7600 running SRB1.
>
> Looks like it's available for the older platforms with the right IOS.
>
> Justin
>
> Christian Koch wrote:
>>
>> checked for any switches after the inputting the ip address on logging
>> host command but nothing was available
>>
>>
>> #logging host 1.1.1.1 transport ?
>> % Unrecognized command
>>
>>
>> On Wed, Sep 10, 2008 at 3:55 PM, Tassos Chatzithomaoglou
>> wrote:
>>>
>>> Have you tried "logging host XXX transport udp port Y"?
>>>
>>> --
>>> Tassos
>>>
>>> Christian Koch wrote on 10/09/2008 19:41:
>>>>
>>>> I know i can set the remote syslog port on ASA/PIX's, but i don't seem
>>>> to see that it is possible in IOS.
>>>> >>>> I wanted to segregate logs by sending them from certain devices to >>>> separate syslog ports >>>> >>>> Can anyone confirm this behavior? >>>> >>>> Has anyone had the need to do something similar? >>>> >>>> Thanks >>>> >>>> >>>> Christian >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sethm at rollernet.us Thu Sep 11 17:21:22 2008 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 11 Sep 2008 14:21:22 -0700 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: <004401c91442$1170c510$34524f30$@org> References: <004401c91442$1170c510$34524f30$@org> Message-ID: <48C98BD2.9010800@rollernet.us> Paul Stewart wrote: > Hi there... > > In a SP environment, what's common practice so far with subnetting? > Typically, in IPv4 today we use a /30 or /29 for point to point and each > device has a /32 loopback... > > I've been reading a lot of different opinions and everyone seems to > recommend a /64 for each link (router) or a server - why so large? I'd love > to see a layout of a few routers in a SP core network and how they've > subnetted them....;) > I just ran into an issue in my network (testing a 3750) where an IPv6 ACL only accepts down to a /64 for matching and only EUI-64 hosts. And there's my 877W I've mentioned a few times this week that has its own exciting quirks. Other than that, I use /64 for subnets and /128 loopbacks out of a /64 reserved for loopbacks. Using /64 and /128 is almost guaranteed to be safe at this early stage; plenty of IPv6 support just isn't that mature yet. 
There's an RFC or something out there (too lazy to look it up) that says use /64 for subnets, so it's the magic number for a lot of IPv6 implementations. ~Seth From A.L.M.Buxey at lboro.ac.uk Thu Sep 11 17:29:55 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Thu, 11 Sep 2008 22:29:55 +0100 Subject: [c-nsp] IPv6 Subnetting - Service Provider In-Reply-To: <48C98BD2.9010800@rollernet.us> References: <004401c91442$1170c510$34524f30$@org> <48C98BD2.9010800@rollernet.us> Message-ID: <20080911212955.GA2486@lboro.ac.uk> Hi, > yet. There's an RFC or something out there (too lazy to look it up) that > says use /64 for subnets, so it's the magic number for a lot of IPv6 > implementations. my initial (and, i guess, current) IPv6 deployment plan was based on /64 subnets. yes, thats a ridiculous amount of hosts per subnet...nasty software coded in 'the old style' might make these very big collision domains and i do worry about how ISC DHCPv6 will handle such large numbers of leases - recalling how it deals with /16's in IPv4 land. however, for router likn-link, non IP-based routing protocols - as mentioned IS-IS or OSPFv3 on the link-layer avoids the legacy issue (and wasting /64's for such trivialities) alan From max.reid at saikonetworks.com Thu Sep 11 18:06:18 2008 From: max.reid at saikonetworks.com (Max Reid) Date: Thu, 11 Sep 2008 15:06:18 -0700 (PDT) Subject: [c-nsp] F5 BIG IP and FWSM In-Reply-To: <1A9866F953006D45AEE0166066114E09131ECC3F@TPMAIL02.corp.theplatform.co m> References: <1A9866F953006D45AEE0166066114E09131ECC3F@TPMAIL02.corp.theplatform.com> Message-ID: <38521.64.122.164.5.1221170778.squirrel@webmail-devel.integra.net> > That looks backwards...why not have the DG for internal hosts be the > BigIP, and DG the BigIP to the inside of the FWSM? 
>
> The BigIP does a good job of performing NAT, and doesn't need to be
> directly connected to the nodes in its pools...in fact, I would highly
> recommend against connecting nodes directly to the BigIP - you should
> utilize a core switch block for that and default route to a floating
> internal ip on the BigIP, from there, upstream to the FWSM and let it
> handle security out front.

I concur with this advice, esp. the note about having an L3 connected network between the back end hosts and the 'Inside' interface of the big IP. Main Benefit is failover (no arp issues on clients or F5); when dealing with large load balanced farms.

~Max

>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
> Sent: Thursday, September 11, 2008 11:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] F5 BIG IP and FWSM
>
> Hi,
>
> Did any one have worked on F5 BIG IP and FWSM? If yes please help me. As
> this point I wanted to know BIG IP and how it should be connected to
> fwsm,
> specially in routed mode.
>
> My understanding -
>
> 6509 (MSFC) --> outside interface of LB --> Inside interface of LB ->
> FWSM
> context (multiple context)
>
> How bigip will be able to do loadbalancing, when it is not directly
> connected to servers. All servers d/g is fwsm context.
>
> Regards,
> Vikas Sharma
>

From daltons at panix.com Thu Sep 11 18:26:22 2008
From: daltons at panix.com (dalton)
Date: Thu, 11 Sep 2008 18:26:22 -0400 (EDT)
Subject: [c-nsp] site to site and remote access on pix 506e
Message-ID: <54756.66.27.68.33.1221171982.squirrel@mail.panix.com>

Hi,

I'm wondering if anyone has a working config for a pix 506e running 6.3 or so, to do both site to site and remote access vpn. I assume this is possible?

I have a pix running a few site to sites, however when i added the remote access config, it caused the tunnels to fail leaving them in a state of Xauth config or something of the like (don't have the exact error).

Things fail when I add these 2 lines to the crypto map

crypto map toCLIENT client configuration address initiate
crypto map toCLIENT client authentication LOCAL

config is below, thanks.
-dalton

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname client-pix
domain-name client.logicworks.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.2
access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.2
access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.1
access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.2
access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.177.187.0 255.255.255.0
access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.2
access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.2
access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.1
access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.2
access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
access-list splittunnelACL permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging console alerts
logging monitor alerts
logging buffered debugging
logging history alerts
mtu outside 1500
mtu inside 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTEPOOL 10.254.10.10-10.254.10.20 mask 255.255.255.0
pdm history enable
arp timeout 14400
nat (inside) 0 access-list DENY-NAT
conduit permit ip any any
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mytrans
crypto map toCLIENT 20 ipsec-isakmp
crypto map toCLIENT 20 match address toCLIENT
crypto map toCLIENT 20 set peer x.x.x.x
crypto map toCLIENT 20 set transform-set strong
crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
crypto map toCLIENT client configuration address initiate
crypto map toCLIENT client authentication LOCAL
crypto map toCLIENT interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup client address-pool REMOTEPOOL
vpngroup client dns-server x.x.x.x
vpngroup client default-domain client.logicworks.net
vpngroup client split-tunnel splittunnelACL
vpngroup client split-dns logicworks.net
vpngroup client idle-time 3600
vpngroup client password ********
vpngroup idle-time idle-time 1800

From mksmith at adhost.com Thu Sep 11 18:43:26 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 11 Sep 2008 15:43:26 -0700
Subject: [c-nsp] site to site and remote access on pix 506e
In-Reply-To: <54756.66.27.68.33.1221171982.squirrel@mail.panix.com>
References: <54756.66.27.68.33.1221171982.squirrel@mail.panix.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604A63F5B@ad-exh01.adhost.lan>

Hello Dalton:

Here are a couple of ideas.

1) Change:

isakmp key ******** address x.x.x.x netmask 255.255.255.255

to

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

2) You might want to add:

isakmp nat-traversal 20

3) I'm assuming you have a LOCAL username specified?

Regards,

Mike

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of dalton
> Sent: Thursday, September 11, 2008 3:26 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] site to site and remote access on pix 506e
>
>
> Hi,
>
> I'm wondering if anyone has a working config for a pix 506e running 6.3 or
> so, to do both site to site
> and remote access vpn. I assume this is possible?
>
> I have a pix running a few site to sites, however when i added the remote
> access config, it caused
> the tunnels to fail leaving them in a state of Xauth config or something
> of the like (don't have the exact error).
>
> Things fail when I add these 2 lines to the crypto map
>
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT client authentication LOCAL
>
>
> config is below, thanks.
>
> -dalton
>
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname client-pix
> domain-name client.logicworks.net
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> no fixup protocol sip 5060
> no fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.49 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.60 host 205.200.125.2
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.1
> access-list toCLIENT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.177.187.0 255.255.255.0
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.49 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.60 host 205.200.125.2
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.1
> access-list DENY-NAT permit ip host 10.10.1.51 host 205.200.125.2
> access-list DENY-NAT permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> access-list splittunnelACL permit ip 10.10.1.0 255.255.255.0 10.254.10.0 255.255.255.0
> pager lines 24
> logging on
> logging timestamp
> logging standby
> logging console alerts
> logging monitor alerts
> logging buffered debugging
> logging history alerts
> mtu outside 1500
> mtu inside 1500
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool REMOTEPOOL 10.254.10.10-10.254.10.20 mask 255.255.255.0
> pdm history enable
> arp timeout 14400
> nat (inside) 0 access-list DENY-NAT
> conduit permit ip any any
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set strong esp-3des esp-sha-hmac
> crypto ipsec transform-set mytrans esp-aes esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set mytrans
> crypto map toCLIENT 20 ipsec-isakmp
> crypto map toCLIENT 20 match address toCLIENT
> crypto map toCLIENT 20 set peer x.x.x.x
> crypto map toCLIENT 20 set transform-set strong
> crypto map toCLIENT 999 ipsec-isakmp dynamic dynmap
> crypto map toCLIENT client configuration address initiate
> crypto map toCLIENT client authentication LOCAL
> crypto map toCLIENT interface outside
> isakmp enable outside
> isakmp key ******** address x.x.x.x netmask 255.255.255.255
> isakmp identity address
> isakmp policy 8 authentication pre-share
> isakmp policy 8 encryption 3des
> isakmp policy 8 hash sha
> isakmp policy 8 group 2
> isakmp policy 8 lifetime 86400
> vpngroup client address-pool REMOTEPOOL
> vpngroup client dns-server x.x.x.x
> vpngroup client default-domain client.logicworks.net
> vpngroup client split-tunnel splittunnelACL
> vpngroup client split-dns logicworks.net
> vpngroup client idle-time 3600
> vpngroup client password ********
> vpngroup idle-time idle-time 1800
>

From andy.saykao at staff.netspace.net.au Thu Sep 11 18:48:15 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Fri, 12 Sep 2008 08:48:15 +1000
Subject: [c-nsp] Inter VRF Routing help needed
Message-ID: <56F211C5E3F24F47B103EA1B253822BE036548D4@vic-cr-ex1.staff.netspace.net.au>

Hi cc loo - It took me a while to understand the difference between RD and RT's too.

Most literature will have examples of where the RD and RT are exactly the same and you can't help but be confused when you see them being different and you'll start to ask yourself "what's the point of having this RT statement when it's identical to the RD - seems like a waste of time". But they do play a very important role when you start moving away from simple VRF design.

What's most important to remember is that the RD and RT can be the same or can be totally different and that they both serve completely different purposes. Generally, in a very simple VRF set up (eg: one customer with 3 sites all being able to talk with each other and exchange data), the RD and RT will be the same because you probably won't be leaking routes between VRF's because this isn't a requirement. The RD is basically a way to allow overlapping IP addresses to exist. If we take the example of vrf_customer_A (RD 1:1) and vrf_customer_B (RD 1:2) - both can choose to use 192.168.1.0/24 and the address space will be completely unique because the RD is combined with the IPv4 address to produce the VPNv4 address like so - RD:192.168.1.1.

The RT on the other hand is a BGP extended-community attribute that is also tagged onto the VPNv4 address to allow you to be able to import/export these routes to other VRF's.
ip vrf customer_A
 rd 1:1
 route-target export 1:100
 route-target import 1:900
!
ip vrf customer_B
 rd 1:2
 route-target export 1:200
 route-target import 1:900
!
ip vrf Hub
 rd 1:9
 route-target export 1:900
 route-target import 1:100
 route-target import 1:200

So in Oli's example, a host of vrf_customer_A might have a VPNv4 address of 1:1:192.168.1.1 and RT 1:100. Likewise a host of vrf_customer_B might have the VPNv4 address of 1:2:192.168.2.1 and RT 1:200. The routes with the corresponding RT's of 1:100 (vrf_customer_A) and 1:200 (vrf_customer_B) are imported by the Hub and so the Hub will end up with the routes of 192.168.1.1 and 192.168.2.1 in its own routing table and will be able to reach these two hosts even though they are in different VRF's. Similarly, vrf_customer_A and vrf_customer_B need to import the RT that the Hub is exporting (1:900) so they too can reach the Hub.

I've deliberately used different IP space for customer_A and customer_B. Just be careful if you plan to import/export routes between different VRF's because you'll need to make sure the routes are unique in this case. Imagine if customer_A and customer_B were both using 192.168.1.0/24. How would the Hub be able to distinguish if it should be sending to customer_A or customer_B - hence why you need to do some planning so as not to run into this problem.

Sorry if it was a bit long winded. I'm new to all this too ;)

Cheers.

Andy

cc loo wrote on Thursday, September 11, 2008 5:05 PM:

> Hi Oliver,
>
> Thanks for the quick reply.
>
> Indeed i was referring to VRF-LITE
>
> In the cisco.com example, they gave this
> Router(config)# ip vrf customer_a
> Router(config-vrf)# rd 1:1 <----
> Router(config-vrf)# route-target both 1:1 <----
> Router(config)# interface fastEthernet 0.1
> Router(config-subif)# ip vrf forwarding customer_a
>
> is there any specific reason why cisco recommends using "both"
> (export/import) for its own RD ?

the RD is not exported, the RT is. see answer to next question.
Well, the "import" is not really needed in this specific case as there is no other VRF exporting routes with this route-target (so no point importing it).

> Oliver's example is here, but i would like to confirm if 1:100 is a
> typo or should it be 1:1 (like its own RD?):
> ip vrf customer_A
> rd 1:1 <-----
> route-target export 1:100 <----
> route-target import 1:900

RD and route-target are different things. They can be the same, but they must not be (in an mpls-vpn, they usually aren't the same as the RD is unique per PE per VRF).

> I was wondering if this is the correct place to post newbie
> questions like these ?
> I'm a junior engineer in a singaporean isp, hoping to learn more tricks
> and tips in the field of IP planning :D

well, I guess it's like all lists where folks help each other: If people see that you haven't done your homework, you might not get a reply.

oli

------------------------------

End of cisco-nsp Digest, Vol 70, Issue 57
*****************************************
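To make the RD/RT mechanics in Andy's post concrete, here is an added example (not from the post, the list, or any Cisco code) that models the three VRFs above in Python: each VRF's local prefixes are exported as VPNv4 routes keyed by RD and tagged with the VRF's export RTs, and each VRF then imports whatever carries one of its import RTs. It also runs the overlap scenario the post warns about (both customers using 192.168.1.0/24) and shows that the VPNv4 addresses stay distinct while the Hub's IPv4 table ends up ambiguous. The Hub prefix 10.0.0.0/24 and the single-router (VRF-lite style, no BGP peers) model are assumptions of the example, not something the post states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vrf:
    """One 'ip vrf' block: an RD, export RTs and import RTs."""
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    local_prefixes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Vpnv4Route:
    """A VPNv4 route: the RD is prepended to the IPv4 prefix so overlapping
    customer prefixes stay unique; the RTs ride along as extended communities."""
    rd: str
    prefix: str
    origin_vrf: str
    rts: frozenset

    @property
    def vpnv4(self) -> str:
        return f"{self.rd}:{self.prefix}"


def export_routes(vrfs: List[Vrf]) -> List[Vpnv4Route]:
    """Build the VPNv4 table from every VRF's local prefixes and export RTs."""
    table = []
    for v in vrfs:
        for p in v.local_prefixes:
            table.append(Vpnv4Route(v.rd, p, v.name, frozenset(v.export_rts)))
    return table


def import_routes(vrf: Vrf, table: List[Vpnv4Route]) -> List[Vpnv4Route]:
    """A VRF imports routes whose RT set overlaps its import set; its own routes are skipped."""
    return [r for r in table if r.rts & vrf.import_rts and r.origin_vrf != vrf.name]


def vrf_routing_table(vrf: Vrf, table: List[Vpnv4Route]) -> Dict[str, List[str]]:
    """IPv4 table of a VRF after import: prefix -> list of VRFs it was learned from.
    The RD is stripped again on import, which is where ambiguity can arise."""
    rib: Dict[str, List[str]] = {}
    for p in vrf.local_prefixes:
        rib.setdefault(p, []).append(vrf.name)
    for r in import_routes(vrf, table):
        rib.setdefault(r.prefix, []).append(r.origin_vrf)
    return rib


def overlapping_imports(vrf: Vrf, table: List[Vpnv4Route]) -> Dict[str, List[str]]:
    """Prefixes a VRF would learn from more than one source: the planning
    problem Andy describes (Hub cannot tell customer_A from customer_B)."""
    return {p: s for p, s in vrf_routing_table(vrf, table).items() if len(s) > 1}


def build_example(overlap: bool = False) -> List[Vrf]:
    """The three VRFs from the post. With overlap=True both customers use
    192.168.1.0/24. The Hub prefix 10.0.0.0/24 is a constructed value."""
    b_prefix = "192.168.1.0/24" if overlap else "192.168.2.0/24"
    return [
        Vrf("customer_A", "1:1", {"1:100"}, {"1:900"}, ["192.168.1.0/24"]),
        Vrf("customer_B", "1:2", {"1:200"}, {"1:900"}, [b_prefix]),
        Vrf("Hub", "1:9", {"1:900"}, {"1:100", "1:200"}, ["10.0.0.0/24"]),
    ]


if __name__ == "__main__":
    for overlap in (False, True):
        vrfs = build_example(overlap)
        table = export_routes(vrfs)
        print("overlap" if overlap else "distinct", "VPNv4:", [r.vpnv4 for r in table])
        for v in vrfs:
            print(f"  {v.name}: {vrf_routing_table(v, table)}")
        print("  ambiguous in Hub:", overlapping_imports(vrfs[2], table))
```

Run as a script it prints both scenarios; the spoke VRFs never learn each other's prefix (they only import 1:900), the Hub learns both, and in the overlap case the Hub's table shows 192.168.1.0/24 with two origins even though the two VPNv4 routes 1:1:192.168.1.0/24 and 1:2:192.168.1.0/24 are perfectly distinct.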
From jlewis at lewis.org Thu Sep 11 19:01:38 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 11 Sep 2008 19:01:38 -0400 (EDT)
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To:
References: <48C94727.4030002@imperial.ac.uk>
Message-ID:

On Thu, 11 Sep 2008, Jon Lewis wrote:

> On Thu, 11 Sep 2008, Phil Mayers wrote:
>
>> What do the following say:
>>
>> sh mls netflow table-contention detailed
>
> Earl in Module 5
> Detailed Netflow CAM (TCAM and ICAM) Utilization
> ================================================
> TCAM Utilization : 100%
> ICAM Utilization : 7%
> Netflow TCAM count : 262026
> Netflow ICAM count : 10
> Netflow Creation Failures : 456680
> Netflow CAM aliases : 0
>
> I guess I need to get more aggressive on the flow aging. I've been using
> mls aging fast time 8 threshold 3
> mls aging long 480
> mls aging normal 32

It looks like the fix was to enable flow-sampling.

mls sampling time-based 64

has our cpu usage back down to about nothing and tcam usage down around 50%.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From rootnet08 at gmail.com Thu Sep 11 20:54:45 2008
From: rootnet08 at gmail.com (root net)
Date: Thu, 11 Sep 2008 19:54:45 -0500
Subject: [c-nsp] Check bandwidth on router
Message-ID: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com>

Hi List,

Is there some sort of tool you can load into the IOS on a router to check bandwidth? Or if not what are you all doing these days in this situation. Like for example things are running slow and you think the Internet feed may be the problem is there a way to do speed tests on the router itself?

rootnet

From ben.steele at internode.on.net Thu Sep 11 20:56:00 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Fri, 12 Sep 2008 10:26:00 +0930
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To:
References: <48C94727.4030002@imperial.ac.uk>
Message-ID: <001b01c91472$5398cd40$faca67c0$@steele@internode.on.net>

"It looks like the fix was to enable flow-sampling."

Out of curiosity what are you using your netflow for? I'm asking because sampling obviously isn't ideal when you are trying to get completely accurate data for accounting.

I am interested in hearing people's opinion on their methods of accounting when data hits well beyond the TCAM limit (and you're already on DFC's) and you are in an all Ethernet switched world (ie not broadband ppp radius accounting), do you try and distribute the netflow onto multiple boxes closer to the edge or do you opt for another method?

There is the easy option of byte counting switchports via snmp, but if people are wanting statistics of who's been where (possible legal reasons) or where the majority of traffic is coming from then that is not enough, maybe a mix of sampled netflow and switchport byte counting?

It feels a shame using DFC's for a margin of their capacity purely because you need the TCAM space to produce netflow.

Ben

From sforcejr at yahoo.com Thu Sep 11 21:47:23 2008
From: sforcejr at yahoo.com (John Ramz)
Date: Thu, 11 Sep 2008 18:47:23 -0700 (PDT)
Subject: [c-nsp] Datacenter Network Design
In-Reply-To:
Message-ID: <384477.9224.qm@web110414.mail.gq1.yahoo.com>

Thanks guys for your replies. I sure have a lot to chew on. I am sure I will post back more questions once I get into it

John

--- On Thu, 9/11/08, Phil Bedard wrote:

> From: Phil Bedard
> Subject: Re: [c-nsp] Datacenter Network Design
> To: "Brant I. Stevens"
> Cc: "root net" , sforcejr at yahoo.com, cisco-nsp at puck.nether.net
> Date: Thursday, September 11, 2008, 9:39 AM
> This is a good guide from Cisco.
>
> http://www.cisco.com/univercd/cc/td/doc/solution/dcidg21.pdf
>
> Phil
>
>
> On Sep 11, 2008, at 9:00 AM, Brant I. Stevens wrote:
>
> > The Solutions Reference Network Design page on Cisco's site is a good
> > resource for network designs. http://www.cisco.com/go/srnd
> >
> > -Brant
> >
> > On 9/11/08 3:15 AM, "root net" wrote:
> >
> >> John,
> >>
> >> If you are going to build a Cisco network you should spend some time on
> >> www.cisco.com and look at all of their configuration examples and
> >> whitepapers for specific gear you are looking at or working on. Here are
> >> some books I would suggest:
> >>
> >> Cisco Press:
> >> Data Center Fundamentals
> >> End-to-End QoS Network Design
> >> Designing for Cisco Internetwork Solutions
> >> Designing Cisco Network Architectures
> >> Network Management Fundamentals
> >>
> >> www.cisco.com: (Research)
> >>
> >> HSRP
> >> STP
> >> InterVLAN routing
> >> IEEE Bridging
> >> BGP
> >> OSPF
> >> L2TPV3
> >> MPLS / VPN
> >> IOS information
> >>
> >> Others:
> >> Administering Data Centers
> >>
> >> APC Data Center University (online classes) Some are FREE some are not.
> >>
> >> This is all I could think of since it's so late. DR will come when you
> >> start digging into the protocols and other information. Far as
> >> storage/backup iSCSI is your friend so build a GbE network. OpenFiler,
> >> NetApp, MyIVault.
> >>
> >> From the start your facility will need to handle your immediate needs and
> >> growth or at least have the ability to scale (I would say maybe 10-20%
> >> growth for small budgets). Look at environmentals, power, fire protection:
> >> HVAC (spot coolers vs. ductless split systems vs. ducted systems, chilled
> >> water vs. air cooled), Power Requirements (Single Phase, Three Phase 208V
> >> /480V, UPS, Transfer switches, portable generators, generator), Raised
> >> Flooring vs. Anti-Static VCT, Security monitoring, water monitoring,
> >> temperature monitoring, and lastly Pre-action vs. plain wet system.
> >>
> >> Getting a separate Internet feed would be wise unless it's just cost
> >> prohibitive. Start out with maybe 10Mbit pipe and go from there. This all
> >> depends your customer's applications and servers. What they will be
> >> transferring and etc.
> >>
> >> Look into open source products as these are FREE and can help you. (e.g.
> >> nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others)
> >>
> >> Rule of thumb: A good data center will have proactive measures and policies
> >> in place to monitor, maintain, and procure. With that said monitor
> >> everything (I mean everything) and have all staff alerted on all levels SMS,
> >> e-mail, phone if possible automatically. It's not about downtime so much
> >> it's how you procure the situation in a specific time frame. Customer
> >> service is a must.
> >>
> >> You will need to make the call on the gear you use but I use a mixture of
> >> Cisco, Extreme, and Juniper. For data centers it's a must for hot swappable
> >> gear so look in to carrier class gear with redundant process, power
> >> supplies, hot swappable line cards. I would recommend Cisco 6500 Series,
> >> Cisco 7200 Series, Cisco ASA or Pix. I am not too fond of the Juniper
> >> firewall licensing. BTW, Cisco 2800/3600 Series may even work. Depends on
> >> your throughput capabilities you are needing. Research all aspects of your
> >> gear from ram, flash, processor speeds, to throughput, modules, IOS, and hot
> >> swappable needs.
> >>
> >>
> >> The above will get you started.
> >>
> >> rootnet08
> >>
> >> On 9/10/08, John Ramz wrote:
> >>>
> >>> We are looking into start hosting our customers' apps and data and would
> >>> like for you to provide me link to internet resources (or books) to get me
> >>> started on a network design that includes:
> >>>
> >>> - 3rd party Compliance (security for example)
> >>> - Redundancy (routers, firewalls, switches)
> >>> - load balancing
> >>> - VLANS
> >>> - Virtual servers
> >>> - Backup- SANs-
> >>> - Disaster recovery
> >>> - How to keep customers separated from our regular network?
> >>> - How to keep customers totally isolated from each other?
> >>> - Access from our network to the Datacenter network for our developers to
> >>> work with our customers? Also for our IT people to service, monitor and
> >>> maintain that network
> >>
> >> I have thought of getting an Internet pipe just for the Datacenter network
> >>> and with all the above mentioned components and then figure out the way and
> >>> procedures to connect our company network with that one for the different
> >>> items I already mentioned.
> >>>
> >>> Has anyone been involved in a project like that could elaborate as much as
> >>> possible on the subject?
> >>>
> >> Please shed some light with me on where to start and build from there?
> >>>
> >>> Thanks
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >
> >

From adriankok2000 at yahoo.com.hk Thu Sep 11 21:23:51 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Fri, 12 Sep 2008 09:23:51 +0800 (CST)
Subject: [c-nsp] console port
Message-ID: <539377.98418.qm@web33306.mail.mud.yahoo.com>

Hi

I want to connect to the console port

but my laptop is only having the USB without the com (serial port)

Now i try to use the usb to serial port cable + serial to console cable

to connect this console box of the router

does it work?

Thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com

From danletkeman at gmail.com Thu Sep 11 21:51:34 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 11 Sep 2008 20:51:34 -0500
Subject: [c-nsp] load-sharing round robin time?
Message-ID:

Hello,

I'm doing load-sharing on a 2621 router with ios 12.3(26).

ip route 0.0.0.0 0.0.0.0 192.168.11.251
ip route 0.0.0.0 0.0.0.0 192.168.11.252
ip route 0.0.0.0 0.0.0.0 192.168.11.253

This was working just fine, but now we implemented a squid cache just behind the router and it strips the source ip, so all of the requests through the router all look like they are coming from the squid box now. What is happening now is the squid box is randomly switching from route to route, but it's taking about 10 minutes to switch from each route. So watching the graphs on the three routers and it's only really using one route at a time. Is there a way to change the time limit for switching routes to make it switch faster?

Thanks,
Dan.

From john at fluidhosting.com Thu Sep 11 22:02:48 2008
From: john at fluidhosting.com (John T. Yocum)
Date: Thu, 11 Sep 2008 19:02:48 -0700
Subject: [c-nsp] console port
In-Reply-To: <539377.98418.qm@web33306.mail.mud.yahoo.com>
References: <539377.98418.qm@web33306.mail.mud.yahoo.com>
Message-ID: <48C9CDC8.6050205@fluidhosting.com>

A USB to Serial adapter will work. I've used them without any problems.

--John

adrian kok wrote:
> Hi
>
> I want to connect to the console port
>
> but my laptop is only having the USB without the com
> (serial port)
>
> Now i try to use the usb to serial port cable
> + serial to console cable
>
> to connect this console box of the router
>
> does it work?
>
> Thank you
>

From david at davidcoulson.net Thu Sep 11 22:12:05 2008
From: david at davidcoulson.net (David Coulson)
Date: Thu, 11 Sep 2008 22:12:05 -0400
Subject: [c-nsp] load-sharing round robin time?
In-Reply-To:
References:
Message-ID: <48C9CFF5.8060907@davidcoulson.net>

You can set it to use per-packet load balancing instead, assuming all of the paths are essentially the same (otherwise you get out of order packets, which may not be what you want).

Is the squid box on the 192.168.11.x subnet? If you have ip redirects enabled, then the squid box will actually route directly to one of the gateways, rather than through the 2621...

Not sure how your environment is built - Maybe a routing table and some other interface configs would help?

Dan Letkeman wrote:
> Hello,
>
> I'm doing load-sharing on a 2621 router with ios 12.3(26).
>
> ip route 0.0.0.0 0.0.0.0 192.168.11.251
> ip route 0.0.0.0 0.0.0.0 192.168.11.252
> ip route 0.0.0.0 0.0.0.0 192.168.11.253
>
> This was working just fine, but now we implemented a squid cache just
> behind the router and it strips the source ip, so all of the requests
> through the router all look like they are coming from the squid box
> now. What is happening now is the squid box is randomly switching
> from route to route, but it's taking about 10 minutes to switch from
> each route. So watching the graphs on the three routers and it's only
> really using one route at a time. Is there a way to change the time
> limit for switching routes to make it switch faster?
>
> Thanks,
> Dan.
>

From adriankok2000 at yahoo.com.hk Thu Sep 11 21:16:34 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Fri, 12 Sep 2008 09:16:34 +0800 (CST)
Subject: [c-nsp] console port
Message-ID: <454720.94740.qm@web33306.mail.mud.yahoo.com>

Hi

I want to connect to the console port

but my laptop is only having the USB without the com (serial port)

Now i try to use the usb to serial port cable + serial to console cable

to connect this console box of the router

does it work?
Thank you

From s00664233 at gmail.com Thu Sep 11 22:43:35 2008
From: s00664233 at gmail.com (cc loo)
Date: Fri, 12 Sep 2008 10:43:35 +0800
Subject: [c-nsp] console port
In-Reply-To: <539377.98418.qm@web33306.mail.mud.yahoo.com>
References: <539377.98418.qm@web33306.mail.mud.yahoo.com>
Message-ID: <49999c420809111943j566d0b01j30cc70959b9d8f24@mail.gmail.com>

Hi Adrian,

Yup, I'm on OSX / ubuntu as well and an RS232-USB converter will work fine once you install the drivers

On Fri, Sep 12, 2008 at 9:23 AM, adrian kok wrote:
> Hi
>
> I want to connect to the console port
>
> but my laptop is only having the USB without the com
> (serial port)
>
> Now i try to use the usb to serial port cable
> + serial to console cable
>
> to connect this console box of the router
>
> does it work?
>
> Thank you

From s00664233 at gmail.com Thu Sep 11 22:50:15 2008
From: s00664233 at gmail.com (cc loo)
Date: Fri, 12 Sep 2008 10:50:15 +0800
Subject: [c-nsp] Inter VRF Routing help needed
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE036548D4@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE036548D4@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <49999c420809111950x2c064a67ifed632b09b0296bc@mail.gmail.com>

Hi,

Thanks for all the replies, I will go do more homework/reading up and practice in my work place :D

On Fri, Sep 12, 2008 at 6:48 AM, Andy Saykao <andy.saykao at staff.netspace.net.au> wrote:
> Hi cc loo - It took me a while to understand the difference between RD
> and RT's too.
>
> Most literature will have examples of where the RD and RT are exactly
> the same and you can't help but be confused when you see them being
> different and you'll start to ask yourself "what's the point of having
> this RT statement when it's identical to the RD - seems like a waste of
> time". But they do play a very important role when you start moving away
> from simple VRF design.
>
> What's most important to remember is that the RD and RT can be the same
> or can be totally different and that they both serve completely
> different purposes. Generally, in a very simple VRF set up (eg: one
> customer with 3 sites all being able to talk with each other and
> exchange data), the RD and RT will be the same because you probably
> won't be leaking routes between VRF's because this isn't a requirement.
> The RD is basically a way to allow overlapping IP addresses to exist. If
> we take the example of vrf_customer_A (RD 1:1) and vrf_customer_B (RD
> 1:2) - both can choose to use 192.168.1.0/24 and the address space will
> be completely unique because the RD is combined with the IPv4 address to
> produce the VPNv4 address like so - RD:192.168.1.1.
>
> The RT on the other hand is a BGP extended-community attribute that is
> also tagged onto the VPNv4 address to allow you to be able to
> import/export these routes to other VRF's.
>
> ip vrf customer_A
> rd 1:1
> route-target export 1:100
> route-target import 1:900
> !
> ip vrf customer_B
> rd 1:2
> route-target export 1:200
> route-target import 1:900
> !
> ip vrf Hub
> rd 1:9
> route-target export 1:900
> route-target import 1:100
> route-target import 1:200
>
> So in Oli's example, a host of vrf_customer_A might have a VPNv4
> address of 1:1:192.168.1.1 and RT 1:100. Likewise a host of
> vrf_customer_B might have the VPNv4 address of 1:2:192.168.2.1 and RT
> 1:200.
> The routes with the corresponding RT's of 1:100 (vrf_customer_A)
> and 1:200 (vrf_customer_B) are imported by the Hub and so the Hub will
> end up with the routes of 192.168.1.1 and 192.168.2.1 in its own
> routing table and will be able to reach these two hosts even though they
> are in different VRF's. Similarly, vrf_customer_A and vrf_customer_B
> need to import the RT that the Hub is exporting (1:900) so they too can
> reach the Hub.
>
> I've deliberately used different IP space for customer_A and customer_B.
> Just be careful if you plan to import/export routes between different
> VRF's because you'll need to make sure the routes are unique in this
> case. Imagine if customer_A and customer_B were both using
> 192.168.1.0/24. How would the Hub be able to distinguish if it should be
> sending to customer_A or customer_B - hence why you need to do some
> planning so as not to run into this problem.
>
> Sorry if it was a bit long winded. I'm new to all this too ;)
>
> Cheers.
>
> Andy
>
> cc loo wrote on Thursday, September 11, 2008 5:05 PM:
>
> > Hi Oliver,
> >
> > Thanks for the quick reply.
> >
> > Indeed i was referring to VRF-LITE
> >
> > In the cisco.com example, they gave this
> > Router(config)# ip vrf customer_a
> > Router(config-vrf)# rd 1:1 <----
> > Router(config-vrf)# route-target both 1:1 <----
> > Router(config)# interface fastEthernet 0.1
> > Router(config-subif)# ip vrf forwarding customer_a
> >
> > is there any specific reason why cisco recommends using "both"
> > (export/import) for its own RD ?
>
> the RD is not exported, the RT is. see answer to next question.
>
> Well, the "import" is not really needed in this specific case as there
> is no other VRF exporting routes with this route-target (so no point
> importing it).
>
> >
> > Oliver's example is here, but i would like to confirm if 1:100 is a
> > typo or should it be 1:1 (like its own RD?):
> > ip vrf customer_A
> > rd 1:1 <-----
> > route-target export 1:100 <----
> > route-target import 1:900
>
> RD and route-target are different things. They can be the same, but they
> must not be (in an mpls-vpn, they usually aren't the same as the RD is
> unique per PE per VRF).
>
> > I was wondering if this is the correct place to post newbie
> > questions like these ?
> > I'm a junior engineer in a singaporean isp, hoping to learn more tricks
> > and tips in the field of IP planning :D
>
> well, I guess it's like all lists where folks help each other: If people
> see that you haven't done your homework, you might not get a reply.
>
> oli
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 70, Issue 57
> *****************************************
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> Please notify the sender immediately by email if you have received this
> email by mistake and delete this email from your system. Please note that
> any views or opinions presented in this email are solely those of the
> author and do not necessarily represent those of the organisation.
> Finally, the recipient should check this email and any attachments for
> the presence of viruses.
> The organisation accepts no liability for any
> damage caused by any virus transmitted by this email.
>
>

From david at davidcoulson.net Thu Sep 11 22:54:22 2008
From: david at davidcoulson.net (David Coulson)
Date: Thu, 11 Sep 2008 22:54:22 -0400
Subject: [c-nsp] console port
In-Reply-To: <454720.94740.qm@web33306.mail.mud.yahoo.com>
References: <454720.94740.qm@web33306.mail.mud.yahoo.com>
Message-ID: <48C9D9DE.6080008@davidcoulson.net>

Yep, but remember, if you move the serial port adaptor from one USB port to another, it will end up with a different COM port name - at least on Windows.

adrian kok wrote:
> Hi
>
> I want to connect to the console port
>
> but my laptop is only having the USB without the com
> (serial port)
>
> Now i try to use the usb to serial port cable
> + serial to console cable
>
> to connect this console box of the router
>
> does it work?
>
> Thank you

From danletkeman at gmail.com Thu Sep 11 23:18:57 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Thu, 11 Sep 2008 22:18:57 -0500
Subject: [c-nsp] load-sharing round robin time?
In-Reply-To: <48C9CFF5.8060907@davidcoulson.net>
References: <48C9CFF5.8060907@davidcoulson.net>
Message-ID:

I have tried enabling per-packet load balancing, but if I do that then no pages come up in the browser. So I did a tcp-mss adjust on the interface and still no difference.

topology:

lan----squid box----2621 router-------4 827 modems (nat & adsl)

Dan.

On Thu, Sep 11, 2008 at 9:12 PM, David Coulson wrote:
> You can set it to use per-packet load balancing instead, assuming all of the
> paths are essentially the same (otherwise you get out of order packets,
> which may not be what you want).
>
> Is the squid box on the 192.168.11.x subnet? If you have ip redirects
> enabled, then the squid box will actually route directly to one of the
> gateways, rather than through the 2621... Not sure how your environment is
> built - Maybe a routing table and some other interface configs would help?
>
> Dan Letkeman wrote:
>>
>> Hello,
>>
>> I'm doing load-sharing on a 2621 router with ios 12.3(26).
>>
>> ip route 0.0.0.0 0.0.0.0 192.168.11.251
>> ip route 0.0.0.0 0.0.0.0 192.168.11.252
>> ip route 0.0.0.0 0.0.0.0 192.168.11.253
>>
>> This was working just fine, but now we implemented a squid cache just
>> behind the router and it strips the source ip, so all of the requests
>> through the router all look like they are coming from the squid box
>> now. What is happening now is the squid box is randomly switching
>> from route to route, but it's taking about 10 minutes to switch from
>> each route. So watching the graphs on the three routers and it's only
>> really using one route at a time. Is there a way to change the time
>> limit for switching routes to make it switch faster?
>>
>> Thanks,
>> Dan.
>>
>

From mylists at battleop.com Thu Sep 11 23:38:18 2008
From: mylists at battleop.com (Richey)
Date: Thu, 11 Sep 2008 23:38:18 -0400
Subject: [c-nsp] 7206vxr npe300 throughput
Message-ID: <071c01c91489$006da2f0$0148e8d0$@com>

I've got a 7206VXR with an NPE 300. It does not run BGP. The majority of the traffic on this router will be streaming media. The only ACLs on this router are there to protect the router itself. We are talking about switching the full DS3 that is in this router out for a 100Mb FE feed. Should I worry about this router being able to handle 80 to 100mb of traffic?
Richey

From mtinka at globaltransit.net Fri Sep 12 00:16:02 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 12 Sep 2008 12:16:02 +0800
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <20080911212955.GA2486@lboro.ac.uk>
References: <004401c91442$1170c510$34524f30$@org> <48C98BD2.9010800@rollernet.us> <20080911212955.GA2486@lboro.ac.uk>
Message-ID: <200809121216.06089.mtinka@globaltransit.net>

On Friday 12 September 2008 05:29:55 A.L.M.Buxey at lboro.ac.uk wrote:

> my initial (and, i guess, current) IPv6 deployment plan
> was based on /64 subnets. yes, that's a ridiculous amount
> of hosts per subnet...nasty software coded in 'the old
> style' might make these very big collision domains and i
> do worry about how ISC DHCPv6 will handle such large
> numbers of leases - recalling how it deals with /16's in
> IPv4 land.

As has been mentioned by some others on the list, we use:

* /112 - for subnets
* /126 - for point-to-points
* /128 - for Loopbacks.

We don't believe in using /64's for point-to-points, as some of the peering/transit we do on v6 has shown (the other party's assignment) - I simply fail to understand how many other hosts you could possibly have on a point-to-point link, between 2 routers, to warrant a /64.

We are not big on /64's ability for autoconf, like someone else has mentioned. There's a certain satisfaction to be had when I go to bed knowing that the v6 address I coded onto the router/server interface will still be the same one when I wake up the following day.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
From mtinka at globaltransit.net Fri Sep 12 00:22:19 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 12 Sep 2008 12:22:19 +0800
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <20080911130626.GC23118@rtp-cse-489.cisco.com>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com> <20080911130626.GC23118@rtp-cse-489.cisco.com>
Message-ID: <200809121222.19526.mtinka@globaltransit.net>

On Thursday 11 September 2008 21:06:26 Rodney Dunn wrote:

> That's wrong.
>
> The 7301 is basically a 1RU 72xx/G2 combo.

I thought that's the 72xx/NPE-G1 combo; the 7201 would be the -G2 combo, right?

Mark.

From avayner at cisco.com Fri Sep 12 00:32:05 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 12 Sep 2008 06:32:05 +0200
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <200809121222.19526.mtinka@globaltransit.net>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com> <20080911130626.GC23118@rtp-cse-489.cisco.com> <200809121222.19526.mtinka@globaltransit.net>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501D79780@xmb-ams-331.emea.cisco.com>

Yes. The 1RU version for 7200/NPE-G1 is called 7301

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Friday, September 12, 2008 07:22 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NPE G1, CEF and ACLs and high CPU

On Thursday 11 September 2008 21:06:26 Rodney Dunn wrote:

> That's wrong.
>
> The 7301 is basically a 1RU 72xx/G2 combo.

I thought that's the 72xx/NPE-G1 combo; the 7201 would be the -G2 combo, right?

Mark.
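Added example for the Inter VRF Routing thread above (Andy's hub-and-spoke RD/RT configuration and Oli's remark that the RD is not what gets exported). This is not code from any poster and not Cisco's implementation; it is a small model of how VPNv4 routes are keyed and imported, so the two identifiers can be compared side by side. It reproduces the three VRFs from Andy's post exactly (customer_A rd 1:1 exporting 1:100, customer_B rd 1:2 exporting 1:200, both importing 1:900; Hub rd 1:9 exporting 1:900 and importing 1:100 and 1:200) and assumes a Hub prefix of 10.9.0.0/24, which the thread never states. Run it to see that the Hub learns both customers while the customers cannot see each other, and that giving both customers 192.168.1.0/24 leaves the NLRI unique (the RD does its job) but makes the Hub's table ambiguous (Andy's warning).

```python
"""Toy model of how the RD and the route-target (RT) shape VPNv4 route import.

Added example; not code from any poster on the list and not a Cisco
implementation. The Hub prefix 10.9.0.0/24 is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: frozenset[str]
    import_rts: frozenset[str]
    local_prefixes: tuple[str, ...]


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str                 # route distinguisher prepended to the IPv4 prefix
    prefix: str
    rts: frozenset[str]     # extended communities attached on export
    origin_vrf: str

    @property
    def nlri(self) -> str:
        """RD:prefix, the key MP-BGP actually carries (e.g. '1:1:192.168.1.0/24')."""
        return f"{self.rd}:{self.prefix}"


def export_routes(vrfs: list[Vrf]) -> list[Vpnv4Route]:
    """Each VRF exports its local prefixes as VPNv4 routes tagged with its export RTs."""
    return [
        Vpnv4Route(v.rd, p, v.export_rts, v.name)
        for v in vrfs
        for p in v.local_prefixes
    ]


def import_routes(vrf: Vrf, vpnv4_table: list[Vpnv4Route]) -> dict[str, list[Vpnv4Route]]:
    """A VRF keeps its own routes plus any route carrying at least one of its import RTs.

    The RD plays no part in this decision (Oli's point: the RD is not exported, the RT is).
    """
    rib: dict[str, list[Vpnv4Route]] = {}
    for r in vpnv4_table:
        if r.origin_vrf == vrf.name or r.rts & vrf.import_rts:
            rib.setdefault(r.prefix, []).append(r)
    return rib


def ambiguous_prefixes(rib: dict[str, list[Vpnv4Route]]) -> dict[str, list[str]]:
    """IPv4 prefixes that arrived from more than one VRF: the overlap Andy warns about."""
    return {
        prefix: sorted(r.origin_vrf for r in routes)
        for prefix, routes in rib.items()
        if len({r.origin_vrf for r in routes}) > 1
    }


def thread_vrfs(customer_b_prefix: str = "192.168.2.0/24") -> list[Vrf]:
    """The three VRFs from Andy's post; customer_B's prefix is a parameter so the overlap case can be shown."""
    return [
        Vrf("customer_A", "1:1", frozenset({"1:100"}), frozenset({"1:900"}), ("192.168.1.0/24",)),
        Vrf("customer_B", "1:2", frozenset({"1:200"}), frozenset({"1:900"}), (customer_b_prefix,)),
        Vrf("Hub", "1:9", frozenset({"1:900"}), frozenset({"1:100", "1:200"}), ("10.9.0.0/24",)),  # hub prefix assumed
    ]


def simulate(vrfs: list[Vrf]) -> dict[str, dict[str, list[Vpnv4Route]]]:
    """Export everything, then import into every VRF; returns {vrf name: {prefix: routes}}."""
    table = export_routes(vrfs)
    # Distinct RDs keep the NLRI unique even when two customers use the same IPv4 prefix.
    assert len({r.nlri for r in table}) == len(table)
    return {v.name: import_routes(v, table) for v in vrfs}


if __name__ == "__main__":
    for name, rib in simulate(thread_vrfs("192.168.1.0/24")).items():
        print(name, sorted(rib), "ambiguous:", ambiguous_prefixes(rib))
```

Note what the model does not do: it never compares RDs when importing, which is why the cisco.com "route-target both 1:1" example cc loo asked about works with an RT that merely happens to equal the RD, and why the import half of it is a no-op until some other VRF exports 1:1.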
From avayner at cisco.com Fri Sep 12 00:35:31 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 12 Sep 2008 06:35:31 +0200
Subject: [c-nsp] Datacenter Network Design
In-Reply-To:
References: <89944ef40809110015k28ea0ca7k219da9a68a02b374@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501D79781@xmb-ams-331.emea.cisco.com>

Another very relevant resource (relatively new one) is: www.cisco.com/go/designzone

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brant I. Stevens
Sent: Thursday, September 11, 2008 16:00 PM
To: root net; sforcejr at yahoo.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Datacenter Network Design

The Solutions Reference Network Design page on Cisco's site is a good resource for network designs.

http://www.cisco.com/go/srnd

-Brant

On 9/11/08 3:15 AM, "root net" wrote:

> John,
>
> If you are going to build a Cisco network you should spend some time
> on www.cisco.com and look at all of their configuration examples and
> whitepapers for specific gear you are looking at or working on. Here
> are some books I would suggest:
>
> Cisco Press:
> Data Center Fundamentals
> End-to-End QoS Network Design
> Designing for Cisco Internetwork Solutions
> Designing Cisco Network Architectures
> Network Management Fundamentals
>
> www.cisco.com: (Research)
>
> HSRP
> STP
> InterVLAN routing
> IEEE Bridging
> BGP
> OSPF
> L2TPV3
> MPLS / VPN
> IOS information
>
> Others:
> Administering Data Centers
>
> APC Data Center University (online classes) Some are FREE some are not.
>
> This is all I could think of since it's so late. DR will come when
> you start digging into the protocols and other information. As far as
> storage/backup iSCSI is your friend so build a GbE network.
> OpenFiler, NetApp, MyIVault.
>
> From the start your facility will need to handle your immediate needs and
> growth or at least have the ability to scale (I would say maybe 10-20%
> growth for small budgets). Look at environmentals, power, fire protection:
> HVAC (spot coolers vs. ductless split systems vs. ducted systems,
> chilled water vs. air cooled), Power Requirements (Single Phase, Three
> Phase 208V /480V, UPS, Transfer switches, portable generators,
> generator), Raised Flooring vs. Anti-Static VCT, Security monitoring,
> water monitoring, temperature monitoring, and lastly Pre-action vs. plain wet system.
>
> Getting a separate Internet feed would be wise unless it's just cost
> prohibitive. Start out with maybe 10Mbit pipe and go from there.
> This all depends on your customer's applications and servers. What they
> will be transferring and etc.
>
> Look into open source products as these are FREE and can help you. (e.g.
> nagios, jffnms, cacti, mrtg, syslog, linux, RT, rancid, and others)
>
> Rule of thumb: A good data center will have proactive measures and
> policies in place to monitor, maintain, and procure. With that said
> monitor everything (I mean everything) and have all staff alerted on
> all levels SMS, e-mail, phone if possible automatically. It's not
> about downtime so much it's how you procure the situation in a
> specific time frame. Customer service is a must.
>
> You will need to make the call on the gear you use but I use a mixture
> of Cisco, Extreme, and Juniper. For data centers it's a must for hot
> swappable gear so look in to carrier class gear with redundant
> process, power supplies, hot swappable line cards. I would recommend
> Cisco 6500 Series, Cisco 7200 Series, Cisco ASA or Pix. I am not too
> fond of the Juniper firewall licensing. BTW, Cisco 2800/3600 Series
> may even work. Depends on your throughput capabilities you are
> needing.
> Research all aspects of your gear from ram, flash, processor
> speeds, to throughput, modules, IOS, and hot swappable needs.
>
>
> The above will get you started.
>
> rootnet08
>
> On 9/10/08, John Ramz wrote:
>>
>> We are looking into start hosting our customers' apps and data and
>> would like for you to provide me link to internet resources (or
>> books) to get me started on a network design that includes:
>>
>> - 3rd party Compliance (security for example)
>> - Redundancy (routers, firewalls, switches)
>> - load balancing
>> - VLANS
>> - Virtual servers
>> - Backup- SANs-
>> - Disaster recovery
>> - How to keep customers separated from our regular network?
>> - How to keep customers totally isolated from each other?
>> - Access from our network to the Datacenter network for our
>> developers to work with our customers? Also for our IT people to
>> service, monitor and maintain that network
>>
>> I have thought of getting an Internet pipe just for the Datacenter
>> network and with all the above mentioned components and then figure out the
>> way and procedures to connect our company network with that one for
>> the different items I already mentioned.
>>
>> Has anyone been involved in a project like that could elaborate as
>> much as possible on the subject?
>>
>> Please shed some light with me on where to start and build from there?
>>
>> Thanks
>>
>>
>>
>>
>

From gkg at gmx.de Thu Sep 11 23:51:39 2008
From: gkg at gmx.de (Garry)
Date: Fri, 12 Sep 2008 05:51:39 +0200
Subject: [c-nsp] load-sharing round robin time?
In-Reply-To:
References: <48C9CFF5.8060907@davidcoulson.net>
Message-ID: <48C9E74B.6050205@gmx.de>

Dan Letkeman wrote:
> I have tried enabling per-packet load balancing, but if I do that then
> no pages come up in the browser. So I did a tcp-mss adjust on the
> interface and still no difference.

With every line being a separate NAT (I assume) your outgoing packet streams are more or less torn up now, resulting already in the initial TCP handshake being impossible ... (SYN goes out with IP1, SYN ACK returns on that line, ACK goes out with IP2 ...)

The delay in switching links comes from the router setting up a traffic flow and remembering the IP-to-line assignment for a while ...

Only thing I could suggest for now is using three squids (could be done on that single machine) with three different outgoing IPs, which in turn can be routed statically to one line each through route maps ... then use a fourth squid instance (towards the users) to use the other three round-robin ...
-garry

From vikassharmas at gmail.com Fri Sep 12 01:11:18 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Fri, 12 Sep 2008 10:41:18 +0530
Subject: [c-nsp] F5 BIG IP and FWSM
In-Reply-To: <38521.64.122.164.5.1221170778.squirrel@webmail-devel.integra.net>
References: <1A9866F953006D45AEE0166066114E09131ECC3F@TPMAIL02.corp.theplatform.com> <38521.64.122.164.5.1221170778.squirrel@webmail-devel.integra.net>
Message-ID:

Hi,

Thanks for the quick reply. I agree with your advice. But it might be required to loadbalance other devices that are sitting somewhere in my MPLS network. To do this the mandatory condition is - the LB internal interface should be able to ping / reach that. If I am using first DG to LB VIP and from LB 2nd DG to fwsm context failover ip, how can I achieve reachability from LB internal interface to servers somewhere in my MPLS network as to reach LB one has to pass through FWSM. Do i need to create a separate context for LB reachability to servers outside in MPLS network?

Regards,
Vikas Sharma

On 9/12/08, Max Reid wrote:
>
> > That looks backwards...why not have the DG for internal hosts be the
> > BigIP, and DG the BigIP to the inside of the FWSM?
> >
> > The BigIP does a good job of performing NAT, and doesn't need to be
> > directly connected to the nodes in its pools...in fact, I would highly
> > recommend against connecting nodes directly to the BigIP - you should
> > utilize a core switch block for that and default route to a floating
> > internal ip on the BigIP, from there, upstream to the FWSM and let it
> > handle security out front.
>
> I concur with this advice, esp. the note about having an L3 connected
> network between the back end hosts and the 'Inside' interface of the big
> IP.
>
>
> Main Benefit is failover (no arp issues on clients or F5); when dealing
> with large load balanced farms.
>
> ~Max
>
>
>
>
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
> > Sent: Thursday, September 11, 2008 11:08 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] F5 BIG IP and FWSM
> >
> > Hi,
> >
> > Has anyone worked on F5 BIG IP and FWSM? If yes please help me. At
> > this point I wanted to know BIG IP and how it should be connected to
> > fwsm, specially in routed mode.
> >
> > My understanding -
> >
> > 6509 (MSFC) --> outside interface of LB --> Inside interface of LB ->
> > FWSM context (multiple context)
> >
> > How bigip will be able to do loadbalancing, when it is not directly
> > connected to servers. All servers d/g is fwsm context.
> >
> > Regards,
> > Vikas Sharma
>

From swmike at swm.pp.se Fri Sep 12 02:06:45 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 12 Sep 2008 08:06:45 +0200 (CEST)
Subject: [c-nsp] 7206vxr npe300 throughput
In-Reply-To: <071c01c91489$006da2f0$0148e8d0$@com>
References: <071c01c91489$006da2f0$0148e8d0$@com>
Message-ID:

On Thu, 11 Sep 2008, Richey wrote:

> I've got a 7206VXR with an NPE 300. It does not run BGP. The majority of
> the traffic on this router will be streaming media. The only ACLs on
> this router are there to protect the router itself. We are talking
> about switching the full DS3 that is in this router out for a 100Mb FE feed.
> Should I worry about this router being able to handle 80 to 100mb of
> traffic?
NPE300 will do bidir approximately OC3 with i-mix traffic in my experience. So unless the traffic consists of really small packets only, you should be fine with quite a lot of headroom to do DS3.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From adrian at creative.net.au Fri Sep 12 02:13:55 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Fri, 12 Sep 2008 14:13:55 +0800
Subject: [c-nsp] load-sharing round robin time?
In-Reply-To: <48C9E74B.6050205@gmx.de>
References: <48C9CFF5.8060907@davidcoulson.net> <48C9E74B.6050205@gmx.de>
Message-ID: <20080912061355.GL15118@skywalker.creative.net.au>

On Fri, Sep 12, 2008, Garry wrote:

> Only thing I could suggest for now is using three squids (could be done
> on that single machine) with three different outgoing IPs, which in turn
> can be routed statically to one line each through route maps ... then
> use a fourth squid instance (towards the users) to use the other three
> round-robin ...

You can tell Squid to use >1 outgoing address, and if you asked me -really- nicely I could probably even write up some code to round-robin load balance between them..

Adrian

(My favourite beer is ...)

From dmitry at dmitry.net Fri Sep 12 02:25:44 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 12 Sep 2008 09:25:44 +0300
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <20080911212955.GA2486@lboro.ac.uk>
References: <004401c91442$1170c510$34524f30$@org> <48C98BD2.9010800@rollernet.us> <20080911212955.GA2486@lboro.ac.uk>
Message-ID: <20080912062544.GQ14724@f17.dmitry.net>

Hello!

On Thu, Sep 11, 2008 at 10:29:55PM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> my initial (and, i guess, current) IPv6 deployment plan
> was based on /64 subnets.
> yes, that's a ridiculous amount
> of hosts per subnet...nasty software coded in 'the old style'
> might make these very big collision domains and i do worry about
> how ISC DHCPv6 will handle such large numbers of leases -
> recalling how it deals with /16's in IPv4 land.

Don't worry. :) ISC made a pretty good dhcp server. We run it to serve a huge amount of IPv4 hosts without significant performance patches. Fast and rock-stable.

$ cat dhcpd.leases | grep ^lease | wc -l
756910
$

--
Dmitry Kiselev

From fweimer at bfk.de Fri Sep 12 03:50:33 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Fri, 12 Sep 2008 09:50:33 +0200
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <20080911202727.GA9212@toontown.erial.nj.us> (Bob Snyder's message of "Thu, 11 Sep 2008 16:27:27 -0400")
References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> <20080911202727.GA9212@toontown.erial.nj.us>
Message-ID: <82sks5x0om.fsf@mid.bfk.de>

* Bob Snyder:

> One issue we ran into was that not all the networking gear we had
> could support /126. The vendor's (not Cisco) immature support for
> IPv6 could only understand the concept of /128 loopbacks and /64
> subnets.

Subnets smaller than /64 containing (conceptually) global unicast addresses are not allowed per the IPv6 addressing architecture RFC. So it's just another case of vendors got bitten by RFCs that don't match customer requirements.
8-/

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From avayner at cisco.com Fri Sep 12 04:19:21 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 12 Sep 2008 10:19:21 +0200
Subject: [c-nsp] Check bandwidth on router
In-Reply-To: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com>
References: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501D79823@xmb-ams-331.emea.cisco.com>

Dear rootnet,

Not a direct solution to what you want, but did you consider using IP SLA for constant performance monitoring? You can setup a few IP SLA HTTP probes to well known sites and monitor the performance trend. This would give you a real indication of the "quality of experience".

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
Sent: Friday, September 12, 2008 03:55 AM
To: cisco-nsp
Subject: [c-nsp] Check bandwidth on router

Hi List,

Is there some sort of tool you can load into the IOS on a router to check bandwidth? Or if not what are you all doing these days in this situation. Like for example things are running slow and you think the Internet feed may be the problem is there a way to do speed tests on the router itself?

rootnet

From lists at memetic.org Fri Sep 12 04:58:42 2008
From: lists at memetic.org (Adam Armstrong)
Date: Fri, 12 Sep 2008 09:58:42 +0100
Subject: [c-nsp] Can the PE router take on multiple roles?
In-Reply-To: <20080910134754.GE11984@rtp-cse-489.cisco.com> References: <56F211C5E3F24F47B103EA1B253822BE036548CC@vic-cr-ex1.staff.netspace.net.au> <20080910134754.GE11984@rtp-cse-489.cisco.com> Message-ID: <48CA2F42.5050605@memetic.org> Yeah, and be aware that the more things you put on a device, the more likely it is to die. I've heard some scary things about the NAT-PT implementation on cisco kit, it's apparently very very slow and a bit unstable. Make sure you don't mind if all of the services on that device go down because of NAT-PT (i'm assuming this is *not* the case with BGP-RR!) adam. > It would work fine. Watch the CPU and memory to gauge scalability > as you grow. > > > Rodney > > On Wed, Sep 10, 2008 at 03:34:48PM +1000, Andy Saykao wrote: > >> Hi All, >> >> We have a few spare 7301's out the back and I was thinking of using one >> of them to be a NAT-PE router. No biggie with doing this but I was >> wondering if the NAT-PE router could also take on other roles which >> would be beneficial in a MPLS VPN environment such as using it to act as >> a SSL VPN Gateway for remote access. Could the same unit also be used to >> act as a Route Reflector to reflect VPNv4 routes? Or am I putting too >> much load on the router and/or putting all my eggs in one basket? >> >> At present, we don't have many MPLS VPN customers yet but the hope is to >> make things scalable so we can grow comfortable as the number of VPN >> customers grow. >> >> In summary, is it a good idea to use the 7301 to preform the following >> roles: >> >> - NAT-PE / Internet Gateway >> - SSL VPN Gateway >> - BGP Route Reflector >> >> Ideas, comments, personal experiences, etc most welcomed. >> >> Thanks. >> >> Andy >> >> This email and any files transmitted with it are confidential and intended >> solely for the use of the individual or entity to whom they are addressed. 

From SamHall at wiseman-dairies.co.uk Fri Sep 12 05:01:40 2008
From: SamHall at wiseman-dairies.co.uk (Sam Hall)
Date: Fri, 12 Sep 2008 10:01:40 +0100
Subject: [c-nsp] Sam Hall is out of the office.
Message-ID:

I will be out of the office starting 05/09/2008 and will not return until 18/09/2008.

I will respond to your message when I return.

Kind Regards
From julien.leroiso at gmail.com Fri Sep 12 07:20:01 2008
From: julien.leroiso at gmail.com (julien leroiso)
Date: Fri, 12 Sep 2008 13:20:01 +0200
Subject: [c-nsp] do I need acl on wan bgp port ?
Message-ID:

Hi,

I blocked BGP bogon announcements [1] like many other admins (I hope).

I want to know if it's common that ISPs add an ACL to the WAN port to block at least RFC1918 IP addresses. And, conversely, an ACL to prevent outgoing spoofing.

[1] http://www.cymru.com/Documents/secure-bgp-template.html

From mailinglist at bangky.net Fri Sep 12 07:39:27 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Fri, 12 Sep 2008 19:39:27 +0800
Subject: [c-nsp] do I need acl on wan bgp port ?
In-Reply-To:
References:
Message-ID: <2ad168fd0809120439n778bdd18jd8d354e9bcf11450@mail.gmail.com>

Hi Julien,

This topic may actually be more suited to other mailing lists such as NANOG rather than a Cisco-specific list.

Anyway, I believe it is more common that ISPs deploy uRPF (unicast reverse path forwarding) rather than ACLs. At the very least, the use of loose mode RPF ensures that the prefix from which a packet is sourced exists within the routing table. Thus, packets sourced from RFC1918 addresses ought to be blocked, since they should not be appearing in the routing tables of most BGP routers.
This also applies to packets that you are null-routing (such as the bogon prefixes that you have mentioned).

In terms of performance, there are specific performance gains if RPF is used rather than a long ACL to block prefixes.

The more experienced members on this list may wish to share their opinion and correct me if I'm wrong.

Cheers.

On Fri, Sep 12, 2008 at 7:20 PM, julien leroiso wrote:

> Hi,
>
> I blocked BGP bogon announcements [1] like many other admins (I hope).
>
> I want to know if it's common that ISPs add an ACL to the WAN port to block
> at least RFC1918 IP addresses.
> And, conversely, an ACL to prevent outgoing spoofing.
>
> [1] http://www.cymru.com/Documents/secure-bgp-template.html

--
Ang Kah Yik (bangky) - http://blog.bangky.net

From rodunn at cisco.com Fri Sep 12 07:57:01 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 12 Sep 2008 07:57:01 -0400
Subject: [c-nsp] NPE G1, CEF and ACLs and high CPU
In-Reply-To: <200809121222.19526.mtinka@globaltransit.net>
References: <383357750809041000uad21b4ag386233e3b2ea4fde@mail.gmail.com> <383357750809110529y67490054j95b48a53b56d8d1@mail.gmail.com> <20080911130626.GC23118@rtp-cse-489.cisco.com> <200809121222.19526.mtinka@globaltransit.net>
Message-ID: <20080912115701.GC3386@rtp-cse-489.cisco.com>

Yep...typo.

On Fri, Sep 12, 2008 at 12:22:19PM +0800, Mark Tinka wrote:
> On Thursday 11 September 2008 21:06:26 Rodney Dunn wrote:
>
> > That's wrong.
> >
> > The 7301 is basically a 1RU 72xx/G2 combo.
>
> I thought that's the 72xx/NPE-G1 combo; the 7201 would be
> the -G2 combo, right?
>
> Mark.
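To make the two answers given in the "do I need acl on wan bgp port ?" thread concrete (loose-mode uRPF plus null routes for RFC1918 and bogon sources, as suggested in the reply above, and a prefix-list/route-map on the BGP session rather than a long interface ACL, as a later reply in the same thread recommends), here is an added IOS configuration sketch. It is not taken from any message in the thread. The interface names, the AS numbers 64500/64501, the documentation-range addresses 203.0.113.0/30 and 198.51.100.0/24 (used as the upstream link and as "our" customer aggregate), and the shortened bogon list are placeholders for illustration; the Team Cymru template linked in the thread is the authoritative source for the full list.

```cisco
! Added example, not from the thread. All names and addresses are placeholders.
! Requires CEF (uRPF is a CEF feature).
!
! 1. Null-route RFC1918. Loose-mode uRPF fails a source whose best route
!    points at Null0, so these become droppable even if a default route exists.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! 2. Inbound BGP filter as prefix-list + route-map. Changing one prefix-list
!    is easier to maintain than rewriting an interface ACL when the bogon
!    list changes. Shortened list for illustration only.
ip prefix-list BOGONS-IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 15 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS-IN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list BOGONS-IN seq 25 deny 172.16.0.0/12 le 32
ip prefix-list BOGONS-IN seq 30 deny 192.0.2.0/24 le 32
ip prefix-list BOGONS-IN seq 35 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS-IN seq 40 deny 224.0.0.0/3 le 32
! never accept our own aggregate from the upstream (placeholder prefix)
ip prefix-list BOGONS-IN seq 45 deny 198.51.100.0/24 le 32
! drop anything more specific than /24, accept the rest
ip prefix-list BOGONS-IN seq 50 deny 0.0.0.0/0 ge 25
ip prefix-list BOGONS-IN seq 100 permit 0.0.0.0/0 le 24
!
route-map TRANSIT-IN permit 10
 match ip address prefix-list BOGONS-IN
!
router bgp 64500
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 route-map TRANSIT-IN in
!
! 3. Upstream interface: loose uRPF drops packets whose source has no route
!    or a Null0 route (RFC1918, bogons we null-route); the outbound ACL stops
!    our side sourcing spoofed packets toward the upstream.
ip access-list extended NO-SPOOF-OUT
 permit ip 198.51.100.0 0.0.0.255 any
 deny ip any any
!
interface GigabitEthernet0/0
 description upstream transit (AS64501)
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any
 ip access-group NO-SPOOF-OUT out
!
! 4. Customer-facing interface: strict uRPF is safe here because the customer
!    prefix is reachable only through this interface (no asymmetric routing).
interface GigabitEthernet0/1
 description customer access
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
```

Two checks after applying it: `show ip interface GigabitEthernet0/0 | include verif` reports the uRPF mode and the verification-drop counter, and `show access-lists NO-SPOOF-OUT` shows how often the egress deny matched. One caveat worth knowing: uRPF does not consult the default route unless `allow-default` is appended, so on a router that carries only a default toward the upstream (rather than a full table), loose mode needs `ip verify unicast source reachable-via any allow-default` and then only catches the null-routed sources, which is exactly why step 1 is there.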
From adriankok2000 at yahoo.com.hk Fri Sep 12 07:14:35 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Fri, 12 Sep 2008 19:14:35 +0800 (CST)
Subject: [c-nsp] console port
In-Reply-To: <48C9D769.60903@altzman.com>
Message-ID: <69219.34362.qm@web33308.mail.mud.yahoo.com>

Great. But my WinXP is showing "?" in the USB of the system. It needs the driver.

Do you know any reliable site to download this driver?

Thank you again

--- "Jerry B. Altzman" wrote:

> on 2008-09-11 21:23 adrian kok said the following:
> > I want to connect to the console port
> > but my laptop is only having the USB without the com
> > (serial port)
> > Now i try to use the usb to serial port cable
> > + serial to console cable
> > to connect this console box of the router
> > does it work?
>
> I do it all the time. It works a charm!
>
> //jbaltz
> --
> jerry b. altzman jbaltz at altzman.com
> www.jbaltz.com
> thank you for contributing to the heat death of the universe.

From doon.bulk at inoc.net Fri Sep 12 08:27:19 2008
From: doon.bulk at inoc.net (Patrick Muldoon)
Date: Fri, 12 Sep 2008 08:27:19 -0400
Subject: [c-nsp] console port
In-Reply-To: <69219.34362.qm@web33308.mail.mud.yahoo.com>
References: <69219.34362.qm@web33308.mail.mud.yahoo.com>
Message-ID:

On Sep 12, 2008, at 7:14 AM, adrian kok wrote:

> Great. but my winxp is showing ? in the usb of the
> system. It needs the driver.
>
> Do you know any reliable site to download this driver

As there are probably hundreds (if not more) random USB2Serial devices, not knowing which one you have will make it rough to help. Try Google?

FWIW: I've been happy with my Keyspan..

http://www.keyspan.com/products/usa19hs/

Use it all the time, and have had zero issues with it..

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Mac OS X.
Because making Unix user-friendly is easier than debugging Windows.

From maillist at webjogger.net Fri Sep 12 09:17:25 2008
From: maillist at webjogger.net (Adam Greene)
Date: Fri, 12 Sep 2008 09:17:25 -0400
Subject: [c-nsp] console port
References: <69219.34362.qm@web33308.mail.mud.yahoo.com>
Message-ID: <074672C37DDB4EDDA544301AE3D000EC@GINKGO>

I can second the good results with the Keyspan ...

----- Original Message -----
From: "Patrick Muldoon"
To: "adrian kok"
Cc:
Sent: Friday, September 12, 2008 8:27 AM
Subject: Re: [c-nsp] console port

> On Sep 12, 2008, at 7:14 AM, adrian kok wrote:
>
>> Great. but my winxp is showing ? in the usb of the
>> system. It needs the driver.
>>
>> Do you know any reliable site to download this driver
>
> As there are probably hundreds (if not more) random USB2Serial
> Devices, not knowing which one you have will make it rough to help.
> Try google?
>
> FWIW:
> I've been happy with my keyspan..
>
> http://www.keyspan.com/products/usa19hs/
>
> Use it all the time, and have had zero issues with it..
>
> -Patrick
>
> --
> Patrick Muldoon
> Network/Software Engineer
> INOC (http://www.inoc.net)
> PGPKEY (http://www.inoc.net/~doon)
> Key ID: 0x370D752C
>
> Mac OS X. Because making Unix user-friendly is easier than debugging
> Windows.

From chale99 at gmail.com Fri Sep 12 09:36:14 2008
From: chale99 at gmail.com (Chris Hale)
Date: Fri, 12 Sep 2008 09:36:14 -0400
Subject: [c-nsp] how to accomplish multiple 'native' vlans
In-Reply-To:
References:
Message-ID:

Thanks Frank. This looks almost exactly like what I was looking for, but the VLANs would be switched around: VID 10 would come through tagged (i.e. equipment mgmt VID) and VID 100/101 (i.e. customer VID) would come through untagged. Is this only on the newer switches?
I seem to remember I had to carry the native VLAN throughout the uplinks on an older 3550.

Thanks,
Chris

On Thu, Sep 11, 2008 at 12:54 AM, Frank Bulk wrote:

> Chris:
>
> Each port can be assigned a unique untagged VLAN (switchport trunk native
> vlan xx). You can limit which VLANs are trunked by assigning the allowed
> VLANs (switchport trunk allowed vlan yy). You can then create an uplink
> port with all those trunks.
>
> I think this is what you're looking for.
>
> Here's an example:
>
> interface FastEthernet0/1
>  description Customer A
>  switchport mode trunk
>  switchport nonegotiate
>  switchport trunk native vlan 10
>  switchport trunk allowed vlan 100
> !
> interface FastEthernet0/2
>  description Customer B
>  switchport mode trunk
>  switchport nonegotiate
>  switchport trunk native vlan 10
>  switchport trunk allowed vlan 101
> !
> interface FastEthernet0/24
>  description Uplink
>  switchport mode trunk
>  switchport nonegotiate
>  switchport trunk allowed vlan 10,100,101
> !
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Hale
> Sent: Wednesday, September 10, 2008 11:35 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how to accomplish multiple 'native' vlans
>
> All -
>
> We are converting our L2 network from Riverstone to Cisco. One
> problem I have not been able to solve yet is the way the Riverstone
> and Cisco units handle untagged traffic entering a physical port. We
> have many connections to customers whereby we have equipment we would
> like to manage with management VIDs inline with untagged customer
> traffic. When it enters the Ethernet trunk port on the Riverstone, we
> are able to assign the untagged traffic to a VID and it traverses the
> trunk ports where allowed as tagged traffic. It doesn't seem like the
> Cisco switches have this ability - only one native VLAN per switch.
> Is there some way to accept multiple ports of untagged traffic and tag
> each port's untagged traffic with separate VIDs?
>
> Example:
>
> fa0/1 - mgmt VID 10, customer traffic untagged (needs to be tagged
> with VID 100 for L3 routing)
> fa0/2 - mgmt VID 10, customer traffic untagged (needs to be tagged
> with VID 101 for L3 routing)
> etc.
> fa0/24 - trunk port to L3 device
>
> We are using 2960 and 3560 switches. Any other ideas are welcome, but
> we would prefer to minimize any CPE equipment at the customer site to tag
> their traffic with the appropriate customer VID. It's a matter of
> additional cost, additional management devices, and additional points
> of failure.
>
> Thanks,
> Chris
>
> --
> ------------------
> Chris Hale
> chale99 at gmail.com

--
------------------
Chris Hale
chale99 at gmail.com

From schmid at dfn.de Fri Sep 12 09:14:44 2008
From: schmid at dfn.de (Thomas Schmid)
Date: Fri, 12 Sep 2008 15:14:44 +0200
Subject: [c-nsp] BFD on 12.2.33 SRA and SRB
Message-ID: <48CA6B44.7010204@dfn.de>

Hi,

since we're in a situation where we may have to implement BFD soon on a number of links, I did a test with 12.2(33)SRA4 in a half-test environment.

The result was that after max. 5 min the router (SUP720-3BXL) crashed without memory (small buffers) left. This was easily reproducible by just turning on BFD for an eBGP session.

Even though I provided lots of crashinfo files and logs to the TAC, they were not able to reproduce it in the lab and nail down the problem or find the trigger for the mem leaks. The closest they came up with was CSCsh37272.

Recommendation was to go for SRB and see if the problem is also there.

Well, I tried SRB4 and wasn't yet able to reproduce the crashes.
While this is a strong hint that we won't see the crashes with SRB, I'm not 100% convinced, and so my question is if someone saw any memory related problems with SRB and BFD recently?

Thanks,

Thomas

From rootnet08 at gmail.com Fri Sep 12 09:53:08 2008
From: rootnet08 at gmail.com (root net)
Date: Fri, 12 Sep 2008 08:53:08 -0500
Subject: [c-nsp] Check bandwidth on router
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501D79823@xmb-ams-331.emea.cisco.com>
References: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501D79823@xmb-ams-331.emea.cisco.com>
Message-ID: <89944ef40809120653i59281e97h22d206ca3b6092e6@mail.gmail.com>

IP SLA seems to be the best option at present. Although we monitor with some open source tools, I would like to have a way to check that I am getting what (bandwidth) I am paying for, if this makes sense. It seems to me that these programs only monitor the circuits, not test throughput. I want to be able to test throughput on the circuit. These third party sites are OK, but I am sure there is some way providers are doing this without using speedtest sites?

rootnet

On Fri, Sep 12, 2008 at 3:19 AM, Arie Vayner (avayner) wrote:

> Dear rootnet,
>
> Not a direct solution to what you want, but did you consider using IP
> SLA for constant performance monitoring?
> You can set up a few IP SLA HTTP probes to well known sites and monitor
> the performance trend. This would give you a real indication of the
> "quality of experience".
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
> Sent: Friday, September 12, 2008 03:55 AM
> To: cisco-nsp
> Subject: [c-nsp] Check bandwidth on router
>
> Hi List,
>
> Is there some sort of tool you can load into the IOS on a router to
> check bandwidth? Or if not, what are you all doing these days in this
> situation?
> Like, for example, things are running slow and you think the Internet feed
> may be the problem: is there a way to do speed tests on the router
> itself?
>
> rootnet

From Robert.Smales at cw.com Fri Sep 12 09:56:37 2008
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 12 Sep 2008 14:56:37 +0100
Subject: [c-nsp] do I need acl on wan bgp port ?
In-Reply-To: <2ad168fd0809120439n778bdd18jd8d354e9bcf11450@mail.gmail.com>
Message-ID: <602ACF092EFFB044931BD8746C19AD2F8427E2@gbcwswiem006.ad.plc.cwintra.com>

Hi All

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ang Kah Yik
> Sent: 12 September 2008 12:39
> To: julien leroiso
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] do I need acl on wan bgp port ?
>
> Hi Julien,
>
> This topic may actually be more suited to other mailing lists such as
> NANOG rather than a Cisco-specific list.
> Anyway, I believe it is more common that ISPs deploy uRPF
> (unicast reverse path forwarding) rather than ACLs.

We use route-maps/prefix-lists to filter incoming BGP; that is more manageable than having to rewrite a single access-list when the bogons list changes, for example.

Robert

Robert Smales
IP Provide Engineer
Cable&Wireless Europe, Asia & US
www.cw.com
From eric at atlantech.net Fri Sep 12 09:58:46 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 12 Sep 2008 09:58:46 -0400
Subject: [c-nsp] ME3750 Shaping
Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350AECC47E@exchange.aoihq.local>

Hi all,

Does anyone know if the ME3750 can do egress shaping of a particular queue to a limit of >40Mb/s? If so, any examples anyone can share? The goal is to not only police on ingress at a certain limit (25M, 50M, 75M), but also to egress shape at the same limit. I've got the inbound policing just fine, but it seems that the method I found to shape will only do a limit of about 40-50Mb/s. I need to do this on not only non-ES routed ports, but also on non-ES ports that have two VLANs assigned to them, one of which is rate-limited/shaped and one that has WRR with priority queuing.

Thanks,
evt

From s00664233 at gmail.com Fri Sep 12 10:26:46 2008
From: s00664233 at gmail.com (cc loo)
Date: Fri, 12 Sep 2008 22:26:46 +0800
Subject: [c-nsp] console port
In-Reply-To: <69219.34362.qm@web33308.mail.mud.yahoo.com>
References: <48C9D769.60903@altzman.com> <69219.34362.qm@web33308.mail.mud.yahoo.com>
Message-ID: <49999c420809120726q48b45593m6d25ea68dbd3140d@mail.gmail.com>

I use an ATEN brand RS232/USB adapter and Windows Update was able to get the driver for it. FYI :)

Try googling the brand of your adapter; you might find something.

On Fri, Sep 12, 2008 at 7:14 PM, adrian kok wrote:

> Great. but my winxp is showing ? in the usb of the
> system. It needs the driver.
>
> Do you know any reliable site to download this driver
>
> Thank you again
>
>
> --- "Jerry B. Altzman" wrote:
>
> > on 2008-09-11 21:23 adrian kok said the following:
> > > I want to connect to the console port
> > > but my laptop is only having the USB without the com
> > > (serial port)
> > > Now i try to use the usb to serial port cable
> > > + serial to console cable
> > > to connect this console box of the router
> > > does it work?
> >
> > I do it all the time. It works a charm!
> >
> > //jbaltz
> > --
> > jerry b. altzman jbaltz at altzman.com
> > www.jbaltz.com
> > thank you for contributing to the heat death of the universe.

From dhooper at emerge.net.au Fri Sep 12 10:37:46 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Fri, 12 Sep 2008 22:37:46 +0800
Subject: [c-nsp] Check bandwidth on router
In-Reply-To: <89944ef40809120653i59281e97h22d206ca3b6092e6@mail.gmail.com>
References: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501D79823@xmb-ams-331.emea.cisco.com> <89944ef40809120653i59281e97h22d206ca3b6092e6@mail.gmail.com>
Message-ID:

You can use netperf to test bandwidth; cron it to run daily for 10 seconds and it will report the bandwidth on your circuits.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
Sent: Friday, 12 September 2008 9:53 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] Check bandwidth on router

IP SLA seems to be the best option at present. Although we monitor with some open source tools,
I would like to have a way to check that I am getting what (bandwidth) I am paying for, if this makes sense. It seems to me that these programs only monitor the circuits, not test throughput. I want to be able to test throughput on the circuit. These third party sites are OK, but I am sure there is some way providers are doing this without using speedtest sites?

rootnet

On Fri, Sep 12, 2008 at 3:19 AM, Arie Vayner (avayner) wrote:

> Dear rootnet,
>
> Not a direct solution to what you want, but did you consider using IP
> SLA for constant performance monitoring?
> You can set up a few IP SLA HTTP probes to well known sites and monitor
> the performance trend. This would give you a real indication of the
> "quality of experience".
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
> Sent: Friday, September 12, 2008 03:55 AM
> To: cisco-nsp
> Subject: [c-nsp] Check bandwidth on router
>
> Hi List,
>
> Is there some sort of tool you can load into the IOS on a router to
> check bandwidth? Or if not, what are you all doing these days in this
> situation?
> Like, for example, things are running slow and you think the Internet feed
> may be the problem: is there a way to do speed tests on the router
> itself?
>
> rootnet

From tom at snnap.net Fri Sep 12 10:46:04 2008
From: tom at snnap.net (Tom Storey)
Date: Sat, 13 Sep 2008 00:16:04 +0930
Subject: [c-nsp] console port
In-Reply-To: <074672C37DDB4EDDA544301AE3D000EC@GINKGO>
References: <69219.34362.qm@web33308.mail.mud.yahoo.com> <074672C37DDB4EDDA544301AE3D000EC@GINKGO>
Message-ID: <9D077D04-A1CD-465F-A6B7-A720A7606254@snnap.net>

My vote for Keyspan as well, though I have seen some very strange things happen with them.

Personally, mine is working flawlessly, and it gets a good workout...

I use a Mac with Minicom; it doesn't matter which USB port I have it plugged into, it always works.

Tom

On 12/09/2008, at 10:47 PM, Adam Greene wrote:

> I can second the good results with the Keyspan ...
>
> ----- Original Message ----- From: "Patrick Muldoon"
> To: "adrian kok"
> Cc:
> Sent: Friday, September 12, 2008 8:27 AM
> Subject: Re: [c-nsp] console port
>
>> On Sep 12, 2008, at 7:14 AM, adrian kok wrote:
>>> Great. but my winxp is showing ? in the usb of the
>>> system. It needs the driver.
>>>
>>> Do you know any reliable site to download this driver
>> As there are probably hundreds (if not more) random USB2Serial
>> Devices, not knowing which one you have will make it rough to
>> help. Try google?
>> FWIW:
>> I've been happy with my keyspan..
>> http://www.keyspan.com/products/usa19hs/
>> Use it all the time, and have had zero issues with it..
>> -Patrick
>> --
>> Patrick Muldoon
>> Network/Software Engineer
>> INOC (http://www.inoc.net)
>> PGPKEY (http://www.inoc.net/~doon)
>> Key ID: 0x370D752C
>> Mac OS X.
>> Because making Unix user-friendly is easier than
>> debugging Windows.

From doon.bulk at inoc.net Fri Sep 12 10:55:40 2008
From: doon.bulk at inoc.net (Patrick Muldoon)
Date: Fri, 12 Sep 2008 10:55:40 -0400
Subject: [c-nsp] console port
In-Reply-To: <9D077D04-A1CD-465F-A6B7-A720A7606254@snnap.net>
References: <69219.34362.qm@web33308.mail.mud.yahoo.com> <074672C37DDB4EDDA544301AE3D000EC@GINKGO> <9D077D04-A1CD-465F-A6B7-A720A7606254@snnap.net>
Message-ID: <9A95A1F8-94BF-4ED7-B9D8-68E964D1AECD@inoc.net>

On Sep 12, 2008, at 10:46 AM, Tom Storey wrote:

> My vote for Keyspan as well, though I have seen some very strange
> things happen with them.
>
> Personally, mine is working flawlessly, and it gets a good workout...
>
> I use a Mac with Minicom; it doesn't matter which USB port I have it
> plugged into, it always works.
>
> Tom

Same here, using a Mac with Minicom.. Drivers default to creating /dev/cu.KeySerial1 for the first one you plug in. (They used to not, so you always had to use the same USB port, or manually adjust the symlink, etc...)

I cannot speak to how they work on Windows though...
-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

NOTICE: alloc: /dev/null: filesystem full

From gert at greenie.muc.de Fri Sep 12 10:56:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 12 Sep 2008 16:56:19 +0200
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <82sks5x0om.fsf@mid.bfk.de>
References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> <20080911202727.GA9212@toontown.erial.nj.us> <82sks5x0om.fsf@mid.bfk.de>
Message-ID: <20080912145619.GS17238@greenie.muc.de>

Hi,

On Fri, Sep 12, 2008 at 09:50:33AM +0200, Florian Weimer wrote:
> Subnets smaller than /64 containing (conceptually) global unicast
> addresses are not allowed per the IPv6 addressing architecture RFC.
> So it's just another case of vendors got bitten by RFCs that don't
> match customer requirements. 8-/

I can't really see what's "customer requirements" here, except "we don't like the RFC, so we decide to ignore it, and then we're surprised that the result is not what we expect".

It's not like anybody is short on IPv6 addresses.

gert

--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From rodunn at cisco.com Fri Sep 12 10:59:49 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 12 Sep 2008 10:59:49 -0400
Subject: [c-nsp] BFD on 12.2.33 SRA and SRB
In-Reply-To: <48CA6B44.7010204@dfn.de>
References: <48CA6B44.7010204@dfn.de>
Message-ID: <20080912145949.GA4860@rtp-cse-489.cisco.com>

I'd strongly encourage anyone to go for SRB3 and later.
We had a huge bug fix push on the SRB throttle after SRB2, and it's been extremely stable, and that is where we are encouraging customers to go.

There were a lot of changes to BFD in the SRB timeframe for a lot of bugs.

Rodney

On Fri, Sep 12, 2008 at 03:14:44PM +0200, Thomas Schmid wrote:
> Hi,
>
> since we're in a situation where we may have to implement BFD soon on
> a number of links, I did a test with 12.2(33)SRA4 in a half-test environment.
>
> The result was that after max. 5 min the router (SUP720-3BXL) crashed
> without memory (small buffers) left. This was easily reproducible
> by just turning on BFD for an eBGP session.
>
> Even though I provided lots of crashinfo files and logs to the TAC, they were
> not able to reproduce it in the lab and nail down the problem or find the
> trigger for the mem leaks. The closest they came up with was CSCsh37272.
>
> Recommendation was to go for SRB and see if the problem is also there.
>
> Well, I tried SRB4 and wasn't yet able to reproduce the crashes. While
> this is a strong hint that we won't see the crashes with SRB, I'm not
> 100% convinced and so my question is if someone saw any memory related
> problems with SRB and BFD recently?
>
> Thanks,
>
> Thomas

From ivan at ig.sk Fri Sep 12 10:12:15 2008
From: ivan at ig.sk (Ivan Gasparik)
Date: Fri, 12 Sep 2008 16:12:15 +0200
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: <20080911.193436.41659240.sthaug@nethelp.no>
References: <1836781474-1221151128-cardhu_decombobulator_blackberry.rim.net-959829273-@bxe252.bisx.prod.on.blackberry> <20080911.193436.41659240.sthaug@nethelp.no>
Message-ID: <200809121612.16093.ivan@ig.sk>

On Thursday 11 September 2008, sthaug at nethelp.no wrote:
> > You can enable sampling if it is not enabled.
> > It should help
> > some.
>
> Highly unlikely. Sampling on the 6500 is performed entirely in
> software, *after* the full set of flows has been received.

You have to distinguish between the CPU load seen as interrupt load (caused mostly by walking through the TCAM, collecting statistics and storing them in the netflow cache) and the CPU load caused by the NDE process (packet generation). By enabling netflow sampling you can decrease the second part of the load: the CPU will generate significantly fewer packets of export statistics.

Ivan

From benny+usenet at amorsen.dk Fri Sep 12 10:22:43 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Fri, 12 Sep 2008 16:22:43 +0200
Subject: [c-nsp] IPv6 Subnetting - Service Provider
In-Reply-To: <82sks5x0om.fsf@mid.bfk.de> (Florian Weimer's message of "Fri\, 12 Sep 2008 09\:50\:33 +0200")
References: <004401c91442$1170c510$34524f30$@org> <004501c9144a$8e4d0f00$aae72d00$@org> <20080911202727.GA9212@toontown.erial.nj.us> <82sks5x0om.fsf@mid.bfk.de>
Message-ID:

Florian Weimer writes:

> * Bob Snyder:
>
>> One issue we ran into was that not all the networking gear we had
>> could support /126. The vendor's (not Cisco) immature support for
>> IPv6 could only understand the concept of /128 loopbacks and /64
>> subnets.
>
> Subnets smaller than /64 containing (conceptually) global unicast
> addresses are not allowed per the IPv6 addressing architecture RFC.
> So it's just another case of vendors got bitten by RFCs that don't
> match customer requirements. 8-/

You could also call it unreasonable customer requirements. If you spend a /40 on linknets you can have 2^24 of them. A /40 is nothing to an ISP. An enterprise would be a bit more cramped, but any enterprise needing more than, say, 10000 linknets should probably get an AS number and some provider-independent space -- and then there's plenty of space again.
/Benny

From clayton at MNSi.Net Fri Sep 12 12:50:29 2008
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Fri, 12 Sep 2008 12:50:29 -0400
Subject: [c-nsp] NPE-G2 Gigabit Ignored Errors
Message-ID: <200809121649.m8CGngEV013138@e450.mnsi.net>

I'm running a Cisco 7206/VXR with an NPE-G2, Version 12.4(4)XD4, acting as an LNS. I'm getting input errors consistently incrementing on the Gig interface (ignored errors). Any way to fix this? I saw some discussion a while back about this, and it seemed to have to do with buffers - but I can't find any definitive recommendations on what the settings should be.

GigabitEthernet0/1 is up, line protocol is up
  Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
  Description: to gig-fastiron Ethernet11
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 22/255, rxload 46/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:22:17
  Input queue: 0/75/1191/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 181384000 bits/sec, 29001 packets/sec
  30 second output rate 86319000 bits/sec, 26045 packets/sec
     38605963 packets input, 4274358612 bytes, 1 no buffer
     Received 230 broadcasts, 0 runts, 0 giants, 0 throttles
     2677 input errors, 0 CRC, 0 frame, 0 overrun, 2677 ignored
     0 watchdog, 2196 multicast, 0 pause input
     0 input packets with dribble condition detected
     34556615 packets output, 1656923135 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

---

Clayton Zekelman
Managed Network Systems Inc.
(MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8

tel. 519-985-8410
fax. 519-985-8409

From leonardo.souza at nec.com.br  Fri Sep 12 12:51:50 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Fri, 12 Sep 2008 13:51:50 -0300
Subject: [c-nsp] ELAM capture on SRB
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E42@spsrvmail03.nec.br>

Hi...

Does anyone know if it's feasible to use ELAM capture on SRB throttle?
I haven't been able to find it.
I'd appreciate if someone can share additional information about it.

Thanks much!

From sthaug at nethelp.no  Fri Sep 12 12:53:51 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 12 Sep 2008 18:53:51 +0200 (CEST)
Subject: [c-nsp] 6500 netflow export and the switch cpu
In-Reply-To: <200809121612.16093.ivan@ig.sk>
References: <1836781474-1221151128-cardhu_decombobulator_blackberry.rim.net-959829273-@bxe252.bisx.prod.on.blackberry> <20080911.193436.41659240.sthaug@nethelp.no> <200809121612.16093.ivan@ig.sk>
Message-ID: <20080912.185351.74695090.sthaug@nethelp.no>

> > Highly unlikely. Sampling on the 6500 is performed entirely in
> > software, *after* the full set of flows has been received.
>
> You have to distinguish between the cpu load seen as interrupt load
> (caused mostly by walking through the TCAM, collecting statistics and
> storing them in netflow cache) and the cpu load caused by NDE process
> (packet generation). Enabling netflow sampling you can decrease the
> second part of the load - the cpu will generate significantly less
> packets of export statistics.

Good point. And it doesn't help, of course, that the CPU in question is
severely underpowered...
Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From abalashov at evaristesys.com  Fri Sep 12 14:14:32 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 12 Sep 2008 14:14:32 -0400
Subject: [c-nsp] 7206vxr npe300 throughput
In-Reply-To: <071c01c91489$006da2f0$0148e8d0$@com>
References: <071c01c91489$006da2f0$0148e8d0$@com>
Message-ID: <48CAB188.5020004@evaristesys.com>

Richey wrote:

> I've got a 7206VXR with an NPE 300. It does not run BGP. The majority of
> the traffic on this router will be streaming media. The only ACLs on
> this router are there to protect the router itself. We are talking
> about switching the full DS3 that is in this router out for a 100Mb FE feed.
> Should I worry about this router being able to handle 80 to 100mb of
> traffic?

Based on my experience using the same for an edge router of a fairly
large company pushing a lot of web traffic and VoIP (well over 100 mbps),
no. Just make sure you have CEF enabled and such.

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From rodunn at cisco.com  Fri Sep 12 14:16:07 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 12 Sep 2008 14:16:07 -0400
Subject: [c-nsp] NPE-G2 Gigabit Ignored Errors
In-Reply-To: <200809121649.m8CGngEV013138@e450.mnsi.net>
References: <200809121649.m8CGngEV013138@e450.mnsi.net>
Message-ID: <20080912181607.GR4860@rtp-cse-489.cisco.com>

Can you bump up your input queue depth:

hold-queue 4096 in

and see if they stop.

I don't suspect that is going to help because the ignores are not
increasing that would point to:

CSCse05447
Externally found moderate defect: Resolved (R)
7200 ethernet interfaces should not throttle on input queue full drops

Most likely you are seeing micro burst that are coming in faster than
the CPU can drain the rx ring.
Rodney

On Fri, Sep 12, 2008 at 12:50:29PM -0400, Clayton Zekelman wrote:
>
> I'm running a Cisco 7206/VXR with an NPE G2, Version 12.4(4)XD4
> acting as an LNS.
>
> I'm getting input errors consistently incrementing on the Gig
> interface (ignored errors)
>
> Any way to fix this? I saw some discussion a while back about this,
> and it seemed to have to do with buffers - but I can't find any
> definitive recommendations on what the settings should be.
>
> GigabitEthernet0/1 is up, line protocol is up
>   Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
>   Description: to gig-fastiron Ethernet11
>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>      reliability 255/255, txload 22/255, rxload 46/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 1000Mb/s, media type is RJ45
>   output flow-control is XON, input flow-control is XON
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 00:22:17
>   Input queue: 0/75/1191/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   30 second input rate 181384000 bits/sec, 29001 packets/sec
>   30 second output rate 86319000 bits/sec, 26045 packets/sec
>      38605963 packets input, 4274358612 bytes, 1 no buffer
>      Received 230 broadcasts, 0 runts, 0 giants, 0 throttles
>      2677 input errors, 0 CRC, 0 frame, 0 overrun, 2677 ignored
>      0 watchdog, 2196 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      34556615 packets output, 1656923135 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 pause output
>      0 output buffer failures, 0 output buffers swapped out
>
> ---
> Clayton Zekelman
> Managed Network Systems Inc. (MNSi)
> 344-300 Tecumseh Rd. E.
> Windsor, Ontario
> N8X 5E8
>
> tel.
> 519-985-8410
> fax. 519-985-8409
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com  Fri Sep 12 14:17:05 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 12 Sep 2008 14:17:05 -0400
Subject: [c-nsp] ELAM capture on SRB
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E42@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E42@spsrvmail03.nec.br>
Message-ID: <20080912181705.GS4860@rtp-cse-489.cisco.com>

Yes. We use it all the time to match on ingress ip/mpls frames and see
what the rewrites are.

The complexity comes when you have to understand all the internal
dst_indx and internal VLAN allocation details.

Rodney

On Fri, Sep 12, 2008 at 01:51:50PM -0300, Leonardo Gama Souza wrote:
> Hi...
>
> Does anyone know if it's feasible to use ELAM capture on SRB throttle?
> I haven't been able to find it.
> I'd appreciate if someone can share additional information about it.
>
> Thanks much!

From avayner at cisco.com  Fri Sep 12 14:32:50 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 12 Sep 2008 20:32:50 +0200
Subject: [c-nsp] Check bandwidth on router
In-Reply-To:
References: <89944ef40809111754s49466f26w38d25fc90df0b4f5@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501D79823@xmb-ams-331.emea.cisco.com> <89944ef40809120653i59281e97h22d206ca3b6092e6@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501D79ACD@xmb-ams-331.emea.cisco.com>

Actually, you can use IP SLA for bandwidth testing too. You just need to
find some file which can be pulled off the internet via HTTP/FTP, and
use IP SLA to get it.
The only thing is that you would be killing your users' access to the
net at the time of the test, so testing during peak hours would be out
of the question, while testing the bandwidth in off-peak hours does not
mean much, as the ISP would have extra BW...

I would monitor the response time for HTTP for small web sites, and just
monitor the trend.

The bottom line is that your end users do not really care about the raw
amount of bandwidth, but are really looking for good response time and
consistent service level. It's called "Quality of Experience" as opposed
to "Quality of Service".
http://en.wikipedia.org/wiki/Quality_of_Experience

Arie

-----Original Message-----
From: Daniel Hooper [mailto:dhooper at emerge.net.au]
Sent: Friday, September 12, 2008 17:38 PM
To: root net; Arie Vayner (avayner)
Cc: cisco-nsp
Subject: RE: [c-nsp] Check bandwidth on router

You can use netperf to test bandwidth, cron it to run daily for 10
seconds and it will report the bandwidth on your circuits.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
Sent: Friday, 12 September 2008 9:53 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] Check bandwidth on router

IP SLA seems to be the best option at present. Although we monitor with
some open source tools. I would like to have a way to check that I am
getting what (bandwidth) I am paying for if this makes sense. It seems
to me that these programs only monitor the circuits not test throughput.
I want to be able to test throughput on the circuit. These third party
sites are ok but I am sure there is some way providers are doing this
without using speedtest sites?

rootnet

On Fri, Sep 12, 2008 at 3:19 AM, Arie Vayner (avayner) wrote:
> Dear rootnet,
>
> Not a direct solution to what you want, but did you consider using IP
> SLA for constant performance monitoring?
> You can setup a few IP SLA HTTP probes to well known sites and monitor
> the performance trend. This would give you a real indication of the
> "quality of experience".
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of root net
> Sent: Friday, September 12, 2008 03:55 AM
> To: cisco-nsp
> Subject: [c-nsp] Check bandwidth on router
>
> Hi List,
>
> Is there some sort of tool you can load into the IOS on a router to
> check bandwidth? Or if not what are you all doing these days in this
> situation.
> Like for example things are running slow and you think the Internet feed
> may be the problem is there a way to do speed tests on the router
> itself?
>
> rootnet

From avayner at cisco.com  Fri Sep 12 14:38:17 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 12 Sep 2008 20:38:17 +0200
Subject: [c-nsp] ME3750 Shaping
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B86350AECC47E@exchange.aoihq.local>
References: <2C05E949E19A9146AF7BDF9D44085B86350AECC47E@exchange.aoihq.local>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501D79ACF@xmb-ams-331.emea.cisco.com>

Eric,

This should be possible.
Take a look here:
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_46_se/configuration/guide/swqos.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol
Sent: Friday, September 12, 2008 16:59 PM
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] ME3750 Shaping

Hi all,

Does anyone know if the ME3750 can do egress shaping of a particular
queue to a limit of >40Mb/s? If so, any examples anyone can share? The
goal is to not only police on ingress at a certain limit (25M, 50M,
75M), but also to egress shape at the same limit. I've got the inbound
policing just fine, but it seems that the method I found to shape will
only do a limit of about 40-50Mb/s. I need to do this on not only non-ES
routed ports, but also on non-ES ports that have two VLANs assigned to
them, one of which is rate-limited/shaped and one that has WRR with
priority queuing.

Thanks,
evt

From clayton at MNSi.Net  Fri Sep 12 14:40:04 2008
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Fri, 12 Sep 2008 14:40:04 -0400
Subject: [c-nsp] NPE-G2 Gigabit Ignored Errors
In-Reply-To: <20080912181607.GR4860@rtp-cse-489.cisco.com>
References: <200809121649.m8CGngEV013138@e450.mnsi.net> <20080912181607.GR4860@rtp-cse-489.cisco.com>
Message-ID: <200809121839.m8CIdHD3029666@e450.mnsi.net>

No luck... didn't fix it. Is it fixed in a subsequent release? Are
there any other parameters I can tune?
GigabitEthernet0/1 is up, line protocol is up
  Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
  Description: to gig-fastiron Ethernet11
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 23/255, rxload 48/255
  Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:10:09
  Input queue: 0/4096/533/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 189692000 bits/sec, 30246 packets/sec
  30 second output rate 91448000 bits/sec, 27197 packets/sec
     18432915 packets input, 1555851456 bytes, 0 no buffer
     Received 65 broadcasts, 0 runts, 0 giants, 0 throttles
     1117 input errors, 0 CRC, 0 frame, 0 overrun, 1117 ignored
     0 watchdog, 1034 multicast, 0 pause input
     0 input packets with dribble condition detected

At 02:16 PM 9/12/2008, Rodney Dunn wrote:
>Can you bump up your input queue depth:
>
>hold-queue 4096 in
>
>and see if they stop.
>
>I don't suspect that is going to help because the ignores
>are not increasing that would point to:
>
>CSCse05447
>Externally found moderate defect: Resolved (R)
>7200 ethernet interfaces should not throttle on input queue full drops
>
>Most likely you are seeing micro burst that are coming in faster
>than the CPU can drain the rx ring.
>
>Rodney
>
>
>
>On Fri, Sep 12, 2008 at 12:50:29PM -0400, Clayton Zekelman wrote:
> >
> > I'm running a Cisco 7206/VXR with an NPE G2, Version 12.4(4)XD4
> > acting as an LNS.
> >
> > I'm getting input errors consistently incrementing on the Gig
> > interface (ignored errors)
> >
> > Any way to fix this?
> > I saw some discussion a while back about this,
> > and it seemed to have to do with buffers - but I can't find any
> > definitive recommendations on what the settings should be.
> >
> > GigabitEthernet0/1 is up, line protocol is up
> >   Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
> >   Description: to gig-fastiron Ethernet11
> >   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
> >      reliability 255/255, txload 22/255, rxload 46/255
> >   Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
> >   Keepalive set (10 sec)
> >   Full-duplex, 1000Mb/s, media type is RJ45
> >   output flow-control is XON, input flow-control is XON
> >   ARP type: ARPA, ARP Timeout 04:00:00
> >   Last input 00:00:00, output 00:00:00, output hang never
> >   Last clearing of "show interface" counters 00:22:17
> >   Input queue: 0/75/1191/0 (size/max/drops/flushes); Total output drops: 0
> >   Queueing strategy: fifo
> >   Output queue: 0/40 (size/max)
> >   30 second input rate 181384000 bits/sec, 29001 packets/sec
> >   30 second output rate 86319000 bits/sec, 26045 packets/sec
> >      38605963 packets input, 4274358612 bytes, 1 no buffer
> >      Received 230 broadcasts, 0 runts, 0 giants, 0 throttles
> >      2677 input errors, 0 CRC, 0 frame, 0 overrun, 2677 ignored
> >      0 watchdog, 2196 multicast, 0 pause input
> >      0 input packets with dribble condition detected
> >      34556615 packets output, 1656923135 bytes, 0 underruns
> >      0 output errors, 0 collisions, 0 interface resets
> >      0 babbles, 0 late collision, 0 deferred
> >      0 lost carrier, 0 no carrier, 0 pause output
> >      0 output buffer failures, 0 output buffers swapped out
> >
> > ---
> > Clayton Zekelman
> > Managed Network Systems Inc. (MNSi)
> > 344-300 Tecumseh Rd. E.
> > Windsor, Ontario
> > N8X 5E8
> >
> > tel. 519-985-8410
> > fax.
> > 519-985-8409

---
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8

tel. 519-985-8410
fax. 519-985-8409

From rodunn at cisco.com  Fri Sep 12 14:43:04 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 12 Sep 2008 14:43:04 -0400
Subject: [c-nsp] NPE-G2 Gigabit Ignored Errors
In-Reply-To: <200809121839.m8CIdHD3029666@e450.mnsi.net>
References: <200809121649.m8CGngEV013138@e450.mnsi.net> <20080912181607.GR4860@rtp-cse-489.cisco.com> <200809121839.m8CIdHD3029666@e450.mnsi.net>
Message-ID: <20080912184304.GA4860@rtp-cse-489.cisco.com>

On Fri, Sep 12, 2008 at 02:40:04PM -0400, Clayton Zekelman wrote:
>
> No luck... didn't fix it. Is it fixed in a subsequent release? Are
> there any other parameters I can tune?

Not really because you can't tune the rx ring depth.

Check 'sh controller'.

What does 'sh proc cpu sort | excl 0.00' say?

Can you post the configuration..I'm curious what your features look like
because the more you have the less pps you get through this box..it's
all done in software and can't do all features at line rate during a
microburst.
sh int stat

Rodney

>
> GigabitEthernet0/1 is up, line protocol is up
>   Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
>   Description: to gig-fastiron Ethernet11
>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>      reliability 255/255, txload 23/255, rxload 48/255
>   Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 1000Mb/s, media type is RJ45
>   output flow-control is XON, input flow-control is XON
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 00:10:09
>   Input queue: 0/4096/533/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   30 second input rate 189692000 bits/sec, 30246 packets/sec
>   30 second output rate 91448000 bits/sec, 27197 packets/sec
>      18432915 packets input, 1555851456 bytes, 0 no buffer
>      Received 65 broadcasts, 0 runts, 0 giants, 0 throttles
>      1117 input errors, 0 CRC, 0 frame, 0 overrun, 1117 ignored
>      0 watchdog, 1034 multicast, 0 pause input
>      0 input packets with dribble condition detected
>
>
>
> At 02:16 PM 9/12/2008, Rodney Dunn wrote:
> >Can you bump up your input queue depth:
> >
> >hold-queue 4096 in
> >
> >and see if they stop.
> >
> >I don't suspect that is going to help because the ignores
> >are not increasing that would point to:
> >
> >CSCse05447
> >Externally found moderate defect: Resolved (R)
> >7200 ethernet interfaces should not throttle on input queue full drops
> >
> >Most likely you are seeing micro burst that are coming in faster
> >than the CPU can drain the rx ring.
> >
> >Rodney
> >
> >
> >
> >On Fri, Sep 12, 2008 at 12:50:29PM -0400, Clayton Zekelman wrote:
> >>
> >> I'm running a Cisco 7206/VXR with an NPE G2, Version 12.4(4)XD4
> >> acting as an LNS.
> >>
> >> I'm getting input errors consistently incrementing on the Gig
> >> interface (ignored errors)
> >>
> >> Any way to fix this?
> >> I saw some discussion a while back about this,
> >> and it seemed to have to do with buffers - but I can't find any
> >> definitive recommendations on what the settings should be.
> >>
> >> GigabitEthernet0/1 is up, line protocol is up
> >>   Hardware is MV64460 Internal MAC, address is 001a.6d30.091b (bia 001a.6d30.091b)
> >>   Description: to gig-fastiron Ethernet11
> >>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
> >>      reliability 255/255, txload 22/255, rxload 46/255
> >>   Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
> >>   Keepalive set (10 sec)
> >>   Full-duplex, 1000Mb/s, media type is RJ45
> >>   output flow-control is XON, input flow-control is XON
> >>   ARP type: ARPA, ARP Timeout 04:00:00
> >>   Last input 00:00:00, output 00:00:00, output hang never
> >>   Last clearing of "show interface" counters 00:22:17
> >>   Input queue: 0/75/1191/0 (size/max/drops/flushes); Total output drops: 0
> >>   Queueing strategy: fifo
> >>   Output queue: 0/40 (size/max)
> >>   30 second input rate 181384000 bits/sec, 29001 packets/sec
> >>   30 second output rate 86319000 bits/sec, 26045 packets/sec
> >>      38605963 packets input, 4274358612 bytes, 1 no buffer
> >>      Received 230 broadcasts, 0 runts, 0 giants, 0 throttles
> >>      2677 input errors, 0 CRC, 0 frame, 0 overrun, 2677 ignored
> >>      0 watchdog, 2196 multicast, 0 pause input
> >>      0 input packets with dribble condition detected
> >>      34556615 packets output, 1656923135 bytes, 0 underruns
> >>      0 output errors, 0 collisions, 0 interface resets
> >>      0 babbles, 0 late collision, 0 deferred
> >>      0 lost carrier, 0 no carrier, 0 pause output
> >>      0 output buffer failures, 0 output buffers swapped out
> >>
> >> ---
> >> Clayton Zekelman
> >> Managed Network Systems Inc. (MNSi)
> >> 344-300 Tecumseh Rd. E.
> >> Windsor, Ontario
> >> N8X 5E8
> >>
> >> tel. 519-985-8410
> >> fax.
> >> 519-985-8409
>
> ---
> Clayton Zekelman
> Managed Network Systems Inc. (MNSi)
> 344-300 Tecumseh Rd. E.
> Windsor, Ontario
> N8X 5E8
>
> tel. 519-985-8410
> fax. 519-985-8409

From jackson.tim at gmail.com  Fri Sep 12 14:46:08 2008
From: jackson.tim at gmail.com (Tim Jackson)
Date: Fri, 12 Sep 2008 13:46:08 -0500
Subject: [c-nsp] ELAM capture on SRB
In-Reply-To: <20080912181705.GS4860@rtp-cse-489.cisco.com>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D7E0E42@spsrvmail03.nec.br> <20080912181705.GS4860@rtp-cse-489.cisco.com>
Message-ID: <4407932e0809121146y52d9781dpe3deba769dc7988c@mail.gmail.com>

The ELAM syntax that worked on SXF doesn't work on SRB though... Mind
sharing how to do captures in SRB?

--
Tim

On Fri, Sep 12, 2008 at 1:17 PM, Rodney Dunn wrote:
> Yes. We use it all the time to match on ingress ip/mpls frames and see
> what the rewrites are.
>
> The complexity comes when you have to understand all the internal
> dst_indx and internal VLAN allocation details.
>
>
> Rodney
>
> On Fri, Sep 12, 2008 at 01:51:50PM -0300, Leonardo Gama Souza wrote:
> > Hi...
> >
> > Does anyone know if it's feasible to use ELAM capture on SRB throttle?
> > I haven't been able to find it.
> > I'd appreciate if someone can share additional information about it.
> >
> > Thanks much!
From clayton at MNSi.Net  Fri Sep 12 15:02:07 2008
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Fri, 12 Sep 2008 15:02:07 -0400
Subject: [c-nsp] NPE-G2 Gigabit Ignored Errors
In-Reply-To: <20080912184304.GA4860@rtp-cse-489.cisco.com>
References: <200809121649.m8CGngEV013138@e450.mnsi.net> <20080912181607.GR4860@rtp-cse-489.cisco.com> <200809121839.m8CIdHD3029666@e450.mnsi.net> <20080912184304.GA4860@rtp-cse-489.cisco.com>
Message-ID: <200809121901.m8CJ1KFO022297@e450.mnsi.net>

Here are the sh controller and sh proc results. I'll send the config
directly - too much to sanitize ...

Thanks!

Hardware is MV64460 Internal MAC (Revision MV64460-Ethernet)
network link is up
Config is 1Gbps, Full Duplex
Selected media-type is RJ45
GBIC is not present
Ethernet Unit Global Registers:
  PHY Address           = 0x00000820
  SMI (PHY Control)     = 0x0C001000
  Default Address (Err) = 0xFE200000
  Default ID (Err)      = 0x000001D1
  Inter