From arnolditya at hotmail.com Wed Apr 1 01:30:10 2009
From: arnolditya at hotmail.com (arnoldus Subiyanto)
Date: Wed, 1 Apr 2009 13:30:10 +0800
Subject: [c-nsp] BGP convergence
Message-ID:

Hello.. I'm a new member here.. My name is Aditya, from Bali, Indonesia..

I want to conduct research to examine the speed of convergence in BGP. Do you friends all know whether there is software that can be used to view the update process of the BGP routing table? The things that I want to know are:

1. Large table;
2. Large memory used;
3. Speed of peering;
4. AS-PATH length

Or does a Cisco router have a command to see that?

One more: is there a standard speed needed for a BGP router to converge?

thanks for your help ..

From gert at greenie.muc.de Wed Apr 1 02:22:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Apr 2009 08:22:09 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <1238536244.3604.0.camel@localhost.localdomain>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <1238536244.3604.0.camel@localhost.localdomain>
Message-ID: <20090401062209.GG290@greenie.muc.de>

Hi,

On Tue, Mar 31, 2009 at 11:50:44PM +0200, Peter Rathlev wrote:
> On Tue, 2009-03-31 at 22:44 +0200, Dirk-Jan van Helmond wrote:
> > I've asked my account manager @Cisco, so you please ask yours. Maybe if
> > we ask kind enough, they will think about it ;)
>
> Yeah, that usually works like a charm. Remember BFD for SVIs? ;-)

Gah. I had all forgotten about it...

gert
--
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de
From sandmaier at schlund.net Wed Apr 1 02:44:33 2009
From: sandmaier at schlund.net (Jan Sandmaier)
Date: Wed, 01 Apr 2009 08:44:33 +0200
Subject: [c-nsp] 10GE card for 7609
In-Reply-To:
References: <863386.41277.qm@web44809.mail.sp1.yahoo.com>
Message-ID: <49D30D51.4060304@schlund.net>

Geoffrey Pendery wrote:
> The stuff we've been reading (look at "Supervisor Engines Supported"
> on the data sheets for "Cisco Catalyst 6500 Series 10 Gigabit Ethernet
> Interface Modules", or browse the line cards for the 7600, or go into
> Configurator tool) claims that the RSP 720 won't support the X6704 or
> X6708 10 Gig "LAN" cards, only the SIP/SPA/ES "WAN" type cards.
>
> I don't mean to kick off a big "6500 vs 7600" storm again, but does
> anyone know if this is incorrect?
> Can we buy a new 7609-S chassis, put a new RSP 720 in it, put 7600 IOS
> on that Sup, then plug in a WS-X6708-10G-3C and have it work?
>

X6708-10G-3C works definitely. X6704 also.
You have to check the release notes or software advisor for the suitable IOS.

Jan

>
> -Geoff
>
>
> On Mon, Mar 30, 2009 at 4:41 AM, Mark Tech wrote:
>
>> Hi
>> I have a prospect for a 10G upstream customer and Upstream ISP connections. I would need to connect these into our 7609s running RSP 720-3CXL's, at the moment I have found that the WS-X6704-10GE card may be suitable.
>>
>> My technical requirements are:
>> 10Gbps line rate
>> IPv4
>> Able to handle full Internet routing table
>> Potentially IPv6 and MPLS in the future
>>
>> With the WS-X6704-10GE, there seems to be several options that are available with it i.e.
>>
>> Memory Option:
>> MEM-XCEF720-256M
>> Catalyst 6500 256MB DDR, xCEF720 (67xx interface, DFC3A)
>> MEM-XCEF720-512M
>> Cat 6500 512MB DDR, xCEF720 (67xx interface, DFC3A/DFC3B)
>> MEM-XCEF720-1GB
>> Catalyst 6500 1GB DDR, xCEF720 (67xx interface, DFC3BXL)
>>
>> ====================================================
>> Distributed Forwarding Card Option
>>
>> WS-F6700-CFC
>> Catalyst 6500 Central Fwd Card for WS-X67xx modules
>> WS-F6700-DFC3B
>> Catalyst 6500 Dist Fwd Card, 256K Routes for WS-X67xx
>> WS-F6700-DFC3A
>> Catalyst 6500 Dist Fwd Card for WS-X67xx modules
>> WS-F6700-DFC3BXL
>> Catalyst 6500 Dist Fwd Card- 3BXL, for WS-X67xx
>> WS-F6700-DFC3C
>> Catalyst 6500 Dist Fwd Card for WS-X67xx modules
>> WS-F6700-DFC3CXL
>> Catalyst 6500 Dist Fwd Card- 3CXL, for WS-X67xx
>>
>> I assume that I would need MEM-XCEF720-1GB and WS-F6700-DFC3CXL?
>>
>> Regards
>>
>> Mark
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

--
Jan Sandmaier                    Network Engineer
1und1 Internet AG                Mail: jan.sandmaier at 1und1.de
Brauerstrasse 48                 Tel.: +49 721/91374-4213
D-76135 Karlsruhe                Fax : +49 721/91374-212
http://www.1und1.de (AS8560)

From asad747 at cyber.net.pk Wed Apr 1 03:56:04 2009
From: asad747 at cyber.net.pk (Asad Ul-Islam)
Date: Wed, 01 Apr 2009 12:56:04 +0500
Subject: [c-nsp] Problem with L2TP !!
Message-ID: <002801c9b29f$4e94d250$ebbe76f0$@net.pk>

Dear friends!

I am trying to establish an L2TP tunnel between a LAC (which is also acting as a BRAS) and an LNS (which is also acting as a BRAS).

User ---------[Cisco 3640 LAC]----- IP Cloud-------[Cisco 3845 LNS]

The problem I am facing is that the scenario works fine as long as I am using a user account created locally on the LNS. However, as soon as I enable the RADIUS parameters, the LAC stops establishing the tunnel with the LNS and connects the user on the LAC as a PPPoE user. After investigation I have found that if I remove the following line from the configuration, L2TP tunnels work perfectly fine:

aaa authorization network default group radius

Can someone tell me why it's happening?? Since I am using @domain in the user IDs for L2TP users, the LAC should not even refer to RADIUS. And I need this aaa authorization parameter since both my LAC and LNS also have PPPoE users terminated on them.

Following is my LAC and LNS configuration after including my RADIUS parameters; the same configuration works fine without the RADIUS parameters.

LAC Configuration

aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting update periodic 15
aaa accounting network default start-stop group radius
aaa nas port extended
aaa session-id common
!
ip cef
vpdn enable
vpdn multihop
!
vpdn-group 1
 request-dialin
  protocol l2tp
  multihop hostname DSL-LNS
  domain cybernet
 initiate-to ip 1.1.1.1
 source-ip 2.2.2.2
 local name DSL-LAC
 no l2tp tunnel authentication
!
bba-group pppoe global
 virtual-template 1
!
interface Serial2/1
 description *** Connected to LNS ***
 ip address 2.2.2.2 255.255.255.252
 encapsulation ppp

interface ATM3/0.2 multipoint
 pvc vpdn 0/36
  encapsulation aal5snap
  protocol pppoe group global

interface Virtual-Template1
 ip unnumbered Serial2/1
 peer default ip address pool home-dsl
 ppp authentication pap

LNS Configuration

aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting update periodic 15
aaa session-id common
!
vpdn enable
vpdn multihop
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname DSL-LAC
 local name DSL-LNS
 lcp renegotiation on-mismatch
 no l2tp tunnel authentication
!
interface GigabitEthernet0/1.7
 description *** LAC Management ***
 encapsulation dot1Q 7
 ip address 1.1.1.1 255.255.255.252
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1.7
 peer default ip address pool PPPoE
 ppp authentication pap

From alex at alexfisher.me.uk Wed Apr 1 05:42:52 2009
From: alex at alexfisher.me.uk (Alexander Fisher)
Date: Wed, 1 Apr 2009 10:42:52 +0100
Subject: [c-nsp] dhcprelay regression on latest pix 515 firmware (8.0.4)
Message-ID: <5449aac20904010242q65b3cbd3o69e7ee56c95d749@mail.gmail.com>

Hi

I've uncovered a problem with the latest pix 515 firmware (asa-8.0.4) which didn't exist in 8.0.3. The dhcprelay function no longer works in some circumstances. Specifically, I can no longer do automated Linux client installs over the network (FAI). The initial DHCP at PXE boot time works fine, but the later DHCP operation after kernel boot fails. The client sends a DHCP Request and this gets relayed to the server without problems, but the returned DHCP Ack is not forwarded back to the client.

Turning on debug dhcprelay error etc gives...

DHCPRA: relay binding created for client 001d.09fa.6f13.
DHCPD: setting giaddr to 192.168.63.1.
dhcpd_forward_request: request from 001d.09fa.6f13 forwarded to shadowcat.
DHCPD/RA: Punt shadowcat/17152 --> 192.168.63.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 001d.09fa.6f13.
DHCPRA: Adding rule to allow client to respond using offered address dmz2
DHCPRA: forwarding reply to client 001d.09fa.6f13.
DHCPRA: relay binding found for client 001d.09fa.6f13.
DHCPD: setting giaddr to 192.168.63.1.
dhcpd_forward_request: request from 001d.09fa.6f13 forwarded to shadowcat.
DHCPD/RA: Punt shadowcat/17152 --> 192.168.63.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 001d.09fa.6f13.
DHCPRA: exchange complete - relay binding deleted for client 001d.09fa.6f13.
DHCPD: returned relay binding 192.168.63.1/001d.09fa.6f13 to address pool.
dhcpd_destroy_binding() removing NP rule for client 192.168.63.1
DHCPRA: forwarding reply to client 001d.09fa.6f13.
DHCPRA: Can't Create binding
DHCPD: setting giaddr to 192.168.63.1.
dhcpd_forward_request: request from 001d.09fa.6f13 forwarded to shadowcat.
DHCPD/RA: Punt shadowcat/17152 --> 192.168.63.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: dhcp_relay_agent_receiver:can't find binding
DHCPRA: Can't Create binding
DHCPD: setting giaddr to 192.168.63.1.
dhcpd_forward_request: request from 001d.09fa.6f13 forwarded to shadowcat.
DHCPD/RA: Punt shadowcat/17152 --> 192.168.63.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: dhcp_relay_agent_receiver:can't find binding
DHCPRA: Can't Create binding
DHCPD: setting giaddr to 192.168.63.1.
dhcpd_forward_request: request from 001d.09fa.6f13 forwarded to shadowcat.
DHCPD/RA: Punt shadowcat/17152 --> 192.168.63.1/17152 to CP
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: dhcp_relay_agent_receiver:can't find binding

Googling turned up nothing, so hopefully this post might be of help to someone.
Does anybody know what could cause the "DHCPRA: Can't Create binding" error?

Kind Regards,
Alex

From lists at memetic.org Wed Apr 1 05:12:03 2009
From: lists at memetic.org (Adam Armstrong)
Date: Wed, 01 Apr 2009 10:12:03 +0100
Subject: [c-nsp] 6500/7600 Pseudowires
Message-ID: <49D32FE3.9050806@memetic.org>

Hi All,

I have a pseudowire running between an IX and my peering router in another country. There's a SIP600 in a 7606/SUP7203B at the far end facing the IX and a WS-X6748-GE-TX + DFC3B in a 7613/SUP7203B at this end facing the peering router. The local 7613 is connected to the remote 7606 with a pair of long GE links.

Occasionally something along the chain reflects a couple of frames back to the IX, who shuts the port down automatically (killing off all of my peering sessions!)

Has anyone had anything similar, and found out the cause for it? I can verify that neither the IS-IS route to the 7606 nor the LSP for the pseudowire was changed during the issue.

Thanks,
adam.

From linux.yahoo at gmail.com Wed Apr 1 06:26:16 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Wed, 1 Apr 2009 12:26:16 +0200
Subject: [c-nsp] how to filter some specific logging message
Message-ID: <7100ed370904010326n1e1a28b1i5def36ee24348037@mail.gmail.com>

Is it possible to filter some specific syslog message with the logging filter command or with a logging discriminator?

There are some "cosmetic" bugs that I need to filter...

Example: I don't want the specific message including "fem" to be sent to my remote syslog server.

I tried that configuration but no way :( Maybe a syntax problem, maybe not possible to filter?
logging discriminator nolog msg-body drops *fem
logging host x.x.x.x discriminator nolog

Thanks for your help

From ioan.branet at gmail.com Wed Apr 1 06:29:14 2009
From: ioan.branet at gmail.com (Ioan Branet)
Date: Wed, 1 Apr 2009 13:29:14 +0300
Subject: [c-nsp] Cisco 3750 high CPU utilization HL3U bkgrd]
In-Reply-To: <257d19980903310543n644d75fdsff69326f6bc1ca2f@mail.gmail.com>
References: <257d19980903310543n644d75fdsff69326f6bc1ca2f@mail.gmail.com>
Message-ID: <257d19980904010329p640a27b5yf9c5fbdf47ed98e6@mail.gmail.com>

Hello All,

Have you encountered a similar situation?

Thank you,

On Tue, Mar 31, 2009 at 3:43 PM, Ioan Branet wrote:
> Hello,
>
> We have many Cisco 3750 switches in our network which have high CPU
> utilization. It seems that the process that causes this high load is the HL3U
> bkgrd process.
>
> The problem is solved after a reload but appears again after 3-4 months.
>
> We changed also the IOS but with no results.
>
> It seems that it is a bug but I am not very sure.
>
> sh processes cpu sorted | ex 0.00
> CPU utilization for five seconds: 99%/28%; one minute: 85%; five minutes: 81%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>  108   389775804   4389443  88799 57.57% 40.01% 39.39%   0 HL3U bkgrd proce
>   58    11854779  72185839    164  3.50%  2.77%  2.31%   0 HLFM address lea
>  292         689       192   3588  1.91%  0.33%  0.07%   1 Virtual Exec
>   47    12845296   2142151   5996  1.11%  1.00%  1.04%   0 FE free chunk
>  245    17376827    532655  32623  0.63%  0.51%  0.52%   0 MFI LFD Stats Pr
>  107     5476276  58476944     93  0.63%  0.62%  0.58%   0 Hulc LED Process
>   74      768210  21312879     36  0.31%  0.09%  0.08%   0 hpm main process
>  135     6540410  20282165    322  0.15%  0.18%  0.22%   0 IP Input
>  143     3566619  27781902    128  0.15%  0.24%  0.20%   0 Spanning Tree
>   45     1004640 128285520      7  0.15%  0.15%  0.13%   0 Fifo Error Detec
>  138     1152329   2735155    421  0.15%  0.13%  0.12%   0 PI MATM Aging Pr
>
> sh version
> Cisco IOS Software, C3750ME Software (C3750ME-I5-M), Version 12.2(37)SE1,
> RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Thu 05-Jul-07 20:06 by antonino
> Image text-base: 0x00003000, data-base: 0x0163F400
>
> ROM: Bootstrap program is C3750 boot loader
> BOOTLDR: C3750ME Boot Loader (C3750ME-HBOOT-M) Version 12.1(14r)AX, RELEASE SOFTWARE (fc1)
>
> vic102 uptime is 4 weeks, 4 days, 10 hours, 9 minutes
> System returned to ROM by power-on
> System restarted at 03:01:54 GMT Fri Feb 27 2009
> System image file is "flash:c3750me-i5-mz.122-37.SE1.bin"
>
> cisco ME-C3750-24TE (PowerPC405) processor (revision F0) with 118784K/12280K bytes of memory.
> Processor board ID CAT1043NM05
> Last reset from power-on
> 8 Virtual Ethernet interfaces
> 24 FastEthernet interfaces
> 4 Gigabit Ethernet interfaces
> The password-recovery mechanism is enabled.
>
> 1024K bytes of flash-simulated non-volatile configuration memory.
> Base ethernet MAC Address       : 00:19:E8:87:23:00
> Motherboard assembly number     : 73-9938-04
> Motherboard serial number       : CAT104356B7
> Model revision number           : F0
> Motherboard revision number     : A0
> Model number                    : ME-C3750-24TE-M
> Daughterboard assembly number   : 73-9939-02
> Daughterboard serial number     : CAT104355CQ
> System serial number            : CAT1043NM05
> Top Assembly Part Number        : 800-25952-04
> Top Assembly Revision Number    : C0
> Version ID                      : V05
> CLEI Code Number                : COM1510ARA
> Daughterboard revision number   : A0
> Hardware Board Revision Number  : 0x09
>
> Switch Ports Model              SW Version   SW Image
> ------ ----- -----              ----------   ----------
> *    1 28    ME-C3750-24TE      12.2(37)SE1  C3750ME-I5-M
>
> Configuration register is 0xF
>
> #sh memory | i HL
>
> #sh sdm prefer
> The current template is "desktop routing" template.
> The selected template optimizes the resources in
> the switch to support this level of features for
> 8 routed interfaces and 1024 VLANs.
>
> number of unicast mac addresses:                  3K
> number of IPv4 IGMP groups + multicast routes:    1K
> number of IPv4 unicast routes:                    11K
>   number of directly-connected IPv4 hosts:        3K
>   number of indirect IPv4 routes:                 8K
> number of IPv4 policy based routing aces:         0.5K
> number of IPv4/MAC qos aces:                      0.5K
> number of IPv4/MAC security aces:                 1K
>
> Mar 31 12:48:11: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:48:17: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:48:28: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:48:46: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:49:00: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:49:47: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:50:39: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:51:02: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:51:34: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:51:55: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:53:11: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:53:25: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:53:37: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:54:36: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:56:44: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 12:57:48: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 13:02:22: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 13:02:48: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 13:03:56: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 13:07:31: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
> Mar 31 13:30:37: %OCE-3-MISSING_HANDLER_FOR_SW_OBJ_TYPE: Missing handler for 'non choice oce get next' function for type Midchain
>
> On another 3750 from our network:
>
> sh processes cpu sorted | ex 0.00
> CPU utilization for five seconds: 43%/2%; one minute: 58%; five minutes: 59%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>  108  2635783702  47442165  55558 30.55% 48.37% 49.28%   0 HL3U bkgrd proce
>  294         500      2692    185  3.19%  0.55%  0.13%   1 Virtual Exec
>   47   296813504  43714587   6789  1.43%  1.70%  1.74%   0 FE free chunk
>  107    58156203 265066803    219  0.63%  0.42%  0.37%   0 Hulc LED Process
>  247    88726248   2800468  31682  0.47%  0.45%  0.47%   0 MFI LFD Stats Pr
>  117     3310849   6664259    496  0.15%  0.04%  0.03%   0 HRPC qos request
>  135     8065160  45776840    176  0.15%  0.07%  0.04%   0 IP Input
>  243    28572622  56335656    507  0.15%  0.17%  0.18%   0 ISIS Upd
>
> #sh ver
> Cisco IOS Software, C3750ME Software (C3750ME-I5-M), Version 12.2(37)SE1, RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Thu 05-Jul-07 20:06 by antonino
> Image text-base: 0x00003000, data-base: 0x0163F400
>
> ROM: Bootstrap program is C3750 boot loader
> BOOTLDR: C3750ME Boot Loader (C3750ME-HBOOT-M) Version 12.1(14r)AX, RELEASE SOFTWARE (fc1)
>
> rom101 uptime is 27 weeks, 5 days, 18 hours, 13 minutes
> System returned to ROM by power-on
> System restarted at 20:03:10 CETDST Wed Sep 17 2008
> System image file is "flash:c3750me-i5-mz.122-37.SE1.bin"
>
> cisco ME-C3750-24TE (PowerPC405) processor (revision F0) with 118784K/12280K bytes of memory.
> Processor board ID CAT1111NLH3
> Last reset from power-on
> 3 Virtual Ethernet interfaces
> 24 FastEthernet interfaces
> 4 Gigabit Ethernet interfaces
> The password-recovery mechanism is enabled.
>
> 1024K bytes of flash-simulated non-volatile configuration memory.
> Base ethernet MAC Address       : 00:1B:2B:E6:4B:00
> Motherboard assembly number     : 73-9938-04
> Motherboard serial number       : CAT11115HNX
> Model revision number           : F0
> Motherboard revision number     : B0
> Model number                    : ME-C3750-24TE-M
> Daughterboard assembly number   : 73-9939-02
> Daughterboard serial number     : CAT11115KVD
> System serial number            : CAT1111NLH3
> Top Assembly Part Number        : 800-25952-04
> Top Assembly Revision Number    : C0
> Version ID                      : V05
> CLEI Code Number                : COM1510ARA
> Daughterboard revision number   : A0
> Hardware Board Revision Number  : 0x09
>
> Switch Ports Model              SW Version   SW Image
> ------ ----- -----              ----------   ----------
> *    1 28    ME-C3750-24TE      12.2(37)SE1  C3750ME-I5-M
>
> Configuration register is 0xF
>
> Do you have any idea what is the root cause of this issue?
>
> Thank you,
>
> --
> Ioan Branet

--
Ioan Branet
CCIE #23474 R&S

From ip at ioshints.info Wed Apr 1 06:55:52 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 1 Apr 2009 12:55:52 +0200
Subject: [c-nsp] how to filter some specific logging message
In-Reply-To: <7100ed370904010326n1e1a28b1i5def36ee24348037@mail.gmail.com>
References: <7100ed370904010326n1e1a28b1i5def36ee24348037@mail.gmail.com>
Message-ID: <002f01c9b2b8$6d5f0480$0a00000a@nil.si>

The "drops" keyword expects a regular expression. You should use "fem" instead of "*fem" (or maybe ".*fem").

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Manu Chao [mailto:linux.yahoo at gmail.com]
> Sent: Wednesday, April 01, 2009 12:26 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] how to filter some specific logging message
>
> Is it possible to filter some specific syslog message with
> logging filter command or with logging discriminator?
>
> There are some "cosmetic" bugs that I need to filter...
>
> Example: i don't want the specific message including
> "fem" to be sent to my remote syslog server.
>
> I try that configuration but no way :( may be a syntax
> problem may be not possible to filter?
>
> logging discriminator nolog msg-body drops *fem
> logging host x.x.x.x discriminator nolog
>
> Thanks for your help
>

From achatz at forthnet.gr Wed Apr 1 10:50:01 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 01 Apr 2009 17:50:01 +0300
Subject: [c-nsp] SXI1 is out
Message-ID: <49D37F19.4060201@forthnet.gr>

...but release notes haven't been updated yet.

I'm having a maintenance window tomorrow and I was planning to upgrade 3 6500s from SXF9 to SXI, but since SXI1 came out, I'm thinking of moving directly to it. Anyone know what is fixed from SXI to SXI1?

PS: I was running SXI in a lab for a few weeks without any major issues.
--
Tassos

From jared at puck.nether.net Wed Apr 1 11:02:02 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 1 Apr 2009 11:02:02 -0400
Subject: [c-nsp] SXI1 is out
In-Reply-To: <49D37F19.4060201@forthnet.gr>
References: <49D37F19.4060201@forthnet.gr>
Message-ID: <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net>

On Apr 1, 2009, at 10:50 AM, Tassos Chatzithomaoglou wrote:
> ...but release notes haven't been updated yet.
>
> I'm having a maintenance window tomorrow and i was planning to
> upgrade 3 6500s from SXF9 to SXI, but since SXI1 came out, i'm
> thinking of moving directly to it. Anyone know what is fixed from
> SXI to SXI1?
>
> PS: I was running SXI in a lab for a few weeks without any major
> issues.

I know this image has 4-byte ASN support and fixes for at least one BGP-related bug.

I've been toying with it for a few hours now with no significant problems.

I know at least one of my bugs did not make it to SXI1, making the modular unusable in our environment.

- Jared

From oboehmer at cisco.com Wed Apr 1 11:08:21 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 1 Apr 2009 17:08:21 +0200
Subject: [c-nsp] Problem with L2TP !!
In-Reply-To: <002801c9b29f$4e94d250$ebbe76f0$@net.pk>
References: <002801c9b29f$4e94d250$ebbe76f0$@net.pk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840723AEAE@xmb-ams-333.emea.cisco.com>

> Dear friends!
>
> I am trying to establish a L2TP tunnel between a LAC (Which is also
> Acting as BRAS) and LNS (Which is also acting as BRAS).
>
> User ---------[Cisco 3640 LAC]----- IP Cloud-------[Cisco 3845 LNS]
>
> The problem I am facing is that the scenario is working fine as long
> as I am using user account created locally on LNS. However as soon
> as I enable radius parameters, LAC stops establishing tunnel with LNS
> and connects the user on LAC as pppoe user.
> After investigation I
> have found that If I remove following line from the configuration
> L2TP Tunnels works perfectly fine;
> aaa authorization network default group radius
>
> Can someone tell me Why its happening?? Since I am using @domain in
> user ids for L2TP users, LAC should not even refer to Radius. And I
> need this aaa authorization parameter since both my LAC and LNS also
> have PPPoE users terminated on them.

Well, you need to decide whether you want to authorize via RADIUS or not. If you are using domains, you can define

cybernet Password = "cisco" Service-Type = Outbound-User,
        cisco-avpair = "vpdn:tunnel-id=DSL-LNS",
        cisco-avpair = "vpdn:tunnel-type=l2tp",
        cisco-avpair = "vpdn:ip-addresses=1.1.1.1",
        cisco-avpair = "vpdn:source-ip=2.2.2.2"

Once you configure vpdn multihop (turning the LNS into a LAC), the node will perform network authorization for all connections, including for users with domains. There is a special authorization for domains where the domain will be authorized with RADIUS (using the fixed "cisco" password), and if the profile exists, the LAC/LNS will search for tunnel information and forward the session (if found). If there is no domain/tunnel profile, the LAC/LNS will authorize the full username to terminate the session locally.

Hope this helps..

oli

From justin at justinshore.com Wed Apr 1 11:57:36 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 01 Apr 2009 10:57:36 -0500
Subject: [c-nsp] Bridging DS1s from Overture ISGs back to Cisco channelized DS3 interfaces
Message-ID: <49D38EF0.5050307@justinshore.com>

Has anyone ever successfully terminated a group of bonded DS1s from an Overture device such as an ISG 140 back to a PA-MC-2T3-EC? Talking to Overture's support, they're saying that even though they use MLPPP they also require the use of BCP (Bridge Control Protocol), which I personally hadn't heard of until today.
They're saying that I need to be able to pass 1Q tagged frames down the MLPPP bundle to the ISG on the remote end. The SE they have onsite here has a document that shows an example config but it apparently requires IP routing to be disabled (no ip routing). That's not cool. That kind of defeats the purpose of buying a shiny new router if you have to turn off routing...

So has anyone ever bridged DS1s between a Cisco and Overture box? Why would routing have to be disabled for BCP to work?

Thanks
Justin

From MLouis at nwnit.com Wed Apr 1 12:33:04 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Wed, 1 Apr 2009 12:33:04 -0400
Subject: [c-nsp] SXI1 is out
In-Reply-To: <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net>
Message-ID:

SXI didn't support Netflow export from a VRF other than the global table. The command option wasn't available in the ip flow export command syntax.

Here is what I am seeing in SXI

6509(config)#ip flow-export destination 10.1.1.3 9996 ?

The vrf flag was available in SXH.

Has that been fixed in SXI1?

Mike Louis
Senior Solutions Architect
CCIE #17082 (R&S)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Wednesday, April 01, 2009 11:02 AM
To: Tassos Chatzithomaoglou
Cc: cisco-nsp
Subject: Re: [c-nsp] SXI1 is out

On Apr 1, 2009, at 10:50 AM, Tassos Chatzithomaoglou wrote:
> ...but release notes haven't been updated yet.
>
> I'm having a maintenance window tomorrow and i was planning to
> upgrade 3 6500s from SXF9 to SXI, but since SXI1 came out, i'm
> thinking of moving directly to it. Anyone know what is fixed from
> SXI to SXI1?
>
> PS: I was running SXI in a lab for a few weeks without any major
> issues.

I know this image has 4-byte ASN support and fixes for at least one bgp related bug.
I've been toying with it for a few hours now with no significant problems.

I know at least one of my bugs did not make it to SXI1 making the modular
unusable in our environment.

- Jared

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Note: This message and any attachments is intended solely for the use of the
individual or entity to which it is addressed and may contain information that
is non-public, proprietary, legally privileged, confidential, and/or exempt
from disclosure. If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this communication is
strictly prohibited. If you have received this communication in error, please
notify the original sender immediately by telephone or return email and destroy
or delete this message along with any attachments immediately.

From p.mayers at imperial.ac.uk Wed Apr 1 12:40:33 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 01 Apr 2009 17:40:33 +0100
Subject: [c-nsp] SXI1 is out
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net>
Message-ID: <49D39901.7090903@imperial.ac.uk>

Mike Louis wrote:
> SXI didn't support Netflow export from a VRF other than the global table. The command option wasn't available in the ip flow export command syntax.
>
> Here is what I am seeing in SXI
>
> 6509(config)#ip flow-export destination 10.1.1.3 9996 ?
>
>
> The vrf flag was available in SXH.

It didn't work properly in SXH. It only exported MSFC-switched flows.

>
> Has that been fixed in SXI1?
From MLouis at nwnit.com Wed Apr 1 12:42:46 2009
From: MLouis at nwnit.com (Mike Louis)
Date: Wed, 1 Apr 2009 12:42:46 -0400
Subject: [c-nsp] SXI1 is out
In-Reply-To: <49D39901.7090903@imperial.ac.uk>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk>

Good to know. I didn't use it much in SXH, just installed SXH long enough to
see the command was there. We had a multi-VRF deployment and SXH crashed and
went to ROMMON once we configured 3 or more EIGRP AS #s in a VRF-Lite
deployment. We had to go to SXI for stability with EIGRP and VRF-lite. Then we
lost Netflow commands again outside the global VRF.

Mike

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Wednesday, April 01, 2009 12:41 PM
To: Mike Louis
Cc: Jared Mauch; Tassos Chatzithomaoglou; cisco-nsp
Subject: Re: [c-nsp] SXI1 is out

Mike Louis wrote:
> SXI didn't support Netflow export from a VRF other than the global table. The command option wasn't available in the ip flow export command syntax.
>
> Here is what I am seeing in SXI
>
> 6509(config)#ip flow-export destination 10.1.1.3 9996 ?
>
>
> The vrf flag was available in SXH.

It didn't work properly in SXH. It only exported MSFC-switched flows.

>
> Has that been fixed in SXI1?
>
From lists.james.edwards at gmail.com Wed Apr 1 12:44:04 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 1 Apr 2009 10:44:04 -0600
Subject: [c-nsp] Problems bringing up BGP session

I moved the BGP session to a new router for my Quagga route server. It was
working before the move but now it comes up, the RS gets all the routes and in
~5 mins. the session goes down. This looks like bug CSCsv33977. I can't apply
the workaround as I do not have the command "dont-capability-negotiate":

Enter configuration commands, one per line.  End with CNTL/Z.
edge-router1(config)#router bgp 22523
edge-router1(config-router)#neighbor 198.59.128.243 ?
  activate                 Enable the Address Family for this Neighbor
  advertise-map            specify route-map for conditional advertisement
  advertisement-interval   Minimum interval between sending BGP routing updates
  allowas-in               Accept as-path with my AS present in it
  capability               Advertise capability to the peer
  default-originate        Originate default route to this neighbor
  description              Neighbor specific description
  disable-connected-check  one-hop away EBGP peer using loopback address
  distribute-list          Filter updates to/from this neighbor
  dmzlink-bw               Propagate the DMZ link bandwidth
  ebgp-multihop            Allow EBGP neighbors not on directly connected networks
  fall-over                session fall on peer route lost
  filter-list              Establish BGP filters
  ha-mode                  high availability mode
  inherit                  Inherit a template
  local-as                 Specify a local-as number
  maximum-prefix           Maximum number of prefixes accepted from this peer
  next-hop-self            Disable the next hop calculation for this neighbor
  next-hop-unchanged       Propagate next hop unchanged for iBGP paths to this neighbor
  password                 Set a password
  peer-group               Member of the peer-group
  prefix-list              Filter updates to/from this neighbor
  remote-as                Specify a BGP neighbor
  remove-private-as        Remove private AS number from outbound updates
  route-map                Apply route map to neighbor
  route-reflector-client   Configure a neighbor as Route Reflector client
  send-community           Send Community attribute to this neighbor
  send-label               Send NLRI + MPLS Label to this peer
  shutdown                 Administratively shut down this neighbor
  soft-reconfiguration     Per neighbor soft reconfiguration
  soo                      Site-of-Origin extended community
  timers                   BGP per neighbor timers
  translate-update         Translate Update to MBGP format
  transport                Transport options
  ttl-security             BGP ttl security check
  unsuppress-map           Route-map to selectively unsuppress suppressed routes
  update-source            Source of routing updates
  version                  Set the BGP version to match a neighbor
  weight                   Set default weight for routes from this neighbor

Cisco Router is running c7200p-adventerprisek9-mz.122-33.SRC2.bin

Config looks like this:

 neighbor 198.59.128.243 remote-as 22523
 neighbor 198.59.128.243 description iBGP WITH HOMER
 neighbor 198.59.128.243 shutdown
 neighbor 198.59.128.243 update-source Loopback1
 neighbor 198.59.128.243 next-hop-self
 neighbor 198.59.128.243 prefix-list DENY-ALL-ROUTES in

Logs:

Apr 1 10:14:44.062 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Up
Apr 1 10:18:23.462 mdt: %SYS-5-CONFIG_I: Configured from console by james on vty0 (198.59.128.254)
Apr 1 10:21:44.765 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Down BGP Notification sent
Apr 1 10:21:44.765 mdt: %BGP-3-NOTIFICATION: sent to neighbor 198.59.128.243 4/0 (hold time expired) 0 bytes
Apr 1 10:21:49 mdt: BGP notification suppress timer expired, old send notification:
Apr 1 10:21:49 mdt: BGP April 01 16:20:49.913: BGP: 198.59.128.243 passive send NOTIFICATION 2/8 (no supported AFI/SAFI) afi 0 safi 0

Any clues ?

James H.
Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From lists.james.edwards at gmail.com Wed Apr 1 13:51:04 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 1 Apr 2009 11:51:04 -0600
Subject: [c-nsp] Problems bringing up BGP session
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D022B259F@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D022B259F@spsrvmail03.nec.br>

On Wed, Apr 1, 2009 at 11:08 AM, Leonardo Gama Souza <leonardo.souza at nec.com.br> wrote:

> Hi...
> Try again.
> It is a hidden command.
>

Thanks, yep it was there. But it did not fix my problem:

Apr 1 11:40:44.351 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Up
Apr 1 11:47:44.994 mdt: %BGP-5-ADJCHANGE: neighbor 198.59.128.243 Down BGP Notification sent
Apr 1 11:47:44.994 mdt: %BGP-3-NOTIFICATION: sent to neighbor 198.59.128.243 4/0 (hold time expired) 0 bytes
Apr 1 11:48:20 mdt: BGP notification suppress timer expired, old send notification:
Apr 1 11:48:20 mdt: BGP April 01 17:47:21.208: BGP: 198.59.128.243 passive send NOTIFICATION 2/8 (no supported AFI/SAFI) afi 1 safi 1

james

From jared at puck.nether.net Wed Apr 1 14:01:21 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 1 Apr 2009 14:01:21 -0400
Subject: [c-nsp] SXI1 is out
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk>
Message-ID: <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net>

netflow on the 65xx is broken enough i'm surprised it gave you any data of value.

- jared

On Apr 1, 2009, at 12:42 PM, Mike Louis wrote:

> Good to know. I didn't use it much in SXH, just installed SXH
> long enough to see the command was there. We had a multi-VRF
> deployment and SXH crashed and went to ROMMON once we configured 3
> or more EIGRP AS #s in a VRF-Lite deployment. We had to go to SXI for
> stability with EIGRP and VRF-lite.
> Then we lost Netflow commands again outside the global VRF.
>
> Mike

From leonardo.souza at nec.com.br Wed Apr 1 13:08:19 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 1 Apr 2009 14:08:19 -0300
Subject: [c-nsp] RES: Problems bringing up BGP session
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D022B259F@spsrvmail03.nec.br>

Hi...
Try again.
It is a hidden command.
From marco at linuxgoeroe.dhs.org Wed Apr 1 13:44:21 2009
From: marco at linuxgoeroe.dhs.org (Marco van den Bovenkamp)
Date: Wed, 01 Apr 2009 19:44:21 +0200
Subject: [c-nsp] SXI1 is out
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net>
Message-ID: <49D3A7F5.10105@linuxgoeroe.dhs.org>

Mike Louis wrote:
> SXI didn't support Netflow export from a VRF other than the global table. The command option wasn't available in the ip flow export command syntax.
>
> Here is what I am seeing in SXI
>
> 6509(config)#ip flow-export destination 10.1.1.3 9996 ?
>
>
> The vrf flag was available in SXH.
>
> Has that been fixed in SXI1?

Probably not. I ran into the same thing when trying to run NetFlow on a number
of ME6524s. SXH had it, SXI didn't. TAC said: 'It wasn't fully functional in
SXH and worked only for software flows. It's removed in SXI and there are no
plans to bring it back'.

Bummer :-(

Regards,

Marco.

From ralvarez.list at gmail.com Wed Apr 1 16:10:31 2009
From: ralvarez.list at gmail.com (Ramón Alvarez R.)
Date: Wed, 1 Apr 2009 14:10:31 -0600
Subject: [c-nsp] Unknown Multicast Traffic cause High CPU
In-Reply-To: <30697BA326C8DC4B863C69C819A56DED490D25@ORION.enitel.net>
References: <30697BA326C8DC4B863C69C819A56DED490D25@ORION.enitel.net>
Message-ID: <24CEC61E8ADF4403A8B14AA6617CC4D3@ADMONPC>

Hello,

We have a Metro Ethernet customer using vlan 993. We are experiencing high CPU
usage from unknown multicast traffic coming from this vlan id 993, and this
spreads over several switches on the network, but when we remove the vlan from
some pop sites the behavior stops.
After that we add the vlan id again, and the behavior is normal. We set up a
multicast filter on this equipment but this issue is showing every few days.

The multicast filter is:

ip igmp profile 1
 range 224.0.0.0 239.255.255.255

interface FastEthernet2/30
 switchport access vlan 704
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,199,269,270,291,292,378,379,474,475,535,536
 switchport trunk allowed vlan add 615-620,677,678,703-705,715-735,805,826,829
 switchport trunk allowed vlan add 856,864,867,869,890,916,922,943,958,992,993
 switchport trunk allowed vlan add 996,1108-1110,1120-1122,1183-1185,1353,1354
 switchport trunk allowed vlan add 1363,1364,1375,1376,2513,2514
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip igmp filter 1

SW_4503#sh processes cpu | e 0.0
CPU utilization for five seconds: 99%/0%; one minute: 98%; five minutes: 91%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  30 17955901802907757383        617 69.35% 68.33% 63.77%   0 Cat4k Mgmt LoPri
  71     7245976    48021324        150  2.00%  2.31%  2.12%   0 MRD
  72    42231304    74816636        564 23.11% 21.86% 20.34%   0 IGMPSN

SW_4503#sh ip igmp snooping mrouter
Vlan    ports
----    -----
 993    Fa2/30(dynamic), Gi3/2(dynamic)

SW_4503#sh run int fa2/30
Building configuration...

Current configuration : 681 bytes
!
interface FastEthernet2/30
 switchport access vlan 704
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,199,269,270,291,292,378,379,474,475,535,536
 switchport trunk allowed vlan add 615-620,677,678,703-705,715-735,805,826,829
 switchport trunk allowed vlan add 856,864,867,869,890,916,922,943,958,992,993
 switchport trunk allowed vlan add 996,1108-1110,1120-1122,1183-1185,1353,1354
 switchport trunk allowed vlan add 1363,1364,1375,1376,2513,2514
 switchport mode trunk
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 ip igmp filter 1
end

SW_4503#conf ter
Enter configuration commands, one per line.  End with CNTL/Z.
SW_4503(config)#int fa2/30
SW_4503(config-if)# switchport trunk allowed vlan remove 993
SW_4503#
SW_4503#sh processes cpu | e 0.0
CPU utilization for five seconds: 14%/0%; one minute: 82%; five minutes: 89%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  29  2352303324   512512734       4589  2.87%  3.54%  3.72%   0 Cat4k Mgmt HiPri
  30 17956380562907774138        617  8.63% 56.76% 61.92%   0 Cat4k Mgmt LoPri
  72    42246460    74829450        564  0.71% 17.40% 19.51%   0 IGMPSN
 115    41220440    58103914        709  0.47%  0.14%  0.12%   0 SNMP ENGINE

From charles at thewybles.com Wed Apr 1 16:20:11 2009
From: charles at thewybles.com (Charles Wyble)
Date: Wed, 01 Apr 2009 13:20:11 -0700
Subject: [c-nsp] Unknown Multicast Traffic cause High CPU
In-Reply-To: <24CEC61E8ADF4403A8B14AA6617CC4D3@ADMONPC>
References: <30697BA326C8DC4B863C69C819A56DED490D25@ORION.enitel.net> <24CEC61E8ADF4403A8B14AA6617CC4D3@ADMONPC>
Message-ID: <49D3CC7B.9010404@thewybles.com>

What does a network packet dump tell you?
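The two "show processes cpu" snapshots in Ramón's post (with and without VLAN 993 on the trunk) are the kind of evidence worth comparing mechanically rather than by eye. The parser below is an added example, not code from the thread: it reads both listings (constructed here from the output above), flags any process over an assumed 20% threshold, and reports how each process changed after the VLAN was removed, which makes IGMPSN stand out as the cost of the unknown multicast. The Runtime/Invoked columns in the posted output have overflowed and fused, so rows are parsed from the right.

```python
"""Parse Cisco 'show processes cpu' snapshots and rank the processes eating CPU.

Added example, not code from the thread. BEFORE/AFTER are constructed from the
two snapshots posted above (with and without VLAN 993 on the trunk); the 20%
per-process alert threshold is an assumption.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

PROCESS_ALERT_PCT = 20.0  # assumed: flag any single process above this in the 5-sec column

# Constructed from the output posted above; '| e 0.0' hides idle processes.
BEFORE = """\
CPU utilization for five seconds: 99%/0%; one minute: 98%; five minutes: 91%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  30 17955901802907757383        617 69.35% 68.33% 63.77%   0 Cat4k Mgmt LoPri
  71     7245976    48021324        150  2.00%  2.31%  2.12%   0 MRD
  72    42231304    74816636        564 23.11% 21.86% 20.34%   0 IGMPSN
"""
AFTER = """\
CPU utilization for five seconds: 14%/0%; one minute: 82%; five minutes: 89%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  29  2352303324   512512734       4589  2.87%  3.54%  3.72%   0 Cat4k Mgmt HiPri
  30 17956380562907774138        617  8.63% 56.76% 61.92%   0 Cat4k Mgmt LoPri
  72    42246460    74829450        564  0.71% 17.40% 19.51%   0 IGMPSN
 115    41220440    58103914        709  0.47%  0.14%  0.12%   0 SNMP ENGINE
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Rows are anchored from the right: on a long-running box the Runtime(ms) and
# Invoked columns overflow and fuse ("17955901802907757383"), so splitting on
# whitespace from the left gives the wrong field count. The three percentages,
# the TTY and the process name are always intact.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+.*?\s(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\S+)\s+(.+?)\s*$"
)

class ProcessCpu(NamedTuple):
    pid: int
    pct_5sec: float
    pct_1min: float
    pct_5min: float

class Snapshot(NamedTuple):
    total_5sec: int      # "99" in "99%/0%"
    interrupt_5sec: int  # "0" in "99%/0%": share spent at interrupt level
    total_1min: int
    total_5min: int
    processes: Dict[str, ProcessCpu]

def parse_cpu_snapshot(text: str) -> Snapshot:
    """Parse one 'show processes cpu' listing (filtered with '| e 0.0' or not)."""
    hdr = HEADER_RE.search(text)
    if hdr is None:
        raise ValueError("no 'CPU utilization' header found")
    procs: Dict[str, ProcessCpu] = {}
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row is None:
            continue  # header, column titles, prompt or blank line
        pid, p5s, p1m, p5m, _tty, name = row.groups()
        procs[name] = ProcessCpu(int(pid), float(p5s), float(p1m), float(p5m))
    t5, irq, t1m, t5m = (int(g) for g in hdr.groups())
    return Snapshot(t5, irq, t1m, t5m, procs)

def hot_processes(snap: Snapshot, threshold: float = PROCESS_ALERT_PCT) -> List[str]:
    """Process names above the threshold in the 5-second column, busiest first."""
    hot = [(p.pct_5sec, name) for name, p in snap.processes.items() if p.pct_5sec > threshold]
    return [name for _, name in sorted(hot, reverse=True)]

def compare(before: Snapshot, after: Snapshot) -> Dict[str, Tuple[float, float, float]]:
    """Per process: (before, after, delta) of the 5-second figure.

    A process missing from a snapshot counts as 0.0, because '| e 0.0' removes
    idle processes from the listing rather than leaving their value unknown.
    """
    result: Dict[str, Tuple[float, float, float]] = {}
    for name in sorted(set(before.processes) | set(after.processes)):
        b = before.processes[name].pct_5sec if name in before.processes else 0.0
        a = after.processes[name].pct_5sec if name in after.processes else 0.0
        result[name] = (b, a, round(a - b, 2))
    return result

if __name__ == "__main__":
    b_snap, a_snap = parse_cpu_snapshot(BEFORE), parse_cpu_snapshot(AFTER)
    print(f"total 5s CPU {b_snap.total_5sec}% -> {a_snap.total_5sec}%; "
          f"hot before: {hot_processes(b_snap)}, hot after: {hot_processes(a_snap)}")
    for name, (b, a, delta) in compare(b_snap, a_snap).items():
        print(f"{name:18s} {b:6.2f}% -> {a:6.2f}%  ({delta:+.2f})")
```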
From peter at rathlev.dk Wed Apr 1 16:25:31 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 01 Apr 2009 22:25:31 +0200
Subject: [c-nsp] SXI1 is out
In-Reply-To: <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk> <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net>
Message-ID: <1238617531.5087.6.camel@localhost.localdomain>

On Wed, 2009-04-01 at 14:01 -0400, Jared Mauch wrote:
> netflow on the 65xx is broken enough i'm surprised it gave you any
> data of value.

Hm, I thought it worked okay. Out of curiosity, what should one be careful
about with it, if one's network was dominated by 6500s?

We only use it for troubleshooting though, so precision is less important for
us if that's the problem.

Regards,
Peter

From lists.james.edwards at gmail.com Wed Apr 1 16:36:34 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 1 Apr 2009 14:36:34 -0600
Subject: [c-nsp] HWIC-1GE-SFP hot insert ?

Does anyone know if this module can be hot inserted ? Cisco says SFP's can be
hot inserted but I can't find anything about the HWIC-1GE-SFP itself.

Thanks,

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From gabszabo at cisco.com Wed Apr 1 16:38:47 2009
From: gabszabo at cisco.com (Gabor Szabo (gabszabo))
Date: Wed, 1 Apr 2009 22:38:47 +0200
Subject: [c-nsp] 10GE card for 7609
In-Reply-To: <49D30D51.4060304@schlund.net>
References: <863386.41277.qm@web44809.mail.sp1.yahoo.com> <49D30D51.4060304@schlund.net>

RSP720 supervisor is supported from 12.2(33)SRB and supports X6704 from the
beginning. X6708 is supported from 12.2(33)SRC for both SUP720 and RSP720 in
the SR train.

Regards,
Gabor

From c-nsp at djvh.nl Wed Apr 1 17:31:20 2009
From: c-nsp at djvh.nl (Dirk-Jan van Helmond)
Date: Wed, 1 Apr 2009 23:31:20 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <20090401081546.GE74388@ronin.4ever.de>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de>
Message-ID: <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl>

I'd rather live in cable-hell than use pass-through modules....

On Apr 1, 2009, at 10:15 , Elmar K. Bins wrote:

> Dirk,
>
> c-nsp at djvh.nl (Dirk-Jan van Helmond) wrote:
>
>> We're thinking about getting some Cisco CBS 3110 blade switches to
>> aggregate the interfaces from the bladeservers. The CBS3110 can stack
>> and is factually just a 3750 in a blade enclosure and has the same
>> roadmap as the 3750.
>> I would very much like to have ISSU on these switches, otherwise an
>> IOS upgrade means downtime for an entire bladechassis, which is
>> unacceptable.
>> Unfortunately ISSU is not supported and not on the roadmap :(
>>
>> I've asked my accountmanager @Cisco, so you please ask yours. Maybe if
>> we ask kind enough, they will think about it ;)
>
> Your best bet might be to buy pass-through modules and use a couple
> of unstacked 3750s (or 3560s)...it's also a hell of a lot cheaper.
>
> Elmar.

From lowen at pari.edu Wed Apr 1 17:31:24 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 1 Apr 2009 17:31:24 -0400
Subject: [c-nsp] HWIC-1GE-SFP hot insert ?
Message-ID: <200904011731.25332.lowen@pari.edu>

On Wednesday 01 April 2009 16:36:34 james edwards wrote:
> Does anyone know if this module can be hot inserted ? Cisco says SFP's can
> be hot inserted
> but I can't find anything about the HWIC-1GE-SFP itself.

AFAIK, and according to the panel on the 3845 here, OIR is not supported by
any WIC or HWIC.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu

From elmi at 4ever.de Wed Apr 1 17:44:17 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Wed, 1 Apr 2009 23:44:17 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl>
Message-ID: <20090401214417.GL74388@ronin.4ever.de>

c-nsp at djvh.nl (Dirk-Jan van Helmond) wrote:

> I'd rather live in cable-hell than use pass-through modules....

Then, please: Good luck with your account manager. Oh, and someone tell me as
soon as the 3750s do ISSU...

From ralvarez.list at gmail.com Wed Apr 1 18:16:22 2009
From: ralvarez.list at gmail.com (Ramón Alvarez R.)
Date: Wed, 1 Apr 2009 16:16:22 -0600
Subject: [c-nsp] Unknown Multicast Traffic cause High CPU
References: <30697BA326C8DC4B863C69C819A56DED490D25@ORION.enitel.net> <24CEC61E8ADF4403A8B14AA6617CC4D3@ADMONPC> <49D3CC7B.9010404@thewybles.com>
Message-ID: <6356F99CD8104F89B63CE9FE163770FD@ADMONPC>

Charles,

In this case we didn't do a packet dump because the network equipment had very
high CPU, and this affected several devices at the same time, so this behavior
did not allow us to do additional testing. The equipment is cat4503, cat6506
and cat3750.
Thanks,

-----Original Message-----
From: Charles Wyble [mailto:charles at thewybles.com]
Sent: Wednesday, April 1, 2009 02:20 p.m.
To: "Ramón Alvarez R."
CC: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Unknown Multicast Traffic cause High CPU

What does a network packet dump tell you?

From tvarriale at comcast.net Wed Apr 1 18:28:24 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 1 Apr 2009 17:28:24 -0500
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de>
Message-ID: <2F47563BDFE542548FB2A78C99E5723F@flamdt01>

The 6500 barely supports it. In fact, I don't know any customers running mod
due to the train wreck it is. Anyone here running mod successfully? If so, how
long?

But, you can upgrade separate 3750 members and do one switch at a time today.
What does ISSU get you on the 3750?

tv

----- Original Message -----
From: "Elmar K. Bins"
To: "Dirk-Jan van Helmond"
Cc: "cisco-nsp"
Sent: Wednesday, April 01, 2009 4:44 PM
Subject: Re: [c-nsp] 3750/3750E stack upgrade downtime?

> c-nsp at djvh.nl (Dirk-Jan van Helmond) wrote:
>
>> I'd rather live in cable-hell than use pass-through modules....
>
> Then, please: Good luck with your account manager. Oh, and someone
> tell me as soon as the 3750s do ISSU...

From vegasnetman at gmail.com Wed Apr 1 18:35:46 2009
From: vegasnetman at gmail.com (Ozar)
Date: Wed, 1 Apr 2009 15:35:46 -0700
Subject: [c-nsp] Pseudowire and EtherChannel
Message-ID: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com>

Quick question on PS and EtherChannel.
Let's say I have a customer who needs 2 gig from A to Z that I am going to
transport by Pseudowire... Should I etherchannel the ports and make my xconnect
in the Port Channel interface, or just transport each gig interface separately,
and customer handles all the aggregation?

Thanks,
Ozar

From chris at netops.t3com.net Wed Apr 1 18:08:20 2009
From: chris at netops.t3com.net (Chris Wallace)
Date: Wed, 1 Apr 2009 18:08:20 -0400
Subject: [c-nsp] IP Address management software
Message-ID: <7ADF655F-D80E-4AD4-A02B-205D4F8CC1CB@netops.t3com.net>

IPPlan here as well... If you are running an RWHOIS server there is also a nice
script that someone wrote to automatically pull the data from IPPlan and build
the RWHOIS data files.

http://gregsowell.com/?p=223

On Mar 31, 2009, at 4:17 AM, Gary Roberton wrote:

> Hello all
>
> What IP address management software do you use to control the
> allocation of
> subnets to your customers/department?
>
> Thanks
>
> Gary

From jeff-kell at utc.edu Wed Apr 1 19:39:17 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 01 Apr 2009 19:39:17 -0400
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <2F47563BDFE542548FB2A78C99E5723F@flamdt01>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01>
Message-ID: <49D3FB25.6050703@utc.edu>

Tony Varriale wrote:
> But, you can upgrade separate 3750 members and do one switch at a time
> today.

You can?  Doesn't the "reload" crash the whole stack?
Jeff

From kloch at kl.net Wed Apr 1 19:46:38 2009
From: kloch at kl.net (Kevin Loch)
Date: Wed, 01 Apr 2009 19:46:38 -0400
Subject: [c-nsp] SXI1 is out
In-Reply-To: <1238617531.5087.6.camel@localhost.localdomain>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk> <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net> <1238617531.5087.6.camel@localhost.localdomain>
Message-ID: <49D3FCDE.7080705@kl.net>

Peter Rathlev wrote:
> On Wed, 2009-04-01 at 14:01 -0400, Jared Mauch wrote:
>> netflow on the 65xx is broken enough i'm surprised it gave you any
>> data of value.
>
> Hm, I thought it worked okay. Out of curiosity, what should one be
> careful about with it, if one's network was dominated by 6500s?
>
> We only use it for troubleshooting though, so precision is less
> important for us if that's the problem.

I wouldn't use it for accounting but with the right sampling it can be used to see how much traffic you are sending to/from other ASN's. I use:

mls sampling packet-based 1024 8192

Which gives a convenient ~1000 conversion factor from indicated bandwidth to actual.

- Kevin

From David at hughes.com.au Wed Apr 1 19:01:47 2009
From: David at hughes.com.au (David Hughes)
Date: Thu, 2 Apr 2009 09:01:47 +1000
Subject: [c-nsp] SXI1 is out
In-Reply-To: <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk> <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net>
Message-ID: <6AE6AC4E-61BA-4437-BC58-B3C9485B4671@Hughes.com.au>

Is anyone happily using per-interface NDE on SXI? That would be a huge leap in usefulness.

David
...

On 02/04/2009, at 4:01 AM, Jared Mauch wrote:

> netflow on the 65xx is broken enough i'm surprised it gave you any
> data of value.
>
> - jared

From jmaimon at ttec.com Wed Apr 1 21:09:50 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 01 Apr 2009 21:09:50 -0400
Subject: [c-nsp] vrf aware cluster-id
Message-ID: <49D4105E.6020002@ttec.com>

Running 124T to take advantage of per vrf bgp router id so that the router can have "loopback" bgp connections.

However, route-reflector-client is not taking effect, the neighbor reports denied CLUSTER_LIST loop.

Apparently cluster-id needs to be vrf aware as well for this to work.

Is this in the offing or am I on the wrong track?

Thanks,

Joe

From alex.wilkinson at dsto.defence.gov.au Wed Apr 1 22:57:57 2009
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Thu, 2 Apr 2009 10:57:57 +0800
Subject: [c-nsp] SXI1 is out
In-Reply-To: <49D37F19.4060201@forthnet.gr>
References: <49D37F19.4060201@forthnet.gr>
Message-ID: <20090402025756.GE2351@stlux503.dsto.defence.gov.au>

On Wed, Apr 01, 2009 at 05:50:01PM +0300, Tassos Chatzithomaoglou wrote:

>...but release notes haven't been updated yet.
>I'm having a maintenance window tomorrow and i was planning to upgrade 3 6500s from SXF9 to SXI, but since SXI1 came
>out, i'm thinking of moving directly to it. Anyone know what is fixed from SXI to SXI1?

What is SXI1 ?

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From achatz at forthnet.gr Thu Apr 2 01:13:22 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 02 Apr 2009 08:13:22 +0300
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
Message-ID: <49D44972.9010202@forthnet.gr>

Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing high cpu usage due to the fw_lcp process?
6500#remote command module 1 sh proc cpu sort | exc 0.00

CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187     1949496    613964       3175 31.19% 30.47% 30.45%   0 fw_lcp process

6500#sh platform hardware capacity cpu
CPU Resources
  CPU utilization: Module   5 seconds   1 minute   5 minutes
                       1    28% / 0%        28%         28%
                       6 RP  1% / 1%         1%          1%
                       6 SP 18% / 0%        15%         14%

6500#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX

SXH, SXF do not seem to have this problem.

--
Tassos

From achatz at forthnet.gr Thu Apr 2 01:31:02 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 02 Apr 2009 08:31:02 +0300
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
In-Reply-To: <49D44972.9010202@forthnet.gr>
References: <49D44972.9010202@forthnet.gr>
Message-ID: <49D44D96.2000904@forthnet.gr>

...small correction : a DFC must be present

--
Tassos

Tassos Chatzithomaoglou wrote on 02/04/2009 08:13:
> Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing
> high cpu usage due to the fw_lcp process?
>
>
> 6500#remote command module 1 sh proc cpu sort | exc 0.00
>
> CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>  187     1949496    613964       3175 31.19% 30.47% 30.45%   0 fw_lcp process
>
>
> 6500#sh platform hardware capacity cpu
> CPU Resources
>   CPU utilization: Module   5 seconds   1 minute   5 minutes
>                        1    28% / 0%        28%         28%
>                        6 RP  1% / 1%         1%          1%
>                        6 SP 18% / 0%        15%         14%
>
> 6500#sh mod
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>   1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
>   6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX
>
>
> SXH, SXF do not seem to have this problem.
>

From gert at greenie.muc.de Thu Apr 2 02:04:22 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 2 Apr 2009 08:04:22 +0200
Subject: [c-nsp] SXI1 is out
In-Reply-To: <6AE6AC4E-61BA-4437-BC58-B3C9485B4671@Hughes.com.au>
References: <49D37F19.4060201@forthnet.gr> <718BAA5A-B96A-462E-98A3-55C9D059A532@puck.nether.net> <49D39901.7090903@imperial.ac.uk> <4B862218-6A6C-4ACB-8231-DC6887750485@puck.nether.net> <6AE6AC4E-61BA-4437-BC58-B3C9485B4671@Hughes.com.au>
Message-ID: <20090402060422.GH290@greenie.muc.de>

Hi,

On Thu, Apr 02, 2009 at 09:01:47AM +1000, David Hughes wrote:
> Is anyone happily using per-interface NDE on SXI? That would be a
> huge leap in usefulness.

We do (SXH3a and SXI) and it works. That is, we haven't uncovered any nasties yet, and the amount of data is matching our expectations.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From illcritikz at gmail.com Thu Apr 2 02:10:04 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Thu, 2 Apr 2009 16:40:04 +1030
Subject: [c-nsp] SXI1 is out
In-Reply-To: <20090402025756.GE2351@stlux503.dsto.defence.gov.au>
References: <49D37F19.4060201@forthnet.gr> <20090402025756.GE2351@stlux503.dsto.defence.gov.au>
Message-ID: <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com>

In fear of prosecution from section 70 of the CRIMES ACT 1914 I will simply say it is the successor to SXI, the SX series is an IOS available for the 6500 Platform.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/product_bulletin_c25-503086.html

Ben

On Thu, Apr 2, 2009 at 1:27 PM, Wilkinson, Alex <alex.wilkinson at dsto.defence.gov.au> wrote:

>
> On Wed, Apr 01, 2009 at 05:50:01PM +0300, Tassos Chatzithomaoglou wrote:
>
> >...but release notes haven't been updated yet.
> >I'm having a maintenance window tomorrow and i was planning to upgrade
> 3 6500s from SXF9 to SXI, but since SXI1 came
> >out, i'm thinking of moving directly to it. Anyone know what is fixed
> from SXI to SXI1?
>
> What is SXI1 ?
>
> -aW
>

From ras at e-gerbil.net Thu Apr 2 03:24:23 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Thu, 2 Apr 2009 02:24:23 -0500
Subject: [c-nsp] SXI1 is out
In-Reply-To: <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com>
References: <49D37F19.4060201@forthnet.gr> <20090402025756.GE2351@stlux503.dsto.defence.gov.au> <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com>
Message-ID: <20090402072423.GR51443@gerbil.cluepon.net>

On Thu, Apr 02, 2009 at 04:40:04PM +1030, Ben Steele wrote:
> In fear of prosecution from section 70 of the CRIMES ACT 1914 I will simply
> say it is the successor to SXI, the SX series is an IOS available for the
> 6500 Platform.

I still say the name "SXI1" is a sexual harassment complaint just waiting to happen.
:)

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C  53AF 4C41 5ECA F8B1 2CBC)

From elmi at 4ever.de Thu Apr 2 03:48:32 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 2 Apr 2009 09:48:32 +0200
Subject: [c-nsp] Pseudowire and EtherChannel
In-Reply-To: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com>
References: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com>
Message-ID: <20090402074832.GM74388@ronin.4ever.de>

vegasnetman at gmail.com (Ozar) wrote:

> Lets say I have customer who needs 2 gig from A to Z that I am going to
> transport by Pseudowire...
>
> Should I etherchannel the ports and make my xconnect in the Port Channel
> interface, or just transport each gig interface separately, and customer
> handles all the aggregation?

I would not count on the packets arriving in-order. Pseudowire is usually based on MPLS-switching, but it could also be tunnelled.

I'd do some dynamic routing including Multipath (for the balancing) on the links.

From peter at rathlev.dk Thu Apr 2 04:25:08 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 02 Apr 2009 10:25:08 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <49D3FB25.6050703@utc.edu>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu>
Message-ID: <1238660708.3408.2.camel@localhost.localdomain>

On Wed, 2009-04-01 at 19:39 -0400, Jeff Kell wrote:
> Tony Varriale wrote:
> > But, you can upgrade separate 3750 members and do one switch at a time
> > today.
>
> You can? Doesn't the "reload" crash the whole stack?

If anybody knows how to do this we need to know. :-)

When I have tried, the first switch to reload will never become active since it has version incompatibilities.
So you can't reload the second, since there aren't any to take over. Not without downtime at least.

Regards,
Peter

From hegedus.gabor at euroway.hu Thu Apr 2 04:36:35 2009
From: hegedus.gabor at euroway.hu (Hegedus Gabor)
Date: Thu, 02 Apr 2009 10:36:35 +0200
Subject: [c-nsp] c3560, priv-lvl=15, authorization level problem
Message-ID: <49D47913.5020902@euroway.hu>

Hi all!

I have a problem:

I want to use aaa authentication with radius in c3560, I try to authenticate my user to the priv level 15.
The authentication is a success, but the user is just on level 1.

radius sends back the priv-lvl=15, I can see it in the radius debug.

the configurations of the radius and the switch are correct, because I have a c2960 with the same configuration, and the priv-level 15 authentication works on it.

here is my config sample:

aaa group server radius rad_group
 server *.*.*.* auth-port 1812 acct-port 1813

aaa authentication login method_line group rad_group local
aaa authentication enable default group rad_group enable
aaa authorization console
aaa authorization exec method_line if-authenticated group rad_group local
aaa session-id common

line vty 0 4
 authorization exec method_line
 login authentication method_line

radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 25 access-request include
radius-server host *.*.*.* auth-port 1812 acct-port 1813 key *

debug log:

Apr  2 10:29:54.547 MET: RADIUS: Received from id 1645/*.*.*.*:1812, Access-Accept, len 91
Apr  2 10:29:54.547 MET: RADIUS:  authenticator 96 55 55 96 42 75 94 F0 - 72 55 71 BA 55 51 35 D2
Apr  2 10:29:54.547 MET: RADIUS:  Unsupported         [87]  6
Apr  2 10:29:54.547 MET: RADIUS:   74 74 79 32              [tty2]
Apr  2 10:29:54.547 MET: RADIUS:  Service-Type        [6]   6   Administrative            [6]
Apr  2 10:29:54.547 MET: RADIUS:  Vendor, Cisco       [26]  25
Apr  2 10:29:54.547 MET: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
Apr  2 10:29:54.547 MET: RADIUS:
 Reply-Message       [18]  34
Apr  2 10:29:54.547 MET: RADIUS:   0A 25 20 52 61 64 69 75 73 20 41 75 74 68 65 6E  [?? Radius Authen]
Apr  2 10:29:54.547 MET: RADIUS:   74 69 63 61 74 69 6F 6E 20 73 75 63 63 65 73 73  [tication success]
Apr  2 10:29:54.547 MET: RADIUS: saved authorization data for user 2430320 at 27437E8
Apr  2 10:29:54.547 MET: AAA/AUTHEN (971040830): status = PASS
Apr  2 10:29:54.547 MET: tty2 AAA/AUTHOR/EXEC (3224620906): Port='tty2' list='method_line' service=EXEC
Apr  2 10:29:54.547 MET: AAA/AUTHOR/EXEC: tty2 (3224620906) user='XXXXXX'
Apr  2 10:29:54.547 MET: tty2 AAA/AUTHOR/EXEC (3224620906): send AV service=shell
Apr  2 10:29:54.547 MET: tty2 AAA/AUTHOR/EXEC (3224620906): send AV cmd*
Apr  2 10:29:54.547 MET: tty2 AAA/AUTHOR/EXEC (3224620906): found list "method_line"
Apr  2 10:29:54.547 MET: tty2 AAA/AUTHOR/EXEC (3224620906): Method=IF_AUTHEN
Apr  2 10:29:54.547 MET: AAA/AUTHOR (3224620906): Post authorization status = PASS_ADD
Apr  2 10:29:54.547 MET: AAA/AUTHOR/EXEC: Authorization successful

please help me, thank you!

br,
Gabor

From ardabalkanay at gmail.com Thu Apr 2 06:45:23 2009
From: ardabalkanay at gmail.com (Arda Balkanay)
Date: Thu, 2 Apr 2009 13:45:23 +0300
Subject: [c-nsp] Pseudowire and EtherChannel
In-Reply-To: <20090402074832.GM74388@ronin.4ever.de>
References: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com> <20090402074832.GM74388@ronin.4ever.de>
Message-ID: <9af987420904020345u74024293t10a3baef94aa2b5d@mail.gmail.com>

you can configure xconnect at portchannel interfaces. But for load-balance ether-channel makes load balance as follows:

c076_01#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-mac mpls label-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination MAC address (routed packets)
        Destination IP address (bridged packets)
  MPLS: Label or IP
c076_01#

For eompls you can only make load balance with label.
I'm not sure if it is the mpls header (with exp bits) or just the label value, but if it is just the label value, you can not load balance that traffic in my opinion; if it is the mpls header you can load balance by changing exp bits according to the volume of traffic, but it is not real load balancing, it is just a workaround. Please correct me if I am wrong.

Kind Regards
Arda

On Thu, Apr 2, 2009 at 10:48 AM, Elmar K. Bins wrote:

> vegasnetman at gmail.com (Ozar) wrote:
>
> > Lets say I have customer who needs 2 gig from A to Z that I am going to
> > transport by Pseudowire...
> >
> > Should I etherchannel the ports and make my xconnect in the Port Channel
> > interface, or just transport each gig interface separately, and customer
> > handles all the aggregation?
>
> I would not count on the packets arriving in-order. Pseudowire is usually
> based on MPLS-switching, but it could also be tunnelled.
>
> I'd do some dynamic routing including Multipath (for the balancing) on
> the links.
>

From James.Munroe at gnb.ca Thu Apr 2 07:42:52 2009
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Thu, 2 Apr 2009 08:42:52 -0300
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
In-Reply-To: <49D44972.9010202@forthnet.gr>
References: <49D44972.9010202@forthnet.gr>
Message-ID: <458B3EC21E4A3044998E917199AACB2F01A646D5@GNBEX02.gnb.ca>

I've got two 6509's with WS-X6724-SFP (w/ CFC) running SXI and I'm not seeing that problem:

6509 #1:

XX#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP

XX#remote command module 1 sh proc cpu sort

CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187    13802188 547904699         25  0.15%  0.19%  0.18%   0 fw_lcp process
   1           0         3          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2         204   1277786          0  0.00%  0.00%  0.00%   0 Load Meter
   3           4    779932          0  0.00%  0.00%  0.00%   0 MFI LFD Timer Pr
   5           0        10          0  0.00%  0.00%  0.00%   0 IPC ISSU Dispatc
   4           0        43          0  0.00%  0.00%  0.00%   0 Retransmission o

XX#sh platform hardware capacity cpu
CPU Resources
  CPU utilization: Module   5 seconds   1 minute   5 minutes
                       1     0% / 0%         1%          1%

6509 #2:

XY#remote command module 2 sh proc cpu sort

CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187    10049120 536549944         18  0.15%  0.17%  0.15%   0 fw_lcp process

XY#sh platform hardware capacity cpu
CPU Resources
  CPU utilization: Module   5 seconds   1 minute   5 minutes
                       2     2% / 0%         1%          1%

Jim

-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz at forthnet.gr]
Sent: Thursday, April 02, 2009 2:13 AM
To: cisco-nsp
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?

Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing high cpu usage due to the fw_lcp process?

6500#remote command module 1 sh proc cpu sort | exc 0.00

CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187     1949496    613964       3175 31.19% 30.47% 30.45%   0 fw_lcp process

6500#sh platform hardware capacity cpu
CPU Resources
  CPU utilization: Module   5 seconds   1 minute   5 minutes
                       1    28% / 0%        28%         28%
                       6 RP  1% / 1%         1%          1%
                       6 SP 18% / 0%        15%         14%

6500#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX

SXH, SXF do not seem to have this problem.

--
Tassos

From acm at axians.de Thu Apr 2 08:25:51 2009
From: acm at axians.de (Cheikh-Moussa Ahmad)
Date: Thu, 2 Apr 2009 14:25:51 +0200
Subject: [c-nsp] 4948 MAX Arp entries

Hi Guys,

I have searched a lot of sites and unfortunately didn't find an answer.

Can someone tell me how many arp entries (adjacencies) a 4948 switch can handle?

For L2 switching it can have up to 32K or the 4948-10g up to 55k entries, but I could not find anything about the max arp entries.

As far as I know these arp entries or adjacencies are stored in TCAM. So the 4948 series can have 64k entries in the TCAM.

Am I right, when I say:

TCAM 64K = 32K IPv4 unicast routes
           32K Unicast arp entries (adjacencies)

What about the acls and qos configuration? These are also stored in TCAM, right?

So if this is right, then I never reach this, which I found on the datasheets of the switches:

* Unicast and multicast routing entries: 32,000
* Policers: 512 ingress and 512 egress
* Access control list (ACL) and QoS entries: 32,000

Could it be that all these features share the same TCAM?

I'm a little bit confused.
Regards,
Ahmad

Ahmad Cheikh-Moussa
Consultant
Business Unit Carrier & Service Provider

AXIANS
NK Networks & Services GmbH
Fischertwiete 2, Chilehaus A
20095 Hamburg
Tel.: +49 40 237 899 - 72
Fax: +49 40 237 899 - 69
Ahmad.cheikh-moussa at axians.de
Acheikh-moussa at axians.de
acm at axians.de
www.axians.com

From peter.nyamukusa at africaonline.co.tz Thu Apr 2 08:23:36 2009
From: peter.nyamukusa at africaonline.co.tz (Peter Nyamukusa)
Date: Thu, 2 Apr 2009 15:23:36 +0300 (EAT)
Subject: [c-nsp] IP Address management software
Message-ID: <7988720.651238675012717.JavaMail.peter@petergunz>

Hi Gary,
you can try this

http://www.brownkid.net/NorthStar/

cheers,

--

Peter Nyamukusa
Technical Manager
Africa Online (T) Ltd.
Tel: +255 (22) 211 6090
Fax:+255 (22) 211 6089
Email: peter.nyamukusa at africaonline.co.tz

A member of the Telkom South Africa Group

----- Original Message -----
From: "Gary Roberton"
To: cisco-nsp at puck.nether.net
Sent: Tuesday, March 31, 2009 11:17:50 AM GMT +03:00 Iraq
Subject: [c-nsp] IP Address management software

Hello all

What IP address management software do you use to control the allocation of subnets to your customers/department?

Thanks

Gary

From nockhi at gmail.com Thu Apr 2 10:14:58 2009
From: nockhi at gmail.com (Asif Gul Khan)
Date: Thu, 2 Apr 2009 19:14:58 +0500
Subject: [c-nsp] IP Address management software
In-Reply-To: <7988720.651238675012717.JavaMail.peter@petergunz>
References: <7988720.651238675012717.JavaMail.peter@petergunz>

PHPIP works like a charm for us... and the best part is, it's open source!
http://www.phpip.net/console.php

On Thu, Apr 2, 2009 at 5:23 PM, Peter Nyamukusa <peter.nyamukusa at africaonline.co.tz> wrote:

> Hi Gary,
> you can try this
>
> http://www.brownkid.net/NorthStar/
>
> cheers,
>
> --
>
>
> Peter Nyamukusa
>
> Technical Manager
> Africa Online (T) Ltd.
> Tel: +255 (22) 211 6090
> Fax:+255 (22) 211 6089
> Email: peter.nyamukusa at africaonline.co.tz
>
>
> A member of the Telkom South Africa Group
>
> ----- Original Message -----
> From: "Gary Roberton"
> To: cisco-nsp at puck.nether.net
> Sent: Tuesday, March 31, 2009 11:17:50 AM GMT +03:00 Iraq
> Subject: [c-nsp] IP Address management software
>
> Hello all
>
> What IP address management software do you use to control the allocation of
> subnets to your customers/department?
>
> Thanks
>
> Gary
>

From chris at chrisserafin.com Thu Apr 2 11:59:25 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 02 Apr 2009 10:59:25 -0500
Subject: [c-nsp] VRF-lite question on RD's
Message-ID: <49D4E0DD.1050904@chrisserafin.com>

I have 3 VRF's on a CE router:

ip vrf xxx-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
ip vrf xxx-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
!
ip vrf xxx-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20

I just got 3 new VRF's from the ISP configured, and I'm wondering what numbers I need to have for the 'rd' and 'route-target xxport' commands...? Are these arbitrary, come from the ISP, or can I just use 40, 50, and 60?
Thanks,

chris

From bennetb at gmail.com Thu Apr 2 12:08:44 2009
From: bennetb at gmail.com (Brandon Bennett)
Date: Thu, 2 Apr 2009 10:08:44 -0600
Subject: [c-nsp] SXI1 is out
In-Reply-To: <20090402072423.GR51443@gerbil.cluepon.net>
References: <49D37F19.4060201@forthnet.gr> <20090402025756.GE2351@stlux503.dsto.defence.gov.au> <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com> <20090402072423.GR51443@gerbil.cluepon.net>

So anyone try out an ISSU upgrade from SXI to SXI1 yet? I'd really like to see if it works as advertised.

-Brandon

From bennetb at gmail.com Thu Apr 2 12:23:14 2009
From: bennetb at gmail.com (Brandon Bennett)
Date: Thu, 2 Apr 2009 10:23:14 -0600
Subject: [c-nsp] VRF-lite question on RD's
In-Reply-To: <49D4E0DD.1050904@chrisserafin.com>
References: <49D4E0DD.1050904@chrisserafin.com>

My guess is they are doing vrf-lite and using frame-relay or dot1q to bring these 3 VRFs to you. Which means the RDs (used for MPLS L3VPNs) are only locally significant in the case of vrf-lite and are arbitrary numbers. It would be nice if Cisco didn't require RDs for vrf-lite because they serve no purpose.

Now the import and export statements in vrf-lite also serve no purpose, but are also not required. Interesting that they exist in the config.

As long as no interfaces are configured with 'mpls ip' and you don't have an 'address-family vpnv4' configured under BGP those values are meaningless outside of the local router.

HTH,

Brandon

On Thu, Apr 2, 2009 at 9:59 AM, ChrisSerafin wrote:

> I have 3 VRF's on a CE router:
>
>
>
> ip vrf xxx-General
> rd 1:10
> route-target export 1:10
> route-target import 1:10
> !
> ip vrf xxx-Guest
> rd 1:30
> route-target export 1:30
> route-target import 1:30
> !
> ip vrf xxx-Voice
> rd 1:20
> route-target export 1:20
> route-target import 1:20
>
> I just got 3 new VRF's from the ISP configured, and I'm wondering what
> numbers I need to have for the 'rd' and 'route-target xxport' commands...?
> Are these arbitrary, come from the ISP, or can I just use 40, 50, and 60?
>
>
> Thanks,
>
> chris
>

From oboehmer at cisco.com Thu Apr 2 12:30:18 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 2 Apr 2009 18:30:18 +0200
Subject: [c-nsp] c3560, priv-lvl=15, authorization level problem
In-Reply-To: <49D47913.5020902@euroway.hu>
References: <49D47913.5020902@euroway.hu>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840727DD67@xmb-ams-333.emea.cisco.com>

Hegedus Gabor <> wrote on Thursday, April 02, 2009 10:37:

> Hi all!
>
> I have a problem:
>
> I want to use aaa authentication with radius in c3560, I try to
> authenticate my user to the priv level 15.
> The authentication is a success, but the user is just on level 1.
>
> radius sends back the priv-lvl=15, I can see it in the radius debug.
>
> the configurations of the radius and the switch are correct, because
> I have a c2960 with the same configuration, and the priv-level 15
> authentication works on it.
>
> here is my config sample:
>
> aaa authentication login method_line group rad_group local
> aaa authorization exec method_line if-authenticated group rad_group

why do you use if-authenticated before radius? The if-authenticated method succeeds if the user is authenticated, so it doesn't even bother checking radius attributes for authorization information. Please try

aaa authorization exec method_line group rad_group if-authenticated

or

aaa authorization exec method_line group rad_group local

whatever fallback method you want to use..
oli

From sthaug at nethelp.no Thu Apr 2 12:30:52 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 02 Apr 2009 18:30:52 +0200 (CEST)
Subject: [c-nsp] VRF-lite question on RD's
In-Reply-To: <49D4E0DD.1050904@chrisserafin.com>
References: <49D4E0DD.1050904@chrisserafin.com>
Message-ID: <20090402.183052.112623136.sthaug@nethelp.no>

> I just got 3 new VRF's from the ISP configured, and I'm wondering what
> numbers I need to have for the 'rd' and 'route-target xxport'
> commands...? Are these arbitrary, come from the ISP, or can I just use
> 40, 50, and 60?

As long as you're using VRF-lite and not full MPLS, they are arbitrary in the sense that they're not part of any protocol between you and the ISP.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From oboehmer at cisco.com Thu Apr 2 12:32:16 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 2 Apr 2009 18:32:16 +0200
Subject: [c-nsp] VRF-lite question on RD's
In-Reply-To: <49D4E0DD.1050904@chrisserafin.com>
References: <49D4E0DD.1050904@chrisserafin.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840727DD6C@xmb-ams-333.emea.cisco.com>

ChrisSerafin <> wrote on Thursday, April 02, 2009 17:59:

> I have 3 VRF's on a CE router:
>
>
>
> ip vrf xxx-General
> rd 1:10
> route-target export 1:10
> route-target import 1:10
> !
> ip vrf xxx-Guest
> rd 1:30
> route-target export 1:30
> route-target import 1:30
> !
> ip vrf xxx-Voice
> rd 1:20
> route-target export 1:20
> route-target import 1:20
>
> I just got 3 new VRF's from the ISP configured, and I'm wondering what
> numbers I need to have for the 'rd' and 'route-target xxport'
> commands...? Are these arbitrary, come from the ISP, or can I just use
> 40, 50, and 60?

In a vrf-lite environment, RDs are local to the router, so you can pick any (as long as it's unique on the router). You only need route-target if you're running BGP on the node to leak routes from one VRF to another..
Doesn't look like you're doing any leaking, so I don't think you need any route-targets.

oli

From chris at chrisserafin.com Thu Apr 2 12:32:16 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 02 Apr 2009 11:32:16 -0500
Subject: [c-nsp] VRF-lite question on RD's
References: <49D4E0DD.1050904@chrisserafin.com>
Message-ID: <49D4E890.1010108@chrisserafin.com>

I spoke too soon. I found this right after posting

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.pdf

Switch(config-vrf)# rd route-distinguisher
    Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and arbitrary number (A.B.C.D:y).

Step 5  Switch(config-vrf)# route-target {export | import | both} route-target-ext-community
    Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
    Note: This command is effective only if BGP is running.

Step 6  Switch(config-vrf)# import map route-map
    (Optional) Associates a route map with the VRF.

I just added different numbers and they came right up. THANKS!

Brandon Bennett wrote:
> My guess is they are doing vrf-lite and using frame-relay or dot1q to
> bring these 3 VRFs to you. Which means the RDs (used for MPLS L3VPNs)
> are only locally significant in the case of vrf-lite and are arbitrary
> numbers. It would be nice if Cisco didn't require RDs for vrf-lite
> because they serve no purpose.
>
> Now the import and export statements in vrf-lite also serve no
> purpose, but are also not required. Interesting that they exist in the
> config.
>
> As long as no interfaces are configured with 'mpls ip' and you don't
> have an 'address-family vpnv4' configured under BGP those values are
> meaningless outside of the local router.
>
> HTH,
>
> Brandon
>
> On Thu, Apr 2, 2009 at 9:59 AM, ChrisSerafin wrote:
>
>     I have 3 VRF's on a CE router:
>
>
>
>     ip vrf xxx-General
>     rd 1:10
>     route-target export 1:10
>     route-target import 1:10
>     !
>     ip vrf xxx-Guest
>     rd 1:30
>     route-target export 1:30
>     route-target import 1:30
>     !
>     ip vrf xxx-Voice
>     rd 1:20
>     route-target export 1:20
>     route-target import 1:20
>
>     I just got 3 new VRF's from the ISP configured, and I'm wondering
>     what numbers I need to have for the 'rd' and 'route-target xxport'
>     commands...? Are these arbitrary, come from the ISP, or can I just
>     use 40, 50, and 60?
>
>
>     Thanks,
>
>     chris
>

From chris at chrisserafin.com Thu Apr 2 12:36:59 2009
From: chris at chrisserafin.com (ChrisSerafin)
Date: Thu, 02 Apr 2009 11:36:59 -0500
Subject: [c-nsp] VRF-lite question on RD's
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840727DD6C@xmb-ams-333.emea.cisco.com>
References: <49D4E0DD.1050904@chrisserafin.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840727DD6C@xmb-ams-333.emea.cisco.com>
Message-ID: <49D4E9AB.90206@chrisserafin.com>

Oliver Boehmer (oboehmer) wrote:
> ChrisSerafin <> wrote on Thursday, April 02, 2009 17:59:
>
>
>> I have 3 VRF's on a CE router:
>>
>>
>>
>> ip vrf xxx-General
>> rd 1:10
>> route-target export 1:10
>> route-target import 1:10
>> !
>> ip vrf xxx-Guest
>> rd 1:30
>> route-target export 1:30
>> route-target import 1:30
>> !
>> ip vrf xxx-Voice
>>  rd 1:20
>>  route-target export 1:20
>>  route-target import 1:20
>>
>> I just got 3 new VRF's from the ISP configured, and I'm wondering what
>> numbers I need to have for the 'rd' and 'route-target xxport'
>> commands...? Are these arbitrary, come from the ISP, or can I just use
>> 40, 50, and 60?
>
> In a vrf-lite environment, RDs are local to the router, so you can pick
> any (as long as it's unique on the router). You only need route-target
> if you're running BGP on the node to leak routes from one VRF to
> another.. doesn't look like you're doing any leaking, so I don't think
> you need any route-targets
>
> oli

Excellent explanation, thank you!

From rshughes at gmail.com Thu Apr 2 14:09:35 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Thu, 2 Apr 2009 14:09:35 -0400
Subject: [c-nsp] SXI1 is out
In-Reply-To:
References: <49D37F19.4060201@forthnet.gr> <20090402025756.GE2351@stlux503.dsto.defence.gov.au> <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com> <20090402072423.GR51443@gerbil.cluepon.net>
Message-ID:

I believe that SXI introduces eFSU and not ISSU - which requires a linecard reload if the line card is not supported.

* http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/issu_efsu.html

The following modules support eFSU preload:
- WS-X67xx modules
- SIP-400 and SIP-600

I think we're still waiting on ISSU which is curiously not mentioned in the SXI1 release notes - maybe still on the dev/bug table? But I'm with Brandon - anyone give it a go yet?

Ryan

On Thu, Apr 2, 2009 at 12:08 PM, Brandon Bennett wrote:
> So anyone try out an ISSU upgrade from SXI to SXI1 yet? I'd really like to
> see if it works as advertised.
>
> -Brandon

From A.L.M.Buxey at lboro.ac.uk Thu Apr 2 17:07:46 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Thu, 2 Apr 2009 22:07:46 +0100
Subject: [c-nsp] SXI1 is out
In-Reply-To:
References: <49D37F19.4060201@forthnet.gr> <20090402025756.GE2351@stlux503.dsto.defence.gov.au> <4422cf660904012310l1eb2839cx71c9d494eb85c9d7@mail.gmail.com> <20090402072423.GR51443@gerbil.cluepon.net>
Message-ID: <20090402210746.GB23687@lboro.ac.uk>

Hi,

> So anyone try out an ISSU upgrade from SXI to SXI1 yet? I'd really like to
> see if it works as advertised.

hmmm, good call - I may have to check this out as when we did our SXF and SXH to SXI upgrade it thought it had been done via ISSU (why? don't know - hopefully fixed in SXI1 !) and therefore borked our dual sup720 setups which led to 3 other issues.

alan

From tvarriale at comcast.net Thu Apr 2 18:58:41 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 2 Apr 2009 17:58:41 -0500
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu>
Message-ID: <4340918886AC4B07AD08DC4DE8A740E0@flamdt01>

Sure.

You can reload certain members too.

tv

----- Original Message -----
From: "Jeff Kell"
To: "Tony Varriale" ; "'NSP List'"
Sent: Wednesday, April 01, 2009 6:39 PM
Subject: Re: [c-nsp] 3750/3750E stack upgrade downtime?

> Tony Varriale wrote:
>> But, you can upgrade separate 3750 members and do one switch at a time
>> today.
>
> You can? Doesn't the "reload" crash the whole stack?
>
> Jeff

From James.Baker at chelmer.co.nz Thu Apr 2 19:10:05 2009
From: James.Baker at chelmer.co.nz (James Baker)
Date: Fri, 3 Apr 2009 12:10:05 +1300
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <4340918886AC4B07AD08DC4DE8A740E0@flamdt01>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ron
in.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu> <4340918886AC4B07AD08DC4DE8A740E0@flamdt01>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FDCE07A3@chmaexch.chelmer.co.nz>

ime
reload on the master does the whole stack
reload on the slave does the slave
reload slot X does the slot (if done on the master will only take down the master)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Friday, 3 April 2009 11:59 a.m.
To: 'NSP List'
Subject: Re: [c-nsp] 3750/3750E stack upgrade downtime?

Sure.

You can reload certain members too.

tv

----- Original Message -----
From: "Jeff Kell"
To: "Tony Varriale" ; "'NSP List'"
Sent: Wednesday, April 01, 2009 6:39 PM
Subject: Re: [c-nsp] 3750/3750E stack upgrade downtime?

> Tony Varriale wrote:
>> But, you can upgrade separate 3750 members and do one switch at a time
>> today.
>
> You can? Doesn't the "reload" crash the whole stack?
>
> Jeff

----------
The information contained in this e-mail and any attachments is confidential and is intended for the attention and use of the named addressee(s) only. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited.
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal
#####################################################################################

From rshughes at gmail.com Thu Apr 2 19:51:16 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Thu, 2 Apr 2009 19:51:16 -0400
Subject: [c-nsp] Redundant switch fabric
In-Reply-To: <49D259C1.3020901@usgs.gov>
References: <49D24A2E.8010200@usgs.gov> <980303CA84BD4FAC978E53062A1EFE1A@flamdt01> <49D259C1.3020901@usgs.gov>
Message-ID:

To clarify the issue on the upgrade from 4.0.4 to 4.1.3 - there was more of a "distribution" error in that the CMP module was shipped read-only. Required assistance from a DE to resolve and work around which basically involved flashing the rom to make it read-write and then I was able to upgrade the CMP manually. This same problem appeared on a different and separate customer's gear at roughly the same time. Required the same fix so more than likely it was a "bad lot" type scenario.

Service impacting? Not at all. Absolutely stupid and frustrating? Absolutely.

Ryan

On Tue, Mar 31, 2009 at 1:58 PM, Justin C. Darby wrote:
> We had issues with 4.0(?) releases, mostly related to strange behavior of a
> few features (dhcp relay, DAI, port security, etc) that required a full
> reload after a software upgrade to clear up completely. 4.1(?) has been fine
> so far, and the last upgrade we did was 4.1(2) to 4.1(4) and it went through
> without any downtime. We skipped over 4.1(3) since we never got around to
> scheduling it.
>
> Justin
>
> Tony Varriale wrote:
>> I've had a colleague run into an issue going to 4.1.3 (long story but it's
>> intrusive either way you slice it and is how all boxes are). What was your
>> upgrade from and to?
>>
>> tv
>> ----- Original Message -----
>> From: "Justin C. Darby"
>> To: "Brad Hedlund"
>> Cc:
>> Sent: Tuesday, March 31, 2009 11:51 AM
>> Subject: Re: [c-nsp] Redundant switch fabric
>>
>>> Mike,
>>>
>>> Just to chime in here a bit with some experience - we've had Nexus 7K
>>> switch backplane modules fail - unless you are pushing near 100% backplane
>>> utilization you don't even notice until it emails you or your config
>>> monitoring program notices the failed module. In recent NX-OS releases, In
>>> Service Software Upgrades are working properly 100% of the time for us, and
>>> outside of the fact it can take 3-4 hours to upgrade a fully loaded switch,
>>> there's no real downtime if you've got working port redundancy across
>>> modules, and modules only go down one at a time like they're supposed to.
>>>
>>> Considering how distributed and redundant components of the switch are -
>>> it's pretty unlikely you'd run into huge redundancy problems with any single
>>> component. I don't have enough N7K's to play with Virtual Port Channels
>>> (vPCs), but it'd be interesting to see if they have any issues when
>>> upgrading switches. vPCs can add extreme (and usable) redundancy to
>>> multi-chassis design, if you want to go a step farther.
>>>
>>> Justin
>>>
>>> P.S. Comments made here are my own and should not in any way be
>>> considered an endorsement by the U.S. Federal Government.
>>>
>>> Brad Hedlund wrote:
>>>> Mike,
>>>> The 6500 and 4500 have the "switch fabric" on the supervisor engines, so
>>>> by having dual supervisors, you in effect have a redundant fabric.
>>>>
>>>> The 6748 actually has 4 traces, each 20G. 2 traces connect to the active
>>>> supervisor containing the active switch fabric. The remaining 2 traces
>>>> are standby connections to the standby supervisor/fabric. So, when a
>>>> supervisor engine and its fabric fails, the 2 standby traces are enabled
>>>> and the full 40G of bandwidth remains.
>>>> You never, under normal circumstances, have only a single trace active
>>>> on 6748. Newer versions of IOS provide a "hot standby" fabric feature
>>>> which allows this fabric trace switch over to happen faster - roughly 50ms.
>>>>
>>>> For the best in redundant designs, consider the Nexus 7000, where the
>>>> switch fabric is decoupled from the supervisor engines into a series
>>>> redundant "fabric modules" installed into the back of the switch. Should
>>>> a supervisor engine fail in Nexus 7000 there is ZERO impact to the switch
>>>> fabric, because the supervisor engine does not forward data plane traffic.
>>>>
>>>> Cheers,
>>>>
>>>> Brad Hedlund
>>>> bhedlund at cisco.com
>>>> http://www.internetworkexpert.org
>>>>
>>>> On 3/31/09 9:05 AM, "Mike Louis" wrote:
>>>>
>>>>> I have a solution design that requires redundant switch fabrics. I am
>>>>> interpreting this beyond just have redundant supervisors meaning
>>>>> redundant backplanes on the switch cards. Do the 6500 and 4500 support
>>>>> redundant fabrics? Will a 6748 function with one trace failed?
>>>>> ________________________________
>>>>> Note: This message and any attachments is intended solely for the use
>>>>> of the individual or entity to which it is addressed and may contain
>>>>> information that is non-public, proprietary, legally privileged,
>>>>> confidential, and/or exempt from disclosure. If you are not the intended
>>>>> recipient, you are hereby notified that any use, dissemination,
>>>>> distribution, or copying of this communication is strictly prohibited.
>>>>> If you have received this communication in error, please notify the
>>>>> original sender immediately by telephone or return email and destroy or
>>>>> delete this message along with any attachments immediately.
>>>>>

From peter at rathlev.dk Thu Apr 2 20:20:28 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 03 Apr 2009 02:20:28 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To: <4340918886AC4B07AD08DC4DE8A740E0@flamdt01>
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu> <4340918886AC4B07AD08DC4DE8A740E0@flamdt01>
Message-ID: <1238718028.6115.48.camel@localhost.localdomain>

On Thu, 2009-04-02 at 17:58 -0500, Tony Varriale wrote:
> Sure.
>
> You can reload certain members too.

You can reload it yes, but you can't upgrade it during this reload.
If a member comes up with another version than the master it is either automatically downgraded or placed in a disabled state.

And you can't reload the master without taking down the whole stack.

So you can't upgrade the stack w/o downtime. I really wish you could though. :-(

Regards,
Peter

From tvarriale at comcast.net Thu Apr 2 20:26:36 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 2 Apr 2009 19:26:36 -0500
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu> <4340918886AC4B07AD08DC4DE8A740E0@flamdt01> <1238718028.6115.48.camel@localhost.localdomain>
Message-ID:

You can reload the master without doing the whole stack.

tv

----- Original Message -----
From: "Peter Rathlev"
To: "Tony Varriale"
Cc: "cisco-nsp"
Sent: Thursday, April 02, 2009 7:20 PM
Subject: Re: [c-nsp] 3750/3750E stack upgrade downtime?

> On Thu, 2009-04-02 at 17:58 -0500, Tony Varriale wrote:
>> Sure.
>>
>> You can reload certain members too.
>
> You can reload it yes, but you can't upgrade it during this reload. If a
> member comes up with another version than the master it is either
> automatically downgraded or placed in a disabled state.
>
> And you can't reload the master without taking down the whole stack.
>
> So you can't upgrade the stack w/o downtime. I really wish you could
> though. :-(
>
> Regards,
> Peter

From ray at oneunified.net Thu Apr 2 22:46:16 2009
From: ray at oneunified.net (Ray Burkholder)
Date: Thu, 2 Apr 2009 23:46:16 -0300
Subject: [c-nsp] Open Source solution to deploy a radius server against Cisco devices?
In-Reply-To: <49B65BBF.5000204@thingy.com>
References: <1236449092.8327.12.camel@dsba-ipso> <49B336CE.3090608@umn.edu> <60C56285-9584-478B-A7CD-C402CBF2ED82@Hughes.com.au> <20090309090932.GB14149@lboro.ac.uk> <1236594848.10690.1.camel@dsba-ipso> <49B65BBF.5000204@thingy.com>
Message-ID:

> Jon Lewis wrote:
> > Another option is Cistron Radius http://www.radius.cistron.nl/ which
> > is probably going to be pretty similar to Freeradius, since the latter
> > is apparently a fork of the former.
> >
> > Radiator is perl, so you get the 'source code', but it's not open
> > source and you do need to buy a license to use it.
>
> The perl aspect also makes it pretty easy to add new
> functionality or backends too (assuming you have some perl
> experience!) - we added some stuff to restrict what IP
> addresses could appear in a Framed-IP-Address entry in about
> an hour or so, for example.

FreeRadius has an in-process perl module for handling authentication, authorization, accounting pre and post processing. By filling in the skeleton, it is pretty easy to get customizations done. I had to work a bit with the radius.conf files to get things in the right order, but things worked out nicely. It provides a mechanism for returning customized vendor attributes such as the Framed-IP-Address attribute.

--
Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean.

From ariemer at wesenergy.com.au Fri Apr 3 00:50:03 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 3 Apr 2009 12:50:03 +0800
Subject: [c-nsp] Monitoring External Web Server
Message-ID: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local>

Hey guys,

We have a requirement to monitor the external availability of a web server that hangs off our ASA DMZ interface.
I was thinking of running an IP SLA probe from our external router to test the web requests but I was wondering if anyone had done something with EEM that could possibly try to establish a TCP connection to the web server and report the statistics somehow. I don't want to place a machine outside for the monitoring so would prefer to do it from our router if possible.

Any thoughts?

Thanks,
Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From mtinka at globaltransit.net Fri Apr 3 02:00:52 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 3 Apr 2009 14:00:52 +0800
Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue - Update!
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
References: <200902221357.04134.mtinka@globaltransit.net> <200902222330.46372.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com>
Message-ID: <200904031400.52618.mtinka@globaltransit.net>

Hi all.

So this turned out to be a bug with iSPF in IS-IS. TAC have filed bug ID CSCsy75784.

Although first found in 12.2(33)SRC3, this issue affects all versions of SRC, SRD, as well as a few other trains.

Cheers,
Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From peter at rathlev.dk Fri Apr 3 04:18:31 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 03 Apr 2009 10:18:31 +0200
Subject: [c-nsp] 3750/3750E stack upgrade downtime?
In-Reply-To:
References: <49D1297B.2080106@utc.edu> <1238445916.4440.7.camel@localhost.localdomain> <20090401081546.GE74388@ronin.4ever.de> <37FF646A-6ED6-4331-9AF3-341953AB03B4@djvh.nl> <20090401214417.GL74388@ronin.4ever.de> <2F47563BDFE542548FB2A78C99E5723F@flamdt01> <49D3FB25.6050703@utc.edu> <4340918886AC4B07AD08DC4DE8A740E0@flamdt01> <1238718028.6115.48.camel@localhost.localdomain>
Message-ID: <1238746711.3786.56.camel@localhost.localdomain>

On Thu, 2009-04-02 at 19:26 -0500, Tony Varriale wrote:
> You can reload the master without doing the whole stack.

Well, that would select a new master. And this new master has to be running the same software version as the current master, otherwise it would not be able to participate in the stack in the first place. The unit undergoing a reload will not be able to join the stack if it comes up with a new software version.

If you know a way of upgrading a 3750 stack without downtime I'd very much like to know; it's a pain for us the way we do it now. :-)

Regards,
Peter

From jgiles at e-dialog.com Fri Apr 3 08:27:10 2009
From: jgiles at e-dialog.com (Jason Giles)
Date: Fri, 3 Apr 2009 08:27:10 -0400
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?
In-Reply-To: <458B3EC21E4A3044998E917199AACB2F01A646D5@GNBEX02.gnb.ca>
References: <49D44972.9010202@forthnet.gr> <458B3EC21E4A3044998E917199AACB2F01A646D5@GNBEX02.gnb.ca>
Message-ID: <5A178C06739A4F4AA21613701E0AD440060C2E97@corp-exc2.ad.e-dialog.com>

Not seeing it with the DFC here and sup720-10g.
  2   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP
  2       Distributed Forwarding Card            WS-F6700-DFC3C

#sho ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI, RELEASE SOFTWARE (fc2)

CAT6509E-A.BO3#sho plat hardw capa cpu
CPU Resources
  CPU utilization:
    Module    5 seconds    1 minute    5 minutes
      2       3% / 1%      5%          5%

CAT6509E-A.BO3#remote command module 2 sh proc cpu sort
CPU utilization for five seconds: 4%/1%; one minute: 5%; five minutes: 5%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 192    55227132   1474322      37459  1.59%  1.55%  1.58%   0 Vlan Statistics
 238     8745604    741155      11800  0.55%  0.29%  0.29%   0 Hardware API bac
 200     8391396 270173484         31  0.39%  0.23%  0.21%   0 fw_lcp process

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Munroe, James (DSS/MAS)
Sent: Thursday, April 02, 2009 7:43 AM
To: Tassos Chatzithomaoglou; cisco-nsp
Subject: Re: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?

I've got two 6509's with WS-X6724-SFP (w/ CFC) running SXI and I'm not seeing that problem:

6509 #1:
XX#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP

XX#remote command module 1 sh proc cpu sort
CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187    13802188 547904699         25  0.15%  0.19%  0.18%   0 fw_lcp process
   1           0         3          0  0.00%  0.00%  0.00%   0 Chunk Manager
   2         204   1277786          0  0.00%  0.00%  0.00%   0 Load Meter
   3           4    779932          0  0.00%  0.00%  0.00%   0 MFI LFD Timer Pr
   5           0        10          0  0.00%  0.00%  0.00%   0 IPC ISSU Dispatc
   4           0        43          0  0.00%  0.00%  0.00%   0 Retransmission o

XX#sh platform hardware capacity cpu
CPU Resources
  CPU utilization:
    Module    5 seconds    1 minute    5 minutes
      1       0% / 0%      1%          1%

6509 #2:
XY#remote command module 2 sh proc cpu sort
CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187    10049120 536549944         18  0.15%  0.17%  0.15%   0 fw_lcp process

XY#sh platform hardware capacity cpu
CPU Resources
  CPU utilization:
    Module    5 seconds    1 minute    5 minutes
      2       2% / 0%      1%          1%

Jim

-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz at forthnet.gr]
Sent: Thursday, April 02, 2009 2:13 AM
To: cisco-nsp
Subject: [c-nsp] WS-X6724-SFP & SXI = high cpu usage?

Anyone running SXI with a WS-X6724-SFP module (DFC or non DFC), showing high cpu usage due to the fw_lcp process?

6500#remote command module 1 sh proc cpu sort | exc 0.00
CPU utilization for five seconds: 32%/1%; one minute: 31%; five minutes: 31%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 187     1949496    613964       3175 31.19% 30.47% 30.45%   0 fw_lcp process

6500#sh platform hardware capacity cpu
CPU Resources
  CPU utilization:
    Module    5 seconds    1 minute    5 minutes
      1       28% / 0%     28%         28%
      6 RP    1% / 1%      1%          1%
      6 SP    18% / 0%     15%         14%

6500#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       XXXXXXXXXXX
  6    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       XXXXXXXXXXX

SXH, SXF do not seem to have this problem.

--
Tassos

From paul at paulstewart.org Fri Apr 3 09:03:07 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 3 Apr 2009 09:03:07 -0400
Subject: [c-nsp] BGP Cease - Connection collision resolution
Message-ID: <000c01c9b45c$88bbf4e0$9a33dea0$@org>

On a peering session we started getting the following:

%BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0 bytes

This all started when we "upgraded" to 12.2(18)SXF16 it seems or at least the timeline matches up..

So, I've discovered that 6/7 means "Connection collision resolution" - does anyone know what that means in English? ;) We have rebuilt our session and the peer has done the same thing. A Google search tells me what it means by definition but no real solution.

Thanks,
Paul

From jloiacon at csc.com Fri Apr 3 10:14:52 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri, 3 Apr 2009 10:14:52 -0400
Subject: [c-nsp] Monitoring External Web Server
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local>
Message-ID:

If you want to go commercial, we use a software-as-a-service (SAAS) product called Gomez. You periodically contact your server from browser-client nodes on their backbone. You can also execute scripts from these nodes that will walk through your web-site in a pre-determined way. The pricing model is based on a 'cost per measurement' subscription where a measurement is an access of a web-site from a test node. If you do it hourly, that would be 24 per day, etc.
Joe

"Aaron Riemer"
Sent by: cisco-nsp-bounces at puck.nether.net
04/03/2009 12:50 AM

To
cc
Subject [c-nsp] Monitoring External Web Server

Hey guys,

We have a requirement to monitor the external availability of a web server that hangs off our ASA DMZ interface.

I was thinking of running an IP SLA probe from our external router to test the web requests but I was wondering if anyone had done something with EEM that could possibly try to establish a TCP connection to the web server and report the statistics somehow. I don't want to place a machine outside for the monitoring so would prefer to do it from our router if possible.

Any thoughts?

Thanks,
Aaron.

From fweimer at bfk.de Fri Apr 3 09:51:25 2009
From: fweimer at bfk.de (Florian Weimer)
Date: Fri, 03 Apr 2009 15:51:25 +0200
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <000c01c9b45c$88bbf4e0$9a33dea0$@org> (Paul Stewart's message of "Fri, 3 Apr 2009 09:03:07 -0400")
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org>
Message-ID: <82vdplx2ua.fsf@mid.bfk.de>

* Paul Stewart:

> So, I've discovered that 6/7 means "Connection collision resolution" - does
> anyone know what that means in English? ;)

In general, it means that both peers successfully established a TCP connection, and one connection was closed. This happens from time to time and does not indicate a problem.

(Or do you mean what it means for this specific IOS version? Sorry, in this case I have to pass.)

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From paul at paulstewart.org Fri Apr 3 10:41:49 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 3 Apr 2009 10:41:49 -0400
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <82vdplx2ua.fsf@mid.bfk.de>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <82vdplx2ua.fsf@mid.bfk.de>
Message-ID: <002201c9b46a$53146b70$f93d4250$@org>

Thanks.... what's happening (and perhaps I should have explained this a bit better) is the session is starting to become established and then dropping. This is repeated every 30-60 seconds over and over and the BGP session never actually establishes.

Take care,
Paul

-----Original Message-----
From: Florian Weimer [mailto:fweimer at bfk.de]
Sent: Friday, April 03, 2009 9:51 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Cease - Connection collision resolution

* Paul Stewart:

> So, I've discovered that 6/7 means "Connection collision resolution" - does
> anyone know what that means in English? ;)

In general, it means that both peers successfully established a TCP connection, and one connection was closed. This happens from time to time and does not indicate a problem.

(Or do you mean what it means for this specific IOS version? Sorry, in this case I have to pass.)
--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From steve at ibctech.ca Fri Apr 3 11:02:53 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 03 Apr 2009 11:02:53 -0400
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <002201c9b46a$53146b70$f93d4250$@org>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <82vdplx2ua.fsf@mid.bfk.de> <002201c9b46a$53146b70$f93d4250$@org>
Message-ID: <49D6251D.6090802@ibctech.ca>

Paul Stewart wrote:
> Thanks.... what's happening (and perhaps I should have explained this a bit
> better) is the session is starting to become established and then dropping.
> This is repeated every 30-60 seconds over and over and the BGP session never
> actually establishes.

Paul,

Does the session stabilize if you put one neighbor (at a time) into passive mode?

Steve

From paul at paulstewart.org Fri Apr 3 11:08:24 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 3 Apr 2009 11:08:24 -0400
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <49D61683.3010100@utc.fr>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <49D61683.3010100@utc.fr>
Message-ID: <002301c9b46e$09940e70$1cbc2b50$@org>

Thank you - but what is the solution to my problem or is there one? By the sounds of it I need to change out the IOS to a new version....;)

-----Original Message-----
From: Christophe Fillot [mailto:cf at utc.fr]
Sent: Friday, April 03, 2009 10:01 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Cease - Connection collision resolution

Paul Stewart wrote:

Hi,

> On a peering session we started getting the following:
>
> %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0
> bytes
>
> This all started when we "upgraded" to 12.2(18)SXF16 it seems or at least
> the timeline matches up..
>
> So, I've discovered that 6/7 means "Connection collision resolution" - does
> anyone know what that means in English? ;) We have rebuilt our session and
> the peer has done the same thing. A Google search tells me what it means by
> definition but no real solution.
>

From RFC 4271:

6.8. BGP Connection Collision Detection

If a pair of BGP speakers try to establish a BGP connection with each other simultaneously, then two parallel connections will be formed. If the source IP address used by one of these connections is the same as the destination IP address used by the other, and the destination IP address used by the first connection is the same as the source IP address used by the other, connection collision has occurred. In the event of connection collision, one of the connections MUST be closed.

[...]

Closing the BGP connection (that results from the collision resolution procedure) is accomplished by sending the NOTIFICATION message with the Error Code Cease.

From vijay.ramcharan at verizonbusiness.com Fri Apr 3 11:05:15 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 03 Apr 2009 15:05:15 +0000
Subject: [c-nsp] Monitoring External Web Server
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB367068F@ASHEVS006.mcilink.com>

Aaron,

I have not delved into EEM but from what I have read about it and its support for TCL, it's entirely possible that you can:

1) Create a TCL script to test your web server with a GET or other method (see http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/script.html)
2) Read the response and perform the appropriate action with EEM (send email, syslog etc)

I don't know that such a solution exists already but I believe it is certainly possible to do what you are asking, esp since it's only for one server.
Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Riemer
Sent: April 03, 2009 00:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Monitoring External Web Server

Hey guys,

We have a requirement to monitor the external availability of a web server
that hangs off our ASA DMZ interface. I was thinking of running an IP SLA
probe from our external router to test the web requests but I was wondering
if anyone had done something with EEM that could possibly try to establish a
TCP connection to the web server and report the statistics somehow. I don't
want to place a machine outside for the monitoring so would prefer to do it
from our router if possible.

Any thoughts?

Thanks,

Aaron.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jloiacon at csc.com Fri Apr 3 11:25:37 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri, 3 Apr 2009 11:25:37 -0400
Subject: [c-nsp] Monitoring External Web Server
In-Reply-To:
Message-ID:

Forgot to mention that you control everything from their web-site (hence
SAAS) which makes it very easy. You could resell the service ...

http://www.gomez.com/

Joe Loiacono/CIV/CSC at CSC
Sent by: cisco-nsp-bounces at puck.nether.net
04/03/2009 10:14 AM

To
"Aaron Riemer"
cc
cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
Subject
Re: [c-nsp] Monitoring External Web Server

If you want to go commercial, we use a software-as-a-service (SAAS) product
called Gomez. You periodically contact your server from browser-client nodes
on their backbone. You can also execute scripts from these nodes that will
walk through your web-site in a pre-determined way.

The pricing model is based on a 'cost per measurement' subscription where a
measurement is an access of a web-site from a test node. If you do it hourly,
that would be 24 per day, etc.

Joe

From cf at utc.fr Fri Apr 3 11:30:52 2009
From: cf at utc.fr (Christophe Fillot)
Date: Fri, 03 Apr 2009 17:30:52 +0200
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <002301c9b46e$09940e70$1cbc2b50$@org>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <49D61683.3010100@utc.fr> <002301c9b46e$09940e70$1cbc2b50$@org>
Message-ID: <49D62BAC.6090100@utc.fr>

Paul Stewart wrote:
> Thank you - but what is the solution to my problem or is there one? By the
> sounds of it I need to change out the IOS to a new version....;)

In theory this should resolve automatically, but it is abnormal if your
session never establishes. If this began to happen with 12.2(18)SXF16 and
if there was no config change, I guess it is a problem with this specific
IOS release.

What is the router on the remote side ?
From cf at utc.fr Fri Apr 3 10:00:35 2009
From: cf at utc.fr (Christophe Fillot)
Date: Fri, 03 Apr 2009 16:00:35 +0200
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <000c01c9b45c$88bbf4e0$9a33dea0$@org>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org>
Message-ID: <49D61683.3010100@utc.fr>

Paul Stewart wrote:

Hi,

> On a peering session we started getting the following:
>
> %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0
> bytes
>
> This all started when we "upgraded" to 12.2(18)SXF16 it seems or at least
> the timeline matches up..
>
> So, I've discovered that 6/7 means "Connection collision resolution" - does
> anyone know what that means in English? ;) We have rebuilt our session and
> the peer has done the same thing. a Google search tells me what it means by
> definition but no real solution.

From RFC 4271:

   6.8.  BGP Connection Collision Detection

   If a pair of BGP speakers try to establish a BGP connection with each
   other simultaneously, then two parallel connections will be formed.
   If the source IP address used by one of these connections is the same
   as the destination IP address used by the other, and the destination
   IP address used by the first connection is the same as the source IP
   address used by the other, connection collision has occurred.  In the
   event of connection collision, one of the connections MUST be closed.

   [...]

   Closing the BGP connection (that results from the collision
   resolution procedure) is accomplished by sending the NOTIFICATION
   message with the Error Code Cease.

From elmi at 4ever.de Fri Apr 3 11:31:29 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Fri, 3 Apr 2009 17:31:29 +0200
Subject: [c-nsp] Too dumb for SLB on ASR1Ks?
Message-ID: <20090403153128.GA12333@ronin.4ever.de>

Maybe someone can point me to a document that helps me through - or
Rodney cuts in and tells me it's a bug ;)

I have the following pretty simple (stripped down) configuration
which does work on a 7201 and does not work on the ASR1000...

(Yes, on the ASR the interface has 0/0/0 instead of 0/0 *g*)

7201 image is 12.4(4)XD10 IPBase

ASR1K image is a derivative of 12.2(33)XNB (experimental version with a bugfix)
Tests with standard 12.2(33)XNB1 failed as well.
Feature set is AdvancedEnterpriseK9 on the ASR.
If there's a hint that work has been done on SLB in newer
releases, I'm willing to try that...

Any idea very much appreciated here - I'm pretty much stuck
and am not sure whether I'm looking at my stupidity or a bug.

Yours,
Elmar.

================================================================

ip slb serverfarm FARM-DNS
 real 10.10.236.12
  inservice
!
ip slb vserver VS-DNS
 virtual 10.10.237.53 udp 53
 serverfarm FARM-DNS
 sticky 5
 idle 5
 delay 1
 inservice
!
ip slb vserver VS-DNS-TCP
 virtual 10.10.237.53 tcp dns
 serverfarm FARM-DNS
 sticky 10
 idle 10
 inservice
!
interface GigabitEthernet0/0
 no ip address
 load-interval 30
 duplex auto
 speed auto
 media-type sfp
 negotiation auto
!
interface GigabitEthernet0/0.701
 encapsulation dot1Q 701
 ip address 10.10.235.1 255.255.255.0
!
interface GigabitEthernet0/0.702
 encapsulation dot1Q 702
 ip address 10.10.236.1 255.255.255.0

================================================================

From paul at paulstewart.org Fri Apr 3 12:02:13 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 3 Apr 2009 12:02:13 -0400
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <49D62BAC.6090100@utc.fr>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <49D61683.3010100@utc.fr> <002301c9b46e$09940e70$1cbc2b50$@org> <49D62BAC.6090100@utc.fr>
Message-ID: <002a01c9b475$8e12a650$aa37f2f0$@org>

Thank you - unfortunately I do not know about the equipment on the other side
but it was working perfectly up til the IOS release. This release also seems
to have reintroduced the ttl-security bug that was happening a couple of
releases back...;(

The folks on the other side of the link tell me I'm the only peer they are
experiencing this issue with...

Take care,

Paul

-----Original Message-----
From: Christophe Fillot [mailto:cf at utc.fr]
Sent: Friday, April 03, 2009 11:31 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Cease - Connection collision resolution

Paul Stewart wrote:
> Thank you - but what is the solution to my problem or is there one? By the
> sounds of it I need to change out the IOS to a new version....;)

In theory this should resolve automatically, but it is abnormal if your
session never establishes. If this began to happen with 12.2(18)SXF16 and
if there was no config change, I guess it is a problem with this specific
IOS release.

What is the router on the remote side ?
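The thread above quotes RFC 4271 section 6.8 and the 6/7 Cease notification Paul keeps receiving. As an added example that is not part of the original thread, the Python below decodes %BGP-3-NOTIFICATION syslog lines into their RFC names, counts collision notifications per peer so a session that never settles stands out, and applies the section 6.8 tie-break rule (lower BGP Identifier drops its existing connection) to show why the protocol should converge on one connection by itself. Error-code names follow RFC 4271, Cease subcode names RFC 4486; the log lines are constructed and the neighbor address is the placeholder used in the post.

```python
"""Decode %BGP-3-NOTIFICATION lines and apply the RFC 4271 6.8 collision rules.

Added example, not code from the cisco-nsp thread. Error-code names follow
RFC 4271 section 4.5, Cease subcode names RFC 4486. The sample log lines are
constructed; the neighbor address is the placeholder from the original post.
"""
import re
from collections import Counter

# RFC 4271, section 4.5: NOTIFICATION error codes
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}

# RFC 4486: subcodes defined for the Cease error code (6)
CEASE_SUBCODES = {
    1: "Maximum Number of Prefixes Reached",
    2: "Administrative Shutdown",
    3: "Peer De-configured",
    4: "Administrative Reset",
    5: "Connection Rejected",
    6: "Other Configuration Change",
    7: "Connection Collision Resolution",
    8: "Out of Resources",
}

# Matches the IOS message format quoted in the thread:
#   %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0 bytes
NOTIF_RE = re.compile(
    r"%BGP-3-NOTIFICATION: (?P<direction>sent to|received from) neighbor "
    r"(?P<peer>\S+) (?P<code>\d+)/(?P<subcode>\d+)"
)

# Constructed sample: three collision notifications from one peer (the symptom
# in the thread) plus one unrelated hold-timer notification to another peer.
SAMPLE_LINES = [
    "Apr  3 10:01:02.100: %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0 bytes",
    "Apr  3 10:01:47.312: %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0 bytes",
    "Apr  3 10:02:31.008: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.9 4/0 (hold time expired) 0 bytes",
    "Apr  3 10:02:35.550: %BGP-3-NOTIFICATION: received from neighbor 198.32.XXX.XX 6/7 (cease) 0 bytes",
]


def decode_notification(line):
    """Return (direction, peer, code, subcode, description), or None when the
    line is not a BGP NOTIFICATION message."""
    m = NOTIF_RE.search(line)
    if not m:
        return None
    code, subcode = int(m.group("code")), int(m.group("subcode"))
    desc = ERROR_CODES.get(code, "Unknown error code %d" % code)
    if code == 6:
        desc += ": " + CEASE_SUBCODES.get(subcode, "unassigned subcode %d" % subcode)
    return m.group("direction"), m.group("peer"), code, subcode, desc


def collision_counts(lines):
    """Count Cease / Connection Collision Resolution (6/7) notifications per
    peer; a peer that keeps accumulating them without reaching Established
    is the pattern described in the thread."""
    counts = Counter()
    for line in lines:
        decoded = decode_notification(line)
        if decoded and decoded[2] == 6 and decoded[3] == 7:
            counts[decoded[1]] += 1
    return dict(counts)


def is_collision(conn_a, conn_b):
    """RFC 4271 6.8: two connections collide when the source address of each
    is the destination address of the other. Connections are (src, dst)."""
    return conn_a[0] == conn_b[1] and conn_a[1] == conn_b[0]


def bgp_id_to_int(dotted):
    """BGP Identifiers are compared as unsigned 32-bit integers; convert the
    dotted-quad form shown in 'show ip bgp summary' into one."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not a dotted-quad BGP Identifier: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def connection_to_close(local_id, remote_id, existing_established=False):
    """Which of the two colliding connections the local speaker closes.

    RFC 4271 6.8: a collision with a connection already in Established state
    closes the new one. Otherwise the speaker with the lower BGP Identifier
    closes its existing (OpenConfirm) connection and accepts the remote one;
    the speaker with the higher Identifier closes the newly created one. Both
    sides applying this leaves exactly one connection, so a session that never
    settles points at an implementation problem rather than at the protocol.
    """
    if existing_established:
        return "new"
    return "existing" if local_id < remote_id else "new"
```

Making one side passive, as Steve suggests above, sidesteps the rule entirely because only one speaker ever initiates.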
From ddunkin at netos.net Fri Apr 3 16:09:51 2009
From: ddunkin at netos.net (Darryl Dunkin)
Date: Fri, 3 Apr 2009 13:09:51 -0700
Subject: [c-nsp] BGP Cease - Connection collision resolution
In-Reply-To: <002a01c9b475$8e12a650$aa37f2f0$@org>
References: <000c01c9b45c$88bbf4e0$9a33dea0$@org> <49D61683.3010100@utc.fr> <002301c9b46e$09940e70$1cbc2b50$@org> <49D62BAC.6090100@utc.fr> <002a01c9b475$8e12a650$aa37f2f0$@org>
Message-ID: <56F5BC5F404CF84896C447397A1AAF20D19835@MAIL.nosi.netos.com>

Have you checked the capabilities being negotiated with that peer to see if
anything new was negotiated up after the change?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, April 03, 2009 09:02
To: 'Christophe Fillot'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Cease - Connection collision resolution

Thank you - unfortunately I do not know about the equipment on the other side
but it was working perfectly up til the IOS release. This release also seems
to have reintroduced the ttl-security bug that was happening a couple of
releases back...;(

The folks on the other side of the link tell me I'm the only peer they are
experiencing this issue with...

Take care,

Paul

From tdurack at gmail.com Fri Apr 3 16:14:40 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 3 Apr 2009 16:14:40 -0400
Subject: [c-nsp] same-router tunnel loopback
Message-ID: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com>

Using a same-router tunnel loopback to move traffic between global and
vrf on a SUP720:

rtr-1#sh run int tun254
Building configuration...

Current configuration : 251 bytes
!
interface Tunnel254
 vrf forwarding v101
 ip address 10.1.0.254 255.255.255.254
 ip mtu 1500
 ipv6 address FE80:0:1970::254 link-local
 ipv6 address xxxx:0:1970::254/127
 ipv6 enable
 tunnel source Loopback254
 tunnel destination 169.254.0.255
end

rtr-1#sh run int tun255
Building configuration...

Current configuration : 230 bytes
!
interface Tunnel255
 ip address 10.1.0.255 255.255.255.254
 ip mtu 1500
 ipv6 address FE80:0:1970::255 link-local
 ipv6 address xxxx:0:1970::255/127
 ipv6 enable
 tunnel source Loopback255
 tunnel destination 169.254.0.254
end

Works for ipv4:

rtr-1#ping 10.1.0.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

But not ipv6:

rtr-1#ping ipv6 xxxx:0:1970::254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to xxxx:0:1970::254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

What am I doing wrong?

From charles at thewybles.com Fri Apr 3 17:01:08 2009
From: charles at thewybles.com (Charles Wyble)
Date: Fri, 03 Apr 2009 14:01:08 -0700
Subject: [c-nsp] Monitoring External Web Server
In-Reply-To:
References:
Message-ID: <49D67914.2000207@thewybles.com>

I would strongly recommend keynote over gomez. It's what a lot of folks use.
Gomez has some interesting features, but I found them harder to work with.

Pingdom is also a popular choice.

Or you could just use nagios or other monitoring tools.... do you have any
sort of network management/monitoring now? If so it's highly likely you can
add a probe for an HTTP service.

In fact I wouldn't recommend testing from the router, as that may be a false
positive (think someone changes an ACL and it's broken from everywhere but
the router). So often you will want monitoring of both the "front channel"
and the "back channel". Really don't know enough about your architecture to
be sure. I'm basing this on the architecture I have used at multiple
organizations, where one has a DMZ/Vlan and a management VLAN, with servers
having a NIC in each.

Joe Loiacono wrote:
> Forgot to mention that you control everything from their web-site (hence
> SAAS) which makes it very easy. You could resell the service ...
>
> http://www.gomez.com/

From justin at justinshore.com Fri Apr 3 17:11:40 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 03 Apr 2009 16:11:40 -0500
Subject: [c-nsp] Emulating the L2 aspect of VPLS with VRF-lite
Message-ID: <49D67B8C.9090204@justinshore.com>

Sorry for the length. I have another Friday mind-bender.

We're going into an agreement with a new customer to replace their existing
shared radio infrastructure with several bonded PtP DS1s at a number of sites
and a DS3 at a main site. The owner of the radio infrastructure currently
places the WAN-facing interface of all of this customer's routers into a
common VLAN (ie all WAN-facing routers have a connected route to a like
interface on all other WAN routers). The customer currently establishes
IPSec-protected GRE tunnels from each router to every other router using the
connected interfaces. Then they run EIGRP over top of the GRE tunnels. The
radio links emulate the L2 aspect of VPLS or an E-LAN service with that
simple little VLAN.

I'm trying to do something similar with completely different hardware. I
can't reach any of these sites with VLAN-capable hardware yet. Most of the
sites are getting several bonded DS1s. One main site is getting a DS3 over
Overture (Ethernet bridged over the DS3 and handed off as Ethernet on both
ends; the 7206 gets it as a sub-int on a GigE port).
My initial thought was to put each of the customer's MLPPP interfaces as well
as the GigE sub-int for the Ethernet site into a VRF. Each separate interface
would be a /30 and I'd be a routed hop in the middle inside of their VRF
(everything comes back ultimately to a single 7200). They could tunnel across
me if they wanted with a few additional statics to populate the RIB with
next-hop information of the other routers. I'm confident that this would work
however I think there may be a better way that minimizes our potential
involvement in the middle.

Thinking about it a bit more I decided that I could provide a L2 service by
making each of the MLPPP interfaces and the GigE sub-int unnumbered up to a
common loopback. Each customer WAN-facing interface would be addressed from a
common subnet. They should then also be able to directly communicate with one
another across the loopback and establish routing adjacencies and/or build
GRE tunnels with the hosts in that common connected route.

That's where I'm at right now. I have 2 test routers with a DS1 bundle on
each back to the 7200. Each bundle is in the customer VRF. I have another
router doing Ethernet into a 4948 access switchport. That unique VLAN gets
trunked up to the 7200 on an on-board GigE interface. The corresponding
sub-int on the 7200 is in the customer VRF and is unnumbered back to the
dedicated customer loopback. The only error I got in the process was when I
did the unnumbered on the sub-int.

003018: Apr  3 13:15:29 CDT: %OSPF-4-NO_IPADDRESS_ON_INT: No IP address for interface GigabitEthernet0/2.1001

That's just OSPF whining and shouldn't be a problem. I set up OSPF on all
WAN-facing interfaces on the CE lab routers. For grins I also set up OSPF
inside the VRF on the PE. I can ping between the DS1 routers and the 7200.
However I can not ping the Ethernet CE router from anywhere. I also can not
establish OSPF adjacencies between any of the CEs or the PE. Debugging the
OSPF packets I see packets going out from the CEs but nothing coming in. From
the PE I see nothing at all.

Should this ip unnumbered design work? Any idea what's dropping the OSPF
packets along the way?

I'm working on the problem while typing this and I have an update on what I
wrote above. I now have OSPF adjacencies between the DS1 CPEs and the 7200.
It turns out I needed to put the MLPPP interface into the VRF as well even
though the ip unnumbered interface was in the VRF already. However this
points out a problem. I am unable to establish an adjacency between the DS1
CPEs. The CPEs only claim to see OSPF packets from the 7200. Is that normal?
I also just noticed that I can no longer ping between DS1 CPEs. I'm not sure
if this isn't being consistent or I should call it a day.

I should be able to do the VRF with the L3 hop in the middle if nothing else.
I'd rather that be my fall-back position though. Any other suggestions on how
to accomplish this would be much appreciated. I'm sure there are other ways
to do something similar.

Thanks
 Justin

From illcritikz at gmail.com Fri Apr 3 19:37:24 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Sat, 4 Apr 2009 10:07:24 +1030
Subject: [c-nsp] Too dumb for SLB on ASR1Ks?
In-Reply-To: <20090403153128.GA12333@ronin.4ever.de>
References: <20090403153128.GA12333@ronin.4ever.de>
Message-ID: <4422cf660904031637x7b694144h4159cf61e2dd4ab6@mail.gmail.com>

What part exactly doesn't work? just the load balancing? do you have IP
connectivity ok to your real servers? how is that virtual IP being sent to
the box? it's not listed anywhere in your configuration on how 10.10.237.x
gets to the box.

On Sat, Apr 4, 2009 at 2:01 AM, Elmar K. Bins wrote:
> Maybe someone can point me to a document that helps me through - or
> Rodney cuts in and tells me it's a bug ;)
>
> I have the following pretty simple (stripped down) configuration
> which does work on a 7201 and does not work on the ASR1000...
>
> (Yes, on the ASR the interface has 0/0/0 instead of 0/0 *g*)
>
> 7201 image is 12.4(4)XD10 IPBase
>
> ASR1K image is a derivative of 12.2(33)XNB (experimental version with a
> bugfix)
> Tests with standard 12.2(33)XNB1 failed as well.
> Feature set is AdvancedEnterpriseK9 on the ASR.
> If there's a hint that work has been done on SLB in newer
> releases, I'm willing to try that...
>
> Any idea very much appreciated here - I'm pretty much stuck
> and am not sure whether I'm looking at my stupidity or a bug.
>
> Yours,
> Elmar.

From danletkeman at gmail.com Fri Apr 3 21:10:09 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 3 Apr 2009 20:10:09 -0500
Subject: [c-nsp] aironet disable ssid when no lan connection
Message-ID:

Hello,

Is there a command on an 1131ag aironet ap that allows you to disable
the ssid broadcast if there is no lan connection to the ap?

Thanks,
Dan.
From mhuff at ox.com Sat Apr 4 00:30:37 2009
From: mhuff at ox.com (Matthew Huff)
Date: Sat, 4 Apr 2009 00:30:37 -0400
Subject: [c-nsp] aironet disable ssid when no lan connection
In-Reply-To:
Message-ID:

Will "station-role root access-point fallback track fa 0" under the radio
interface work for you?

On 4/3/09 9:10 PM, "Dan Letkeman" wrote:

Hello,

Is there a command on an 1131ag aironet ap that allows you to disable
the ssid broadcast if there is no lan connection to the ap?

Thanks,
Dan.

From gert at greenie.muc.de Sat Apr 4 04:56:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 4 Apr 2009 10:56:52 +0200
Subject: [c-nsp] same-router tunnel loopback
In-Reply-To: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com>
References: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com>
Message-ID: <20090404085652.GR290@greenie.muc.de>

Hi,

On Fri, Apr 03, 2009 at 04:14:40PM -0400, Tim Durack wrote:
> Using a same-router tunnel loopback to move traffic between global and
> vrf on a SUP720:

One small but essential bit is missing: what IOS version?  Are you sure
the IOS you use supports IPv6 VRF (this was added MUCH later than IPv4 VRF)?

(Maybe it's just the /127 - try with /124 or /64, just to be sure)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From elmi at 4ever.de Sat Apr 4 07:02:47 2009
From: elmi at 4ever.de (Elmar K. Bins)
Date: Sat, 4 Apr 2009 13:02:47 +0200
Subject: [c-nsp] Too dumb for SLB on ASR1Ks?
In-Reply-To: <4422cf660904031637x7b694144h4159cf61e2dd4ab6@mail.gmail.com>
References: <20090403153128.GA12333@ronin.4ever.de> <4422cf660904031637x7b694144h4159cf61e2dd4ab6@mail.gmail.com>
Message-ID: <20090404110247.GB29526@ronin.4ever.de>

illcritikz at gmail.com (Ben Steele) wrote:

> What part exactly doesn't work? just the load balancing? do you have IP
> connectivity ok to your real servers? how is that virtual IP being sent to
> the box? it's not listed anywhere in your configuration on how 10.10.237.x
> gets to the box.

This is the lab setup; you can count on routing being alright - connectivity
among all parts of the setup is working, and I reconfigured the servers
myself (UNIX guys usually get netmasks etc. wrong *g*). You can also see
this from the drop-in replacement (7201) working perfectly in the setup.

The point is that the ASR receives the packets but doesn't push them on.
They do not appear in any statistics (SLB or port) and they do not appear
on the wire or on the target server.

There are two things that would help my cause, one being an idea whether
someone else successfully or unsuccessfully used SLB on ASRs (or the info
about serious trouble there). Then I'd like to compare configs; maybe I
forgot some magic word.

There is no documentation for SLB on IOS XE to be found, so I'd be happy
about pointers towards recipes or HowTos, since 7*** configs don't seem to
work - provided it's not some crazy bug that keeps the ASR from pushing the
packets on.

Thanks for any insight,
Elmar.

> On Sat, Apr 4, 2009 at 2:01 AM, Elmar K. Bins wrote:
>
> > Maybe someone can point me to a document that helps me through - or
> > Rodney cuts in and tells me it's a bug ;)
> >
> > I have the following pretty simple (stripped down) configuration
> > which does work on a 7201 and does not work on the ASR1000...

From jared at puck.nether.net Sat Apr 4 08:27:30 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Sat, 4 Apr 2009 08:27:30 -0400
Subject: [c-nsp] aironet disable ssid when no lan connection
In-Reply-To:
References:
Message-ID: <60BEAE40-CA38-4FAA-9ABE-BE72AC682402@puck.nether.net>

I'm guessing he wants:

AP1121-Attic(config-if)#station-role root fallback ?
  repeater  Become a repeater
  shutdown  Shutdown the radio

the 'shutdown' option.
- Jared

On Apr 4, 2009, at 12:30 AM, Matthew Huff wrote:

> Will "station-role root access-point fallback track fa 0" under the
> radio interface work for you?

From danletkeman at gmail.com Sat Apr 4 14:36:33 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 4 Apr 2009 13:36:33 -0500
Subject: [c-nsp] aironet disable ssid when no lan connection
In-Reply-To:
References:
Message-ID:

I think the shutdown command would work. Thanks!

On Fri, Apr 3, 2009 at 11:30 PM, Matthew Huff wrote:
> Will "station-role root access-point fallback track fa 0" under the radio interface work for you?

From oboehmer at cisco.com Sat Apr 4 14:51:34 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 4 Apr 2009 20:51:34 +0200
Subject: [c-nsp] L2TPv3 password keeps changing
In-Reply-To: <49D2AAE8.3030503@corp.sonic.net>
References: <44417CD2F19FEA4F885088340A71D33201B4F41D@mail.office.dansketelecom.com> <49D2AAE8.3030503@corp.sonic.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840727E3E7@xmb-ams-333.emea.cisco.com>

I only found CSCso12545 (l2tp-class encrypted password recalculated after
every 'show run'), but without any resolution so far.. Feel free to contact
TAC.

	oli

Jared Gillis <> wrote on Wednesday, April 01, 2009 01:45:

> I'm seeing this behavior as well on a 7204VXR, and google only turns
> up two threads on c-nsp that have no replies.
> Is this expected? Is there a workaround?
>
> Lars Lystrup Christensen wrote:
>>
>> Hi all,
>>
>> When configuring L2TPv3 on one of our routers, I've noticed that the
>> password keeps changing all the time, even tough the configuration
>> has not been altered.
>>
>> The router is a 1811 running 12.4(6)T11 Advanced IP Services.
>> >> ______________________________________ >> >> Med venlig hilsen / Kind regards >> >> Lars Lystrup Christensen >> Director of Engineering, CCIE(tm) #20292 From oboehmer at cisco.com Sat Apr 4 15:12:48 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sat, 4 Apr 2009 21:12:48 +0200 Subject: [c-nsp] MTU settings on GSR linecard 3GE-GBIC-SC In-Reply-To: <49D0C905.4030903@schlund.net> References: <49D0C905.4030903@schlund.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840727E3EB@xmb-ams-333.emea.cisco.com> Jan Sandmaier <> wrote on Monday, March 30, 2009 15:29: > Hi, > > does anybody know the reason why I can configure a 9180 byte MTU on > port 0 and 1 on a GSR 3-port Gigabit Ethernet port (3GE-GBIC-SC) but > only 4470 byte on the third port. I use IOS 12.0(32)S12 and > 12.0(31)S6. This is a hardware limitation on the FPGA (limited RX FIFO buffers) on this Engine2 LC. Max MTU on the third port depends on the settings on the other two, so you can't even go up to 4470 if you set the first to 9k.. oli From tdurack at gmail.com Sat Apr 4 19:29:02 2009 From: tdurack at gmail.com (Tim Durack) Date: Sat, 4 Apr 2009 19:29:02 -0400 Subject: [c-nsp] same-router tunnel loopback In-Reply-To: <20090404085652.GR290@greenie.muc.de> References: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com> <20090404085652.GR290@greenie.muc.de> Message-ID: <9e246b4d0904041629i7fd97176obf8097ee2b4d2390@mail.gmail.com> On Sat, Apr 4, 2009 at 4:56 AM, Gert Doering wrote: > Hi, > > On Fri, Apr 03, 2009 at 04:14:40PM -0400, Tim Durack wrote: >> Using a same-router tunnel loopback to move traffic between global and >> vrf on a SUP720: > > One small but essential bit is missing: what IOS version?
Are you sure > the IOS you use supports IPv6 VRF (this was added MUCH later than IPv4 VRF)? SXI. IPv6 AF works fine in the VRFs, just not across the tunnel. > (Maybe it's just the /127 - try with /124 or /64, just to be sure) That crossed my mind. Didn't try it yet. Tim:> From eng_mssk at hotmail.com Sun Apr 5 05:40:34 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Sun, 5 Apr 2009 12:40:34 +0300 Subject: [c-nsp] show inventory Message-ID: Hey all, I issue the command show inventory on some devices and no output is there, and on the other ones it is ok. Any ideas? From werner at trans.net Sun Apr 5 07:44:42 2009 From: werner at trans.net (Werner Detter) Date: Sun, 05 Apr 2009 13:44:42 +0200 Subject: [c-nsp] bgp_cpu2timeout and %LINK-4-NOMAC In-Reply-To: <49C0EB08.8020604@trans.net> References: <49C0EB08.8020604@trans.net> Message-ID: <49D899AA.2020904@trans.net> Hi, > *Mar 18 11:35:04.091: bgp_cpu2timeout: seconds: 30000, slot: 3 for 5: 0% and 1: 0% > *Mar 18 11:35:34.875: bgp_cpu2timeout: seconds: 30000, slot: 3 for 5: 0% and 1: 0% > > %LINK-4-NOMAC: A random default MAC address of 0000.0c82.a9fb has > been chosen. Ensure that this address is unique, or specify MAC > addresses for commands (such as 'novell routing') that allow the > use of this address as a default Messages gone since I've changed the 7206VXR-Chassis. bye, Werner From raymondh.nsp at gmail.com Sun Apr 5 09:45:48 2009 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Sun, 5 Apr 2009 21:45:48 +0800 Subject: [c-nsp] show inventory In-Reply-To: References: Message-ID: <06657F64-46A5-4F79-8337-EBE498AC74BA@gmail.com> try this. sh invent raw --raymondh On Apr 5, 2009, at 5:40 PM, Mohammad Khalil wrote: > > Hey all > > i issue the command show inventory on some devices and no output is > there and the other is ok > > any ideas ?
From tedm at toybox.placo.com Sun Apr 5 11:24:44 2009 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Sun, 05 Apr 2009 08:24:44 -0700 Subject: [c-nsp] Monitoring External Web Server In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local> References: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local> Message-ID: <49D8CD3C.1020709@toybox.placo.com> Aaron Riemer wrote: > Hey guys, > > We have a requirement to monitor the external availability of a web > server that hangs off our ASA DMZ interface. I was thinking of running > an IP SLA probe from our external router to test the web requests but I > was wondering if anyone had done something with EEM that could possibly > try to establish a TCP connection to the web server and report the > statistics somehow. I don't want to place a machine outside for the > monitoring so would prefer to do it from our router if possible. > > Any thoughts? > You won't get true monitoring unless you place 2 machines on the outside and put a modem in one and run sendpage software on it - OR use a commercial service. I run paging software under FreeBSD running on an old P200 machine. I had to try several different modems before getting one that worked right with the software. The reason you need this is that if your Internet connection goes down your router cannot page you that there's a problem. The reason you need 2 machines is that if one of the monitoring systems goes offline. In my setup both systems monitor each other. I also monitor a few major websites (google, etc.)
to make sure we still have connectivity. The only problem I have now is when my cell phone battery dies. ;-) Ted From musmanashraf at gmail.com Sun Apr 5 13:59:02 2009 From: musmanashraf at gmail.com (M Usman Ashraf) Date: Sun, 5 Apr 2009 22:59:02 +0500 Subject: [c-nsp] CISCO ACS 4.2 command pattern matching Message-ID: <9149d2410904051059u4a3d7d2h5894d495481be4e6@mail.gmail.com> Hi List, I have been testing pattern matching with ACS shell command auth sets and it doesn't seem to work like the ACS documentation says. Quote from the Cisco ACS user guide: *For permit or deny command arguments, ACS applies pattern matching. That is, the argument permit wid matches any argument that contains the string wid. Thus, for example, permit wid would allow not only the argument wid but also the arguments anywid and widget.* *To limit the extent of pattern matching you can add the following expressions:* *- Dollar sign ($)* *Expresses that the argument must end with what has gone before. Thus permit wid$ would match wid or anywid, but not widget.* *- Caret (^)* *Expresses that the argument must begin with what follows. Thus permit ^wid would match wid or widget, but not anywid. You can combine these expressions to specify absolute matching. In the example given, you would use permit ^wid$ to ensure that only wid was permitted, and not anywid or widget.* *To permit or deny commands that carry no arguments, you can use absolute matching to specify the null argument condition. For example, you use permit ^$ to permit a command with no arguments. Alternatively, entering permit has the same effect.
You can use either method, with the Permit Unmatched Args option unchecked, to match and, therefore, permit or deny commands that have no argument.* ---------------------------------------------------------------------------------------- So from this I take that if I want to deny configuration of certain interfaces, say Loopback0, while allowing configuration of Loopback99, I will permit "interface", with the sub-command arguments: permit *^Loopback99$*, unmatched commands are "deny" and "Permit Unmatched Args" is unchecked. Thinking that would allow the command interface Loopback99, but actually the "interface Loopback99" command fails authorization. On the other side, if I permit *^Loopback* only, all loopbacks get permitted. It seems like the "^" pattern matching works but the "$" doesn't. Anyone have any experience with pattern matching that can help me out? -- Regards, M Usman Ashraf From peter at rathlev.dk Sun Apr 5 15:40:09 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 05 Apr 2009 21:40:09 +0200 Subject: [c-nsp] CISCO ACS 4.2 command pattern matching In-Reply-To: <9149d2410904051059u4a3d7d2h5894d495481be4e6@mail.gmail.com> References: <9149d2410904051059u4a3d7d2h5894d495481be4e6@mail.gmail.com> Message-ID: <1238960409.3675.16.camel@localhost.localdomain> On Sun, 2009-04-05 at 22:59 +0500, M Usman Ashraf wrote: > So from this I take that if I want to deny configuration of certain > interfaces say Loopback0, while allowing configuration of Loopback99, > I will, permit "interface" , with the sub-command arguments: > permit *^Loopback99$*, unmatched commands are "deny" and "Permit > Unmatched Args" is unchecked. > > Thinking that would allow the command interface Loopback99 but > actually the "interface Loopback99" commands, fails authorization. On > the other side, if I permit *^Loopback* only, all loopbacks get > permitted. It seems like the "^" pattern matching works but the "$" > doesn't.
Anyone have any experience with pattern matching that can > help me out? -- Your TACACS+ log should tell you the reason, even the ACS must have one. ;-) The reason could be that many end points add an explicit "" string to the request. If that is the case you would have to allow this instead: permit "^Loopback99 $" Regards, Peter From david at hughes.com.au Sun Apr 5 20:00:06 2009 From: david at hughes.com.au (David Hughes) Date: Mon, 6 Apr 2009 10:00:06 +1000 Subject: [c-nsp] Pseudowire and EtherChannel In-Reply-To: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com> References: <8cd002180904011535n13d9327w1e6ed31c5050e367@mail.gmail.com> Message-ID: <52F11FED-208A-4130-A744-2F8CC5970E4E@hughes.com.au> We have Multi Gig etherchannel bundles being delivered over multiple port-based xconnects and it works just fine. The only tricky bit is realising when you lose link at the far end (there's no link-loss signaling on the pw). You'll need to run UDLD in aggressive mode so that a failed circuit is removed from the bundle. David ... On 02/04/2009, at 8:35 AM, Ozar wrote: > Quick question on PS and EtherChannel. > > Let's say I have customer who needs 2 gig from A to Z that I am going > to > transport by Pseudowire... > > Should I etherchannel the ports and make my xconnect in the Port > Channel > interface, or just transport each gig interface separately, and > customer > handles all the aggregation?
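A small model of the ACS 4.2 argument-matching rules quoted in the ACS thread above, together with the trailing-"" hypothesis from the reply. This is an added example, not Cisco ACS code; the rule ordering (first matching permit/deny line wins), the dict layout of a command set, and the assumption that ACS sees the NAS's extra "" argument as a trailing space are assumptions of the model.

```python
"""Model of ACS 4.2 shell-command argument matching (added illustration,
not Cisco code). Rule ordering and the command-set layout are assumptions."""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]        # ("permit" | "deny", pattern)
CommandSet = Dict[str, dict]  # command word -> {"rules": [Rule], "permit_unmatched_args": bool}


def acs_arg_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one ACS argument pattern into a regular expression.

    Per the ACS user guide quoted in the thread, plain text is a substring
    match ("wid" matches "anywid" and "widget"); a leading ^ anchors the
    start, a trailing $ anchors the end. Everything else is literal, so a
    space or dot inside the pattern carries no regex meaning.
    """
    anchored_start = pattern.startswith("^")
    anchored_end = pattern.endswith("$")
    core = pattern[1:] if anchored_start else pattern
    core = core[:-1] if anchored_end else core
    regex = re.escape(core)
    if anchored_start:
        regex = "^" + regex
    if anchored_end:
        regex += "$"
    return re.compile(regex)


def arg_matches(pattern: str, args: str) -> bool:
    """True when the argument string satisfies the ACS pattern."""
    return acs_arg_regex(pattern).search(args) is not None


def authorize(command_sets: CommandSet, command: str, args: str) -> Tuple[bool, str]:
    """Decide one command; returns (permitted, reason).

    Commands absent from the set are denied (the thread's "unmatched
    commands are deny"). Within a command the first rule whose pattern
    matches decides (assumed ordering); if none matches, the
    "Permit Unmatched Args" checkbox decides.
    """
    entry = command_sets.get(command)
    if entry is None:
        return False, f"command {command!r} not in the set: deny"
    for action, pattern in entry["rules"]:
        if arg_matches(pattern, args):
            return action == "permit", f"{action} {pattern} matched args {args!r}"
    if entry["permit_unmatched_args"]:
        return True, f"no rule matched args {args!r}; Permit Unmatched Args set"
    return False, f"no rule matched args {args!r}; Permit Unmatched Args unset"


# Constructed command sets reproducing the two configurations discussed.
# The original poster's: permit "interface" with argument pattern ^Loopback99$.
POSTED_SET: CommandSet = {
    "interface": {"rules": [("permit", "^Loopback99$")], "permit_unmatched_args": False},
}
# The suggested fix for a NAS that appends an explicit "" argument, which
# this model assumes ACS renders as a trailing space: ^Loopback99 $.
SUGGESTED_SET: CommandSet = {
    "interface": {"rules": [("permit", "^Loopback99 $")], "permit_unmatched_args": False},
}


def walk_through() -> List[Tuple[str, bool]]:
    """Replay the thread's observations; returns (label, permitted) pairs."""
    cases = [
        ("^Loopback99$ vs 'Loopback99'", POSTED_SET, "Loopback99"),
        ("^Loopback99$ vs 'Loopback0'", POSTED_SET, "Loopback0"),
        ("^Loopback99$ vs 'Loopback99 ' (trailing space)", POSTED_SET, "Loopback99 "),
        ("^Loopback99 $ vs 'Loopback99 ' (trailing space)", SUGGESTED_SET, "Loopback99 "),
        ("^Loopback99 $ vs 'Loopback0 ' (trailing space)", SUGGESTED_SET, "Loopback0 "),
    ]
    results = []
    for label, cmd_set, args in cases:
        permitted, reason = authorize(cmd_set, "interface", args)
        results.append((label, permitted))
        print(f"{'PERMIT' if permitted else 'DENY':6} {label}: {reason}")
    return results


if __name__ == "__main__":
    walk_through()
```

The third case is the symptom reported in the thread (a correct-looking ^Loopback99$ that still fails), and the fourth shows why the reply's "^Loopback99 $" pattern passes under the trailing-space assumption.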
From ler762 at gmail.com Sun Apr 5 22:58:56 2009 From: ler762 at gmail.com (Lee) Date: Sun, 5 Apr 2009 22:58:56 -0400 Subject: [c-nsp] 10GE card for 7609 In-Reply-To: <20090331201210.GF51443@gerbil.cluepon.net> References: <863386.41277.qm@web44809.mail.sp1.yahoo.com> <20090330151600.GA408@roxanne.org> <49D1BE37.8060402@skoal.name> <20090331074620.GV290@greenie.muc.de> <49D1CDD4.3080301@skoal.name> <20090331201210.GF51443@gerbil.cluepon.net> Message-ID: On 3/31/09, Richard A Steenbergen wrote: > On Tue, Mar 31, 2009 at 10:01:24AM +0200, Gergely Antal wrote: > >> I meant that you can not push 40G out of a 6704 >> even with a dfc attached to it.But you can do it with a 6708 >> with 1:1 subscription. > > Worse, some days you can't even get 7G in from a single port on a 6704 > with the other 3 ports unused. We routinely have problems with ingress > interface overruns or egress interface output queue overflows on 6704 > in that traffic range, and DFC doesn't make any difference. > > It seems like it is head of line blocking, and TAC's only answer is > "those things have no buffers, buy a 6708". We had a TAC case for input queue drops on a 6704 port - they told us it's a hardware limitation. When traffic is switched between two ports leading to the same asic you're limited to about 8Gb per port. Regards, Lee From asad747 at cyber.net.pk Mon Apr 6 01:05:40 2009 From: asad747 at cyber.net.pk (Asad Ul-Islam) Date: Mon, 06 Apr 2009 10:05:40 +0500 Subject: [c-nsp] client mac address on LNS?? Message-ID: <003501c9b675$547f7d80$fd7e7880$@net.pk> Dear Friends! I have a setup in which DSL users connect to a LNS via L2TP. Everything is working fine, however on LNS I am not receiving any MAC address for the DSL Users (Type PPPoVPDN). This is my standard crucial requirement for generating several reports for management purposes. Can someone tell me if it is possible to get Mac-address for the VPDN users???
I am getting mac-address for PPPoE type users which are terminated on my BRAS. Attached is the debug output for both LNS and BRAS which shows that the mac-address field is missing in the LNS output. ######### LNS output (domain stripping is used) ########## Apr 6 04:29:47.020: RADIUS(00001037): Send Access-Request to 10.10.10.10:3312 id 1645/44, len 123 Apr 6 04:29:47.020: RADIUS: Framed-Protocol [7] 6 PPP [1] Apr 6 04:29:47.020: RADIUS: User-Name [1] 11 "testuser7" Apr 6 04:29:47.020: RADIUS: User-Password [2] 18 * Apr 6 04:29:47.020: RADIUS: NAS-Port [5] 6 370 Apr 6 04:29:47.020: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID370" Apr 6 04:29:47.020: RADIUS: Connect-Info [77] 9 "1920000" Apr 6 04:29:47.020: RADIUS: NAS-Port-Type [61] 6 Virtual [5] Apr 6 04:29:47.020: RADIUS: Service-Type [6] 6 Framed [2] Apr 6 04:29:47.020: RADIUS: NAS-IP-Address [4] 6 1.1.1.1 Apr 6 04:29:47.020: RADIUS: Acct-Session-Id [44] 18 "CAA36E5A00001058" Apr 6 04:29:47.308: RADIUS: Received from id 1645/44 10.10.10.10:3312, Access-Accept, len 37 Apr 6 04:29:47.308: RADIUS: Class [25] 5 Apr 6 04:29:47.308: RADIUS: 50 49 4E [PIN] Apr 6 04:29:47.308: RADIUS: Service-Type [6] 6 Framed [2] Apr 6 04:29:47.308: RADIUS: Framed-Protocol [7] 6 PPP [1] Apr 6 04:31:47.100: RADIUS(00001038): Received from id 1645/45 Apr 6 04:31:47.100: VT[Vi3.1]:Request took 0 msec, 0 msec processing time Apr 6 04:31:47.100: uid:371 Tnl/Sn 58894/504 L2TP: Virtual interface created for testuser7 at best-dsl bandwidth 1920 Kbps Apr 6 04:31:47.100: Vi3.1 Tnl/Sn 58894/504 L2TP: Virtual interface created for testuser7 at best-dsl, bandwidth 1920 Kbps Apr 6 04:31:47.100: Vi3.1 Tnl/Sn 58894/504 L2TP: VPDN session up Apr 6 04:31:47.220: RADIUS/ENCODE(00001038):Orig.
component type = VPDN Cisco-3845-L2TP-LNS#show users Interface User Mode Idle Peer Address Vi3.1 testuser7 at best-ds PPPoVPDN - 1.1.1.233 ######### BRAS output ########## *Mar 1 00:13:15.367: RADIUS(00000009): Send Access-Request to 10.10.10.10:3312 id 1645/6, len 167 *Mar 1 00:13:15.367: RADIUS: Vendor, Cisco [26] 41 *Mar 1 00:13:15.367: RADIUS: Cisco AVpair [1] 35 "client-mac-address=000f.a392.4bef" *Mar 1 00:13:15.367: RADIUS: Framed-Protocol [7] 6 PPP [1] *Mar 1 00:13:15.367: RADIUS: User-Name [1] 11 "testuser6" *Mar 1 00:13:15.367: RADIUS: User-Password [2] 18 * *Mar 1 00:13:15.367: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Mar 1 00:13:15.367: RADIUS: Vendor, Cisco [26] 18 *Mar 1 00:13:15.367: RADIUS: cisco-nas-port [2] 12 "3/0/0/0.36" *Mar 1 00:13:15.367: RADIUS: NAS-Port [5] 6 805306404 *Mar 1 00:13:15.367: RADIUS: Service-Type [6] 6 Framed [2] *Mar 1 00:13:15.371: RADIUS: NAS-IP-Address [4] 6 1.1.1.1 *Mar 1 00:13:15.371: RADIUS: Acct-Session-Id [44] 29 "3/0/0/0.36_CAA3693A0000000E" *Mar 1 00:13:15.519: RADIUS: Received from id 1645/6 10.10.10.10:3312, Access-Accept, len 37 *Mar 1 00:13:15.519: RADIUS: Class [25] 5 *Mar 1 00:13:15.519: RADIUS: 50 49 4E [PIN] *Mar 1 00:13:15.519: RADIUS: Service-Type [6] 6 Framed [2] *Mar 1 00:13:15.519: RADIUS: Framed-Protocol [7] 6 PPP [1] *Mar 1 00:13:15.523: RADIUS(00000009): Received from id 1645/6 *Mar 1 00:13:15.643: RADIUS/ENCODE(00000009):Orig. 
component type = PPoE Cisc-3640-BRAS-And-L2TP-LAC# show user Interface User Mode Idle Peer Address Vi2.1 testuser6 PPPoE 00:03:25 2.2.2.244 Best Regards, Asad Ul-Islam From farhan at cyber.net.pk Mon Apr 6 03:28:45 2009 From: farhan at cyber.net.pk (Farhan Ali Khan) Date: Mon, 06 Apr 2009 12:28:45 +0500 Subject: [c-nsp] IP Address management software In-Reply-To: References: <7988720.651238675012717.JavaMail.peter@petergunz> Message-ID: <01ee01c9b689$51c1cd00$a370a3ca@IBMB733624712D> Try the following: 1) http://iptrack.sourceforge.net/ 2) http://www.sofotex.com/IPMaster-:-IP-Address-Management-Software-download_L37927.html Paid but awesome 3) http://www.manageengine.com/products/oputils/address-monitoring-tools.html Regards Farhan Ali Khan On Thu, Apr 2, 2009 at 5:23 PM, Peter Nyamukusa < peter.nyamukusa at africaonline.co.tz> wrote: > Hi Gary, > you can try this > > http://www.brownkid.net/NorthStar/ > > cheers, > > -- > > > Peter Nyamukusa > > Technical Manager > Africa Online (T) Ltd. > Tel: +255 (22) 211 6090 > Fax:+255 (22) 211 6089 > Email: peter.nyamukusa at africaonline.co.tz > > > A member of the Telkom South Africa Group > > ----- Original Message ----- > From: "Gary Roberton" > To: cisco-nsp at puck.nether.net > Sent: Tuesday, March 31, 2009 11:17:50 AM GMT +03:00 Iraq > Subject: [c-nsp] IP Address management software > > Hello all > > What IP address management software do you use to control the > allocation of subnets to your customers/department?
> > Thanks > > Gary > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ariemer at wesenergy.com.au Mon Apr 6 03:33:57 2009 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Mon, 6 Apr 2009 15:33:57 +0800 Subject: [c-nsp] Monitoring External Web Server In-Reply-To: <49D8CD3C.1020709@toybox.placo.com> References: <0867622C64B50C4B878AB45C95F43F1106A1D55B@MAILWA01.wesenergy.local> <49D8CD3C.1020709@toybox.placo.com> Message-ID: <0867622C64B50C4B878AB45C95F43F1106A1DA1F@MAILWA01.wesenergy.local> Thanks for the tips guys. Aaron. -----Original Message----- From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] Sent: Sunday, 5 April 2009 11:25 PM To: Aaron Riemer Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Monitoring External Web Server Aaron Riemer wrote: > Hey guys, > > We have a requirement to monitor the external availability of a web > server that hangs off our ASA DMZ interface. I was thinking of running > an IP SLA probe from our external router to test the web requests but I > was wondering if anyone had done something with EEM that could possibly > try to establish a TCP connection to the web server and report the > statistics somehow. I don't want to place a machine outside for the > monitoring so would prefer to do it from our router if possible. > > Any thoughts? 
> You won't get true monitoring unless you place 2 machines on the outside and put a modem in one and run sendpage software on it - OR use a commercial service. I run paging software under FreeBSD running on an old P200 machine. I had to try several different modems before getting one that worked right with the software. The reason you need this is that if your Internet connection goes down your router cannot page you that there's a problem. The reason you need 2 machines is that if one of the monitoring systems goes offline. In my setup both systems monitor each other. I also monitor a few major websites (google, etc.) to make sure we still have connectivity. The only problem I have now is when my cell phone battery dies. ;-) Ted From mdado at Airspan.com Mon Apr 6 04:00:20 2009 From: mdado at Airspan.com (Mohammed Dado) Date: Mon, 6 Apr 2009 09:00:20 +0100 Subject: [c-nsp] show inventory In-Reply-To: <06657F64-46A5-4F79-8337-EBE498AC74BA@gmail.com> References: <06657F64-46A5-4F79-8337-EBE498AC74BA@gmail.com> Message-ID: Also try this: show inventory raw slot Regards, Mohammed Dado. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of raymondh (NSP) Sent: 05 April 2009 15:46 To: Mohammad Khalil Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] show inventory try this.
sh invent raw --raymondh On Apr 5, 2009, at 5:40 PM, Mohammad Khalil wrote: > > Hey all > > i issue the command show inventory on some devices and no output is > there and the other is ok > > any ideas ? From eng_mssk at hotmail.com Mon Apr 6 08:08:15 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Mon, 6 Apr 2009 15:08:15 +0300 Subject: [c-nsp] show inventory In-Reply-To: References: <06657F64-46A5-4F79-8337-EBE498AC74BA@gmail.com> Message-ID: The problem with the command show inventory or show inventory raw is that it's not supported on every IOS image, so there is show c7200 (for VXRs) and show tech as well; show diag can be helpful as well. > From: mdado at Airspan.com > To: raymondh.nsp at gmail.com; eng_mssk at hotmail.com > CC: cisco-nsp at puck.nether.net > Date: Mon, 6 Apr 2009 09:00:20 +0100 > Subject: RE: [c-nsp] show inventory > > Also try this: > > show inventory raw slot > > > Regards, > Mohammed Dado. > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of raymondh (NSP) > Sent: 05 April 2009 15:46 > To: Mohammad Khalil > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] show inventory > > try this.
> > sh invent raw > > > --raymondh > > On Apr 5, 2009, at 5:40 PM, Mohammad Khalil wrote: > > > > > Hey all > > > > i issue the command show inventory on some devices and no output is > > there and the other is ok > > > > any ideas ? From david.freedman at uk.clara.net Mon Apr 6 09:12:14 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 06 Apr 2009 14:12:14 +0100 Subject: [c-nsp] Emulating the L2 aspect of VPLS with VRF-lite In-Reply-To: <49D67B8C.9090204@justinshore.com> References: <49D67B8C.9090204@justinshore.com> Message-ID: <49D9FFAE.10907@uk.clara.net> > Thinking about it a bit more I decided that I could provide a L2 > service by making each of the MLPPP interfaces and the GigE sub-int > unnumbered up to a common loopback. Each customer WAN-facing interface > would be addressed from a common subnet. They should then also be able > to directly communicate with one another across the loopback and > establish routing adjacencies and/or build GRE tunnels with the hosts in > that common connected route.
Not quite sure how next-hop address resolution would work here. If you expand the subnet masks such that all devices exist on the same subnet, you will need some kind of address resolution to work; for instance, the CPE on the DS1s will need to have a connected route to the subnet, the 7200 will have to have static routes (or IPCP learnt) to each endpoint on the DS1s, and also some kind of ARP for the HQ site. I would personally go for the L3 (VRF) solution as it is simplest to manage and troubleshoot; I would imagine it has about the same overhead on the router as any L2 solution you could come up with using this 7200. If you really want to do L2, consider bridging (IRB, but v.cpu intensive) or l2connect with interworking between the MLPPP bundles and sub-sub interfaces of the GigE (I would imagine you can do QinQ on this, right?); if not, consider dropping the Ethernet component and going for a straight DS3 with frame PVCs. This design of course requires that all traffic passes through the HQ site. Dave. > > That's where I'm at right now. I have 2 test routers with a DS1 bundle > on each back to the 7200. Each bundle is in the customer VRF. I have > another router doing Ethernet into a 4948 access switchport. That > unique VLAN gets trunked up to the 7200 on an on-board GigE interface. > The corresponding sub-int on the 7200 is in the customer VRF and is > unnumbered back to the dedicated customer loopback. The only error I > got in the process was when I did the unnumbered on the sub-int. > > 003018: Apr 3 13:15:29 CDT: %OSPF-4-NO_IPADDRESS_ON_INT: No IP address > for interface GigabitEthernet0/2.1001 > > That's just OSPF whining and shouldn't be a problem. I set up OSPF on > all WAN-facing interfaces on the CE lab routers. For grins I also set > up OSPF inside the VRF on the PE. I can ping between the DS1 routers > and the 7200. However I can not ping the Ethernet CE router from > anywhere.
I also can not establish OSPF adjacencies between any of the > CEs or the PE. Debugging the OSPF packets I see packets going out from > the CEs but nothing coming in. From the PE I see nothing at all. > > Should this ip unnumbered design work? Any idea what's dropping the > OSPF packets along the way? > > I'm working on the problem while typing this and I have an update on > what I wrote above. I now have OSPF adjacencies between the DS1 CPEs > and the 7200. It turns out I needed to put the MLPPP interface into the > VRF as well even though the ip unnumbered interface was in the VRF > already. However this points out a problem. I am unable to establish > an adjacency between the DS1 CPEs. The CPEs only claim to see OSPF > packets from the 7200. Is that normal? I also just noticed that I can > no longer ping between DS1 CPEs. I'm not sure if this isn't being > consistent or I should call it a day. > > I should be able to do the VRF with the L3 hop in the middle if nothing > else. I'd rather that be my fall-back position though. Any other > suggestions on how to accomplish this would be much appreciated. I'm > sure there are other ways to do something similar. > > Thanks > Justin From rekordmeister at gmail.com Mon Apr 6 09:22:18 2009 From: rekordmeister at gmail.com (MKS) Date: Mon, 6 Apr 2009 13:22:18 +0000 Subject: [c-nsp] SIP-400 and 10GbE SPA Message-ID: Hi There According to cisco SIP-400 can "Ability to run 4 GE line rate for 64-byte packets, and OC-48 line rate for 48-byte packets for POS, HDLC, etc.
with select services"
https://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html

Can someone please clarify what exactly this means.

Also if I put a 10GbE SPA into a SIP-400 what is the expected performance of that?

Thanks
//MKS

From jcartier at acs.on.ca Mon Apr 6 10:28:09 2009
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 6 Apr 2009 10:28:09 -0400
Subject: [c-nsp] ME3750 Dropping LDP
Message-ID:

I've got a ME3750 in the field and it appears to be randomly dropping LDP neighbors every few days. Anyone have any experience using this platform within an MPLS model?

Thanks!

From rick at woofpaws.com Mon Apr 6 10:51:40 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Mon, 6 Apr 2009 07:51:40 -0700 (PDT)
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
Message-ID: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>

The stars are starting to come into alignment and I'm about ready to order equipment for a network refresh.

I currently have an edge/core/aggregation model with 7206VXR/NPE-G1 at the edge, 7500/RSP16/GEIP+ in the core, and various aggregation devices from 5500/RSM to 7500/RSP8 and dialup, DSL, etc. We are migrating from OC-3 to GigE at our edge.

We currently push about 300mbs in each direction and that is expected to grow by at least 100mbs this year. The rate of growth has increased dramatically.

I'm planning on collapsing the border/core into a pair of 7600/Sup720-3BXLs, and it looks like they will be almost idle with this amount of load.

The problem I am running into is spec'ing the aggregation layer. Almost all of our traffic is ethernet now, and all the interfaces need bi-directional rate-limiting/traffic-shaping/policing. We have a variable bandwidth model and need to cap traffic at 1Mbs granularity. 1, 5, and 10Mbs connections are common, and 20, 50, 100Mbs connections exist with a 200Mbs pipe in process.

The only traffic management I have used in the past is Cisco's rate-limit, and it is very CPU intensive. I'm trying to find out if a Sup720/RSP720 can handle hundreds of interfaces, each being rate-limited in some manner. The Cisco data sheet is vague about "some features" and "QoS" in hardware, but isn't specific about what features are in hardware.

Is the Sup720 (RSP720 a better answer?) sufficient? Is traffic-management in hardware, and should I be looking at rate-limit or some different mechanism?

The network itself is otherwise pretty low-touch. My intent is to "just move the bits", but I also use uRPF with a BGP blackhole system for IDS.

Note: I'd like to keep as much of the equipment the same to simplify sparing, configuration, etc.

Thanks!

From jlewis at lewis.org Mon Apr 6 11:12:00 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 6 Apr 2009 11:12:00 -0400 (EDT)
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
In-Reply-To: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID:

On Mon, 6 Apr 2009, Rick Ernst wrote:

> I'm planning on collapsing the border/core into a pair of 7600/Sup720-3BXLs, and it looks like they will be almost idle with this amount of load.

That really depends on the features you enable. Try doing full netflow on a sup720 doing a few hundred mbits of traffic, and they're suddenly not so mighty.

> The problem I am running into is spec'ing the aggregation layer. Almost all of our traffic is ethernet now, and all the interfaces need bi-directional rate-limiting/traffic-shaping/policing. We have a variable bandwidth model and need to cap traffic at 1Mbs granularity. 1, 5, and 10Mbs connections are common, and 20, 50, 100Mbs connections exist with a 200Mbs pipe in process.

We've been using 3550's for years for this, as they have the ability to police in both directions, per port, at whatever granularity you like. The 3560, which was supposed to be an improvement/replacement for the 3550, lost this ability, which really shocked me when I configured my first one. It can do per-port output shaping, but the granularity kind of blows. You're limited to 1/N * port rate, where N is an integer from 0 to 65535. This gives plenty (actually a huge waste of range) of granularity at the low end of bandwidth, but at the high end, you're limited to full rate, 50%, 33%, 25%, 20%, etc. If I'm wrong here, I'd love to hear it and be told how to limit a 100mbit port to say 40mbit/s.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From skeeve at eintellego.net Mon Apr 6 11:16:39 2009
From: skeeve at eintellego.net (Skeeve Stevens)
Date: Tue, 7 Apr 2009 01:16:39 +1000
Subject: [c-nsp] Break out a VLAN from a QinQ?
Message-ID: <292AF25E62B8894C921B893B53A19D97394469DFF3@BUSINESSEX.business.ad>

Hey all,

Does Cisco have any switches which can:

a) Break out a VLAN from within a QinQ trunk
b) Renumber VLAN's pulled from such a trunk
c) Renumber VLAN's in general

There seems to be such little info out there on QinQ!

...Skeeve

--
Skeeve Stevens, CEO/Technical Director
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?

Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced.

From md at bts.sk Mon Apr 6 12:11:17 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Mon, 6 Apr 2009 18:11:17 +0200
Subject: [c-nsp] 10GE card for 7609
In-Reply-To:
References: <863386.41277.qm@web44809.mail.sp1.yahoo.com> <20090330151600.GA408@roxanne.org> <49D1BE37.8060402@skoal.name> <20090331074620.GV290@greenie.muc.de> <49D1CDD4.3080301@skoal.name> <20090331201210.GF51443@gerbil.cluepon.net>
Message-ID: <20090406161117.GA56528@bts.sk>

On Sun, Apr 05, 2009 at 10:58:56PM -0400, Lee wrote:
> On 3/31/09, Richard A Steenbergen wrote:
> > On Tue, Mar 31, 2009 at 10:01:24AM +0200, Gergely Antal wrote:
> >
> >> I meant that you can not push 40G out of a 6704 even with a dfc attached to it. But you can do it with a 6708 with 1:1 subscription.
> >
> > Worse, some days you can't even get 7G in from a single port on a 6704 with the other 3 ports unused. We routinely have problems with ingress interface overruns or egress interface output queue overflows on 6704 in that traffic range, and DFC doesn't make any difference.
> >
> > It seems like it is head of line blocking, and TAC's only answer is "those things have no buffers, buy a 6708".
>
> We had a TAC case for input queue drops on a 6704 port - they told us it's a hardware limitation. When traffic is switched between two ports leading to the same asic you're limited to about 8Gb per port.

??? This is definitely possible with 6704 and SXI:

TenGigabitEthernet2/1 is up, line protocol is up (connected)
  Last clearing of "show interface" counters 00:04:57
  Input queue: 0/2000/0 (size/max/drops); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 9900042000 bits/sec, 137227 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

TenGigabitEthernet2/2 is up, line protocol is up (connected)
  Last clearing of "show interface" counters 00:04:55
  Input queue: 0/2000/0 (size/max/drops); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 9900041000 bits/sec, 137226 packets/sec

No single packet drop in 5 minutes, and the traffic is switched locally in the ASIC - not going out to fabric:

#show fabric utilization
 slot    channel    speed    Ingress %    Egress %
    2          0      20G            0           0
    2          1      20G            0           0

This is on a WS-SUP720-3B system with WS-X6704-10GE + WS-F6700-CFC.

With kind regards,

M.

From david.freedman at uk.clara.net Mon Apr 6 12:15:16 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 06 Apr 2009 17:15:16 +0100
Subject: [c-nsp] Break out a VLAN from a QinQ?
In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469DFF3@BUSINESSEX.business.ad>
References: <292AF25E62B8894C921B893B53A19D97394469DFF3@BUSINESSEX.business.ad>
Message-ID:

Skeeve Stevens wrote:
> Hey all,
>
> Does Cisco have any switches which can:
>
> a) Break out a VLAN from within a QinQ trunk
> b) Renumber VLAN's pulled from such a trunk
> c) Renumber VLAN's in general

Vlan rewriting has been available for some time now, but alas, there are many restrictions and these are h/w dependent (i.e. one re-write map per asic, not port).

If you have the cash to spare on 7600 and ES20/ES40/ES+ you can make use of the "Carrier Ethernet" featureset (http://www.cisco.com/en/US/docs/ios/cether/configuration/guide/ce_mst_evc_bd_ps6922_TSD_Products_Configuration_Guide_Chapter.html) to dynamically modify and steer frames as they arrive (think of it as a kind of route-map, but for ethernet); this is commonly referred to as "EVC functionality" (EVC = Ethernet Virtual Circuit).

http://www.cisco.com/en/US/docs/routers/7600/install_config/ES20_config_guide/SRD/baldcsm.html provides a quick summary of this:

Router(config-if-srv)#rewrite ingress tag {push {dot1q vlan-id | dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | pop {1 | 2} | translate {1-to-1 {dot1q vlan-id | dot1ad vlan-id}| 2-to-1 dot1q vlan-id | dot1ad vlan-id}| 1-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id} | 2-to-2 {dot1q vlan-id second-dot1q vlan-id | dot1ad vlan-id dot1q vlan-id}} [symmetric]

Great syntax huh? :)

Dave.

> There seems to be such little info out there on QinQ!
>
> ...Skeeve

From p.mayers at imperial.ac.uk Mon Apr 6 12:17:05 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 06 Apr 2009 17:17:05 +0100
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
In-Reply-To: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID: <49DA2B01.3000608@imperial.ac.uk>

Rick Ernst wrote:
> The stars are starting to come into alignment and I'm about ready to order equipment for a network refresh.
>
> I currently have an edge/core/aggregation model with 7206VXR/NPE-G1 at the edge, 7500/RSP16/GEIP+ in the core, and various aggregation devices from 5500/RSM to 7500/RSP8 and dialup, DSL, etc.
> We are migrating from OC-3 to GigE at our edge.
>
> We currently push about 300mbs in each direction and that is expected to grow by at least 100mbs this year. The rate of growth has increased dramatically.
>
> I'm planning on collapsing the border/core into a pair of 7600/Sup720-3BXLs, and it looks like they will be almost idle with this amount of load.
>
> The problem I am running into is spec'ing the aggregation layer. Almost all of our traffic is ethernet now, and all the interfaces need bi-directional rate-limiting/traffic-shaping/policing. We have a variable bandwidth model and need to cap traffic at 1Mbs granularity. 1, 5, and 10Mbs connections are common, and 20, 50, 100Mbs connections exist with a 200Mbs pipe in process.
>
> The only traffic management I have used in the past is Cisco's rate-limit, and it is very CPU intensive. I'm trying to find out if a Sup720/RSP720 can handle hundreds of interfaces, each being rate-limited in some manner. The Cisco data sheet is vague about "some features" and "QoS" in hardware, but isn't specific about what features are in hardware.
>
> Is the Sup720 (RSP720 a better answer?) sufficient? Is traffic-management in hardware, and should I be looking at rate-limit or some different mechanism?

QoS on the 6500/7600 platform is a pretty involved topic. You will want to read up on it carefully. See:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/qos.html

Assuming you're talking about "LAN" linecards e.g. 67xx series, then:

 * qos is done in hardware
 * the capabilities are reasonable, but limited and a bit complex because it's done in hardware
 * the capabilities depend on the exact model of linecard - some have fewer queues, smaller buffers, only 6708 support ingress DSCP mapping to queues etc.

In particular, you want to watch ingress rate limiting very carefully. My (limited) understanding is that it'll be tricky to do what you want.
From asturluismi at gmail.com Mon Apr 6 12:18:04 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 06 Apr 2009 18:18:04 +0200
Subject: [c-nsp] EEM event-manager and "event none" question.
Message-ID: <1239034684.13422.5.camel@dsba-ipso>

I have this code...

event manager applet A-EU-UP
 event track 10 state up
 action 1.0 syslog msg "Track 10 Up. Houston we don't have a problem"
 action 2.0 cli command "enable"
 action 3.0 cli command "conf t"
 action 4.0 cli command ""

I tried to execute...

# event manager run A-EU-UP
Embedded Event Manager policy EU-ACEL-BACKUP-OFF not registered with event none Event Detector

What is the reason for that message? Looks like the EEM code is not running. As far as I can read at documentation found with google, I need "event none" at the beginning of the applet, but what is the reason for it? When must "event none" be used?

From saku+cisco-nsp at ytti.fi Mon Apr 6 12:24:00 2009
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 6 Apr 2009 19:24:00 +0300
Subject: [c-nsp] 10GE card for 7609
In-Reply-To: <20090406161117.GA56528@bts.sk>
References: <863386.41277.qm@web44809.mail.sp1.yahoo.com> <20090330151600.GA408@roxanne.org> <49D1BE37.8060402@skoal.name> <20090331074620.GV290@greenie.muc.de> <49D1CDD4.3080301@skoal.name> <20090331201210.GF51443@gerbil.cluepon.net> <20090406161117.GA56528@bts.sk>
Message-ID: <20090406162400.GA16201@mx.ytti.net>

On (2009-04-06 18:11 +0200), Marian Ďurkovič wrote:
> > We had a TAC case for input queue drops on a 6704 port - they told us it's a hardware limitation. When traffic is switched between two ports leading to the same asic you're limited to about 8Gb per port.
>
> This is definitely possible with 6704 and SXI:
> TenGigabitEthernet2/1 is up, line protocol is up (connected)
>   30 second input rate 9900042000 bits/sec, 137227 packets/sec
> TenGigabitEthernet2/2 is up, line protocol is up (connected)
>   30 second output rate 9900041000 bits/sec, 137226 packets/sec

When I tested it, traffic inside a single channel was the worst alternative.

3. Topologies used

I used four different topologies:

 a) anritsu --darkfibre-- ten7/1:7600:ten7/3 --darkfibre-- anritsu
 b) anritsu --darkfibre-- ten7/1:7600:ten4/1 --darkfibre-- anritsu
 c) anritsu --darkfibre-- ten7/1:7600:ten7/2 --darkfibre-- anritsu
 d) anr -dark- ten9/3:7600:ten9/2 -dwdm- ten4/1:7600:ten7/1 -dark- anr

4. Pure IP performance

4.1 no features configured, plain IP routing

 a) 67bytes and above is linerate in both directions
 b) 65bytes and above is linerate in both directions
 c) 64bytes does 87.5% of linerate, rate approaches 100% as size grows, but is both bps and pps bound, so no configuration of packet size and interval got 100%.
 d) 67bytes and above is linerate in both directions

This was in mid 2006 with 6704 and CFC running SRA. ACL's and Policers didn't affect forwarding, uRPF did affect slightly.
--
  ++ytti

From rossella at chemeketa.edu Mon Apr 6 12:22:08 2009
From: rossella at chemeketa.edu (Rossella Mariotti-Jones)
Date: Mon, 6 Apr 2009 09:22:08 -0700
Subject: [c-nsp] two ISPs, two routers, one firewall - bgp question
In-Reply-To:
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID:

Hello all,

I have a question regarding this scenario:
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5

My R2 link to ISP is 100M
R1 link to ISP is a DS3

If my firewall has a default route of 192.168.21.2 and I have a 10M download going with AS300, my firewall is going to send out my traffic through its default gateway which is 192.168.21.2. R2 knows through iBGP that R1 is the best path to AS300, so it sends the traffic to R1; traffic coming back goes through R1, R2, firewall to get to the client, so basically in this case the link between my firewall and R2 is taken up twice. Am I understanding this correctly?

Thanks everyone in advance.

rossella

From pl+list at pmacct.net Mon Apr 6 11:45:43 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Mon, 6 Apr 2009 16:45:43 +0100
Subject: [c-nsp] SIP-400 and 10GbE SPA
In-Reply-To:
References:
Message-ID: <20090406154543.GA18747@london.pmacct.net>

Hi MKS,

the performance you get really depends on the average size of the traffic mix you push through the card. The vendor is providing you with the 64-bytes packets scenario, then the scaling exercise to see whether it fits your scenario is up to you. Also translated, you should certainly not expect a SIP-400 to scale 10GE line-rate with an average traffic size of 64 bytes.
If this is acceptable to your setup, then you just need to find the average traffic size for the specific scenario with some basic traffic analysis (NetFlow ?), see whether you fit, take some margin (for all sort of inconveniences), etc.

Otherwise you might want to look at some different hardware solution (SIP-600 ?).

Cheers,
Paolo

From rekordmeister at gmail.com Mon Apr 6 12:30:37 2009
From: rekordmeister at gmail.com (MKS)
Date: Mon, 6 Apr 2009 16:30:37 +0000
Subject: [c-nsp] SIP-400 and 10GbE SPA
In-Reply-To: <20090406154543.GA18747@london.pmacct.net>
References: <20090406154543.GA18747@london.pmacct.net>
Message-ID:

OK let me put it this way

Does someone know what to expect from this card @ 1500byte packets or some "standard" IMIX. Does it matter if the interface is doing mpls or just IP?

Thanks

From raymondh.nsp at gmail.com Mon Apr 6 12:31:05 2009
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Tue, 7 Apr 2009 00:31:05 +0800
Subject: [c-nsp] SIP-400 and 10GbE SPA
In-Reply-To:
References:
Message-ID:

The SIP-400 supports up to 2.5G. (In other words 01 x STM-16 + some other low speed stuff)

Cheers.
--raymondh at home-zzz

From musmanashraf at gmail.com Mon Apr 6 12:45:24 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Mon, 6 Apr 2009 21:45:24 +0500
Subject: [c-nsp] CISCO ACS 4.2 command pattern matching
In-Reply-To: <1238960409.3675.16.camel@localhost.localdomain>
References: <9149d2410904051059u4a3d7d2h5894d495481be4e6@mail.gmail.com> <1238960409.3675.16.camel@localhost.localdomain>
Message-ID: <9149d2410904060945n4b900cb6ua652c90b40ffbf5@mail.gmail.com>

Thanks Peter. You were right, explicit "" was missing. It is ok now.

On Mon, Apr 6, 2009 at 12:40 AM, Peter Rathlev wrote:
> On Sun, 2009-04-05 at 22:59 +0500, M Usman Ashraf wrote:
> > So from this I take that if I want to deny configuration of certain interfaces say Loopback0, while allowing configuration of Loopback99, I will permit "interface", with the sub-command arguments: permit*^Loopback99$*, unmatched commands are "deny" and "Permit Unmatched Args" is unchecked.
> >
> > Thinking that would allow the command interface Loopback99 but actually the "interface Loopback99" commands fail authorization. On the other side, if I permit *^Loopback* only, all loopbacks get permitted. It seems like the "^" pattern matching works but the "$" doesn't. Anyone have any experience with pattern matching that can help me out? --
>
> Your TACACS+ log should tell you the reason, even the ACS must have one. ;-)
>
> The reason could be that many end points add an explicit "" string to the request.
> If that is the case you would have to allow this instead:
>
> permit "^Loopback99 $"
>
> Regards,
> Peter

--
Regards,
M Usman Ashraf

From achatz at forthnet.gr Mon Apr 6 12:49:07 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 06 Apr 2009 19:49:07 +0300
Subject: [c-nsp] EEM event-manager and "event none" question.
In-Reply-To: <1239034684.13422.5.camel@dsba-ipso>
References: <1239034684.13422.5.camel@dsba-ipso>
Message-ID: <49DA3283.1030101@forthnet.gr>

Event none is used if you want to manually run the eem applet, like you tried to do.

In your case (i guess you need to test your applet), you can create a 2nd applet that uses event none and just sets the track 10 state to up (action 1.0 track set 10 state up). That way you can run the 2nd applet manually which in turn should trigger the 1st applet to run automatically.

Just keep an eye on any other consequences this manual track state change might have on your router.

--
Tassos

From peter at rathlev.dk Mon Apr 6 12:52:22 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 06 Apr 2009 18:52:22 +0200
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
In-Reply-To:
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID: <1239036742.4684.33.camel@localhost.localdomain>

On Mon, 2009-04-06 at 07:51 -0700, Rick Ernst wrote:
> The problem I am running into is spec'ing the aggregation layer. Almost all of our traffic is ethernet now, and all the interfaces need bi-directional rate-limiting/traffic-shaping/policing. We have a variable bandwidth model and need to cap traffic at 1Mbs granularity. 1, 5, and 10Mbs connections are common, and 20, 50, 100Mbs connections exist with a 200Mbs pipe in process.

ES20 line cards for the 7600 might fit your purpose:
http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html
http://tinyurl.com/3jc8mx

The hardware forwarding switches can't really shape very well on LAN card interfaces. You can use token bucket policing, and the "SRR" enabled interfaces can do some crude "timeslot" shaping, but real buffered shaping isn't possible AFAIK.

On Mon, 2009-04-06 at 11:12 -0400, Jon Lewis wrote:
> On Mon, 6 Apr 2009, Rick Ernst wrote:
> > I'm planning on collapsing the border/core into a pair of 7600/Sup720-3BXLs, and it looks like they will be almost idle with this amount of load.
>
> That really depends on the features you enable. Try doing full netflow on a sup720 doing a few hundred mbits of traffic, and they're suddenly not so mighty.

Sorry if I repeat myself, but I don't understand this problem. We export netflow from Sup720-3Bs often carrying >1 Gbit/s and the processor hardly seems to notice.
And it's with an if-full flowmask. We're still on SXF but I sincerely hope SXH/SXI behave the same way for us.

Am I missing something here?

Regards,
Peter

From rick at woofpaws.com Mon Apr 6 12:54:31 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Mon, 6 Apr 2009 09:54:31 -0700 (PDT)
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID: <47617.69.30.17.85.1239036871.squirrel@www.woofpaws.com>

On Mon, April 6, 2009 08:12, Jon Lewis wrote:
> On Mon, 6 Apr 2009, Rick Ernst wrote:
>
>> I'm planning on collapsing the border/core into a pair of
>> 7600/Sup720-3BXLs, and it looks like they will be almost idle with this
>> amount of load.
>
> That really depends on the features you enable. Try doing full netflow on
> a sup720 doing a few hundred mbit's of traffic, and they're suddenly not
> so mighty.

Yikes! Does DFC on the linecards mitigate this? I'm also looking specifically at the Sup720/MSFC3/PFC3BLX.

>> The problem I am running into is spec'ing the aggregation layer. Almost
>> all of our traffic is ethernet now, and all the interfaces need
>> bi-directional rate-limiting/traffic-shaping/policing. We have a
>> variable
>> bandwidth model and need to cap traffic at 1Mbs granularity. 1,5, and
>> 10Mbs connections are common, and 20,50,100Mbs connections exist with a
>> 200Mbs pipe in process.
>
> We've been using 3550's for years for this, as they have the ability to
> police in both directions, per port, at whatever granularity you like.
> The 3560, which was supposed to be an improvement/replacement for the 3550
> lost this ability, which really shocked me when I configured my first one.
> It can do per-port output shaping, but the granularity kind of blows.
> You're limited to 1/N * port rate, where N is an integer from 0 to 65535.
> This gives plenty (actually a huge waste of range) of granularity at the
> low end of bandwidth, but at the high end, you're limited to full rate,
> 50%, 33%, 25%, 20%, etc. If I'm wrong here, I'd love to hear it and be
> told how to limit a 100mbit port to say 40mbit/s.

It looks like the 3550 has been EOLd for a couple of years. Does the 3750 (non-Metro) or other comparable switch carry the same functionality? Does the switch itself need to be doing IP on the port to provide rate-limiting?

Input shaping is where my major concern is since these would be deployed where traffic is heavily weighted on inbound (from-the-customer).

Thanks!

From ip at ioshints.info Mon Apr 6 12:59:19 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 6 Apr 2009 18:59:19 +0200
Subject: [c-nsp] EEM event-manager and "event none" question.
In-Reply-To: <1239034684.13422.5.camel@dsba-ipso>
References: <1239034684.13422.5.camel@dsba-ipso>
Message-ID: <006e01c9b6d9$07af0980$0a00000a@nil.si>

An EEM applet can be triggered only by a single condition. If you want to trigger it from the command line (with the "event man run" command), it cannot be triggered by anything else, so it must have "event none" pseudo-trigger. The "event none" is used to indicate that "no trigger" is actually what you want to do (as opposed to "I forgot to specify the trigger").

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: luismi [mailto:asturluismi at gmail.com]
> Sent: Monday, April 06, 2009 6:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] EEM event-manager and "event none" question.
>
> I have this code...
>
> event manager applet A-EU-UP
>  event track 10 state up
>  action 1.0 syslog msg "Track 10 Up. Houston we don't have a problem"
>  action 2.0 cli command "enable"
>  action 3.0 cli command "conf t"
>  action 4.0 cli command ""
>
> I tried to execute...
> # event manager run A-EU-UP
> Embedded Event Manager policy EU-ACEL-BACKUP-OFF not
> registered with event none Event Detector
>
> What is the reason for that message?
> Looks like the EEM code is not running.
> As far as I can read at documentation found with google, I
> need "event none" at the beginning of the applet, but, what
> is the reason for it?
> When "event none" must be used?

From ip at ioshints.info Mon Apr 6 13:05:55 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 6 Apr 2009 19:05:55 +0200
Subject: [c-nsp] two ISPs, two routers, one firewall - bgp question
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com>
Message-ID: <006f01c9b6d9$f3f50790$0a00000a@nil.si>

Outbound traffic traverses the DMZ segment twice (FW -> R2 -> R1). Inbound traffic traverses the DMZ segment once (R2 -> FW). The difference is that FW has no idea where to send the traffic (follows default route), whereas R2 knows the internal network is reachable through the FW.
Hope this helps

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Rossella Mariotti-Jones [mailto:rossella at chemeketa.edu]
> Sent: Monday, April 06, 2009 6:22 PM
> To: cisco-nsp at puck.nether.net
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] two ISPs, two routers, one firewall - bgp question
>
> Hello all, I have a question regarding this scenario:
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5
>
> My R2 link to ISP is 100M
> R1 link to ISP is a DS3
>
> If my firewall has a default route of 192.168.21.2 and I
> have a 10M download going with AS300, my firewall is going to
> send out my traffic through its default gateway which is
> 192.168.21.2, R2 knows through iBGP that R1 is the best path
> to AS300, so it sends the traffic to R1, traffic coming back
> goes through R1, R2, firewall to get to the client, so
> basically in this case the link between my firewall and R2 is
> taken up twice. Am I understanding this correctly? Thanks
> everyone in advance.
>
> rossella

From musmanashraf at gmail.com Mon Apr 6 13:09:13 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Mon, 6 Apr 2009 22:09:13 +0500
Subject: [c-nsp] EEM event-manager and "event none" question.
In-Reply-To: <1239034684.13422.5.camel@dsba-ipso>
References: <1239034684.13422.5.camel@dsba-ipso>
Message-ID: <9149d2410904061009x730a3788u68a687e6b0c19783@mail.gmail.com>

Hi,

You have to use "event none", under "event manager applet A-EU-UP", if you want to do so.

On Mon, Apr 6, 2009 at 9:18 PM, luismi wrote:
> I have this code...
>
> event manager applet A-EU-UP
>  event track 10 state up
>  action 1.0 syslog msg "Track 10 Up. Houston we don't have a problem"
>  action 2.0 cli command "enable"
>  action 3.0 cli command "conf t"
>  action 4.0 cli command ""
>
> I tried to execute...
> # event manager run A-EU-UP
> Embedded Event Manager policy EU-ACEL-BACKUP-OFF not registered with
> event none Event Detector
>
> What is the reason for that message?
> Looks like the EEM code is not running.
> As far as I can read at documentation found with google, I need "event
> none" at the beginning of the applet, but, what is the reason for it?
> When "event none" must be used?

--
Regards,
M Usman Ashraf

From asturluismi at gmail.com Mon Apr 6 13:10:58 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 06 Apr 2009 19:10:58 +0200
Subject: [c-nsp] EEM event-manager and "event none" question.
In-Reply-To: <49DA3283.1030101@forthnet.gr>
References: <1239034684.13422.5.camel@dsba-ipso> <49DA3283.1030101@forthnet.gr>
Message-ID: <1239037858.13422.17.camel@dsba-ipso>

I just did a test right now. The applet is running ok without "event none" as expected, seems to be that is monitoring the track 10 without more manual intervention as I can see in the output of "sh track 10"

On Mon, 06-04-2009 at 19:49 +0300, Tassos Chatzithomaoglou wrote:
> Event none is used if you want to manually run the eem applet, like you tried to do.
>
> In your case (i guess you need to test your applet), you can create a 2nd applet that uses event none and just sets the
> track 10 state to up (action 1.0 track set 10 state up).
> That way you can run the 2nd applet manually which in turn should trigger the 1st applet to run automatically.
> Just keep an eye on any other consequences this manual track state change might have on your router.
>
> --
> Tassos

From tdurack at gmail.com Mon Apr 6 16:02:20 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 6 Apr 2009 16:02:20 -0400
Subject: [c-nsp] same-router tunnel loopback
In-Reply-To: <9e246b4d0904041629i7fd97176obf8097ee2b4d2390@mail.gmail.com>
References: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com> <20090404085652.GR290@greenie.muc.de> <9e246b4d0904041629i7fd97176obf8097ee2b4d2390@mail.gmail.com>
Message-ID: <9e246b4d0904061302l1f2c5ad7rec292c3b986052cd@mail.gmail.com>

>> (Maybe it's just the /127 - try with /124 or /64, just to be sure)

Tried a /112, same problem.

I wonder if the issue is recirculation. I already need "mls mpls tunnel-recir" to support IPv4 traffic crossing the tunnel. Given that IPv6 requires recirculation for regular forwarding, is there a limit to the amount of recirc that can take place?
Perhaps I'm trying to do something weird that no one else has tried...

Tim:>

From lists at memetic.org Mon Apr 6 16:18:23 2009
From: lists at memetic.org (Adam Armstrong)
Date: Mon, 06 Apr 2009 21:18:23 +0100
Subject: [c-nsp] client mac address on LNS??
In-Reply-To: <003501c9b675$547f7d80$fd7e7880$@net.pk>
References: <003501c9b675$547f7d80$fd7e7880$@net.pk>
Message-ID: <49DA638F.6070106@memetic.org>

Why aren't you just using the username for accounting?

> Dear Friends!
>
> I have a setup in which DSL users connect to a LNS via L2TP. Everything is
> working fine, however on LNS I am not receiving any MAC address for the DSL
> Users( Type PPPoVPDN). This is my standard crucial requirement for
> generating several reports for management purposes.
>
> Can someone tell me if it is possible to get Mac-address for the VPDN
> users??? I am getting mac-address for PPPoE type users which are terminated
> on my BRAS.
>
> Attach is the debug output for both LNS and BRAS which shows that
> mac-address field is missing in LNS output.
>
> ######### LNS output (domain stripping is used) ##########
>
> Apr 6 04:29:47.020: RADIUS(00001037): Send Access-Request to 10.10.10.10:3312 id 1645/44, len 123
> Apr 6 04:29:47.020: RADIUS:  Framed-Protocol    [7]   6   PPP                       [1]
> Apr 6 04:29:47.020: RADIUS:  User-Name          [1]   11  "testuser7"
> Apr 6 04:29:47.020: RADIUS:  User-Password      [2]   18  *
> Apr 6 04:29:47.020: RADIUS:  NAS-Port           [5]   6   370
> Apr 6 04:29:47.020: RADIUS:  NAS-Port-Id        [87]  17  "Uniq-Sess-ID370"
> Apr 6 04:29:47.020: RADIUS:  Connect-Info       [77]  9   "1920000"
> Apr 6 04:29:47.020: RADIUS:  NAS-Port-Type      [61]  6   Virtual                   [5]
> Apr 6 04:29:47.020: RADIUS:  Service-Type       [6]   6   Framed                    [2]
> Apr 6 04:29:47.020: RADIUS:  NAS-IP-Address     [4]   6   1.1.1.1
> Apr 6 04:29:47.020: RADIUS:  Acct-Session-Id    [44]  18  "CAA36E5A00001058"
> Apr 6 04:29:47.308: RADIUS: Received from id 1645/44 10.10.10.10:3312, Access-Accept, len 37
> Apr 6 04:29:47.308: RADIUS:  Class              [25]  5
> Apr 6 04:29:47.308: RADIUS:   50 49 4E              [PIN]
> Apr 6 04:29:47.308: RADIUS:  Service-Type       [6]   6   Framed                    [2]
> Apr 6 04:29:47.308: RADIUS:  Framed-Protocol    [7]   6   PPP                       [1]
> Apr 6 04:31:47.100: RADIUS(00001038): Received from id 1645/45
> Apr 6 04:31:47.100: VT[Vi3.1]:Request took 0 msec, 0 msec processing time
> Apr 6 04:31:47.100: uid:371 Tnl/Sn 58894/504 L2TP: Virtual interface created for testuser7 at best-dsl bandwidth 1920 Kbps
> Apr 6 04:31:47.100: Vi3.1 Tnl/Sn 58894/504 L2TP: Virtual interface created for testuser7 at best-dsl, bandwidth 1920 Kbps
> Apr 6 04:31:47.100: Vi3.1 Tnl/Sn 58894/504 L2TP: VPDN session up
> Apr 6 04:31:47.220: RADIUS/ENCODE(00001038):Orig. component type = VPDN
>
> Cisco-3845-L2TP-LNS#show users
>
> Interface    User                  Mode       Idle   Peer Address
> Vi3.1        testuser7 at best-ds    PPPoVPDN   -      1.1.1.233
>
> ######### BRAS output ##########
>
> *Mar 1 00:13:15.367: RADIUS(00000009): Send Access-Request to 10.10.10.10:3312 id 1645/6, len 167
> *Mar 1 00:13:15.367: RADIUS:  Vendor, Cisco      [26]  41
> *Mar 1 00:13:15.367: RADIUS:   Cisco AVpair      [1]   35  "client-mac-address=000f.a392.4bef"
> *Mar 1 00:13:15.367: RADIUS:  Framed-Protocol    [7]   6   PPP                       [1]
> *Mar 1 00:13:15.367: RADIUS:  User-Name          [1]   11  "testuser6"
> *Mar 1 00:13:15.367: RADIUS:  User-Password      [2]   18  *
> *Mar 1 00:13:15.367: RADIUS:  NAS-Port-Type      [61]  6   Virtual                   [5]
> *Mar 1 00:13:15.367: RADIUS:  Vendor, Cisco      [26]  18
> *Mar 1 00:13:15.367: RADIUS:   cisco-nas-port    [2]   12  "3/0/0/0.36"
> *Mar 1 00:13:15.367: RADIUS:  NAS-Port           [5]   6   805306404
> *Mar 1 00:13:15.367: RADIUS:  Service-Type       [6]   6   Framed                    [2]
> *Mar 1 00:13:15.371: RADIUS:  NAS-IP-Address     [4]   6   1.1.1.1
> *Mar 1 00:13:15.371: RADIUS:  Acct-Session-Id    [44]  29  "3/0/0/0.36_CAA3693A0000000E"
> *Mar 1 00:13:15.519: RADIUS: Received from id 1645/6 10.10.10.10:3312, Access-Accept, len 37
> *Mar 1 00:13:15.519: RADIUS:  Class              [25]  5
> *Mar 1 00:13:15.519: RADIUS:   50 49 4E              [PIN]
> *Mar 1 00:13:15.519: RADIUS:  Service-Type       [6]   6   Framed                    [2]
> *Mar 1 00:13:15.519: RADIUS:  Framed-Protocol    [7]   6   PPP                       [1]
> *Mar 1 00:13:15.523: RADIUS(00000009): Received from id 1645/6
> *Mar 1 00:13:15.643: RADIUS/ENCODE(00000009):Orig. component type = PPoE
>
> Cisc-3640-BRAS-And-L2TP-LAC# show user
>
> Interface    User                  Mode       Idle       Peer Address
> Vi2.1        testuser6             PPPoE      00:03:25   2.2.2.244
>
> Best Regards,
>
> Asad Ul-Islam

From billw at waveform.net Mon Apr 6 16:34:34 2009
From: billw at waveform.net (Bill Wichers)
Date: Mon, 6 Apr 2009 16:34:34 -0400
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006

I have a strange problem getting an Etherchannel link between a 7507 and a Cat 4006. Basically everything works, but the two FE interfaces on the 7507 (both in the same VIP) keep dropping their "full-duplex" config and reporting "unknown duplex" instead. Traffic works across the link, load is about the same on both member links, only the weird duplex problem - which is causing some errors to show on the port.

Config on the switch is very simple:

set port speed 2/1-2 100
set port duplex 2/1-2 full

set trunk 2/1 on dot1q 1-1005,1025-4094
set trunk 2/2 on dot1q 1-1005,1025-4094
set port channel 2/1-2 mode on

Just two FE interfaces in the group.

Config on the router isn't very complicated either:

interface Port-channel1
 no ip address
 load-interval 30
 hold-queue 150 in
!
interface FastEthernet1/0/0
 description EC to core switch 2/1
 no ip address
 channel-group 1
!
interface FastEthernet1/1/0
 description EC to core switch 2/2
 no ip address
 channel-group 1
!

There are a few virtual interfaces on the port-channel using 802.1q tags and they all seem to work, they're setup the usual way of "port-channel 1.123 / encap dot1q 123 ... etc.

Router is running 12.2(6a), cat is running 8.4(8)GLX. There is no fancy L3 blade in the cat.
It seems like the router is just losing the 'full-duplex' part of the config of the two member links and aside from that everything seems to work. Any ideas?

-Bill

From mksmith at adhost.com Mon Apr 6 18:05:20 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 6 Apr 2009 15:05:20 -0700
Subject: [c-nsp] same-router tunnel loopback
In-Reply-To: <9e246b4d0904061302l1f2c5ad7rec292c3b986052cd@mail.gmail.com>
References: <9e246b4d0904031314p5db46d44uf8dac478cc22ae05@mail.gmail.com> <20090404085652.GR290@greenie.muc.de> <9e246b4d0904041629i7fd97176obf8097ee2b4d2390@mail.gmail.com> <9e246b4d0904061302l1f2c5ad7rec292c3b986052cd@mail.gmail.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605D17479@ad-exh01.adhost.lan>

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Monday, April 06, 2009 1:02 PM
To: cisco-nsp at puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] same-router tunnel loopback

>> (Maybe it's just the /127 - try with /124 or /64, just to be sure)

Tried a /112, same problem.

I wonder if the issue is recirculation. I already need "mls mpls tunnel-recir" to support IPv4 traffic crossing the tunnel. Given that IPv6 requires recirculation for regular forwarding, is there a limit to the amount of recirc that can take place?

Perhaps I'm trying to do something weird that no one else has tried...

[Michael K. Smith - Adhost] Do you need the "tunnel mode ipv6ip" on the tunnel interface perhaps?
Regards,

Mike

From p.mayers at imperial.ac.uk Mon Apr 6 18:45:18 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 6 Apr 2009 23:45:18 +0100
Subject: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
In-Reply-To: <1239036742.4684.33.camel@localhost.localdomain>
References: <46659.69.30.17.85.1239029500.squirrel@www.woofpaws.com> <1239036742.4684.33.camel@localhost.localdomain>
Message-ID: <20090406224518.GA12346@wildfire.net.ic.ac.uk>

On Mon, Apr 06, 2009 at 05:52:22PM +0100, Peter Rathlev wrote:
>> > this amount of load.
>>
>> That really depends on the features you enable. Try doing full
>> netflow on a sup720 doing a few hundred mbit's of traffic, and they're
>> suddenly not so mighty.
>
> Sorry if I repeat myself, but I don't understand this problem. We export
> netflow from Sup720-3Bs often carrying >1 Gbit/s and the processor
> hardly seems to notice. And it's with an if-full flowmask. We're still
> on SXF but I sincerely hope SXH/SXI behave the same way for us.
>
> Am I missing something here?

I am assuming Jon has a lot of flows. We too run if-full on multiple tens of gigabits, with no issues (and on-3B, not XL), but I guess it depends on your traffic mix.

From ler762 at gmail.com Mon Apr 6 19:47:11 2009
From: ler762 at gmail.com (Lee)
Date: Mon, 6 Apr 2009 19:47:11 -0400
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006

My experience has been that setting the speed and duplex on a catalyst switch stops it from doing auto-negotiation. So with the switch ports set to 100/full I'd expect the 7500 ports to come up as 100/half. But we don't have any cat4006s at work.. I don't know if they do auto-negotiation even if the port speed and duplex is configured,

Lee

On 4/6/09, Bill Wichers wrote:
> I have a strange problem getting an Etherchannel link between a 7507 and
> a Cat 4006. Basically everything works, but the two FE interfaces on the
> 7507 (both in the same VIP) keep dropping their "full-duplex" config and
> reporting "unknown duplex" instead. Traffic works across the link, load
> is about the same on both member links, only the weird duplex problem -
> which is causing some errors to show on the port.

From sf at lists.esoteric.ca Mon Apr 6 21:12:11 2009
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Mon, 06 Apr 2009 21:12:11 -0400
Subject: [c-nsp] SIP-400 and 10GbE SPA
Message-ID: <49DAA86B.5070306@lists.esoteric.ca>

According to the SIP/SPA compatibility matrix:

http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/7600series/76intro.html#wp1131939

The SPA-1X10GE-L-V2 is compatible with SIP-400. As always, verify with your Cisco SE.

-- Stephen

MKS wrote:
> Hi There
>
> According to cisco SIP-400 can
> "Ability to run 4 GE line rate for 64-byte packets, and OC-48 line
> rate for 48-byte packets for POS, HDLC, etc. with select services"
> https://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html
>
> Can someone please clarify what exactly this means.
>
> Also if I put a 10GbE SPA into a SIP-400 what is the expected
> performance of that?
>
> Thanks
> //MKS

From asad747 at cyber.net.pk Mon Apr 6 23:49:35 2009
From: asad747 at cyber.net.pk (Asad Ul-Islam)
Date: Tue, 07 Apr 2009 08:49:35 +0500
Subject: [c-nsp] client mac address on LNS??
In-Reply-To: <49DA638F.6070106@memetic.org>
References: <003501c9b675$547f7d80$fd7e7880$@net.pk> <49DA638F.6070106@memetic.org>
Message-ID: <001e01c9b733$de42baa0$9ac82fe0$@net.pk>

We do accounting on usernames obviously. But client-mac-address is our policy requirement for generating certain security related reports.
-----Original Message-----
From: Adam Armstrong [mailto:lists at memetic.org]
Sent: Tuesday, April 07, 2009 1:18 AM
To: Asad Ul-Islam
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] client mac address on LNS??

Why aren't you just using the username for accounting?

> Dear Friends!
>
> I have a setup in which DSL users connect to a LNS via L2TP. Everything is
> working fine, however on LNS I am not receiving any MAC address for the DSL
> Users( Type PPPoVPDN). This is my standard crucial requirement for
> generating several reports for management purposes.
>
> Can someone tell me if it is possible to get Mac-address for the VPDN
> users??? I am getting mac-address for PPPoE type users which are terminated
> on my BRAS.
>
> Attach is the debug output for both LNS and BRAS which shows that
> mac-address field is missing in LNS output.

From tedm at toybox.placo.com Tue Apr 7 01:11:23 2009
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 06 Apr 2009 22:11:23 -0700
Subject: [c-nsp] Router failure - config lost?
In-Reply-To: <49BE24F9.4010903@gmx.de>
References: <49BE24F9.4010903@gmx.de>
Message-ID: <49DAE07B.9080901@toybox.placo.com>

Garry wrote:
> Hi *
>
> I've got something of a question that's not necessarily a clear
> technical problem or config problem ... rather just scoping as to
> whether other people have come across this, too ...
>
> We have a customer who has some 400+ locations. All of these are
> connected to the central office via an MPLS-based network, using aDSL
> lines. Every location has an identical 876-W-G-E-k9 router, with (apart
> from DSL username and IP address) identical config. This network has now
> been in operation for something like 18 months, and is working nicely.
>
> Now, on average 1-2 locations per month go down, losing DSL
> connectivity, and even a power-cycle and DSL port reset by the
> DSL-provider won't work, at which point we configure a replacement
> router and send it out. We usually get the defective router back for
> analysis, and apart from a handful of cases in which the routers were
> physically damaged (lightning, spikes on the power supply etc.), most of
> the defective routers have simply lost their configuration file. On one
> occasion, the whole router flash was cleared, removing the IOS.
> On yet another occasion, I think we found the stock config file (the one with
> the large header, "cisco" login etc.) on the router (which I thought was
> really weird).
>
> In all those cases, we have opted to re-use the router, if for nothing
> else than to see whether it was an actual hardware defect ... to date,
> no router has shown that behavior twice (we track the ser#).
>
> As for the configs/routers themselves, the locations do not have any
> username/pw to log in to the routers. External access shouldn't be
> possible, as the network itself has no direct Internet connectivity.
>
> Has anybody else here ever experienced effects like this?

Yes, with the 827-4V. Exact same symptoms, flash wiped, including the nvram - fortunately someone put a page up somewhere explaining how to recover a wiped nvram.

Putting the thing behind a VERY good UPS might help. You also want to put a surge suppressor on the telephone line the DSL signal is coming in on.

Beyond that, cheap router, whaddayah expect? I gave up on the all-in-one 8xx DSL solutions on DSL ages ago. Today I send out separate DSL modems in bridged mode and use ethernet-to-ethernet routers. If the DSL modem goes tits up it's cheap enough to just overnight another one out and tell them to throw away the modem.

Ted

From pigsign.pykota at gmail.com Tue Apr 7 03:03:54 2009
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 7 Apr 2009 15:03:54 +0800
Subject: [c-nsp] How can enable PfR PIRO function on IOS 12.4(24)T

Hi,

The Cisco introduced PfR can support OSPF as parent route on IOS 12.4(24)T and this term is PIRO (Protocol Independent Route Optimization). Detail link this:

http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/oer-trf_rte_ctl.html#wp1060987

But when I use 12.4(24)T in Cisco 1812 module, I didn't see any PIRO information can support OSPF when I type 'sh oer master prefix', like below...

#sh oer master prefix
192.168.1.2/32   DEFAULT*   92   172.17.11.254   Tu11   U U U   0 0 0 0   N N N N   1 1

#sh ip route ospf
O    192.168.1.0/24 [110/11] via 10.0.0.1, 02:46:06, Tunnel11
                    [110/11] via 10.1.1.1, 02:46:06, Tunnel12

Before 12.4(24)T, I use static route as parent route and it works well. But I really want to use OSPF as PfR parent route because static route would make route fail when gateway couldn't arrive.

Anyone have idea about this ?

Thanks and Regards,
Pigsign

From md at bts.sk Tue Apr 7 03:37:49 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Tue, 7 Apr 2009 09:37:49 +0200
Subject: [c-nsp] 10GE card for 7609
In-Reply-To: <20090406162400.GA16201@mx.ytti.net>
References: <863386.41277.qm@web44809.mail.sp1.yahoo.com> <20090330151600.GA408@roxanne.org> <49D1BE37.8060402@skoal.name> <20090331074620.GV290@greenie.muc.de> <49D1CDD4.3080301@skoal.name> <20090331201210.GF51443@gerbil.cluepon.net> <20090406161117.GA56528@bts.sk> <20090406162400.GA16201@mx.ytti.net>
Message-ID: <20090407070909.M61817@bts.sk>

On Mon, 6 Apr 2009 19:24:00 +0300, Saku Ytti wrote
> 3. Topologies used
> c) anritsu --darkfibre-- ten7/1:7600:ten7/2 --darkfibre-- anritsu
>
> 4. Pure IP performance
> 4.1 no features configured, plain IP routing
> c) 64bytes does 87.5% of linerate, rate approaches 100% as size grows,

This is expected result - it's the 26 Mpps limit in Janus ASIC.

> but is both bps and pps bound, so no configuration of packet size
> and interval got 100%.

That is strange. There is no bandwidth limitation between the ports and Janus, so it looks like something was broken in older IOS versions.

M.
From lists at memetic.org Tue Apr 7 05:25:26 2009
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 07 Apr 2009 10:25:26 +0100
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
Message-ID: <49DB1C06.60506@memetic.org>

Lee wrote:
> My experience has been that setting the speed and duplex on a catalyst
> switch stops it from doing auto-negotiation. So with the switch ports
> set to 100/full I'd expect the 7500 ports to come up as 100/half. But
> we don't have any cat4006s at work.. I don't know if they do
> auto-negotiation even if the port speed and duplex is configured,
>

Setting duplex disables autonegotiation (setting speed doesn't disable duplex negotiation).

When you force duplex on a port, the port stops participating in the autonegotiation and forces itself to the setting you give it. This causes the opposite port (if it's autonegotiating) to always drop to half duplex.

As a general rule, you shouldn't force the duplex on a port unless the autonegotiation fails! (as it does on some quite old hardware)

adam.

From gert at greenie.muc.de Tue Apr 7 05:42:08 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 7 Apr 2009 11:42:08 +0200
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
In-Reply-To: <49DB1C06.60506@memetic.org>
References: <49DB1C06.60506@memetic.org>
Message-ID: <20090407094208.GZ290@greenie.muc.de>

Hi,

On Tue, Apr 07, 2009 at 10:25:26AM +0100, Adam Armstrong wrote:
> As a general rule, you shouldn't force the duplex on a port unless the
> autonegotiation fails! (as it does on some quite old hardware)

... and the context of *this* discussion is likely involving PA-FE-TX's, which are "quite old hardware", and cannot do any sort of autoneg.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Tue Apr 7 05:52:59 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 7 Apr 2009 10:52:59 +0100
Subject: [c-nsp] cisco IOS ip helper-address and MADCAP
Message-ID: <20090407095259.GC25441@lboro.ac.uk>

hi,

just a quick question to pique some folks' interest on a Monday morning....and since I didn't get an answer from google et al.

does anyone know if cisco 'ip helper-address' can deal with MADCAP (multicast address assignment via DHCP - also known in some circles as MDHCP)? I know there is very little server support for this - it seems, currently, that only the microsoft DHCP server can deal with this type of request - I want to know whether, if such a server were deployed, the requests from other VLANs would reach it as they currently do with standard DHCP (we use ISC DHCPD)

alan

From lists at memetic.org Tue Apr 7 05:55:33 2009
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 07 Apr 2009 10:55:33 +0100
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
In-Reply-To: <20090407094208.GZ290@greenie.muc.de>
References: <49DB1C06.60506@memetic.org> <20090407094208.GZ290@greenie.muc.de>
Message-ID: <49DB2315.5010806@memetic.org>

Gert Doering wrote:
> Hi,
>
> On Tue, Apr 07, 2009 at 10:25:26AM +0100, Adam Armstrong wrote:
>
>> As a general rule, you shouldn't force the duplex on a port unless the
>> autonegotiation fails! (as it does on some quite old hardware)
>>
>
> ... and the context of *this* discussion is likely involving PA-FE-TX's,
> which are "quite old hardware", and cannot do any sort of autoneg.
>

True, so the ports should probably be nailed to full at both sides.

adam.
From cklam at ias.edu Tue Apr 7 08:57:38 2009
From: cklam at ias.edu (Christina Klam)
Date: Tue, 07 Apr 2009 08:57:38 -0400
Subject: [c-nsp] Squid cannot see wccp traffic through GRE Tunnel
Message-ID: <49DB4DC2.4070509@ias.edu>

All,

We have been having some problems with wccpv2 working through a GRE tunnel between a 6504e (version s3223-ipservicesk9_wan-mz.122-33.SXI.bin) and a Squid server (RHEL5). The tunnel is up; and we can see GRE traffic on both sides. WCCP is up as well. But, when we try to redirect wccp traffic to the Squid server, the Squid server never receives it. We are not having this problem on a separate network where we are using wccp but not through a GRE tunnel. Any ideas?

interface Tunnel2
 description GRE_Squid
 ip address 172.16.X.Y 255.255.255.252
 ip wccp web-cache redirect out
 tunnel source Loopback1
 tunnel destination 172.16.C.C
end

interface Loopback1
 ip address 172.16.X.A 255.255.255.255
 ip wccp web-cache redirect out
 ip flow ingress

Internet facing interface:
interface Vlan3
 description #Uplink_Packeteer_Nitroguard_FW#
 ip address 172.16.X.X 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in
 ip flow ingress

gateway-resnet#sh ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          172.16.X.Z
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:       00000000000000000000000000000000
                                 00000000000000000000000000000000
        Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  0
        Connect Time:            01:21:48
        Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0

gateway-resnet#sh int tunn 2
Tunnel2 is up, line protocol is up
  Hardware is Tunnel
  Description: GRE_Squid
  Internet address is 172.16.X.Y/30
  MTU 17868 bytes, BW 100 Kbit, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 172.16.X.A (Loopback1), destination 172.16.C.C
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     226578 packets input, 47805578 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     114505 packets output, 23682296 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

sh log:
Mar 11 14:58:09 172.16.X.X 1654: Mar 11 14:58:08.985 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 64.233.161.147(0), 3 packets
Mar 11 14:58:09 172.16.X.X 1655: Mar 11 14:58:08.989 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 209.85.133.101(0), 3 packets
Mar 11 14:59:10 172.16.X.X 1658: Mar 11 14:59:09.013 EST: %SEC-6-IPACCESSLOGP: list Squid permitted tcp 172.16.B.B(0) -> 209.85.133.102(0), 2 packets

Squid ACL:
Extended IP access list SquidProxy
    10 permit tcp host 172.16.A.A any log
    20 permit tcp host 172.16.B.B any log (1220 matches)
    30 deny ip any any (118 matches)

Thank you,

-- Christina

From adrian at creative.net.au Tue Apr 7 09:38:57 2009
From: adrian at creative.net.au (Adrian Chadd)
Date: Tue, 7 Apr 2009 21:38:57 +0800
Subject: [c-nsp] Squid cannot see wccp traffic through GRE Tunnel
In-Reply-To: <49DB4DC2.4070509@ias.edu>
References: <49DB4DC2.4070509@ias.edu>
Message-ID: <20090407133857.GE2446@skywalker.creative.net.au>

On Tue, Apr 07, 2009, Christina Klam wrote:
> All,
>
> We have been having some problems with wccpv2 working through a GRE
> tunnel between a 6504e (version
> s3223-ipservicesk9_wan-mz.122-33.SXI.bin) and a Squid server (RHEL5).
> The tunnel is up; and we can see GRE traffic on both sides. WCCP is up

Error - don't use a GRE tunnel with a 65xx series switch.

> as well. But, when we try to redirect wccp traffic to the Squid
> server, the Squid server never receives it. We are not having this
> problem on a separate network where we are using wccp but not through a
> GRE tunnel. Any ideas?

Don't use GRE redirection/return. Use L2 redirection and return. Use mask assignment rather than hash assignment. The traffic will then stay 100% in the hardware path.

Anyway, for GRE redirection, you don't configure up a tunnel on the Cisco router - the router just prepends the GRE packet header onto it.
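To make Adrian's last point concrete, an added example (not from the thread, not Squid or IOS code) that decodes a WCCPv2 GRE-redirected packet the way the cache host sees it: a bare GRE header with protocol type 0x883E, an optional 4-byte WCCP redirect header, then the client's original IP packet, so there is no tunnel endpoint to configure on the router. The sample packet is constructed inline; detecting the redirect header by checking whether the next byte carries an IPv4 version nibble mirrors what the Linux GRE receiver does for protocol 0x883E.

```python
"""Decode a WCCPv2 GRE-redirected packet as the cache host receives it.

Added example for the thread above, not code from the original posts, Squid
or IOS. The sample packet is constructed here. The 4-byte redirect-header
detection (skip it when the byte after GRE is not an IPv4 version nibble)
mirrors the Linux GRE receiver's handling of protocol 0x883E.
"""
import socket
import struct

GRE_PROTO_WCCP = 0x883E   # protocol type the router puts in the GRE header for WCCP
GRE_PROTO_IPV4 = 0x0800   # plain IP-in-GRE, for comparison
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


class GreError(ValueError):
    """Raised when the buffer is not a GRE/WCCP redirect we can decode."""


def parse_wccp_gre(payload: bytes) -> dict:
    """Parse the payload of an IP protocol-47 packet carrying a WCCP redirect.

    Returns GRE flags and protocol, whether a WCCPv2 redirect header was
    present, and the inner IPv4 (and TCP port) fields the cache acts on.
    Nothing here depends on a tunnel interface: the outer IP header carries
    the router's and the cache's real addresses and the GRE header is bare.
    """
    if len(payload) < 4:
        raise GreError("short GRE header")
    flags_ver, proto = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:
        raise GreError("only GRE version 0 is used for WCCP redirection")
    offset = 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags_ver & flag:          # each optional RFC 2784/2890 field is 4 bytes
            offset += 4
    if proto not in (GRE_PROTO_WCCP, GRE_PROTO_IPV4):
        raise GreError(f"unexpected GRE protocol 0x{proto:04x}")
    if len(payload) <= offset:
        raise GreError("no payload after GRE header")

    redirect_header = False
    if proto == GRE_PROTO_WCCP and (payload[offset] >> 4) != 4:
        # WCCPv2 inserts a 4-byte redirect header before the client's IP
        # packet; WCCPv1 did not. An IPv4 header always starts with nibble 4.
        redirect_header = True
        offset += 4

    inner = payload[offset:]
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        raise GreError("inner packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", inner[2:4])
    result = {
        "gre_flags": flags_ver,
        "gre_proto": proto,
        "wccp_redirect_header": redirect_header,
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "ip_proto": inner[9],
        "total_len": total_len,
    }
    if inner[9] == 6 and len(inner) >= ihl + 4:   # TCP: pull the ports too
        result["sport"], result["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result


def is_wccp_redirect(payload: bytes) -> bool:
    """True when the buffer decodes as a WCCP GRE redirect, False otherwise."""
    try:
        return parse_wccp_gre(payload)["gre_proto"] == GRE_PROTO_WCCP
    except GreError:
        return False


def build_sample(redirect_header: bool = True) -> bytes:
    """Constructed sample: bare GRE header (proto 0x883E), optional 4-byte
    WCCPv2 redirect header, then a minimal IPv4/TCP SYN from a constructed
    client 172.16.1.10:40000 to 64.233.161.147:80 (a destination from the
    ACL log above)."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_WCCP)
    # Constructed redirect header; only its presence matters to the parser.
    wccp = b"\x00\x00\x00\x00" if redirect_header else b""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("172.16.1.10"),
                     socket.inet_aton("64.233.161.147"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return gre + wccp + ip + tcp


if __name__ == "__main__":
    for with_hdr in (True, False):
        print(parse_wccp_gre(build_sample(with_hdr)))
```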
Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From juliano_luz at sicredi.com.br Tue Apr 7 09:55:01 2009
From: juliano_luz at sicredi.com.br (Juliano Luz - Sicredi)
Date: Tue, 7 Apr 2009 10:55:01 -0300
Subject: [c-nsp] RES: Squid cannot see wccp traffic through GRE Tunnel
In-Reply-To: <49DB4DC2.4070509@ias.edu>
References: <49DB4DC2.4070509@ias.edu>
Message-ID: <004c01c9b788$727deba0$5779c2e0$@com.br>

Maybe a problem related to MTU size? Check
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

From alasdairm at gmail.com Tue Apr 7 10:22:04 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Tue, 7 Apr 2009 15:22:04 +0100
Subject: [c-nsp] BGP across continents

Hi,

I am setting up a multihomed hosting centre in Europe. As part of the service offered we will be providing Disaster Recovery services, using our ability to re-route customer IP prefixes, through to another hosting centre in Canada. We have a requirement for some prefixes within our net block to always be available in Canada, and some to always be available in Europe.

So, I am wondering if someone can clarify my thoughts re. the AS numbers required for this: can I use the same ASN at both locations (both of which will have different upstreams) or will they reject prefixes from one another? For example, Canada will see a prefix from Europe with the same ASN in the AS-Path and drop it. Likewise Europe will drop Canada prefixes because it can see the same AS in the AS-Path.

Is there any way around this or is the only option to request a second ASN?
Cheers
Alasdair

From jjsurlenet at hotmail.fr Tue Apr 7 10:23:54 2009
From: jjsurlenet at hotmail.fr (JJ JJ)
Date: Tue, 7 Apr 2009 16:23:54 +0200
Subject: [c-nsp] remove
In-Reply-To: <20090407133857.GE2446@skywalker.creative.net.au>
References: <49DB4DC2.4070509@ias.edu> <20090407133857.GE2446@skywalker.creative.net.au>

remove

From jzp-cnsp at rsuc.gweep.net Tue Apr 7 10:30:41 2009
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Tue, 7 Apr 2009 10:30:41 -0400
Subject: [c-nsp] BGP across continents
Message-ID: <20090407143039.GA47565@gweep.net>

On Tue, Apr 07, 2009 at 03:22:04PM +0100, Alasdair McWilliam wrote:
[snip]
> Is there any way around this or is the only option to request a second ASN?

Among the "give you enough rope" options, "neighbor allowas-in"; use with caution. There are many other options, including to build tunnels between the sites and treat them as a logical single entity.
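An added example (not from the thread and not IOS code) modelling the check Alasdair describes and what Joe's `neighbor allowas-in` relaxes: the receiving site drops any UPDATE whose AS_PATH already carries its own ASN, allowas-in tolerates up to N occurrences, and the same knob also lets a genuine routing loop through unless the count is kept low, which is the "use with caution" part. ASNs and the prefix are constructed; the default of three permitted occurrences is taken from the IOS command documentation and is an assumption for other platforms.

```python
"""AS_PATH loop detection vs. 'neighbor allowas-in' for one ASN at two sites.

Added example for the thread above; not from the original posts and not
IOS code. ASNs and prefixes are constructed (private/documentation ranges).
The default of three permitted occurrences when allowas-in is given without
a count follows the IOS command documentation; treat it as an assumption
for other platforms.
"""
from dataclasses import dataclass
from typing import Tuple

IOS_ALLOWAS_IN_DEFAULT = 3


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]        # leftmost entry is the most recent AS


@dataclass(frozen=True)
class Peer:
    name: str
    remote_as: int
    allowas_in: int = 0             # 0 = strict loop check (no allowas-in configured)


def advertise(local_as: int, route: Route) -> Route:
    """What an eBGP speaker sends onward: its own ASN prepended to AS_PATH."""
    return Route(route.prefix, (local_as,) + route.as_path)


def accept_ebgp_update(local_as: int, peer: Peer, route: Route) -> Tuple[bool, str]:
    """Inbound eBGP checks relevant to the thread.

    1. enforce-first-as (on by default in IOS): leftmost AS must be the peer's.
    2. RFC 4271 loop check: our own AS anywhere in AS_PATH means drop,
       unless allowas-in tolerates up to N occurrences.
    """
    if not route.as_path or route.as_path[0] != peer.remote_as:
        return False, "dropped: first AS in path is not the peer's AS"
    hits = route.as_path.count(local_as)
    if hits == 0:
        return True, "accepted: own AS not in path"
    if hits <= peer.allowas_in:
        return True, f"accepted: own AS seen {hits}x, within allowas-in {peer.allowas_in}"
    return False, f"dropped: own AS seen {hits}x, AS_PATH loop"


def simulate_two_sites() -> dict:
    """Europe and Canada both run AS 65000; Europe originates a prefix that
    reaches Canada through two different upstreams."""
    asn_hosting, asn_eu_up, asn_ca_up = 65000, 65010, 65020   # constructed
    origin = Route("192.0.2.0/24", ())
    # Europe -> EU upstream -> CA upstream -> Canada site
    via_ca_upstream = advertise(
        asn_ca_up, advertise(asn_eu_up, advertise(asn_hosting, origin)))
    strict = Peer("ca-upstream", asn_ca_up)
    relaxed = Peer("ca-upstream", asn_ca_up, allowas_in=IOS_ALLOWAS_IN_DEFAULT)
    tight = Peer("ca-upstream", asn_ca_up, allowas_in=1)
    # A genuine loop: the prefix has already passed through AS 65000 twice.
    looped = Route("192.0.2.0/24", (asn_ca_up, asn_hosting, asn_eu_up, asn_hosting))
    return {
        "path_seen_in_canada": via_ca_upstream.as_path,
        "strict": accept_ebgp_update(asn_hosting, strict, via_ca_upstream),
        "allowas_in_default": accept_ebgp_update(asn_hosting, relaxed, via_ca_upstream),
        "real_loop_default": accept_ebgp_update(asn_hosting, relaxed, looped),
        "real_loop_count_1": accept_ebgp_update(asn_hosting, tight, looped),
    }


if __name__ == "__main__":
    for name, outcome in simulate_two_sites().items():
        print(f"{name:22s} {outcome}")
```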
-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From rodunn at cisco.com Tue Apr 7 11:46:47 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 7 Apr 2009 11:46:47 -0400
Subject: [c-nsp] NAT on ASR1000
Message-ID: <20090407154647.GQ20028@rtp-cse-489.cisco.com>

Few bugs still being worked through but the 72xx and 76xx croaked under the load:

ASR1002ESP10#sh proc cpu sort | excl 0.00
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
ASR1002ESP10#sh ip nat stat
Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended)
Outside interfaces:
  GigabitEthernet0/0/0, Tunnel1
Inside interfaces:
  GigabitEthernet0/0/1, GigabitEthernet0/0/2
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 87400847

that's on 12.2(33)XNC and I just filed one bug.

CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword used

My first work on the box with NAT but this thing seems pretty impressive.

Anyone else using it for high scale nat yet?

Rodney

From emanuel.popa at gmail.com Tue Apr 7 11:51:44 2009
From: emanuel.popa at gmail.com (Emanuel Popa)
Date: Tue, 7 Apr 2009 18:51:44 +0300
Subject: [c-nsp] carrier router models comparison
Message-ID: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com>

hi there,

due to the increase in traffic volume in the last couple of years we need to really think about the future of the network. we have deployed and we are managing a 50GE multi-ring topology network with Cisco 7600 routers. i don't want to get into more details about ring topology restrictions, platform limitations regarding wire speed, huge problems with ether-channels or unpredictable load balancing behaviour. we've been using these chassis since 2004 starting with STM-16 lines and the PQ ratio looks pretty good so far.
coming back to nowadays, 40GE or 100GE is not available yet, and even if it was, the price would probably be unaffordable. and now the question pops: what is the next step? the best answer is of course a mix of multiple 10GE lines with traffic engineering and partial mesh topology and 100GE ready chassis. first thing that comes to mind is the CRS-1 platform, but it is really expensive: from under 15K per 10GE port with the Cisco 7600 you have to pay more than 75K per 10GE port with the CRS-1. so we have to take into consideration what the alternatives are. i will try a short comparison:

- Cisco CRS-1 16 Slot
--- max 64 x 10GE
--- max 32 links in a bundle
--- 40Gbps per slot
--- 100GE ready
--- multi-chassis ready
--- 10.920W max power
--- 723kg max weight
--- full rack space
--- $5.115.000,00/chassis
--- $79.921,88/10GE

- Juniper T1600
--- max 64 x 10GE
--- max 16 links in a bundle
--- 100Gbps per slot
--- 100GE ready
--- multi-chassis ready
--- 8.352W max power
--- 274,88kg max weight
--- 1/2 rack space
--- $6.547.000,00/chassis
--- $102.296,88/10GE

- Brocade/ Foundry NetIron XMR 16000
--- max 64 x 10GE
--- max 32 links in a bundle
--- 50Gbps per slot
--- 100GE ready (* only full slots)
--- single-chassis
--- 5.572W max power
--- 107,00kg max weight
--- 1/3 rack space
--- $567.515,00/chassis
--- $8.867,42/10GE

I've also been looking at Huawei, Alcatel and HP gear but haven't been able to find a device to support more than 24 x 10GE ports in a single chassis.

Here's what I'm trying to figure out:

1. are there any other devices on the market with the same hardware capabilities?

2. why the huge difference between foundry and cisco/juniper?

3. if foundry is so cheap why hasn't it gathered more market share? instead it was bought by brocade a while ago...

4. is the netiron really a carrier router more than a carrier switch? anybody experienced it?

5. how does the software perform when compared with IOS XR and JunOS?

Please, any comments are welcomed.
Best regards, Manu From elmi at 4ever.de Tue Apr 7 12:01:15 2009 From: elmi at 4ever.de (Elmar K. Bins) Date: Tue, 7 Apr 2009 18:01:15 +0200 Subject: [c-nsp] Too dumb for SLB on ASR1Ks? In-Reply-To: <20090403153128.GA12333@ronin.4ever.de> References: <20090403153128.GA12333@ronin.4ever.de> Message-ID: <20090407160115.GX29526@ronin.4ever.de> So far, I have gotten only the one response to my question. What would be the suggestion? "Ask Cisco for configuration help?" "Create a bug id?" Any ideas/guidance? I'm under the impression my basic config should be working but it doesn't... You know, any input etc... Elmar. From achatz at forthnet.gr Tue Apr 7 12:02:52 2009 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 07 Apr 2009 19:02:52 +0300 Subject: [c-nsp] NAT on ASR1000 In-Reply-To: <20090407154647.GQ20028@rtp-cse-489.cisco.com> References: <20090407154647.GQ20028@rtp-cse-489.cisco.com> Message-ID: <49DB792C.6080507@forthnet.gr> Rodney, can you do a "sh plat soft stat contr br"? -- Tassos Rodney Dunn wrote on 07/04/2009 18:46: > Few bugs still being worked through but the 72xx and 76xx croaked > under the load: > > ASR1002ESP10#sh proc cpu sort | excl 0.00 > CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > ASR1002ESP10#sh ip nat stat > Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended) > Outside interfaces: > GigabitEthernet0/0/0, Tunnel1 > Inside interfaces: > GigabitEthernet0/0/1, GigabitEthernet0/0/2 > Hits: 0 Misses: 0 > CEF Translated packets: 0, CEF Punted packets: 0 > Expired translations: 87400847 > > > that's on 12.2(33)XNC and I just filed one bug. > > CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword used > > > My first work on the box with NAT but this thing seems pretty impressive. > > Anyone else using it for high scale nat yet? 
>
> Rodney
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From achatz at forthnet.gr Tue Apr 7 12:20:41 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 07 Apr 2009 19:20:41 +0300
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com>
Message-ID: <49DB7D59.1030006@forthnet.gr>

Besides your choices, ASR 9000 should be out soon (its IOS XR Software is already available).

--
Tassos

Emanuel Popa wrote on 07/04/2009 18:51:
> hi there,
>
> due to the increase in traffic volume in the last couple of years we
> need to really think about the future of the network. we have deployed
> and we are managing a 50GE multi-ring topology network with Cisco 7600
> routers. i don't want to get into more details about ring topology
> restrictions, platform limitations regarding wire speed, huge problems
> with ether-channels or unpredictable load balancing behaviour. we've
> been using these chassis since 2004 starting with STM-16 lines and the
> PQ ratio looks pretty good so far.
>
> coming back to nowadays, 40GE or 100GE is not available yet, and even
> if it was, the price would be probably unaffordable. and now the
> question pops: what is the next step? the best answer is of course a
> mix of multiple 10GE lines with traffic engineering and partial mesh
> topology and 100GE ready chassis. first thing that comes to mind is
> the CRS-1 platform, but it is really expensive: from under 15K per
> 10GE port with the Cisco 7600 you have to pay more than 75K per 10GE
> port with the CRS-1. so we have to take into consideration what are
> the alternatives. i will try a short comparison:
>
> - Cisco CRS-1 16 Slot
> --- max 64 x 10GE
> --- max 32 links in a bundle
> --- 40Gbps per slot
> --- 100GE ready
> --- multi-chassis ready
> --- 10.920W max power
> --- 723kg max weight
> --- full rack space
> --- $5.115.000,00/chassis
> --- $79.921,88/10GE
>
> - Juniper T1600
> --- max 64 x 10GE
> --- max 16 links in a bundle
> --- 100Gbps per slot
> --- 100GE ready
> --- multi-chassis ready
> --- 8.352W max power
> --- 274,88kg max weight
> --- 1/2 rack space
> --- $6.547.000,00/chassis
> --- $102.296,88/10GE
>
> - Brocade/ Foundry NetIron XMR 16000
> --- max 64 x 10GE
> --- max 32 links in a bundle
> --- 50Gbps per slot
> --- 100GE ready (* only full slots)
> --- single-chassis
> --- 5.572W max power
> --- 107,00kg max weight
> --- 1/3 rack space
> --- $567.515,00/chassis
> --- $8.867,42/10GE
>
> I've also been looking at Huawei, Alcatel and HP gear but haven't been
> able to find a device to support more than 24 x 10GE ports in a single
> chassis.
>
> Here's what I'm trying to figure out:
>
> 1. are there any other devices on the market with same hardware capabilities?
>
> 2. why the huge difference between foundry and cisco/juniper?
>
> 3. if foundry is so cheap why hasn't it gathered more market share?
> instead it was bought by brocade a while ago...
>
> 4. is the netiron really a carrier router more than a carrier switch?
> anybody experienced it?
>
> 5. how does the software perform when comparing with IOS XR and JunOS?
>
> Please, any comments are welcomed.
>
> Best regards,
> Manu
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From r.tahina at moov.mg Tue Apr 7 11:36:23 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Tue, 07 Apr 2009 18:36:23 +0300
Subject: [c-nsp] upload to 2 upstreams
Message-ID: <7.0.1.0.2.20090407183213.04f15628@moov.mg>

Hi all,

We have two upstreams and our upload traffic is load balanced between them, when one of them is down, how can I do to send all output to the one which is still up?

Regards.

From SMESIATO at petro-canada.ca Tue Apr 7 11:53:16 2009
From: SMESIATO at petro-canada.ca (Mesiatowsky, Shawn)
Date: Tue, 7 Apr 2009 11:53:16 -0400
Subject: [c-nsp] Packet Loss on 6513
Message-ID: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE8@MSG-M1P1.pcacorp.net>

We currently have 2 6513's in our core, and we have seen packet loss on our network. I was trying to locate the source of the packet loss. We did see some input queue drops on the SVI's and physical interfaces. I had increased our queue size on the vlan interfaces to 500, and our packet drops on the svi's decreased significantly. Now I am trying to figure out why there is packet loss on the physical interfaces. We have a sup 720, and our line cards are WS-X6724-SFP and WS-X6748-SFP.
Here is a sample of an interface with high drops

GigabitEthernet2/23 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001a.2f68.7bc2 (bia 001a.2f68.7bc2)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 38/255, rxload 32/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is SX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:31, output hang never
  Last clearing of "show interface" counters 1d00h
  Input queue: 0/2000/91560/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 126671000 bits/sec, 28888 packets/sec
  5 minute output rate 151605000 bits/sec, 26499 packets/sec
     942611654 packets input, 633784740348 bytes, 0 no buffer
     Received 7319979 broadcasts (6903850 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 91560 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     891230426 packets output, 579042873963 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

I also looked at the utilization of this interface with our snmp tool, and utilization of this interface never went over 40%.

I also noticed the following, and was not sure if this was completely accurate:

show platform hardware capacity interface
Interface Resources
  Interface drops:
    Module Total drops:  Tx          Rx      Highest drop port:  Tx  Rx
    1                    0           466                         0   1
    2                    0           154228                      0   23
    3                    0           123                         0   1
    4                    0           190102                      0   21
    5                    0           446318                      0   21
    7                    3940684041  0                           1   0
    9                    0           34280                       0   7
    10                   0           5                           0   42
    11                   0           433                         0   46
    12                   0           1686                        0   44
    13                   66042       119859                      1   1
  Interface buffer sizes:
    Module Bytes:  Tx buffer  Rx buffer
    1              1221120    152000
    2              1221120    152000
    3              1221120    152000
    4              1221120    152000
    5              1221120    152000
    6              1221120    152000
    9              1221120    152000
    10             1221120    152000
    11             1221120    152000
    12             1221120    152000
    13             1221120    152000

Does this mean that 3940684041 packets were dropped on the egress queue on the sup? Does this seem extremely high, and what can cause this?

Thanks for your help

________________________________
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.

From sethm at rollernet.us Tue Apr 7 12:51:59 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 07 Apr 2009 09:51:59 -0700
Subject: [c-nsp] Too dumb for SLB on ASR1Ks?
In-Reply-To: <20090407160115.GX29526@ronin.4ever.de>
References: <20090403153128.GA12333@ronin.4ever.de> <20090407160115.GX29526@ronin.4ever.de>
Message-ID: <49DB84AF.1040602@rollernet.us>

Elmar K. Bins wrote:
> So far, I have gotten only the one response to my question.
>
> What would be the suggestion? "Ask Cisco for configuration
> help?" "Create a bug id?" Any ideas/guidance? I'm under the
> impression my basic config should be working but it doesn't...
>
> You know, any input etc...
>

Open a TAC case. If it's not supported someone should know. (Although it could take weeks like the time I threw an IPv6 question at TAC.) If it is supported and it's broken, they should be able to open a bug. I'd help more since I use IOS SLB a lot, but I just don't have an ASR1000 as much as I wish I did. ;)

~Seth

From sethm at rollernet.us Tue Apr 7 12:55:19 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 07 Apr 2009 09:55:19 -0700
Subject: [c-nsp] Packet Loss on 6513
In-Reply-To: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE8@MSG-M1P1.pcacorp.net>
References: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE8@MSG-M1P1.pcacorp.net>
Message-ID: <49DB8577.2060805@rollernet.us>

Mesiatowsky, Shawn wrote:
> We currently have 2 6513's in our core, and we have seen packet loss on our network. I was trying to locate the source of the packet loss. We did see some input queue drops on the SVI's and physical interfaces. I had increased our queue size on the vlan interfaces to 500, and our packet drops on the svi's decreased significantly. Now I am trying to figure out why there is packet loss on the physical interfaces. We have a sup 720, and our line cards are WS-X6724-SFP and WS-X6748-SFP.
>

Check your TCAM utilization.
~Seth

From rodunn at cisco.com Tue Apr 7 12:56:47 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 7 Apr 2009 12:56:47 -0400
Subject: [c-nsp] NAT on ASR1000
In-Reply-To: <49DB792C.6080507@forthnet.gr>
References: <20090407154647.GQ20028@rtp-cse-489.cisco.com> <49DB792C.6080507@forthnet.gr>
Message-ID: <20090407165647.GA22725@rtp-cse-489.cisco.com>

sh plat software status control-processor brief

Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0 Healthy   0.00   0.04   0.01
 ESP0 Healthy   0.00   0.00   0.00
 SIP0 Healthy   0.02   0.02   0.00

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
  RP0 Healthy  3711920  1525468 (36%)  2186452 (52%)   2438180 (59%)
 ESP0 Healthy  2024492   527680 (25%)  1496812 (71%)   2807552 (133%)
 SIP0 Healthy   480084   287860 (54%)   192224 (36%)    199468 (38%)

CPU Utilization
 Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
  RP0    0   2.15   1.54   0.00  96.25   0.01   0.03   0.00
 ESP0    0   0.57   0.60   0.00  98.80   0.00   0.01   0.00
 SIP0    0   0.30   0.41   0.00  99.25   0.00   0.01   0.00

It's a live network I worked on over the weekend. It's a pretty high rate short lived session network.

We set the timeouts down:

ip nat translation timeout 1800
ip nat translation tcp-timeout 900
ip nat translation udp-timeout 150
ip nat translation dns-timeout 30

show platform hardware cpp active infrastructure exmem statistics

and there is a lot of QFP memory left:

Type: Name: IRAM, CPP: 0
  Total: 134217728
  InUse: 4779008
  Free: 128974848
  Free protected: 463872
  Free unprotected: 0
  Lowest free water mark: 129438720
  Largest free block: 99537920

Type: Name: DRAM, CPP: 0
  Total: 402653184
  InUse: 190609408
  Free: 209715200
  Free protected: 598016
  Free unprotected: 1730560
  Lowest free water mark: 212043776
  Largest free block: 210233344

On Tue, Apr 07, 2009 at 07:02:52PM +0300, Tassos Chatzithomaoglou wrote:
> Rodney, can you do a "sh plat soft stat contr br"?
>
> --
> Tassos
>
> Rodney Dunn wrote on 07/04/2009 18:46:
> >Few bugs still being worked through but the 72xx and 76xx croaked
> >under the load:
> >
> >ASR1002ESP10#sh proc cpu sort | excl 0.00
> >CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
> > PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
> >ASR1002ESP10#sh ip nat stat
> >Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended)
> >Outside interfaces:
> >  GigabitEthernet0/0/0, Tunnel1
> >Inside interfaces:
> >  GigabitEthernet0/0/1, GigabitEthernet0/0/2
> >Hits: 0  Misses: 0
> >CEF Translated packets: 0, CEF Punted packets: 0
> >Expired translations: 87400847
> >
> >
> >that's on 12.2(33)XNC and I just filed one bug.
> >
> >CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword
> >used
> >
> >
> >My first work on the box with NAT but this thing seems pretty impressive.
> >
> >Anyone else using it for high scale nat yet?
> >
> >Rodney
> >
> >
> >_______________________________________________
> >cisco-nsp mailing list cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From rodunn at cisco.com Tue Apr 7 13:00:37 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 7 Apr 2009 13:00:37 -0400
Subject: [c-nsp] Too dumb for SLB on ASR1Ks?
In-Reply-To: <20090407160115.GX29526@ronin.4ever.de>
References: <20090403153128.GA12333@ronin.4ever.de> <20090407160115.GX29526@ronin.4ever.de>
Message-ID: <20090407170037.GB22725@rtp-cse-489.cisco.com>

I just asked one of the platform PM's. It's not supported on ASR1k.

Rodney

On Tue, Apr 07, 2009 at 06:01:15PM +0200, Elmar K. Bins wrote:
> So far, I have gotten only the one response to my question.
>
> What would be the suggestion? "Ask Cisco for configuration
> help?" "Create a bug id?" Any ideas/guidance? I'm under the
> impression my basic config should be working but it doesn't...
>
> You know, any input etc...
>
> Elmar.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From yanf787 at yahoo.com Tue Apr 7 13:02:55 2009
From: yanf787 at yahoo.com (Yan Filyurin)
Date: Tue, 7 Apr 2009 10:02:55 -0700 (PDT)
Subject: [c-nsp] NAT on ASR1000
In-Reply-To: <49DB792C.6080507@forthnet.gr>
References: <20090407154647.GQ20028@rtp-cse-489.cisco.com> <49DB792C.6080507@forthnet.gr>
Message-ID: <946159.23396.qm@web54009.mail.re2.yahoo.com>

At a certain point in time, I was testing NAT with just test tools, sending various forms of raw TCP, UDP and just IP traffic. I was able to get about 150k simultaneous translations at 2Gbps doing very low packet sizes. I definitely remember doing it with IMIX. I do remember seeing issues with BFD when NAT was enabled and a number of IPSec issues. But I think most of these issues have been fixed. There were also some issues with show commands, but that goes back to 2.2.1. This device is perfect for NAT. 7200 G2 is the next best thing and definitely better than 7600. G2 could easily do 100k translations at about 500% Mbps, but with 60% CPU. Maybe easily isn't the right word, but still. I can give more details offline.
Yan

________________________________
From: Tassos Chatzithomaoglou
To: Rodney Dunn
Cc: cisco-nsp at puck.nether.net
Sent: Tuesday, April 7, 2009 12:02:52 PM
Subject: Re: [c-nsp] NAT on ASR1000

Rodney, can you do a "sh plat soft stat contr br"?

--
Tassos

Rodney Dunn wrote on 07/04/2009 18:46:
> Few bugs still being worked through but the 72xx and 76xx croaked
> under the load:
>
> ASR1002ESP10#sh proc cpu sort | excl 0.00
> CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
> ASR1002ESP10#sh ip nat stat
> Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended)
> Outside interfaces:
>   GigabitEthernet0/0/0, Tunnel1
> Inside interfaces:
>   GigabitEthernet0/0/1, GigabitEthernet0/0/2
> Hits: 0  Misses: 0
> CEF Translated packets: 0, CEF Punted packets: 0
> Expired translations: 87400847
>
>
> that's on 12.2(33)XNC and I just filed one bug.
>
> CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword used
>
>
> My first work on the box with NAT but this thing seems pretty impressive.
>
> Anyone else using it for high scale nat yet?
>
> Rodney
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From clane1875 at gmail.com Tue Apr 7 16:22:47 2009
From: clane1875 at gmail.com (Chris Lane)
Date: Tue, 7 Apr 2009 16:22:47 -0400
Subject: [c-nsp] Cisco 3750 ME %SCHED-3-THRASHING
Message-ID: <2e1cd850904071322v4252f143n3334d96b9d94e4da@mail.gmail.com>

All,

Please help me identify why my 3750ME is throwing these errors.

%SCHED-3-THRASHING: Process thrashing on watched message event.
-Process= "SSH Process", ipl= 6, pid= 98
-Traceback= 2E4424 2E4B70 D0C404 D0C78C ED455C ED4FE8 ED5A44 ED657C ED6650 CBE0C8 CBE32C CBEA68 CBE914 29BD4C ED996C EDA25b

I have looked up on google: Cisco isn't very helpful and says it's cleared with 122.25S.
http://supportwiki.cisco.com/ViewWiki/index.php/The_"SCHED-3-THRASHING:_Process_thrashing_on_watched"_error_message_and_traceback_errors_appear_in_Catalyst_3750_series_switches

I am running 122-46.SE.bin
uptime is 1week

Any help would be greatly appreciated.

--
//CL

From leonardo.souza at nec.com.br Tue Apr 7 16:50:22 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 7 Apr 2009 17:50:22 -0300
Subject: [c-nsp] RES: Packet Loss on 6513
In-Reply-To: <49DB8577.2060805@rollernet.us>
References: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE8@MSG-M1P1.pcacorp.net> <49DB8577.2060805@rollernet.us>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D022E542E@spsrvmail03.nec.br>

Mesiatowsky, Shawn wrote:
> We currently have 2 6513's in our core, and we have seen packet loss on our network. I was trying to locate the source of the packet loss. We did see some input queue drops on the SVI's and physical interfaces. I had increased our queue size on the vlan interfaces to 500, and our packet drops on the svi's decreased significantly. Now I am trying to figure out why there is packet loss on the physical interfaces. We have a sup 720, and our line cards are WS-X6724-SFP and WS-X6748-SFP.
>

http://puck.nether.net/pipermail/cisco-nsp/2004-November/014366.html

It is a good start.

[]'s

From billw at waveform.net Tue Apr 7 17:23:17 2009
From: billw at waveform.net (Bill Wichers)
Date: Tue, 7 Apr 2009 17:23:17 -0400
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
In-Reply-To: <49DB2315.5010806@memetic.org>
References: <49DB1C06.60506@memetic.org> <20090407094208.GZ290@greenie.muc.de> <49DB2315.5010806@memetic.org>
Message-ID:

[snip]

> > ... and the context of *this* discussion is likely involving PA-FE-TX's,
> > which are "quite old hardware", and cannot do any sort of autoneg.
> >
> True, so the ports should probably be nailed to full at both sides.

Correct, they are PA-FE-TX's. There are two such PAs in a VIP2-50, and those are running the port channel. We use the 7507 as a DoS mitigator since the CPU on the VIP can't handle typical DoS traffic very well and effectively self-limits DoS traffic flow to around 20-30Mb/s or so. For "normal" traffic it can do around 150ish Mb/s or so usually without trouble. The packet size makes all the difference :-)

I typically set both ends (router and switch) of these links to 100/full since I've seen weird autonegotiation problems before. This works just fine for individual FE links, but as soon as I bring up the Etherchannel group both member links on the router end drop back to "unknown duplex" (which the switch says is 100/half), and I can't figure out why my "full-duplex" config entry on each port magically disappears as soon as the Etherchannel group is brought up. That's the weird problem I'm trying to figure out...

-Bill

From alasdairm at gmail.com Tue Apr 7 17:34:16 2009
From: alasdairm at gmail.com (Alasdair McWilliam)
Date: Tue, 7 Apr 2009 22:34:16 +0100
Subject: [c-nsp] BGP across continents
In-Reply-To: <5493710CC8A944FBA14A84C16722685A@Toshiba>
References: <5493710CC8A944FBA14A84C16722685A@Toshiba>
Message-ID: <8669CB1B-EDD9-49D5-9561-DDAF9D2C1D4F@gmail.com>

Hello,

I did think about GRE tunnels but GRE would still need to know about the tunnel destination interfaces. I guess I could get around that by using the IP address of the ISP interfaces on the border routers, but each router will have a link to 2 upstreams, so I'd have to look at that from a resilience perspective. Our border routers are ASR 1002 + ESP5, both will have GE interfaces to two providers (4 links, 2 providers).
I'm also expecting about 10Mbps consistently between Europe and Canada even without any customer being in "disaster" mode. Any indication of how the ASR1002 + ESP5 will handle this? (I've not actually got my hands on an ASR yet so am not too sure how they will fare. However from the white papers I've read and from what others have said I'm quite hopeful they will last for years to come! ;)

Provider wise, Canada and Europe will not share the same providers at all. I'm personally thinking of going with two ASNs to keep it completely clean, but need to look at the commercials around that from a RIPE/ARIN perspective.

Thanks very much

Alasdair

On 7 Apr 2009, at 18:50, Scott Granados wrote:

> There's the allow AS option or you could set up GRE tunnels between
> sites and build a mesh. If you use the same carrier in both
> locations you could use the no-export option and play with more
> specifics / traffic engineering on that level as well. Remember
> though if you start pushing too much traffic over the GRE you're
> likely to have CPU load issues. (depending on hardware)
>
>
> ----- Original Message ----- From: "Alasdair McWilliam"
> To:
> Sent: Tuesday, April 07, 2009 7:22 AM
> Subject: [c-nsp] BGP across continents
>
>
>> Hi,
>>
>> I am setting up a multihomed hosting centre in Europe. As part of the
>> service offered we will be providing Disaster Recovery services, using
>> our ability to re-route customer IP prefixes, through to another
>> hosting centre in Canada.
>>
>> We have a requirement for some prefixes within our net block to always
>> be available in Canada, and some to always be available in Europe. So,
>> I am wondering if someone can clarify my thoughts re. the AS numbers
>> required for this: can I use the same ASN at both locations (both of
>> which will have different upstreams) or will they reject prefixes from
>> one another? For example, Canada will see a prefix from Europe with
>> the same ASN in the AS-Path and drop it. Likewise Europe will drop
>> Canada prefixes because it can see the same AS in the AS-Path.
>>
>> Is there any way around this or is the only option to request a
>> second ASN?
>>
>> Cheers
>> Alasdair
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From justin at justinshore.com Tue Apr 7 17:53:17 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 07 Apr 2009 16:53:17 -0500
Subject: [c-nsp] GigE sub-int won't come up
Message-ID: <49DBCB4D.8040207@justinshore.com>

I'm trying to add a simple sub-int to a built-in GigE interface on a 7206VXR G2. I already have several sub-ints on the same interface and they're working great (typing this email across one of them). However when I added a new sub-int it refused to come up and I can't figure out why.

Here's the physical interface config:

interface GigabitEthernet0/2
 description TO 4948-1.amherst Gi1/45
 no ip address
 duplex auto
 speed 1000
 media-type sfp
 negotiation auto

Very simple. Here's the sub-int config:

interface GigabitEthernet0/2.999
 description Acme LAN PoC
 encapsulation dot1Q 999
 ip vrf forwarding acme-elan
 ip address 100.100.100.13 255.255.255.252

Also very simple. The other sub-ints aren't in VRFs but I doubt if that would be a problem here (could be but I doubt it).

GigabitEthernet0/2.999     100.100.100.13  YES manual down                  down

I was using VLAN 1001 for the lab test but switched to 999 after thinking that perhaps 1001 was used internally on the 7200 (I don't think it is but just in case); still no go. The VRF is up. I have MLPPP bundle in it and they're working on the same 7206. I'm running 12.4(15)T7.

It appears to stay up/up until I define the 1Q VLAN ID on the sub-int. Then it goes down/down. Oddly enough the sub-int doesn't go back to up/up (when the 1Q VLAN is removed) after going down/down (when the 1Q VLAN is assigned).
What in the world would keep a sub-int on an Ethernet interface from coming up? I'm not even sure what debug options are available for something like this. Connected to Gi0/2 is a 4948 and that VLAN is permitted across the trunk.

Thoughts? I'm sure someone will notice my error right off but I sure can't find it.

Thanks
Justin

From streiner at cluebyfour.org Tue Apr 7 18:30:39 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 7 Apr 2009 18:30:39 -0400 (EDT)
Subject: [c-nsp] GigE sub-int won't come up
In-Reply-To: <49DBCB4D.8040207@justinshore.com>
References: <49DBCB4D.8040207@justinshore.com>
Message-ID:

On Tue, 7 Apr 2009, Justin Shore wrote:

> What in the world would keep a sub-int on an Ethernet interface from coming
> up? I'm not even sure what debug options are available for something like
> this. Connected to Gi0/2 is a 4948 and that VLAN is permitted across the
> trunk.

Is there an active access port in VLAN 999 on the 4948, or somewhere downstream of it, assuming any necessary trunking at the site is already in place? I've seen VLANs not come up before, until there is actually a host in the VLAN.

jms

From rick at woofpaws.com Tue Apr 7 19:10:20 2009
From: rick at woofpaws.com (Rick Ernst)
Date: Tue, 7 Apr 2009 16:10:20 -0700 (PDT)
Subject: [c-nsp] MLS and accelerated switching
Message-ID: <54204.69.30.17.85.1239145820.squirrel@www.woofpaws.com>

I'm still working on developing a network design for our ethernet core to best balance the cost/value of "just moving bits". The core is currently a pair of 7507/RSP16/GEIP+ routers running as BGP route-reflectors between the border and aggregation layers. The 7507s (and GEIPs) don't have the horsepower to move much more than about 400Mbs each with current ACLs, NetFlow, and BGP. If the processing were to move to an MLS or accelerated fabric, with just the high-touch bits touching the RSP, it seems like there is still a lot of performance available without going to an "overpowered" 7600/Sup720.
It looks like the 6500 Sup-2 supports 128K MLS entries. Based on my NetFlow analysis, I get the following breakdown of unique IPs per time period:

Time   Unique IPs
-----  ----------
15min  320K
5min   150K
90sec  90K
45sec  70K
30sec  55K
15sec  35K

If I understand MLS and aging correctly, I should be able to set MLS aging to 45 seconds and MLS flow to destination, and have at least some room for growth.

Am I interpreting my data correctly and understanding MLS properly? Will MLS churn at such a short interval cause its own problems?

To alter the question slightly; is there a switching platform that could use the RSP16s as a router-on-a-stick to handle >= 1Gbs/2Mpps?

Thanks,

From justin at justinshore.com Tue Apr 7 19:12:30 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 07 Apr 2009 18:12:30 -0500
Subject: [c-nsp] GigE sub-int won't come up
In-Reply-To:
References: <49DBCB4D.8040207@justinshore.com>
Message-ID: <49DBDDDE.9010904@justinshore.com>

Justin M. Streiner wrote:
> Is there an active access port in VLAN 999 on the 4948, or somewhere
> downstream of it, assuming any necessary trunking at the site is
> already in place? I've seen VLANs not come up before, until there is
> actually a host in the VLAN.

There is an active switchport in 999 currently and 1001 before I switched to 999. I don't know that the 4948 could be the problem though. I've seen VLANs not come up until a port in the VLAN was active as well but that's normally on a switch or a router with a switchport (ISR w/ a Ethernet HWIC for example). There isn't a mechanism to advertise VLANs or their local status across a trunk that I'm aware of (with VTP disabled at least). VTP is transparent on the 4948 and not configurable on the 7206. I should be able to configure a dozen 1Q sub-ints on a router's interface and have them be up/up regardless of whether it's configured for use on the connected switch. At least I'm pretty sure I should be able to. What silly thing am I missing?
Maybe it will come to me after consuming chips and salsa.

Thanks for the info
Justin


From dale.shaw+cisco-nsp at gmail.com Tue Apr 7 19:41:06 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 8 Apr 2009 09:41:06 +1000
Subject: [c-nsp] 7200/NPE-G2 field notices
Message-ID: <3329cbb40904071641j4cc9ab12o7d68e10ea6bb3351@mail.gmail.com>

In case you missed 'em..

Title: Updated Cisco Field Notice: FN - 62535 - NPE-G2, Incompatibility With Lower-Revision VXR Series Chassis With Specific Port Adaptors - RMA required
URL: http://www.cisco.com/en/US/customer/ts/fn/620/fn62535.html

Title: Updated Cisco Field Notice: FN - 62514 - C7200-JC-PA - Certain Jacket Cards with PA installed on 7200VXR may have infrequent system crashes due to PCI Bus Error, Software Forced Crash, WDT Reset error - RMA required
URL: http://www.cisco.com/en/US/customer/ts/fn/620/fn62514.html

cheers,
Dale


From pshem.k at gmail.com Tue Apr 7 20:51:35 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 8 Apr 2009 12:51:35 +1200
Subject: [c-nsp] ASR1004 - ipv6 static route in a vrf
Message-ID: <20fe625b0904071751o10fd57f8p4991d548f5e64bd1@mail.gmail.com>

Hi,

I'm playing with an ASR1004 to test some ipv6 capabilities. For some reason I can't seem to get a static route working:

ASR1(config)#ipv6 route vrf Public 2407:7000::/32 Null0
ASR1(config)#do sh ipv6 route vrf Public
IPv6 Routing Table - Public - 1 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
L   FF00::/8 [0/0]
     via Null0, receive

If I assign the /32 to an interface, even a loopback, I can see it in the routing table. I have 'ipv6 unicast-routing' in the config and 'ipv6 cef distributed' - but this one seems to be on by default.
But CEF doesn't know anything about the prefix either:

ASR1#sh ipv6 cef vrf Public 2407:7000::/32
%Prefix not found

any ideas?

kind regards
Pshem


From pshem.k at gmail.com Tue Apr 7 21:13:04 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 8 Apr 2009 13:13:04 +1200
Subject: [c-nsp] ASR1004 - ipv6 static route in a vrf
In-Reply-To: <20fe625b0904071751o10fd57f8p4991d548f5e64bd1@mail.gmail.com>
References: <20fe625b0904071751o10fd57f8p4991d548f5e64bd1@mail.gmail.com>
Message-ID: <20fe625b0904071813g5b82f6b9sb1dffa27715490fa@mail.gmail.com>

It was simpler than I thought - there has to be at least one interface with ipv6 configured for the static route to work.

kind regards
Pshem


From gsgranados at comcast.net Tue Apr 7 21:36:23 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 7 Apr 2009 18:36:23 -0700
Subject: [c-nsp] rate limiting pointers?
Message-ID: <4F659EDCBCCC440DAD49883F36BDE65A@Toshiba>

Since the topic of rate limiting came up...

I have a 7206VXR NPE-300 and 2 switches (2960 and 3550).

I plan on setting up a trunk from the 7206 to the 3500 and break out via vlans as you'd expect. What are some good methods for rate limiting the individual ports on the access switches?

I'm open to other hardware but this is more of a lab / personal environment so solutions for the listed hardware would be appreciated. Could someone also suggest some good foundation type reading for rate limiting and practices?

Thank you
Scott


From nick.geyer at eds.com Tue Apr 7 21:54:57 2009
From: nick.geyer at eds.com (Geyer, Nick)
Date: Wed, 8 Apr 2009 11:54:57 +1000
Subject: [c-nsp] BGP across continents
In-Reply-To: <8669CB1B-EDD9-49D5-9561-DDAF9D2C1D4F@gmail.com>
References: <5493710CC8A944FBA14A84C16722685A@Toshiba> <8669CB1B-EDD9-49D5-9561-DDAF9D2C1D4F@gmail.com>
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA04D856C6@aubwm232.apac.corp.eds.com>

I have rolled out ASR1002/ESP5's as border routers in a few places now and they perform fantastically.
Doing BGP, bogon filtering and basic ACL's, the highest usage ones I have running in production at the moment push up to ~200Mbps sustained and the routers don't even blink at it. Definitely a good platform for the intended purpose, and kudos to Cisco for not trying to cram it full of features at initial release, IOS XE actually looks like a decent and stable platform =)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alasdair McWilliam
Sent: Wednesday, 8 April 2009 7:34 AM
To: Scott Granados
Cc: Cisco NSP
Subject: Re: [c-nsp] BGP across continents

*snip*

Any indication of how the ASR1002 + ESP5 will handle this? (I've not actually got my hands on an ASR yet so am not too sure how they will fare. However from the white papers I've read and from what others have said I'm quite hopeful they will last for years to come! ;)

Thanks very much
Alasdair

On 7 Apr 2009, at 18:50, Scott Granados wrote:

> There's the allow AS option or you could set up GRE tunnels between
> sites and build a mesh. If you use the same carrier in both
> locations you could use the no-export option and play with more
> specifics / traffic engineering on that level as well. Remember
> though if you start pushing too much traffic over the GRE you're
> likely to have CPU load issues. (depending on hardware)
>
>
> ----- Original Message ----- From: "Alasdair McWilliam"
> To:
> Sent: Tuesday, April 07, 2009 7:22 AM
> Subject: [c-nsp] BGP across continents
>
>
>> Hi,
>>
>> I am setting up a multihomed hosting centre in Europe. As part of the
>> service offered we will be providing Disaster Recovery services, using
>> our ability to re-route customer IP prefixes, through to another
>> hosting centre in Canada.
>>
>> We have a requirement for some prefixes within our net block to always
>> be available in Canada, and some to always be available in Europe. So,
>> I am wondering if someone can clarify my thoughts re.
>> the AS numbers
>> required for this: can I use the same ASN at both locations (both of
>> which will have different upstreams) or will they reject prefixes from
>> one another? For example, Canada will see a prefix from Europe with
>> the same ASN in the AS-Path and drop it. Likewise Europe will drop
>> Canada prefixes because it can see the same AS in the AS-Path.
>>
>> Is there any way around this or is the only option to request a
>> second ASN?
>>
>> Cheers
>> Alasdair
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


From gregariouspearl at gmail.com Wed Apr 8 00:36:07 2009
From: gregariouspearl at gmail.com (Muhammad Salman Zahid)
Date: Wed, 8 Apr 2009 09:36:07 +0500
Subject: [c-nsp] rate limiting pointers?
In-Reply-To: <4F659EDCBCCC440DAD49883F36BDE65A@Toshiba>
References: <4F659EDCBCCC440DAD49883F36BDE65A@Toshiba>
Message-ID: <44c523750904072136u5c3c82c0scf20d47d5c2e3241@mail.gmail.com>

Dear Scott,

Read & try the following:

Step 1: Define ACL for desired IP Pools

Step 2: Define a Packet classification criteria
  Class-map match-all
   description Control plane normal traffic
   match access-group name

Step 3: Define a Service Policy
  policy-map
   class
    police cir
     conform-action set-dscp-transmit default
     exceed-action drop
     violate-action drop

Step 4: Enter service policy on control plane interface
  service-policy input
  service-policy output

ip access-list extended [ABC]
ip access-list extended [XYZ]

class-map match-all [NAME1]   === NAME1=ABC (so easily remember)
 match access-group name [ABC]
class-map match-all [NAME2]   === NAME2=XYZ (so easily remember)
 match access-group name [XYZ]

policy-map [POLICY NAME]
 class [ABC]
  put rate limit
 class [XYZ]
  put rate limit

Regards,
MSZ

On Wed, Apr 8, 2009 at 6:36 AM, Scott Granados wrote:
> Since the topic of rate limiting came up...
>
> I have a 7206VXR NPE-300 and 2 switches (2960 and 3550).
>
> I plan on setting up a trunk from the 7206 to the 3500 and break out via
> vlans as you'd expect. What are some good methods for rate limiting the
> individual ports on the access switches?
>
> I'm open to other hardware but this is more of a lab / personal environment
> so solutions for the listed hardware would be appreciated. Could someone
> also suggest some good foundation type reading for rate limiting and
> practices?
>
> Thank you
> Scott
>

--
"Death is not the greatest loss in life .... The greatest loss is what dies inside you while U live...!"
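Following the four steps MSZ lists, here is an added, complete configuration for the 7206/3550 setup Scott describes; it is not from the thread, and the interface, VLAN, address pools and rates are all assumed.

```cisco
! Added example, not from the thread: police each customer pool on the 7206
! as traffic arrives from the 3550 trunk, following the ACL -> class-map ->
! policy-map -> service-policy steps above. FastEthernet0/0, VLAN 100, the
! two halves of 192.0.2.0/24 and the rates are assumed values.
!
! Step 1: ACLs selecting each customer's address pool
ip access-list extended CUST-A
 permit ip 192.0.2.0 0.0.0.127 any
ip access-list extended CUST-B
 permit ip 192.0.2.128 0.0.0.127 any
!
! Step 2: classification, one class per pool
class-map match-all CUST-A
 description customer A pool
 match access-group name CUST-A
class-map match-all CUST-B
 description customer B pool
 match access-group name CUST-B
!
! Step 3: the policy. cir is in bits/s, bc in bytes (sized here for 250 ms
! at the CIR). Excess is dropped rather than remarked so a pool cannot push
! more than its contracted rate towards the core.
policy-map VLAN100-IN
 class CUST-A
  police cir 10000000 bc 312500
   conform-action transmit
   exceed-action drop
   violate-action drop
 class CUST-B
  police cir 5000000 bc 156250
   conform-action transmit
   exceed-action drop
   violate-action drop
 class class-default
  police cir 1000000
   conform-action transmit
   exceed-action drop
!
! Step 4: apply inbound on the dot1Q subinterface facing the 3550 trunk
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
 service-policy input VLAN100-IN
!
! Per-class conform/exceed counters confirm the policer is actually hit:
!   show policy-map interface FastEthernet0/0.100
```

Policing on the router still lets the excess cross the trunk; the 3550 can also police ingress per access port in hardware (it needs `mls qos` enabled globally), which keeps that traffic off the trunk entirely.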
From ying-xiang at 163.com Wed Apr 8 01:22:45 2009
From: ying-xiang at 163.com (ying-xiang)
Date: Wed, 8 Apr 2009 13:22:45 +0800 (CST)
Subject: [c-nsp] about eompls on 7609
Message-ID: <24825069.914261239168165588.JavaMail.coremail@bj163app105.163.com>

hi,

following is my topology brief:

SwitchA---PE1(7609-1)---PE2(7609-2)---SwitchB

Both switchA and switchB are configured with a vlan100 to achieve layer two transport through EoMPLS and they work without any issue, but I got an error when I tried to set the same vlan id on the PEs. Could anyone explain this for me?

looking forward to your reply.


From gert at greenie.muc.de Wed Apr 8 02:44:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 8 Apr 2009 08:44:41 +0200
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
In-Reply-To:
References: <20090407094208.GZ290@greenie.muc.de> <49DB2315.5010806@memetic.org>
Message-ID: <20090408064441.GE290@greenie.muc.de>

Hi,

On Tue, Apr 07, 2009 at 05:23:17PM -0400, Bill Wichers wrote:
> I typically set both ends (router and switch) of these links to 100/full
> since I've seen weird autonegotiation problems before. This works just
> fine for individual FE links, but as soon as I bring up the Etherchannel
> group both member links on the router end drop back to "unknown duplex"
> (which the switch says is 100/half), and I can't figure out why my
> "full-duplex" config entry on each port magically disappears as soon as
> the Etherchannel group is brought up. That's the weird problem I'm
> trying to figure out...

A switch connected to a PA-FE-TX will never be able to figure out the duplex settings on the PA-FE - because the PA can't tell it. So you'll always have to manually configure both sides for the desired duplex settings.
Now, in your case, I think you'll need to do some experimenting

- set the switch to 100/full, run cisco ping tests (1000+ packets)
- set the switch to 100/half, run cisco ping tests (1000+ packets)

if you get packet loss, you have a duplex mismatch...

If the setup *works* when set to 100/full, I'd classify the "unknown duplex" thing as an artifact on the 7500 - given that the PA-FE cannot autonegotiate, maybe the high-level code is just telling this to you "we don't know what's the underlying physics".

If the setup needs 100/half on the switch side, I'd open a TAC case.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de


From sethm at rollernet.us Wed Apr 8 03:14:52 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 08 Apr 2009 00:14:52 -0700
Subject: [c-nsp] T3 or Ethernet delivery?
Message-ID: <49DC4EEC.3070001@rollernet.us>

One of my carriers has given me a choice for a new circuit delivery: T3 or Ethernet. My outside world circuit experience is all non-Ethernet, so I have a few questions the sales group wasn't able to answer. I'd love to hear some real world experience. The cost difference between the two is not significant enough to be the sole deciding factor and I'm not using pure-Ethernet platforms so it's just a matter of adding the right interface card.

How do you detect a "down" condition on Ethernet? My experience is that the interface could be up/up because Ethernet doesn't know about anything further down the line and ends up throwing packets into a magical black hole. Or worse, secret packet loss.

Can you even troubleshoot Ethernet?
Normally if I'm seeing something like out of frame errors or AIS, I can say "hey, there's a problem and it's X". It scares me to think of opening trouble tickets as "it's broken and I can't really tell you why".

With a T3 I can be fairly certain that if there aren't any alarms that my end is happily talking to the other end. How does one accomplish the same with Ethernet? A periodic "ping" seems rather ambiguous as a health check.

Since this is an outside world connection (i.e. I'm not in a colo) the slightly lower cost and convenience factor of Ethernet doesn't override my desire to stick with a T3 for its management properties and the sleeping good at night feeling I get knowing there are no alarms. My gut tells me to stick with it even though Ethernet delivery is what all the cool kids are doing these days, so any insight is appreciated.

Thanks!

~Seth


From r.tahina at moov.mg Wed Apr 8 03:31:16 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Wed, 08 Apr 2009 10:31:16 +0300
Subject: [c-nsp] upload to 2 upstreams
In-Reply-To: <3c605ce10904072144q43079751i149e425a27d15ee7@mail.gmail.com>
References: <7.0.1.0.2.20090407183213.04f15628@moov.mg> <3c605ce10904072144q43079751i149e425a27d15ee7@mail.gmail.com>
Message-ID: <7.0.1.0.2.20090408102917.042f2bf0@moov.mg>

Yes it's BGP.

At 07:44 08/04/2009, Aftab Siddiqui wrote:
>What routing protocol are you running with your upstream. It should
>be BGP I guess.
>
>On Tue, Apr 7, 2009 at 8:36 PM, RAZAFINDRATSIFA Rivo Tahina
><r.tahina at moov.mg> wrote:
>Hi all,
>
>We have two upstreams and our upload traffic is load balanced
>between them, when one of them is down, how can I do to send all
>output to the one which is still up?
>
>Regards.
>
>
>
>
>--
>Regards,
>
>Aftab A.
>Siddiqui


From aj at sneep.net Wed Apr 8 03:05:41 2009
From: aj at sneep.net (Alastair Johnson)
Date: Wed, 08 Apr 2009 15:05:41 +0800
Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006
In-Reply-To:
References: <49DB1C06.60506@memetic.org> <20090407094208.GZ290@greenie.muc.de> <49DB2315.5010806@memetic.org>
Message-ID: <49DC4CC5.1030106@sneep.net>

Bill Wichers wrote:
> I typically set both ends (router and switch) of these links to 100/full
> since I've seen weird autonegotiation problems before. This works just
> fine for individual FE links, but as soon as I bring up the Etherchannel
> group both member links on the router end drop back to "unknown duplex"
> (which the switch says is 100/half), and I can't figure out why my
> "full-duplex" config entry on each port magically disappears as soon as
> the Etherchannel group is brought up. That's the weird problem I'm
> trying to figure out...

My experience with 7500 and Etherchannel, particularly if it's across multiple PA is to just give up. I was never able to keep it running reliably under 12.0S, whether the other end was a C2924 or C4006. Best case is it would work for a while, then some magic duplex problem would pop up and make it explode spectacularly - usually after a reload or an OIR or other CxBus restart, and occasionally after DCEF dying... Usually it would involve one end being in FDX, the other end being in HDX or no-duplex at all - despite both ends being configured for 100/Full.

I hope you have better luck, but I wouldn't count on it. ISTR that 12.0 mainline and some of the sub-tree variants (12.1E?) had slightly less problematic issues with it.

aj


From Ian.Mackinnon at lumison.net Wed Apr 8 04:11:10 2009
From: Ian.Mackinnon at lumison.net (Ian MacKinnon)
Date: Wed, 8 Apr 2009 09:11:10 +0100
Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: <49DC4EEC.3070001@rollernet.us>
References: <49DC4EEC.3070001@rollernet.us>
Message-ID:

Hi Seth,

I think the world is moving to ethernet for what traditionally was a leased line, so you are only going to see more of it.

Don't forget in your cost calculations the CPE line card, compare the cost of a router (or switch) with a spare Ethernet port and one with a 2Meg serial card. Also don't forget the cost of spares for each and every different serial card you need.

Yes, you are right you will see traffic blackholed, the interface is up/up, but there is no end to end connectivity.

Ian

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Seth Mattinen
> Sent: 08 April 2009 08:15
> To: cisco-nsp
> Subject: [c-nsp] T3 or Ethernet delivery?
>
> One of my carriers has given me a choice for a new circuit delivery: T3
> or Ethernet. My outside world circuit experience is all non-Ethernet, so
> I have a few questions the sales group wasn't able to answer. I'd love
> to hear some real world experience. The cost difference between the two
> is not significant enough to be the sole deciding factor and I'm not
> using pure-Ethernet platforms so it's just a matter of adding the right
> interface card.
>
> How do you detect a "down" condition on Ethernet? My experience is that
> the interface could be up/up because Ethernet doesn't know about
> anything further down the line and ends up throwing packets into a
> magical black hole. Or worse, secret packet loss.
>
> Can you even troubleshoot Ethernet? Normally if I'm seeing something
> like out of frame errors or AIS, I can say "hey, there's a problem and
> it's X". It scares me to think of opening trouble tickets as "it's
> broken and I can't really tell you why".
>
> With a T3 I can be fairly certain that if there aren't any alarms that
> my end is happily talking to the other end. How does one accomplish the
> same with Ethernet?
> A periodic "ping" seems rather ambiguous as a health
> check.
>
> Since this is an outside world connection (i.e. I'm not in a colo) the
> slightly lower cost and convenience factor of Ethernet doesn't override
> my desire to stick with a T3 for its management properties and the
> sleeping good at night feeling I get knowing there are no alarms. My gut
> tells me to stick with it even though Ethernet delivery is what all the
> cool kids are doing these days, so any insight is appreciated. Thanks!
>
> ~Seth


From justin at justinshore.com Wed Apr 8 04:19:31 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 08 Apr 2009 03:19:31 -0500
Subject: [c-nsp] GigE sub-int won't come up
In-Reply-To: <49DBDDDE.9010904@justinshore.com>
References: <49DBCB4D.8040207@justinshore.com> <49DBDDDE.9010904@justinshore.com>
Message-ID: <49DC5E13.6050502@justinshore.com>

Justin Shore wrote:
> Justin M. Streiner wrote:
>> Is there an active access port in VLAN 999 on the 4948, or somewhere
>> downstream of it, assuming any necessary trunking at the site is
>> already in place?
>> I've seen VLANs not come up before, until there is
>> actually a host in the VLAN.
>
> There is an active switchport in 999 currently and 1001 before I
> switched to 999. I don't know that the 4948 could be the problem
> though. I've seen VLANs not come up until a port in the VLAN was active
> as well but that's normally on a switch or a router with a switchport
> (ISR w/ an Ethernet HWIC for example). There isn't a mechanism to
> advertise VLANs or their local status across a trunk that I'm aware of
> (with VTP disabled at least). VTP is transparent on the 4948 and not
> configurable on the 7206. I should be able to configure a dozen 1Q
> sub-ints on a router's interface and have them be up/up regardless of
> whether it's configured for use on the connected switch. At least I'm
> pretty sure I should be able to.

I had what was supposed to be a quick maintenance window tonight to bump the code rev on the 7200 and reboot. I also did a minor rev update on the 4948. I rebooted the 4948 first but after 10m it still hadn't come back up (I don't have OOB access to anything in that POP). The 7200 hadn't seen the interfaces come up. I went ahead and did the 7200 while I was getting my things together to drive to that POP. The 7200 never came back up either. Joy.

Once I got onsite I found that both devices were in fact running. The problem was that the GigE links on the 7200 wouldn't come up. Both the physical GigE interfaces and all their sub-ints were all up/down. I started opening a TAC case at that point. While the TAC operator waded through the tech options to try and figure out how to assign my case I thought about the problem some more, what Justin wrote earlier and my response about no VTP or VTP-like protocols in use jumped out at me. I checked the config and sure enough I had CFM and OAM (partially?) configured. Don't they share link information including VLAN info? I need to do more research on it and move the config to a lab environment.
As soon as I removed the CFM and OAM config from the 7200 the GigE links came up. Not only that but all the sub-ints came up that I'd been fighting earlier. My broken CFM or OAM or both config is what caused all these problems. I was working with CFM and OAM after attending some MetroE training in SJC. At the time my gear wasn't in production but now it is and I hadn't removed the config.

Does anyone have any good docs that clearly explain how to properly configure CFM, OAM and LMI? I've found lots of docs that talk about it but none are terribly clear on exactly how to implement it and what's the BCP in certain environments. Clearly what I was doing before wasn't right. How to troubleshoot these protocols would also be very helpful. Had I known that this is what was keeping the interface facing the 4948 down I could have fixed it from my recliner instead of taking a roadtrip to a remote POP.

Thanks for the info
Justin


From emanuel.popa at gmail.com Wed Apr 8 04:28:26 2009
From: emanuel.popa at gmail.com (Emanuel Popa)
Date: Wed, 8 Apr 2009 11:28:26 +0300
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <49DB7D59.1030006@forthnet.gr>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <49DB7D59.1030006@forthnet.gr>
Message-ID: <4981ce080904080128u2c54312apb7917ec5759a0335@mail.gmail.com>

hi tassos,

i'm really scared when using a fairly new platform with a fairly new software version. i would prefer paying more money for a more stable device. and this fear of mine goes back to the SRB2 version for the Cisco 7600 which is the worst thing that could happen for the 7600.

anyways, the platform is not even well documented on cisco.com so it can not be included in our business case.

i expect a management decision ASAP as our links are pretty congested on single failures as we speak.

regards,
manu

2009/4/7 Tassos Chatzithomaoglou :
> Besides your choices, ASR 9000 should be out soon (its IOS XR Software is
> already available).
>
> --
> Tassos
>
> Emanuel Popa wrote on 07/04/2009 18:51:
>>
>> hi there,
>>
>> due to the increase in traffic volume in the last couple of years we
>> need to really think about the future of the network. we have deployed
>> and we are managing a 50GE multi-ring topology network with Cisco 7600
>> routers. i don't want to get into more details about ring topology
>> restrictions, platform limitations regarding wire speed, huge problems
>> with ether-channels or unpredictable load balancing behaviour. we've
>> been using these chassis since 2004 starting with STM-16 lines and the
>> PQ ratio looks pretty good so far.
>>
>> coming back to nowadays, 40GE or 100GE is not available yet, and even
>> if it was, the price would be probably unaffordable. and now the
>> question pops: what is the next step? the best answer is of course a
>> mix of multiple 10GE lines with traffic engineering and partial mesh
>> topology and 100GE ready chassis. first thing that comes to mind is
>> the CRS-1 platform, but it is really expensive: from under 15K per
>> 10GE port with the Cisco 7600 you have to pay more than 75K per 10GE
>> port with the CRS-1. so we have to take into consideration what are
>> the alternatives.
>> i will try a short comparison:
>>
>> - Cisco CRS-1 16 Slot
>> --- max 64 x 10GE
>> --- max 32 links in a bundle
>> --- 40Gbps per slot
>> --- 100GE ready
>> --- multi-chassis ready
>> --- 10.920W max power
>> --- 723kg max weight
>> --- full rack space
>> --- $5.115.000,00/chassis
>> --- $79.921,88/10GE
>>
>> - Juniper T1600
>> --- max 64 x 10GE
>> --- max 16 links in a bundle
>> --- 100Gbps per slot
>> --- 100GE ready
>> --- multi-chassis ready
>> --- 8.352W max power
>> --- 274,88kg max weight
>> --- 1/2 rack space
>> --- $6.547.000,00/chassis
>> --- $102.296,88/10GE
>>
>> - Brocade/ Foundry NetIron XMR 16000
>> --- max 64 x 10GE
>> --- max 32 links in a bundle
>> --- 50Gbps per slot
>> --- 100GE ready (* only full slots)
>> --- single-chassis
>> --- 5.572W max power
>> --- 107,00kg max weight
>> --- 1/3 rack space
>> --- $567.515,00/chassis
>> --- $8.867,42/10GE
>>
>> I've also been looking at Huawei, Alcatel and HP gear but haven't been
>> able to find a device to support more than 24 x 10GE ports in a single
>> chassis.
>>
>> Here's what I'm trying to figure out:
>>
>> 1. are there any other devices on the market with same hardware
>> capabilities?
>>
>> 2. why the huge difference between foundry and cisco/juniper?
>>
>> 3. if foundry is so cheap why hasn't it gathered more market share?
>> instead it was bought by brocade a while ago...
>>
>> 4. is the netiron really a carrier router more than a carrier switch?
>> anybody experienced it?
>>
>> 5. how does the software perform when comparing with IOS XR and JunOS?
>>
>> Please, any comments are welcomed.
>>
>> Best regards,
>> Manu
>>
>


From sam_mailinglists at spacething.org Wed Apr 8 06:26:06 2009
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Wed, 08 Apr 2009 11:26:06 +0100
Subject: [c-nsp] Max length of 9600 serial over CAT5e
Message-ID: <49DC7BBE.50906@spacething.org>

Hi,

What's the maximum length you can run async-serial (9600 baud) over CAT5e (from a terminal server to console port).

My google-fu has failed me.

Sam


From richard.halfpenny at exa-networks.co.uk Wed Apr 8 07:31:38 2009
From: richard.halfpenny at exa-networks.co.uk (Richard Halfpenny)
Date: Wed, 08 Apr 2009 12:31:38 +0100
Subject: [c-nsp] Max length of 9600 serial over CAT5e
In-Reply-To: <49DC7BBE.50906@spacething.org>
References: <49DC7BBE.50906@spacething.org>
Message-ID: <49DC8B1A.2000501@exa-networks.co.uk>

Sam Stickland wrote:
> Hi,
>
> What's the maximum length you can run async-serial (9600 baud)
> over CAT5e (from a terminal server to console port).
>
> My google-fu has failed me.

If I remember correctly, the spec for RS-232 says the maximum capacitance of a cable can be 2500pF at 20kbps. A Cat5e of approx 46pF / metre would give you a maximum length of 54 metres. At 9600bps you could probably drive slightly longer.

Rich

--
Network Operations
Exa Networks Ltd :: AS30740
richard.halfpenny at exa-networks.co.uk


From deric.kwok2000 at gmail.com Wed Apr 8 08:09:39 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 8 Apr 2009 08:09:39 -0400
Subject: [c-nsp] 2600 series for 100M
Message-ID: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com>

Hi

Do you know if a Cisco 2651XM is fine for a 100M network? If the memory is 256M, is it ok?

Can it support Virtual private network, VLAN and new tcsh command?
I checked the IOS; it is "C2600 Software (C2600-ENTSERVICESK9-M), Version 12.3(23)"

Do I need to buy any extra memory?

Thank you


From gert at greenie.muc.de Wed Apr 8 08:54:50 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 8 Apr 2009 14:54:50 +0200
Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: <49DC4EEC.3070001@rollernet.us>
References: <49DC4EEC.3070001@rollernet.us>
Message-ID: <20090408125450.GL290@greenie.muc.de>

Hi,

On Wed, Apr 08, 2009 at 12:14:52AM -0700, Seth Mattinen wrote:
> How do you detect a "down" condition on Ethernet? My experience is that
> the interface could be up/up because Ethernet doesn't know about
> anything further down the line and ends up throwing packets into a
> magical black hole. Or worse, secret packet loss.

Run a routing protocol over it.

[..]
> With a T3 I can be fairly certain that if there aren't any alarms that
> my end is happily talking to the other end. How does one accomplish the
> same with Ethernet? A periodic "ping" seems rather ambiguous as a health
> check.

Not necessarily so - even on a T3, you can have bad cables going just one way, so you might have packet loss in your transmit direction. The provider would see (CRC) errors, but you might not see anything.

So you'll need to run ping...

(And yes, I know how you feel. But the price difference between the gear for SDH 2.4 Gbit equipment vs. 2 x 1Gbit ethernet links was so overwhelming that we decided to go for ethernet... and for the same price, we even got *two* links, so "no single point of failure")

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
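Gert's "run ping" and the object tracking that comes up later in this thread can be combined so the router itself withdraws its route when the far side of an up/up Ethernet handoff stops answering. The following is an added example, not from the thread; the addresses, interface and timers are assumed, and the syntax is the 12.4T-era `ip sla` form.

```cisco
! Added example, not from the thread: catch an up/up Ethernet handoff that is
! silently blackholing traffic. The provider-side address 198.51.100.1, the
! backup next hop 203.0.113.1, GigabitEthernet0/0 and the timers are assumed.
!
! Probe the provider's side of the handoff every 5 s. The target sits on the
! connected /30, so the probe can only ever leave via the monitored link and
! never follows the backup route once the primary is withdrawn.
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
 threshold 1500
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! The tracked object follows probe reachability. The delays damp a single
! lost echo (down only after 15 s of failure) and hold off re-installing the
! route until the link has answered for 30 s.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Default route via the Ethernet handoff is installed only while track 10
! is up; the floating static (AD 250) via the other circuit takes over.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 10
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! State and probe history, so a failover is a visible event rather than a
! mystery ticket:
!   show track 10
!   show ip sla statistics 10
! (Older releases spell these "ip sla monitor" and
!  "track 10 rtr 10 reachability".)
```

Probing the directly connected provider address proves the handoff itself; a blackhole deeper in the carrier network needs a second probe at a target beyond it, with the trade-off that that target can be down for reasons unrelated to the circuit.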
From cchurc05 at harris.com Wed Apr 8 08:54:20 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 8 Apr 2009 07:54:20 -0500
Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: <49DC4EEC.3070001@rollernet.us>
References: <49DC4EEC.3070001@rollernet.us>
Message-ID:

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen
Sent: Wednesday, April 08, 2009 3:15 AM
To: cisco-nsp
Subject: [c-nsp] T3 or Ethernet delivery?

>How do you detect a "down" condition on Ethernet? My experience is that
>the interface could be up/up because Ethernet doesn't know about
>anything further down the line and ends up throwing packets into a
>magical black hole. Or worse, secret packet loss.

Object tracking can take care of this. Or a dynamic routing protocol (no connectivity, no neighbor). You just need to be more careful in your QoS. A routed ethernet port has far more flexibility than a simple switch port on most platforms. You'll probably want to shape/police your traffic outbound if your provided BW is exactly 10, 100, or gig.


From rshughes at gmail.com Wed Apr 8 09:09:50 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Wed, 8 Apr 2009 09:09:50 -0400
Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: <20090408125450.GL290@greenie.muc.de>
References: <49DC4EEC.3070001@rollernet.us> <20090408125450.GL290@greenie.muc.de>
Message-ID:

Generally my experience with Ethernet handoffs has been hit or miss depending on what the carrier is delivering for the hand off - I've dealt with some gear as you alluded to that doesn't down the CE hand off when the circuit goes which turns into an interesting game of routing protocol timers and EEM/IP SLA for neighbor tracking.
I've also run into situations where it's best to traffic shape the port to the CIR you're getting from the provider on sub-rate Ethernet hand offs (you're only paying for 45mb and you're negotiating the physical to a gig with their gear). But yeah - the price and cost saving of not needing a certain interface line card for hand off is undeniable and has to be taken seriously. Ryan On Wed, Apr 8, 2009 at 8:54 AM, Gert Doering wrote: > Hi, > > On Wed, Apr 08, 2009 at 12:14:52AM -0700, Seth Mattinen wrote: > > How do you detect a "down" condition on Ethernet? My experience is that > > the interface could be up/up because Ethernet doesn't know about > > anything further down the line and ends up throwing packets into a > > magical black hole. Or worse, secret packet loss. > > Run a routing protocol over it. > > [..] > > With a T3 I can be fairly certain that if there aren't any alarms that > > my end is happily talking to the other end. How does one accomplish the > > same with Ethernet? A periodic "ping" seems rather ambiguous as a health > > check. > > Not necessarily so - even on a T3, you can have bad cables going just > one way, so you might have packet loss in your transmit direction. The > provider would see (CRC) errors, but you might not see anything. > > So you'll need to run ping... > > (And yes, I know how you feel. But the price difference between the > gear for SDH 2.4 Gbit equipment vs. 2 x 1Gbit ethernet links was so > overwhelming that we decided to go for ethernet... and for the same > price, we even got *two* links, so "no single point of failure") > > gert > -- > USENET is *not* the non-clickable part of WWW! 
> // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jeff at ocjtech.us Wed Apr 8 09:18:32 2009 From: jeff at ocjtech.us (Jeffrey Ollie) Date: Wed, 8 Apr 2009 08:18:32 -0500 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: <49DC4EEC.3070001@rollernet.us> References: <49DC4EEC.3070001@rollernet.us> Message-ID: <935ead450904080618k15aa5c2bo23acf3dac7005e9c@mail.gmail.com> On Wed, Apr 8, 2009 at 2:14 AM, Seth Mattinen wrote: > One of my carriers has given me a choice for a new circuit delivery: T3 > or Ethernet. I would go for Ethernet in a heartbeat. > The cost difference between the two > is not significant enough to be the sole deciding factor and I'm not > using pure-Ethernet platforms so it's just a matter of adding the right > interface card. The cost difference on a ~40Mb/s circuit might not be much different delivered via T3 or Ethernet, but what about anything faster? Ethernet readily scales to 1Gb/s and 10Gb/s is not unreasonable these days. 40Gb/s and 100Gb/s Ethernet will be here in a year or two. Even if you start out with a 100Mb/s Ethernet port you won't have to bond interfaces or move to more expensive electronics to go past ~40Mb/s. > How do you detect a "down" condition on Ethernet? My experience is that > the interface could be up/up because Ethernet doesn't know about > anything further down the line and ends up throwing packets into a > magical black hole. Or worse, secret packet loss. There's nothing unique to Ethernet about that... > Can you even troubleshoot Ethernet? Normally if I'm seeing something > like out of frame errors or AIS, I can say "hey, there's a problem and > it's X". 
It scares me to think of opening trouble tickets as "it's > broken and I can't really tell you why". Stick a PC directly onto your WAN connection (or stick a switch in there and use port spanning) and run Wireshark. Try that with a T3 connection. > With a T3 I can be fairly certain that if there aren't any alarms that > my end is happily talking to the other end. How does one accomplish the > same with Ethernet? The Ethernet protocol includes CRC checks so most hardware will detect packet errors. Sure, the CRC isn't perfect and you can construct pathological examples where corrupted packets will pass the CRC checks but > A periodic "ping" seems rather ambiguous as a health > check. You'd want to do something like this anyway, since the alarms on a T3 are only a layer 1 check, pings check to make sure that things are working at least up through layer 3. As others have stated, running a dynamic routing protocol across the link gives even more assurance that packets aren't going into a black hole. -- Jeff Ollie From ler762 at gmail.com Wed Apr 8 09:20:30 2009 From: ler762 at gmail.com (Lee) Date: Wed, 8 Apr 2009 09:20:30 -0400 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: <49DC4EEC.3070001@rollernet.us> References: <49DC4EEC.3070001@rollernet.us> Message-ID: For us, price =is= the deciding factor. A 45Mb ethernet service costs us much less than a real T3. We replaced a T3 circuit with a 45Mb ethernet service and then discovered that the RTT went from 12ms on the T3 to 39ms on the ethernet circuit. Much discussion with the provider about re-engineering the circuit to get the RTT down and then much more waiting for them to schedule a service window ... and we've now got a 35ms RTT. Another 'gotcha' is MTU size. It's trivially easy to run IPSec over a T3 without fragmenting packets. Ethernet however... we ended up dumping one provider because they (w|c)ouldn't give us more than a 1524 [?not sure] byte MTU. 
A nice thing about getting ethernet service is that more bandwidth is just a phone call away. We bumped the speed up from 45 to 100Mb and are still paying less for the 100Mb ethernet service than we were for the T3. Still have that 35ms RTT though.. Input access lists that end with "deny ip any any log-input" are your friend. We just brought up a new circuit & I was seeing strange stuff hitting our router. Call the provider (who is my new love - the person answering the phone was the person that fixed the problem ... while I was on the phone!! ), give 'em the offending IP address and get told it's a pure L2 network on their side. *sigh* change the access-list from log to log-input, give him the offending MAC address, he finds the offending box & fixes the config. If you care at all about keeping your data private, put everything inside an IPSec tunnel. You have no idea who/what else is on that same ethernet circuit. If you care at all about throwing your packets into a black-hole, run a routing protocol over the tunnel. If you care at all about actually using the bandwidth you're paying for, get the hardware crypto accelerator card for your platform. > ... It scares me to think of opening trouble tickets as "it's > broken and I can't really tell you why". Welcome to user-land :) Just remember to act like a real user and lie when they ask you to reboot the box & see if that fixes the problem. HTH, Lee On 4/8/09, Seth Mattinen wrote: > One of my carriers has given me a choice for a new circuit delivery: T3 > or Ethernet. My outside world circuit experience is all non-Ethernet, so > I have a few questions the sales group wasn't able to answer. I'd love > to hear some real world experience. The cost difference between the two > is not significant enough to be the sole deciding factor and I'm not > using pure-Ethernet platforms so it's just a matter of adding the right > interface card. > > How do you detect a "down" condition on Ethernet? 
My experience is that > the interface could be up/up because Ethernet doesn't know about > anything further down the line and ends up throwing packets into a > magical black hole. Or worse, secret packet loss. > > Can you even troubleshoot Ethernet? Normally if I'm seeing something > like out of frame errors or AIS, I can say "hey, there's a problem and > it's X". It scares me to think of opening trouble tickets as "it's > broken and I can't really tell you why". > > With a T3 I can be fairly certain that if there aren't any alarms that > my end is happily talking to the other end. How does one accomplish the > same with Ethernet? A periodic "ping" seems rather ambiguous as a health > check. > > Since this is an outside world connection (i.e. I'm not in a colo) the > slightly lower cost and convenience factor of Ethernet doesn't override > my desire to stick with a T3 for its management properties and the > sleeping good at night feeling I get knowing there are no alarms. My gut > tells me to stick with it even though Ethernet delivery is what all the > cool kids are doing these days, so any insight is appreciated. Thanks! > > ~Seth > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ler762 at gmail.com Wed Apr 8 09:38:14 2009 From: ler762 at gmail.com (Lee) Date: Wed, 8 Apr 2009 09:38:14 -0400 Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006 In-Reply-To: References: <49DB1C06.60506@memetic.org> <20090407094208.GZ290@greenie.muc.de> <49DB2315.5010806@memetic.org> Message-ID: On 4/7/09, Bill Wichers wrote: > [snip] >> > ... and the context of *this* discussion is likely involving PA-FE-TX's, >> > which are "quite old hardware", and cannot do any sort of autoneg. >> > >> True, so the ports should probably be nailed to full at both sides. > > Correct, they are PA-FE-TX's. 
There are two such PAs in a VIP2-50, and > those are running the port channel. <.. snip ..> > > I typically set both ends (router and switch) of these links to 100/full > since I've seen weird autonegotiation problems before. This works just > fine for individual FE links, but as soon as I bring up the Etherchannel > group both member links on the router end drop back to "unknown duplex" Can you configure the etherchannel group interface as 100/full? Lee From andreir at gmail.com Wed Apr 8 10:01:19 2009 From: andreir at gmail.com (Andrei Radu) Date: Wed, 8 Apr 2009 17:01:19 +0300 Subject: [c-nsp] carrier router models comparison In-Reply-To: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> Message-ID: <74206b240904080701t75420f7dqd1298597e246008c@mail.gmail.com> Hello Manu, Well the Foundry MLX/XMR is a layer 2 switching platform that evolved into a layer 3 switching platform that evolved into an MPLS switching platform much like the 6500/7600. The MLX and XMR are basically the same hardware sold as the core switching platform and the core routing platform (rings a bell ?). Also much like the 6500/7600 it has a TCAM based forwarding engine, as opposed to the programmable ASICs that make up the CRS or the Juniper forwarding engines, which in itself holds many limitations. So you really are comparing apples and pears when comparing the CRS/T-series with the XMR (or the 7600 for that matter). This pretty much explains the price difference. The software is pretty similar to IOS (not XR) at least at the CLI level, don't know about the internals. If you follow the foundry-nsp mailing list, and also the ams-ix mailing list you will see that Foundry has their share of software bugs, ranging from "normal" to forwarding entries disappearing from the hardware FIB. 
Also if I remember correctly the MLX/XMRs are 40G/slot and not 50G/slot (although the platform is 100G/slot ready, actually decix decided to migrate its core to the Foundry MLX 32000 because Force10 is having trouble going to 100G/slot). Hope this helps. Maybe the nanog or the f-nsp folks have a little more info for you. On Tue, Apr 7, 2009 at 6:51 PM, Emanuel Popa wrote: > hi there, > > due to the increase in traffic volume in the last couple of years we > need to really think about the future of the network. we have deployed > and we are managing a 50GE multi-ring topology network with Cisco 7600 > routers. i don't want to get into more details about ring topology > restrictions, platform limitations regarding wire speed, huge problems > with ether-channels or unpredictable load balancing behaviour. we've > been using these chassis since 2004 starting with STM-16 lines and the > PQ ratio looks pretty good so far. > > coming back to nowadays, 40GE or 100GE is not available yet, and even > if it was, the price would be probably unaffordable. and now the > question pops: what is the next step? the best answer is of course a > mix of multiple 10GE lines with traffic engineering and partial mesh > topology and 100GE ready chassis. first thing that comes to mind is > the CRS-1 platform, but it is really expensive: from under 15K per > 10GE port with the Cisco 7600 you have to pay more than 75K per 10GE > port with the CRS-1. so we have to take into consideration what are > the alternatives. 
i will try a short comparison:
>
> - Cisco CRS-1 16 Slot
> --- max 64 x 10GE
> --- max 32 links in a bundle
> --- 40Gbps per slot
> --- 100GE ready
> --- multi-chassis ready
> --- 10.920W max power
> --- 723kg max weight
> --- full rack space
> --- $5.115.000,00/chassis
> --- $79.921,88/10GE
>
> - Juniper T1600
> --- max 64 x 10GE
> --- max 16 links in a bundle
> --- 100Gbps per slot
> --- 100GE ready
> --- multi-chassis ready
> --- 8.352W max power
> --- 274,88kg max weight
> --- 1/2 rack space
> --- $6.547.000,00/chassis
> --- $102.296,88/10GE
>
> - Brocade/ Foundry NetIron XMR 16000
> --- max 64 x 10GE
> --- max 32 links in a bundle
> --- 50Gbps per slot
> --- 100GE ready (* only full slots)
> --- single-chassis
> --- 5.572W max power
> --- 107,00kg max weight
> --- 1/3 rack space
> --- $567.515,00/chassis
> --- $8.867,42/10GE
>
> I've also been looking at Huawei, Alcatel and HP gear but haven't been
> able to find a device to support more than 24 x 10GE ports in a single
> chassis.
>
> Here's what I'm trying to figure out:
>
> 1. are there any other devices on the market with same hardware capabilities?
>
> 2. why the huge difference between foundry and cisco/juniper?
>
> 3. if foundry is so cheap why hasn't it gathered more market share?
> instead it was bought by brocade a while ago...
>
> 4. is the netiron really a carrier router more than a carrier switch?
> anybody experienced it?
>
> 5. how does the software perform when comparing with IOS XR and JunOS?
>
> Please, any comments are welcomed.
>
> Best regards,
> Manu
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-- Andrei "2+2=5, for extremely large values of 2 !" 
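The T3-versus-Ethernet thread above keeps circling the same four practical points: probe the provider's layer 3 next hop rather than trusting an up/up port (Gert, Charles, Ryan), shorten routing-protocol timers so a black hole is noticed, shape to the CIR you actually bought on a sub-rate hand off (Ryan), and end the inbound ACL with "deny ip any any log-input" so an L2-only carrier can be handed a source MAC (Lee). The following is an added example, not a configuration posted by anyone on the list, showing how those pieces fit together on one CE router. Everything specific is assumed: Cisco IOS 12.4T-era command syntax, documentation addresses (provider next hop 192.0.2.1 on Gi0/0, our prefix 203.0.113.0/24, a backup next hop 198.51.100.1), private ASNs 64496/64511, and a 45 Mbit/s CIR on a GigE hand off.

```text
! Added example (not from the thread). Assumed: IOS 12.4T syntax,
! provider next hop 192.0.2.1 on Gi0/0, our prefix 203.0.113.0/24,
! backup next hop 198.51.100.1, 45 Mbit/s CIR on a GigE hand off.
!
! 1. Probe the provider's L3 next hop, not the local switch port, so a
!    break beyond the demarc is noticed even while Gi0/0 stays up/up.
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! 2. Turn the probe into a tracked object. 'up 30' keeps a flapping
!    circuit from being re-preferred until it has been clean for 30 s.
!    (Older images spell this 'track 10 rtr 10 reachability'.)
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 3. Default route follows the track; the floating static (AD 250)
!    is used only while the probe is failing.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! 4. Tell someone when the track goes down (syslog and SNMP trap).
event manager applet UPSTREAM-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "Upstream 192.0.2.1 unreachable via Gi0/0"
 action 2.0 snmp-trap strdata "Upstream 192.0.2.1 unreachable via Gi0/0"
!
! 5. If BGP rides the link, a 10 s keepalive / 30 s hold time notices a
!    black hole in half a minute instead of the 180 s default hold time.
router bgp 64496
 neighbor 192.0.2.1 remote-as 64511
 neighbor 192.0.2.1 timers 10 30
!
! 6. Shape to the CIR you are paying for. The carrier polices at 45M;
!    shaping here makes the drops happen where your own QoS can see them.
policy-map SHAPE-TO-CIR
 class class-default
  shape average 45000000
!
! 7. Inbound filter: allow the link itself (probe replies, BGP), allow
!    traffic to our prefix, drop packets claiming our prefix as source,
!    and log everything else with log-input so the denied message carries
!    the ingress interface and the source MAC address.
ip access-list extended FROM-PROVIDER
 permit ip host 192.0.2.1 host 192.0.2.2
 deny   ip 203.0.113.0 0.0.0.255 any log-input
 permit ip any 203.0.113.0 0.0.0.255
 deny   ip any any log-input
!
interface GigabitEthernet0/0
 description Ethernet hand off to provider
 ip address 192.0.2.2 255.255.255.252
 ip access-group FROM-PROVIDER in
 service-policy output SHAPE-TO-CIR
```

With this in place "show track 10" and "show ip sla statistics 10" tell you whether the far end is really answering, independent of link state, and a %SEC-6-IPACCESSLOG message from the last ACL entry names the interface and source MAC of whatever stray traffic the carrier's L2 network delivered. The ICMP probe checks only that the next hop answers pings; it says nothing about loss or latency further into the provider's network, which is why the BGP timers and the routing protocol are kept as a second, independent check.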
From SMESIATO at petro-canada.ca Wed Apr 8 10:07:39 2009 From: SMESIATO at petro-canada.ca (Mesiatowsky, Shawn) Date: Wed, 8 Apr 2009 08:07:39 -0600 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: <49DC4EEC.3070001@rollernet.us> References: <49DC4EEC.3070001@rollernet.us> Message-ID: <259E69AA141E7640822757CAB3EBC70F18B1D0DBED@MSG-M1P1.pcacorp.net> to detect a failure when the link is still up, you can use ip sla to ping the downstream router. You can then use embedded event manager to track your sla and trigger an event upon failure. The event could be to email you, send an snmp trap, or run a tcl script such as changing static routes. The embedded event manager in IOS is very powerful. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Seth Mattinen Sent: Wednesday, April 08, 2009 1:15 AM To: cisco-nsp Subject: [c-nsp] T3 or Ethernet delivery? One of my carriers has given me a choice for a new circuit delivery: T3 or Ethernet. My outside world circuit experience is all non-Ethernet, so I have a few questions the sales group wasn't able to answer. I'd love to hear some real world experience. The cost difference between the two is not significant enough to be the sole deciding factor and I'm not using pure-Ethernet platforms so it's just a matter of adding the right interface card. How do you detect a "down" condition on Ethernet? My experience is that the interface could be up/up because Ethernet doesn't know about anything further down the line and ends up throwing packets into a magical black hole. Or worse, secret packet loss. Can you even troubleshoot Ethernet? Normally if I'm seeing something like out of frame errors or AIS, I can say "hey, there's a problem and it's X". It scares me to think of opening trouble tickets as "it's broken and I can't really tell you why". 
With a T3 I can be fairly certain that if there aren't any alarms that my end is happily talking to the other end. How does one accomplish the same with Ethernet? A periodic "ping" seems rather ambiguous as a health check. Since this is an outside world connection (i.e. I'm not in a colo) the slightly lower cost and convenience factor of Ethernet doesn't override my desire to stick with a T3 for its management properties and the sleeping good at night feeling I get knowing there are no alarms. My gut tells me to stick with it even though Ethernet delivery is what all the cool kids are doing these days, so any insight is appreciated. Thanks! ~Seth _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications. 
From jlewis at lewis.org Wed Apr 8 10:08:10 2009 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 8 Apr 2009 10:08:10 -0400 (EDT) Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: <935ead450904080618k15aa5c2bo23acf3dac7005e9c@mail.gmail.com> References: <49DC4EEC.3070001@rollernet.us> <935ead450904080618k15aa5c2bo23acf3dac7005e9c@mail.gmail.com> Message-ID: On Wed, 8 Apr 2009, Jeffrey Ollie wrote: >> How do you detect a "down" condition on Ethernet? My experience is that >> the interface could be up/up because Ethernet doesn't know about >> anything further down the line and ends up throwing packets into a >> magical black hole. Or worse, secret packet loss. > > There's nothing unique to Ethernet about that... No, but with ethernet, it's more likely that there's going to be a layer 2 "local device" (i.e. a switch) which you connect to, but the layer 3 next hop is somewhere off on the provider's network in another building. When the network breaks somewhere between the provider's L3 next hop and your location, you'll still be up/up, but have no connectivity. With BGP, you might tune the timers shorter than default so that such a break gets noticed sooner. With a T3, BGP would find out about the break as soon as the interface went down. With ethernet, it's also somewhat easier for your provider to screw things up. I've dealt with several instances where a carrier managed to combine multiple customer VLANs and mix traffic to/from unrelated customers. I've seen similar things once on a DS3 though, so it's not impossible there...just much less likely. Ethernet is generally much cheaper for interfaces. 
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From jason at fidelityaccess.com Wed Apr 8 10:11:57 2009 From: jason at fidelityaccess.com (Jason Gintert) Date: Wed, 08 Apr 2009 10:11:57 -0400 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: Message-ID: I would go with Ethernet services just for the sheer flexibility. With regard to your concerns of monitoring link state, you can use Ethernet demarcation devices such as the ISG 2X series from Overture to solve that. Think of it as an Ethernet "Smart Jack". It provides some pretty neat testing capabilities (looping, layer 2 ping, etc) and can do things like fault propagation per EVC. This means you can have a heartbeat across a VLAN (you'll need Ethernet Demarcation devices on either side) so if the heartbeat between devices is lost on the network side it can drop interface state to your equipment facing ports. Lastly, there are some great SLA tools to verify your provider is giving you the service that you are paying for. I recommend them highly. http://www.overturenetworks.com/products/name/ISG2x.html Jason > Date: Wed, 08 Apr 2009 00:14:52 -0700 > From: Seth Mattinen > Subject: [c-nsp] T3 or Ethernet delivery? > To: cisco-nsp > Message-ID: <49DC4EEC.3070001 at rollernet.us> > Content-Type: text/plain; charset=UTF-8 > > One of my carriers has given me a choice for a new circuit delivery: T3 > or Ethernet. My outside world circuit experience is all non-Ethernet, so > I have a few questions the sales group wasn't able to answer. I'd love > to hear some real world experience. The cost difference between the two > is not significant enough to be the sole deciding factor and I'm not > using pure-Ethernet platforms so it's just a matter of adding the right > interface card. > > How do you detect a "down" condition on Ethernet? 
My experience is that > the interface could be up/up because Ethernet doesn't know about > anything further down the line and ends up throwing packets into a > magical black hole. Or worse, secret packet loss. > > Can you even troubleshoot Ethernet? Normally if I'm seeing something > like out of frame errors or AIS, I can say "hey, there's a problem and > it's X". It scares me to think of opening trouble tickets as "it's > broken and I can't really tell you why". > > With a T3 I can be fairly certain that if there aren't any alarms that > my end is happily talking to the other end. How does one accomplish the > same with Ethernet? A periodic "ping" seems rather ambiguous as a health > check. > > Since this is an outside world connection (i.e. I'm not in a colo) the > slightly lower cost and convenience factor of Ethernet doesn't override > my desire to stick with a T3 for its management properties and the > sleeping good at night feeling I get knowing there are no alarms. My gut > tells me to stick with it even though Ethernet delivery is what all the > cool kids are doing these days, so any insight is appreciated. Thanks! > > ~Seth From dudepron at gmail.com Wed Apr 8 10:32:11 2009 From: dudepron at gmail.com (Aaron) Date: Wed, 8 Apr 2009 10:32:11 -0400 Subject: [c-nsp] SIP-400 and 10GbE SPA In-Reply-To: <49DAA86B.5070306@lists.esoteric.ca> References: <49DAA86B.5070306@lists.esoteric.ca> Message-ID: <480dad640904080732t1746096aie1c92ba31f712b21@mail.gmail.com> It might be supported but you don't get 10GB with it. Aaron On Mon, Apr 6, 2009 at 21:12, Stephen Fulton wrote: > According to the SIP/SPA compatibility matrix: > > > http://www.cisco.com/en/US/docs/interfaces_modules/shared_port_adapters/install_upgrade/7600series/76intro.html#wp1131939 > > The SPA-1X10GE-L-V2 is compatible with SIP-400. > > As always, verify with your Cisco SE. 
> > -- Stephen > > > MKS wrote: > >> Hi There >> >> According to cisco SIP-400 can >> "Ability to run 4 GE line rate for 64-byte packets, and OC-48 line >> rate for 48-byte packets for POS, HDLC, etc. with select services" >> >> https://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8027c9e6.html >> >> Can someone please clarify what exactly this means. >> >> Also if I put a 10GbE SPA into a SIP-400 what is the expected >> performance of that? >> >> Thanks >> //MKS >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dudepron at gmail.com Wed Apr 8 10:42:46 2009 From: dudepron at gmail.com (Aaron) Date: Wed, 8 Apr 2009 10:42:46 -0400 Subject: [c-nsp] Max length of 9600 serial over CAT5e In-Reply-To: <49DC8B1A.2000501@exa-networks.co.uk> References: <49DC7BBE.50906@spacething.org> <49DC8B1A.2000501@exa-networks.co.uk> Message-ID: <480dad640904080742v3c7ed5a2g36d662f9782c99cd@mail.gmail.com> Nom. Capacitance @ 1 KHz:15 pF/ft. for cat 5e On Wed, Apr 8, 2009 at 07:31, Richard Halfpenny < richard.halfpenny at exa-networks.co.uk> wrote: > Sam Stickland wrote: > >> Hi, >> >> What's the maximum length of you can run async-serial (9600 baud) >> over CAT5e (from a terminal server to console port). >> >> My google-fu has failed me. >> > > If I remember correctly, the spec for RS-232 says the maximum capacitance > of a cable can be 2500pF at 20kbps. A Cat5e of approx 46pF / metre would > give you a maximum length of 54 metres. At 9600bps you could probably drive > slightly longer. 
> > Rich > > -- > Network Operations > Exa Networks Ltd :: AS30740 > richard.halfpenny at exa-networks.co.uk > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dudepron at gmail.com Wed Apr 8 11:25:42 2009 From: dudepron at gmail.com (Aaron) Date: Wed, 8 Apr 2009 11:25:42 -0400 Subject: [c-nsp] 2600 series for 100M In-Reply-To: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com> References: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com> Message-ID: <480dad640904080825o3f1103dj9ec0c595cf614172@mail.gmail.com> You don't say what services you are planning on running. Full BGP? That would have an impact on memory requirements. On Wed, Apr 8, 2009 at 08:09, Deric Kwok wrote: > Hi > > Do you know Cisco 2651XM is fine for 100M network? > > If the memory is 256M, it is ok? > > Can it support Virtual private network, VLAN and new tcsh command? > > I check the IOS is "C2600 Software (C2600-ENTSERVICESK9-M), Version > 12.3(23)" > > Do I need to buy any extra memory? 
> > Thank you > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From psirt at cisco.com Wed Apr 8 12:01:39 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 8 Apr 2009 12:01:39 -0400 Subject: [c-nsp] Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances Message-ID: <200904081201.asa@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances Advisory ID: cisco-sa-20090408-asa http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml Revision 1.0 For Public Release 2009 April 08 1600 UTC (GMT) Summary ======= Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances. This security advisory outlines the details of these vulnerabilities: * VPN Authentication Bypass when Account Override Feature is Used vulnerability * Crafted HTTP packet denial of service (DoS) vulnerability * Crafted TCP Packet DoS vulnerability * Crafted H.323 packet DoS vulnerability * SQL*Net packet DoS vulnerability * Access control list (ACL) bypass vulnerability Workarounds are available for some of the vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml. Affected Products ================= Vulnerable Products +------------------ The following is a list of the products affected by each vulnerability as described in detail within this advisory. 
VPN Authentication Bypass Vulnerability +-------------------------------------- Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access VPN and have the Override Account Disabled feature enabled are affected by this vulnerability. Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1). Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature is disabled by default. Crafted HTTP Packet DoS Vulnerability +------------------------------------ Cisco ASA security appliances may experience a device reload that can be triggered by a series of crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are affected by this vulnerability. Crafted TCP Packet DoS Vulnerability +----------------------------------- Cisco ASA and Cisco PIX security appliances may experience a memory leak that can be triggered by a series of crafted TCP packets. Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected when configured for any of the following features: * SSL VPNs * ASDM Administrative Access * Telnet Access * SSH Access * Cisco Tunneling Control Protocol (cTCP) for Remote Access VPNs * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection * Cut-Through Proxy for Network Access * TCP Intercept Crafted H.323 Packet DoS Vulnerability +------------------------------------- Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. 
SQL*Net Packet DoS Vulnerability +------------------------------- Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by a series of SQL*Net packets, when SQL*Net inspection is enabled. SQL*Net inspection is enabled by default. Cisco ASA and Cisco PIX software versions 7.2, 8.0, and 8.1 are affected by this vulnerability. Access Control List Bypass Vulnerability +--------------------------------------- A vulnerability exists in the Cisco ASA and Cisco PIX security appliances that may allow traffic to bypass the implicit deny behavior at the end of ACLs that are configured within the device. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, and 8.0 are affected by this vulnerability. Determination of Software Versions +--------------------------------- The "show version" command-line interface (CLI) command can be used to determine whether a vulnerable version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA Adaptive Security Appliance that runs software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) The following example shows a Cisco PIX security appliance that runs software version 8.0(4): PIX#show version Cisco PIX Security Appliance Software Version 8.0(4) Device Manager Version 5.2(3) Customers who use Cisco ASDM to manage their devices can find the software version displayed in the table in the login window or in the upper left corner of the ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers and Cisco VPN 3000 Series Concentrators are not affected by any of these vulnerabilities. Cisco PIX Security Appliance Software versions 6.x are not affected by any of these vulnerabilities. 
No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.

VPN Authentication Bypass Vulnerability
+--------------------------------------

The Cisco ASA or Cisco PIX security appliance can be configured to override an account-disabled indication from a AAA server and allow the user to log on anyway. However, the user must provide the correct credentials in order to log in to the VPN. A vulnerability exists in the Cisco ASA and Cisco PIX security appliances where VPN users can bypass authentication when the override account feature is enabled.

Note: The override account feature was introduced in Cisco ASA software version 7.1(1).

The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode, as shown in the following example. The following example allows overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group "testgroup":

    hostname(config)#tunnel-group testgroup type webvpn
    hostname(config)#tunnel-group testgroup general-attributes
    hostname(config-tunnel-general)#override-account-disable

Note: The override account feature is disabled by default.

This vulnerability is documented in Cisco Bug ID CSCsx47543 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1155.

Crafted HTTP Packet DoS Vulnerability
+------------------------------------

A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to terminate SSL VPN connections. This vulnerability can also be triggered on any interface where ASDM access is enabled. A successful attack may result in a reload of the device.

A TCP three-way handshake is not needed to exploit this vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsv52239 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1156.

Crafted TCP Packet DoS Vulnerability
+-----------------------------------

A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following features is affected:

  * SSL VPNs
  * ASDM Administrative Access
  * Telnet Access
  * SSH Access
  * cTCP for Remote Access VPNs
  * Virtual Telnet
  * Virtual HTTP
  * TLS Proxy for Encrypted Voice Inspection
  * Cut-Through Proxy for Network Access
  * TCP Intercept

Note: This vulnerability may be triggered when crafted packets are sent to any TCP-based service that terminates on the affected device. The vulnerability may also be triggered via transit traffic only if the TCP intercept feature has been enabled.

A TCP three-way handshake is not needed to exploit this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsy22484 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1157.

Crafted H.323 Packet DoS Vulnerability
+-------------------------------------

A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323 inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the device.

A TCP three-way handshake is not needed to exploit this vulnerability.

This vulnerability is documented in Cisco Bug ID CSCsx32675 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1158.

SQL*Net Packet DoS Vulnerability
+-------------------------------

The SQL*Net protocol consists of different packet types that are handled by the security appliance to make the data stream appear consistent to the Oracle version 7.x and earlier implementations on either side of the Cisco ASA and Cisco PIX security appliances.
A series of SQL*Net packets may cause a denial of service condition on a Cisco ASA and Cisco PIX device that is configured with SQL*Net inspection. SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device.

The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for SQL*Net. Please note that the "class-map" command can be used on the Cisco ASA or Cisco PIX to apply SQL*Net inspection to a range of different port numbers.

A TCP three-way handshake is needed to exploit this vulnerability. The requirement of a TCP three-way handshake significantly reduces the possibility of exploitation using packets with spoofed source addresses.

This vulnerability is documented in Cisco Bug ID CSCsw51809 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1159.

Access Control List Bypass Vulnerability
+---------------------------------------

Access lists have an implicit deny behavior that is applied to packets that have not matched any of the permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design, does not require any configuration and can be understood as an implicit ACE that denies all traffic reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow traffic to bypass the implicit deny ACE.

Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access control lists with explicit deny statements are not affected by this vulnerability.

This vulnerability is experienced on very rare occasions and is extremely hard to reproduce. You can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. The "packet-tracer" command provides detailed information about the packets and how they are processed by the security appliance.
If a command from the configuration did not cause the packet to drop, the "packet-tracer" command will provide information about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an ACL is not taking effect.

The following example shows that the implicit deny is bypassed (result = ALLOW):

    ...
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x1a09d350, priority=1, domain=permit, deny=false
            hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000

This vulnerability is documented in Cisco Bug ID CSCsq91277 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1160.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
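One way to check a batch of saved packet-tracer outputs for the symptom shown above, as an added example that is not part of the Cisco advisory: the script splits a trace into its phases and flags any ACCESS-LIST phase whose Config is the implicit rule but whose Result is ALLOW. The sample trace is constructed around the phase quoted above (the ASA field names are real, the helper names are assumed).

```python
"""Flag an implicit-rule ALLOW in ASA "packet-tracer" output.

Added example, not part of the Cisco advisory. SAMPLE_TRACE is constructed
from the phase block the advisory quotes, with a normal route-lookup phase
in front of it; parse_phases() and implicit_allow_phases() are my own.
"""
import re

# Constructed sample: phase 1 is an ordinary route lookup, phase 2 is the
# advisory's implicit-deny phase that should read DROP but reads ALLOW.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x1a09d350, priority=1, domain=permit, deny=false
        hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.MULTILINE)


def parse_phases(trace):
    """Split packet-tracer output into one dict per phase.

    Each dict carries the single-line fields (type, subtype, result) and
    the lines printed between "Config:" and "Additional Information:".
    """
    phases = []
    starts = list(PHASE_RE.finditer(trace))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(trace)
        phase = {"phase": int(m.group(1)), "config": []}
        in_config = False
        for line in trace[m.end():end].splitlines():
            if line.startswith("Additional Information:"):
                in_config = False
            if in_config and line.strip():
                phase["config"].append(line.strip())
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    phase[key.lower()] = line.split(":", 1)[1].strip()
            if line.startswith("Config:"):
                in_config = True
        phases.append(phase)
    return phases


def implicit_allow_phases(trace):
    """Return the phase numbers in which the implicit end-of-ACL rule ALLOWed.

    On a healthy appliance an ACCESS-LIST phase whose Config is "Implicit
    Rule" ends in DROP; ALLOW is the symptom described for CSCsq91277.
    """
    return [p["phase"] for p in parse_phases(trace)
            if p.get("type") == "ACCESS-LIST"
            and p.get("result") == "ALLOW"
            and "Implicit Rule" in p["config"]]


if __name__ == "__main__":
    bad = implicit_allow_phases(SAMPLE_TRACE)
    print("implicit deny bypassed in phase(s):", bad if bad else "none")
```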
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

  * AAA account-override-ignore allows VPN session without correct password (CSCsx47543)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - Complete
      Integrity Impact - None
      Availability Impact - None

    CVSS Temporal Score - 6.8
      Exploitability - High
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * Cisco ASA may crash with certain HTTP packets (CSCsv52239)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * Cisco ASA may crash after processing certain TCP packets (CSCsy22484)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * Crafted H.323 packet may cause ASA to reload (CSCsx32675)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * sqlnet traffic causes traceback with inspection configured (CSCsw51809)

    CVSS Base Score - 7.8
      Access Vector - Network
      Access Complexity - Low
      Authentication - None
      Confidentiality Impact - None
      Integrity Impact - None
      Availability Impact - Complete

    CVSS Temporal Score - 6.4
      Exploitability - High
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

  * ACL Misbehavior in Cisco ASA (CSCsq91277)

    CVSS Base Score - 4.3
      Access Vector - Network
      Access Complexity - Medium
      Authentication - None
      Confidentiality Impact - Partial
      Integrity Impact - None
      Availability Impact - None

    CVSS Temporal Score - 3.6
      Exploitability - Functional
      Remediation Level - Official-Fix
      Report Confidence - Confirmed

Impact
======

Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN.

The Denial of Service (DoS) vulnerabilities may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition.

Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

The following table contains the first fixed software release of each vulnerability. The "Recommended Release" row indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable.
Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Release" row of the table.

+------------------------------------------------------+
|                | Affected |   First    | Recommended |
| Vulnerability  | Release  |   Fixed    |   Release   |
|                |          |  Version   |             |
|----------------+----------+------------+-------------|
|                | 7.0      | Not        | 7.0(8)6     |
| VPN            |          | vulnerable |             |
|Authentication  |----------+------------+-------------|
| Bypass when    | 7.1      | 7.1(2)82   | 7.1(2)82    |
|Account         |----------+------------+-------------|
| Override       | 7.2      | 7.2(4)27   | 7.2(4)30    |
|Feature is      |----------+------------+-------------|
| Used           | 8.0      | 8.0(4)25   | 8.0(4)28    |
|Vulnerability   |----------+------------+-------------|
|                | 8.1      | 8.1(2)15   | 8.1(2)19    |
|----------------+----------+------------+-------------|
|                | 7.0      | Not        | 7.0(8)6     |
|                |          | vulnerable |             |
|                |----------+------------+-------------|
|                | 7.1      | Not        | 7.1(2)82    |
| Crafted HTTP   |          | vulnerable |             |
|packet DoS      |----------+------------+-------------|
| Vulnerability  | 7.2      | Not        | 7.2(4)30    |
|                |          | vulnerable |             |
|                |----------+------------+-------------|
|                | 8.0      | 8.0(4)25   | 8.0(4)28    |
|                |----------+------------+-------------|
|                | 8.1      | 8.1(2)15   | 8.1(2)16    |
|----------------+----------+------------+-------------|
|                | 7.0      | 7.0(8)6    | 7.0(8)6     |
|                |----------+------------+-------------|
|                | 7.1      | 7.1(2)82   | 7.1(2)82    |
|Crafted TCP     |----------+------------+-------------|
| Packet DoS     | 7.2      | 7.2(4)30   | 7.2(4)30    |
|Vulnerability   |----------+------------+-------------|
|                | 8.0      | 8.0(4)28   | 8.0(4)28    |
|                |----------+------------+-------------|
|                | 8.1      | 8.1(2)19   | 8.1(2)19    |
|----------------+----------+------------+-------------|
|                | 7.0      | 7.0(8)6    | 7.0(8)6     |
|                |----------+------------+-------------|
|                | 7.1      | 7.1(2)82   | 7.1(2)82    |
|Crafted H.323   |----------+------------+-------------|
| packet DoS     | 7.2      | 7.2(4)26   | 7.2(4)30    |
|Vulnerability   |----------+------------+-------------|
|                | 8.0      | 8.0(4)24   | 8.0(4)28    |
|                |----------+------------+-------------|
|                | 8.1      | 8.1(2)14   | 8.1(2)19    |
|----------------+----------+------------+-------------|
|                | 7.0      | Not        | 7.0(8)6     |
|                |          | vulnerable |             |
|                |----------+------------+-------------|
|                | 7.1      | Not        | 7.1(2)82    |
| Crafted SQL    |          | vulnerable |             |
|packet DoS      |----------+------------+-------------|
| vulnerability  | 7.2      | 7.2(4)26   | 7.2(4)30    |
|                |----------+------------+-------------|
|                | 8.0      | 8.0(4)22   | 8.0(4)28    |
|                |----------+------------+-------------|
|                | 8.1      | 8.1(2)12   | 8.1(2)19    |
|----------------+----------+------------+-------------|
|                | 7.0      | 7.0(8)1    | 7.0(8)6     |
|                |----------+------------+-------------|
|                | 7.1      | 7.1(2)74   | 7.1(2)82    |
|Access control  |----------+------------+-------------|
| list (ACL)     | 7.2      | 7.2(4)9    | 7.2(4)30    |
|bypass          |----------+------------+-------------|
| vulnerability  | 8.0      | 8.0(4)5    | 8.0(4)28    |
|                |----------+------------+-------------|
|                | 8.1      | Not        | 8.1(2)19    |
|                |          | vulnerable |             |
+------------------------------------------------------+

Fixed Cisco ASA software can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT

Fixed Cisco PIX software can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/PIXPSIRT

Workarounds
===========

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other.

VPN Authentication Bypass Vulnerability
+--------------------------------------

The override account feature is enabled with the "override-account-disable" command in "tunnel-group general-attributes" configuration mode. As a workaround, disable this feature using the "no override-account-disable" command.

Crafted HTTP Packet DoS Vulnerability
+------------------------------------

Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management connections are vulnerable.

Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM connections are only allowed from trusted hosts. To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM, configure the "http" command for each trusted host address or subnet. The following example shows how a trusted host with IP address 192.168.1.100 is added to the configuration:

    hostname(config)# http 192.168.1.100 255.255.255.255

Crafted TCP Packet DoS Vulnerability
+-----------------------------------

There are no workarounds for this vulnerability.

Crafted H.323 Packet DoS Vulnerability
+-------------------------------------

H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. H.323 inspection can be disabled with the command "no inspect h323".

SQL*Net Packet DoS Vulnerability
+-------------------------------

SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate this vulnerability. SQL*Net inspection can be disabled with the command "no inspect sqlnet".

Access Control List (ACL) Bypass Vulnerability
+---------------------------------------------

As a workaround, remove the "access-group" line applied on the interface where the ACL is configured and re-apply it. For example:

    ASA(config)#no access-group acl-inside in interface inside
    ASA(config)#access-group acl-inside in interface inside

In the previous example the access group called "acl-inside" is removed and reapplied to the inside interface.

Alternatively, you can add an explicit "deny ip any any" line at the bottom of the ACL applied on that interface. For example:

    ASA(config)#access-list 100 deny ip any any

In the previous example, an explicit deny for all IP traffic is added at the end of "access-list 100".
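The workaround settings above can be checked for in a saved running-config before touching a device; the audit script below is an added example and not Cisco's code. The configuration it reads is constructed, the audit() helper and its finding format are my own, and the "http" entries are assumed to carry the interface name as the full command form does.

```python
"""Audit an ASA/PIX running-config for the workarounds in this advisory.

Added example, not Cisco's code. SAMPLE_CONFIG is constructed; it uses only
command syntax the advisory shows (override-account-disable, inspect h323 /
inspect sqlnet, http <host> <mask> <interface>, access-group, access-list).
audit() and its (bug id, finding) output format are my own.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list acl-inside extended permit tcp any any eq 80
access-list acl-inside extended permit udp any any eq 53
access-list acl-dmz remark mail relay only
access-list acl-dmz extended permit tcp any host 10.1.1.5 eq 25
access-list acl-dmz extended deny ip any any
access-group acl-inside in interface inside
access-group acl-dmz in interface dmz
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.100 255.255.255.255 inside
tunnel-group testgroup type webvpn
tunnel-group testgroup general-attributes
 override-account-disable
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sqlnet
  inspect dns
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended |standard )?(.*)")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
TG_RE = re.compile(r"tunnel-group (\S+) general-attributes")
ANY_HTTP_RE = re.compile(r"http 0\.0\.0\.0 0\.0\.0\.0 \S+")


def audit(config):
    """Return (bug_id, finding) tuples, in config order, for each setting
    the advisory's Workarounds section says to disable, restrict or add."""
    findings = []
    aces = defaultdict(list)   # ACL name -> ACE lines (remarks skipped)
    applied = []               # (ACL name, direction, interface)
    tunnel_group = None        # tunnel-group whose general-attributes we are in
    for line in config.splitlines():
        s = line.strip()
        m = ACL_RE.match(s)
        if m:
            if not m.group(2).startswith("remark"):
                aces[m.group(1)].append(m.group(2))
            continue
        m = GROUP_RE.match(s)
        if m:
            applied.append(m.groups())
            continue
        m = TG_RE.match(s)
        if m:
            tunnel_group = m.group(1)
            continue
        if s == "override-account-disable" and tunnel_group:
            findings.append(("CSCsx47543", "tunnel-group %s: override-account-disable "
                             "is set; workaround is 'no override-account-disable'" % tunnel_group))
        elif s.startswith("inspect h323"):
            findings.append(("CSCsx32675", "%s is enabled; use 'no %s' if not needed" % (s, s)))
        elif s == "inspect sqlnet":
            findings.append(("CSCsw51809", "inspect sqlnet is enabled; use 'no inspect sqlnet' if not needed"))
        elif ANY_HTTP_RE.match(s):
            findings.append(("CSCsv52239", "'%s' accepts ASDM/HTTPS from any host; "
                             "replace with http entries for trusted hosts only" % s))
    # ACL bypass workaround: every applied ACL should end in an explicit deny ip any any.
    for name, direction, iface in applied:
        last = aces[name][-1] if aces[name] else ""
        if not re.search(r"\bdeny ip any any$", last):
            findings.append(("CSCsq91277", "ACL %s (%s on %s) lacks a trailing 'deny ip any any'; "
                             "add one, or remove and re-apply the access-group" % (name, direction, iface)))
    return findings


if __name__ == "__main__":
    for bug, text in audit(SAMPLE_CONFIG):
        print(bug, text)
```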
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link:

http://www.cisco.com/warp/public/707/cisco-amb-20090408-asa.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action with regard to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The crafted TCP packet DoS vulnerability was discovered and reported to Cisco by Gregory W. MacPherson and Robert J. Combo from Verizon Business. The ACL bypass vulnerability was reported to Cisco by Jon Ramsey and Jeff Jarmoc from SecureWorks.
The Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and welcomes the opportunity to review and assist in product reports.

All other vulnerabilities were found during internal testing and during the resolution of customer service requests.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-April-08 | Initial public release.     |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Apr 08, 2009                                Document ID: 109974

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkncyUMACgkQ86n/Gc8U/uBS1ACeP7Toj7XSKuo/eaLfK6K4Gqzc
Q8EAn2anUwiQH4xV5NoNVt+3JiKn2LXQ
=Xi7D
-----END PGP SIGNATURE-----

From peter at rathlev.dk Wed Apr 8 12:03:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 08 Apr 2009 18:03:41 +0200
Subject: [c-nsp] about eompls on 7609
In-Reply-To: <24825069.914261239168165588.JavaMail.coremail@bj163app105.163.com>
References: <24825069.914261239168165588.JavaMail.coremail@bj163app105.163.com>
Message-ID: <1239206621.3496.4.camel@localhost.localdomain>

On Wed, 2009-04-08 at 13:22 +0800, ying-xiang wrote:
> following is my topology brief:
>
> SwitchA---PE1(7609-1)---PE2(7609-2)---SwitchB
>
> Both switchA and switchB are configured a vlan100 to achieve layer two
> transport through EoMPLS and they work without any issue
> but i got an error when i tried to set the same vlan id on the PEs
> could anyone explain this for me ?

You really should post the error you got, that would make it much easier to answer the question. :-)

The 7600 cannot have VLAN ID overlap between interfaces on LAN cards.
This means that using a VLAN on a subinterface, as you do with subint-EoMPLS, means you cannot also perform regular switching of this VLAN. It's a platform limitation.

Regards,
Peter

From Mike.Anning at chep.com Wed Apr 8 12:15:51 2009
From: Mike.Anning at chep.com (Anning, Mike)
Date: Wed, 8 Apr 2009 17:15:51 +0100
Subject: [c-nsp] show dot11 network-map
In-Reply-To: <9e246b4d0904061302l1f2c5ad7rec292c3b986052cd@mail.gmail.com>
Message-ID:

Anyone know if the show dot11 network-map output on 1200 series access points shows either:

1. neighbouring access points it can see over the dot11 radio interface
2. neighbouring access points it can see over the wire within the same subnet

I am thinking option 2 but cannot find anything conclusive.

Many thanks in advance

Mike

Company Registration number: 197807; Place of Registration: England; Registered office address: Weybridge Business Park, Addlestone Road, Addlestone, Surrey, KT15 2UP

Confidentiality Notice: This message, together with its annexes, contains information to be deemed strictly confidential, that may be legally privileged and is destined only to the addressee(s) identified above who only may use, copy and, under his/their responsibility, further disseminate it. If anyone received this message by mistake or reads it without entitlement is forewarned that keeping, copying, disseminating or distributing this message to persons other than the addressee(s) is strictly forbidden and is asked to transmit it immediately to the sender and to erase the original message received. Thank you.

Please consider the environment before you print this message. Thank you.

From billw at waveform.net Wed Apr 8 12:58:49 2009
From: billw at waveform.net (Bill Wichers)
Date: Wed, 8 Apr 2009 12:58:49 -0400
Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: <49DC4EEC.3070001@rollernet.us>
References: <49DC4EEC.3070001@rollernet.us>
Message-ID:

I've found that some carriers consider Ethernet something of a "toy" whereas TDM and SONET circuits are considered more "mission critical". Basically our local engineering guys say that the Ethernet links are just a "bunch of jumpers in COs", and by that they mean a single link patched through to where it needs to go with no protection or management anywhere. The T3 links, while not always path diverse, are typically at least provisioned as 4 fiber handoffs within the carrier's network so you at least have some protection against a dead optic. This seems to be especially an issue for intercity links since the T3s are typically protected around a ring between the cities and the Ethernet rarely, if ever, is protected at all. This is just the ILEC (ATT here) though, most of the CLECs offer protection options for their Ethernet offerings.

Personally I've been burned before with carriers not provisioning circuits as "protected" as one would expect (which includes TDM/SONET links). I try to keep all our core links on our own fiber where we control the physical routing and protection, but we have a few remote POPs that are not economical to build fiber to and those are the ones with the leased links. I'm not a big fan of Ethernet for the links to these POPs, but the Ethernet links we use from our gear to the customer premises do tend to work OK.

Regarding monitoring, use a routing protocol that has keepalives to detect an outage. If you are using a switch you can probably determine link state on the circuit too (although this probably won't give you an indication of end-to-end circuit status since the carrier probably has a switch serving you that will give you a link regardless of the "rest" of the circuit working).

-Bill

> One of my carriers has given me a choice for a new circuit delivery: T3
> or Ethernet.
> My outside world circuit experience is all non-Ethernet, so
> I have a few questions the sales group wasn't able to answer. I'd love
> to hear some real world experience. The cost difference between the two
> is not significant enough to be the sole deciding factor and I'm not
> using pure-Ethernet platforms so it's just a matter of adding the right
> interface card.
>
> How do you detect a "down" condition on Ethernet? My experience is that
> the interface could be up/up because Ethernet doesn't know about
> anything further down the line and ends up throwing packets into a
> magical black hole. Or worse, secret packet loss.
>
> Can you even troubleshoot Ethernet? Normally if I'm seeing something
> like out of frame errors or AIS, I can say "hey, there's a problem and
> it's X". It scares me to think of opening trouble tickets as "it's
> broken and I can't really tell you why".
>
> With a T3 I can be fairly certain that if there aren't any alarms that
> my end is happily talking to the other end. How does one accomplish the
> same with Ethernet? A periodic "ping" seems rather ambiguous as a health
> check.
>
> Since this is an outside world connection (i.e. I'm not in a colo) the
> slightly lower cost and convenience factor of Ethernet doesn't override
> my desire to stick with a T3 for its management properties and the
> sleeping good at night feeling I get knowing there are no alarms. My gut
> tells me to stick with it even though Ethernet delivery is what all the
> cool kids are doing these days, so any insight is appreciated. Thanks!
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From billw at waveform.net Wed Apr 8 13:03:30 2009
From: billw at waveform.net (Bill Wichers)
Date: Wed, 8 Apr 2009 13:03:30 -0400
Subject: [c-nsp] Max length of 9600 serial over CAT5e
In-Reply-To: <49DC8B1A.2000501@exa-networks.co.uk>
References: <49DC7BBE.50906@spacething.org> <49DC8B1A.2000501@exa-networks.co.uk>
Message-ID:

RS-232 has more limitations than just cable capacitance. RS-232 is a single-ended communication protocol (on the physical level), so its noise immunity is not very good. This is especially a problem if you're running the cable in an electrically noisy environment (like a cable tray or wiring closet(s), etc.).

If you need to run a long distance, why not just convert your RS-232 signal to RS-422 where you can safely run a 9600bps signal out to over a kilometer? All you need is a 2 pair cable, ideally with a shield, provided you don't need hardware flow control. The converters are usually cheap, maybe $50 or so per end unless you need electrical isolation.

-Bill

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Richard Halfpenny
> Sent: Wednesday, April 08, 2009 7:32 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Max length of 9600 serial over CAT5e
>
> Sam Stickland wrote:
> > Hi,
> >
> > What's the maximum length you can run async-serial (9600 baud)
> > over CAT5e (from a terminal server to console port).
> >
> > My google-fu has failed me.
>
> If I remember correctly, the spec for RS-232 says the maximum
> capacitance of a cable can be 2500pF at 20kbps. A Cat5e of approx 46pF
> / metre would give you a maximum length of 54 metres. At 9600bps you
> could probably drive slightly longer.
>
> Rich
>
> --
> Network Operations
> Exa Networks Ltd :: AS30740
> richard.halfpenny at exa-networks.co.uk
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From mohacsi at niif.hu Wed Apr 8 13:05:55 2009
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Wed, 8 Apr 2009 19:05:55 +0200 (CEST)
Subject: [c-nsp] 2600 series for 100M
In-Reply-To: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com>
References: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com>
Message-ID:

According to Cisco: 265x(XM) is capable of the following performance for IP packets: in CEF switching: 40000 PPS and around 21 Mbps

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Wed, 8 Apr 2009, Deric Kwok wrote:

> Hi
>
> Do you know Cisco 2651XM is fine for 100M network?
>
> If the memory is 256M, it is ok?
>
> Can it support Virtual private network, VLAN and new tcsh command?
>
> i check the ios is "C2600 Software (C2600-ENTSERVICESK9-M), Version
> 12.3(23)"
>
> Do I need to buy any extra memory?
>
> Thank you
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sethm at rollernet.us Wed Apr 8 13:36:56 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 08 Apr 2009 10:36:56 -0700
Subject: [c-nsp] Max length of 9600 serial over CAT5e
In-Reply-To:
References: <49DC7BBE.50906@spacething.org> <49DC8B1A.2000501@exa-networks.co.uk>
Message-ID: <49DCE0B8.3070403@rollernet.us>

Bill Wichers wrote:
> RS-232 has more limitations than just cable capacitance.
RS-232 is a > single-ended communication protocol (on the physical level), so its > noise immunity is not very good. This is especially a problem if you're > running the cable in an electrically noisy environment (like a cable > tray or wiring closet(s), etc.). > > If you need to run a long distance, why not just convert your RS-232 > signal to RS-422 where you can safely run a 9600bps signal out to over a > kilometer? All you need is a 2 pair cable, ideally with a shield, > provided you don't need hardware flow control. The converters are > usually cheap, maybe $50 or so per end unless you need electrical > isolation. > I'll second the 422. It's not worth running 232 for long distances. The converter cost is trivial. Plus, if you're stuck running serial through a 1/2" conduit, not having that DB9 connector makes the job so much easier. ~Seth From sethm at rollernet.us Wed Apr 8 13:48:46 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 08 Apr 2009 10:48:46 -0700 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: References: <49DC4EEC.3070001@rollernet.us> Message-ID: <49DCE37E.4070908@rollernet.us> Bill Wichers wrote: > I've found that some carriers consider Ethernet something of a "toy" > whereas TDM and SONET circuits are considered more "mission critical". > Basically our local engineering guys say that the Ethernet links are > just a "bunch of jumpers in COs", and by that they mean a single link > patched through to where it needs to go with no protection or management > anywhere. The T3 links, while not always path diverse, are typically at > least provisioned as 4 fiber handoffs within the carrier's network so > you at least have some protection against a dead optic. This seems to be > especially an issue for intercity links since the T3s are typically > protected around a ring between the cities and the Ethernet rarely, if > ever, is protected at all.
This is just the ILEC (ATT here) though, most > of the CLECs offer protection options for their Ethernet offerings. Good to know; mine is going to a POP in another state since where I am isn't exactly a major stop on the internet for anyone to put an L3 POP in state. > Personally I've been burned before with carriers not provisioning > circuits as "protected" as one would expect (which includes TDM/SONET > links). I try to keep all our core links on our own fiber where we > control the physical routing and protection, but we have a few remote > POPs that are not economical to build fiber to and those are the ones > with the leased links. I'm not a big fan of Ethernet for the links to > these POPs, but the Ethernet links we use from our gear to the customer > premises do tend to work OK. > > Regarding monitoring, use a routing protocol that has keepalives to > detect an outage. If you are using a switch you can probably determine > link state on the circuit too (although this probably won't give you an > indication of end-to-end circuit status since the carrier probably has a > switch serving you that will give you a link regardless of the "rest" of > the circuit working). > I probably should have mentioned that I will be running BGP. I have an existing multihomed network and this circuit will be just adding another transit circuit. For added fun, they're going to use some circa 1997 existing fiber equipment (thus qualifying for lit building pricing), complete with a blinking "fault" light on one side of the ring. I will make them aware of that before I sign anything. ;) ~Seth From sethm at rollernet.us Wed Apr 8 13:48:44 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 08 Apr 2009 10:48:44 -0700 Subject: [c-nsp] T3 or Ethernet delivery?
In-Reply-To: References: <49DC4EEC.3070001@rollernet.us> <935ead450904080618k15aa5c2bo23acf3dac7005e9c@mail.gmail.com> Message-ID: <49DCE37C.1030809@rollernet.us> Jon Lewis wrote: > On Wed, 8 Apr 2009, Jeffrey Ollie wrote: > >>> How do you detect a "down" condition on Ethernet? My experience is that >>> the interface could be up/up because Ethernet doesn't know about >>> anything further down the line and ends up throwing packets into a >>> magical black hole. Or worse, secret packet loss. >> >> There's nothing unique to Ethernet about that... > > No, but with Ethernet, it's more likely that there's going to be a layer > 2 "local device" (i.e. a switch) which you connect to, but the layer 3 > next hop is somewhere off on the provider's network in another building. > When the network breaks somewhere between the provider's L3 next hop and > your location, you'll still be up/up, but have no connectivity. With > BGP, you might tune the timers shorter than default so that such a break > gets noticed sooner. With a T3, BGP would find out about the break as > soon as the interface went down. In my case the next L3 hop is going to be in another state. For example with Sprint, I'm in Reno, NV and their router is in Stockton, CA. As far as the actual equipment, it will be an HWIC-1FE (HWIC-1GE-SFP if fiber) or NM-1T3/E3 in a 3800. ~Seth From sethm at rollernet.us Wed Apr 8 13:54:29 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 08 Apr 2009 10:54:29 -0700 Subject: [c-nsp] 2600 series for 100M In-Reply-To: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com> References: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com> Message-ID: <49DCE4D5.6030708@rollernet.us> Deric Kwok wrote: > Hi > > Do you know if the Cisco 2651XM is fine for a 100M network? You aren't likely to get line rate 100 meg out of it. > If the memory is 256M, is it OK? > > Can it support Virtual private network, VLAN and new tcsh command? It'll do crypto (slowly).
You'll need a crypto AIM if you're going to do anything serious with it. > I checked the IOS is "C2600 Software (C2600-ENTSERVICESK9-M), Version > 12.3(23)" > > Do I need to buy any extra memory? > 256MB is the maximum for that platform. You'll only have access to the lower 128 since the other half is used to hold the decompressed IOS image. Sounds weird, but it gives you more free memory, although not like one would expect if you've never used a 2600XM before. ~Seth From raa at opusnet.com Wed Apr 8 14:03:40 2009 From: raa at opusnet.com (Ruben Alvarez) Date: Wed, 8 Apr 2009 11:03:40 -0700 Subject: [c-nsp] Ping priority on Cisco devices Message-ID: <004901c9b874$59596e00$0c0c4a00$@com> All, I've heard that Cisco devices handle ICMP at a low priority. I found one post describing it as handled in process switching and not fast switching. Does anyone have an article that explains that process, and is it configurable? The reason I ask is I see about 4% packet loss when I ping devices in our broadband aggregation network. From the CPE to the router there is none, from my workstation to the router there is none, but if I ping the whole path I get a fairly consistent 4% loss. I can't find any congestion or errors. Pings from my workstation to the CPE are a consistent 60ms, aside from the 4% loss. Thanks. From peter at rathlev.dk Wed Apr 8 14:48:57 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 08 Apr 2009 20:48:57 +0200 Subject: [c-nsp] 2600 series for 100M In-Reply-To: <49DCE4D5.6030708@rollernet.us> References: <40d8a95a0904080509t3955662bod20a1fc36b8353c9@mail.gmail.com> <49DCE4D5.6030708@rollernet.us> Message-ID: <1239216537.3496.12.camel@localhost.localdomain> On Wed, 2009-04-08 at 10:54 -0700, Seth Mattinen wrote: > > Can it support Virtual private network, VLAN and new tcsh command? > > It'll do crypto (slowly). You'll need a crypto AIM if you're going to do > anything serious with it. Agreed.
We had a 2651XM with a single GRE+IPSec tunnel once and it was able to forward no more than around 10-15 mbps with 3DES and no AIM. Regards, Peter From oboehmer at cisco.com Wed Apr 8 15:06:02 2009 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 8 Apr 2009 21:06:02 +0200 Subject: [c-nsp] Ping priority on Cisco devices In-Reply-To: <004901c9b874$59596e00$0c0c4a00$@com> References: <004901c9b874$59596e00$0c0c4a00$@com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784072CC389@xmb-ams-333.emea.cisco.com> Ruben Alvarez <> wrote on Wednesday, April 08, 2009 20:04: > All, > > I've heard that Cisco devices handle ICMP at a low priority. I found > one post describing it handled in process-switching and not > fast-switching. Does anyone have an article that explains that > process and is it configurable? Pings *to* the router are processed in process switching (as all/most other packets destined to the router itself). Pings *through* the router are switched like all others. > The reason I ask is I see about 4% packet loss when I ping devices in > our broadband aggregation network. From the CPE to the router there > is none, from my workstation to the router there is none, but if I > ping the whole path I get a fairly consistent 4% loss. I can't find > any congestion or errors. Ping from my workstation to the CPE are a > consistent 60ms, aside from the 4% loss. don't know what could be causing this. I would try to troubleshoot in which direction the packets are lost, and troubleshoot further.. but sounds strange.. oli From sf at lists.esoteric.ca Wed Apr 8 15:43:57 2009 From: sf at lists.esoteric.ca (Stephen Fulton) Date: Wed, 08 Apr 2009 15:43:57 -0400 Subject: [c-nsp] SIP-400 and EoMPLS, VPLS and H-VPLS Message-ID: <49DCFE7D.9090205@lists.esoteric.ca> According to the SIP/SPA configuration guide for the 7600, the SIP-400 with a SPA-2X1GE-V2 or a SPA-5X1GE-V2, can use individual ports in either a core-facing or edge facing role in MPLS. 
Can someone please confirm this? Thanks, -- Stephen From sethm at rollernet.us Wed Apr 8 15:54:22 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Wed, 08 Apr 2009 12:54:22 -0700 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: <49DC4EEC.3070001@rollernet.us> References: <49DC4EEC.3070001@rollernet.us> Message-ID: <49DD00EE.9030806@rollernet.us> A big thank you to everyone who shared their wisdom. I'm going to go back and ask them how they plan on delivering the circuit. If it is TDM all the way up to the building and the difference is purely which card they put in their shelf to hand it off to me, then there's not much point in paying extra for the T3. ~Seth From eng_mssk at hotmail.com Wed Apr 8 17:39:47 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Thu, 9 Apr 2009 00:39:47 +0300 Subject: [c-nsp] DNS Tool Message-ID: Hey all, is there any tool that can monitor the DNS behavior? For example, the resolving process and if there are any errors? Thanks From walter.keen at RainierConnect.net Wed Apr 8 17:42:50 2009 From: walter.keen at RainierConnect.net (Walter Keen) Date: Wed, 08 Apr 2009 14:42:50 -0700 Subject: [c-nsp] DNS Tool In-Reply-To: References: Message-ID: <49DD1A5A.2020001@rainierconnect.net> Could you elaborate a little? We use Nagios to monitor other things, and use a DNS check plugin that simply does a DNS query and reports if it successfully got an answer. I think there are other ones that will compare the answer to a known good answer you supply (wouldn't work well with something like Google.com or yahoo.com that does a lot of round robin entries). Mohammad Khalil wrote: > Hey all, > is there any tool that can monitor the DNS behavior? > For example, the resolving process and if there are any errors?
> > Thanks From stevend at uidaho.edu Wed Apr 8 17:45:05 2009 From: stevend at uidaho.edu (Dodd, Steven) Date: Wed, 8 Apr 2009 14:45:05 -0700 Subject: [c-nsp] DNS Tool In-Reply-To: References: Message-ID: <4C0A1E4AB1B97642AFB097A8CDA0B223DCD3C9@EXVS1.its.uidaho.edu> Without knowing more about what you are specifically trying to accomplish, dig is the tool you are looking for. -Steve -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Wednesday, April 08, 2009 2:40 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] DNS Tool Hey all, is there any tool that can monitor the DNS behavior? For example, the resolving process and if there are any errors? Thanks
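Steve's answer names dig and Walter's reply describes the Nagios check that compares the answer with a known-good one. The prober below is an added example for this thread (not code from any poster, from Nagios or from dig) that does both without external tools: it sends an A query to each resolver, reports the rcode, round-trip time and answers, and flags a mismatch against the expected address set. The resolver addresses, the queried name and the expected answers are placeholders in documentation ranges, and SAMPLE_RESPONSE is a constructed packet used only to exercise the parser offline. Two details matter beyond "did it resolve": a NOERROR answer carrying the wrong address is what a hijacked or poisoned resolver looks like, so it is reported as MISMATCH rather than OK, and a reply whose transaction ID does not match the query is discarded rather than scored, which is the minimum defence against stray or spoofed replies.

```python
"""Resolver prober (standard library only): sends an A query with a random
transaction ID to each resolver, reports rcode / RTT / answers and compares
them with an expected set.  Added example for the "DNS Tool" thread, not
code from any poster; addresses, name and expected answers are placeholders
(RFC 2606 / RFC 5737) and SAMPLE_RESPONSE is constructed."""
import random
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid, qtype=1):
    """Standard recursive (RD=1) query for `name`, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer, then jump
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data, expected_id):
    """Return rcode name, RA flag and the A records.  A reply whose ID does
    not match is a stray or spoofed packet, not an answer, so it raises."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch: %04x != %04x" % (qid, expected_id))
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "recursion_available": bool(flags & 0x0080),
            "answers": sorted(answers)}


def probe(resolver, name, timeout=2.0):
    """One live query; returns (status, rtt_ms, answers), status = rcode or TIMEOUT."""
    qid = random.randrange(1 << 16)          # unpredictable ID (RFC 5452)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT", (time.monotonic() - start) * 1000, []
    finally:
        sock.close()
    r = parse_response(data, qid)
    return r["rcode"], (time.monotonic() - start) * 1000, r["answers"]


def check(status, answers, expected):
    """OK, ERROR (bad rcode or timeout) or MISMATCH: NOERROR with the wrong
    addresses is what a hijacked or poisoned resolver looks like."""
    if status != "NOERROR":
        return "ERROR"
    return "OK" if set(answers) == set(expected) else "MISMATCH"


# Constructed NOERROR reply (ID 0x1234, RA set) for www.example.com with two
# A records that use compression pointers (0xc00c) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.11")
)

if __name__ == "__main__":                   # live use: your resolvers and a name you control
    expected = ["192.0.2.10", "192.0.2.11"]
    for resolver in ("192.0.2.53", "198.51.100.53"):
        status, rtt, answers = probe(resolver, "www.example.com")
        print("%-15s %-8s %7.1f ms %-8s %s" % (resolver, status, rtt,
                                               check(status, answers, expected), answers))
```

Run it from cron or a Nagios wrapper against each of your resolvers with a name you control, so that the expected set is stable (the round-robin caveat Walter raises still applies to third-party names). A SERVFAIL or TIMEOUT from one resolver while the others answer points at that resolver; an ERROR from all of them points at the path to the authoritative servers; a MISMATCH is an incident, not a performance problem.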
From tedm at toybox.placo.com Wed Apr 8 17:48:29 2009 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Wed, 08 Apr 2009 14:48:29 -0700 Subject: [c-nsp] Ping priority on Cisco devices In-Reply-To: <004901c9b874$59596e00$0c0c4a00$@com> References: <004901c9b874$59596e00$0c0c4a00$@com> Message-ID: <49DD1BAD.6020604@toybox.placo.com> Ruben Alvarez wrote: > All, > > I've heard that Cisco devices handle ICMP at a low priority. I found one > post describing it as handled in process switching and not fast switching. > Does anyone have an article that explains that process, and is it > configurable? > > The reason I ask is I see about 4% packet loss when I ping devices in our > broadband aggregation network. From the CPE to the router there is none, > from my workstation to the router there is none, but if I ping the whole > path I get a fairly consistent 4% loss. I can't find any congestion or > errors. Pings from my workstation to the CPE are a consistent 60ms, aside > from the 4% loss. > > Thanks. > > What model is your router, and can you post a config? What is CPU utilization on the router? What is memory utilization on the router?
Ted From eng_mssk at hotmail.com Wed Apr 8 17:49:34 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Thu, 9 Apr 2009 00:49:34 +0300 Subject: [c-nsp] DNS Tool In-Reply-To: <49DD1A5A.2020001@rainierconnect.net> References: <49DD1A5A.2020001@rainierconnect.net> Message-ID: We are facing some browsing problems, so we want to make sure that our DNS servers are resolving well using tools other than nslookup. > Date: Wed, 8 Apr 2009 14:42:50 -0700 > From: walter.keen at rainierconnect.net > To: eng_mssk at hotmail.com > CC: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] DNS Tool > > Could you elaborate a little? > > We use Nagios to monitor other things, and use a DNS check plugin that > simply does a DNS query and reports if it successfully got an answer. I > think there are other ones that will compare the answer to a known good > answer you supply (wouldn't work well with something like Google.com or > yahoo.com that does a lot of round robin entries). > > Mohammad Khalil wrote: > > Hey all, > > is there any tool that can monitor the DNS behavior? > > For example, the resolving process and if there are any errors? > > > > Thanks From malitsky at netabn.com Wed Apr 8 17:59:20 2009 From: malitsky at netabn.com (Michael Malitsky) Date: Wed, 8 Apr 2009 16:59:20 -0500 Subject: [c-nsp] rate limiting pointers?
In-Reply-To: References: Message-ID: <79AF0C3901752A49881FE4CB31F7AA4001450AFE@abn-borg2.NETABN.LOCAL> Generally speaking, Muhammad is correct. From personal experience, you are going to find a lot of limitations on the switching platform when you try to implement this, though. The switching platforms vary significantly in their abilities to classify traffic and police in different directions. Off the top of my head, I am not sure whether the 2960 supports policing at all. 3550 does, with significant limitations. I can share more specific experiences offline. As an alternative, consider doing the straightforward "rate-limit input | output ..." on the subinterfaces on the 7200. Works like a champ (assuming the CPU can keep up of course) and is just 2 lines to set up vs the MQC on the switch. Sincerely, Michael Malitsky > Date: Wed, 8 Apr 2009 09:36:07 +0500 > From: Muhammad Salman Zahid > Subject: Re: [c-nsp] rate limiting pointers? > To: Scott Granados > Cc: cisco-nsp at puck.nether.net > Message-ID: > <44c523750904072136u5c3c82c0scf20d47d5c2e3241 at mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Dear Scott, > > Read & try the following: > > > Step 1: Define ACL for desired IP Pools > Step 2: Define a Packet classification criteria > Class-map match-all > description Control plane normal traffic > match access-group name > > Step 3: Define a Service Policy > policy-map > class > police cir > conform-action set-dscp-transmit default exceed-action drop violate- > action > drop > > Step 4: Enter service policy on control plane interface > service-policy input > service-policy output > > ip access-list extended [ABC] > ip access-list extended [XYZ] > class-map match-all [NAME1]=== NAME1=ABC (so easily remember) > match access-group name [ABC] > class-map match-all [NAME2]=== NAME2=XYZ (so easily remember) > match access-group name [XYZ] > policy-map [POLICY NAME] > class [ABC] > put rate limit > class [XYZ] > put rate limit > Regards, > MSZ > On 
Wed, Apr 8, 2009 at 6:36 AM, Scott Granados > wrote: > > > Since the topic of rate limiting came up... > > > > I have a 7206VXR NPE-300 and 2 switches (2960 and 3550). > > > > I plan on setting up a trunk from the 7206 to the 3500 and break out > via > > vlans as you'd expect. What are some good methods for rate limiting > the > > individual ports on the access switches? > > > > I'm open to other hardware but this is more of a lab / personal > environment > > so solutions for the listed hardware would be appreciated. Could > someone > > also suggest some good foundation type reading for rate limiting and > > practices? > > > > Thank you > > Scott > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > -- > "Death is no the greatest loss in life .... > The greatest loss is what dies inside > you while U live...!" From peter at rathlev.dk Wed Apr 8 19:09:53 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 09 Apr 2009 01:09:53 +0200 Subject: [c-nsp] DNS Tool In-Reply-To: References: Message-ID: <1239232193.6594.1.camel@localhost.localdomain> On Thu, 2009-04-09 at 00:39 +0300, Mohammad Khalil wrote: > is there any tool that can monitor the DNS behavior ?? > for example , the resolving process and if there are any errors ?? If you want to monitor this from a Cisco device, IP SLA Monitor "type dns" is the thing to search for. It can do DNS lookups and tell you how long it took. 
Regards, Peter From billw at waveform.net Wed Apr 8 19:59:09 2009 From: billw at waveform.net (Bill Wichers) Date: Wed, 8 Apr 2009 19:59:09 -0400 Subject: [c-nsp] Odd Etherchannel behavior between 7507 and cat 4006 In-Reply-To: References: <49DB1C06.60506@memetic.org> <20090407094208.GZ290@greenie.muc.de> <49DB2315.5010806@memetic.org> Message-ID: [snip] > > I typically set both ends (router and switch) of these links to 100/full > > since I've seen weird autonegotiation problems before. This works just > > fine for individual FE links, but as soon as I bring up the Etherchannel > > group both member links on the router end drop back to "unknown duplex" > > Can you configure the etherchannel group interface as 100/full? *That* did it! Thanks! I had not thought of trying it on the etherchannel group since I'd already set it on the underlying member links. Now all I have to do is figure out why traffic balance is something like 5%/95% between the two member links. I think there are some legacy config entries in the switch regarding static MACs that might be causing this though. -Bill From paul at paulstewart.org Wed Apr 8 19:44:57 2009 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 8 Apr 2009 19:44:57 -0400 Subject: [c-nsp] Supervisor Failover - Speed question Message-ID: <000001c9b8a4$0689eee0$139dcca0$@org> Hi there. We have 7606's with dual Sup720-3BXL. I'm investigating how to get the fastest possible failover if/when a supervisor fails. 
Current config looks like this:

my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 5

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Redundancy State = sso
Maintenance Mode = Disabled
Communications = Up

client count = 78
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0

--

redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config

Is there any way to get a failover to less than 30 seconds, for example? We find currently it's 2-3 minutes for failover, it seems.. Thanks, Paul From david at hughes.com.au Wed Apr 8 21:15:09 2009 From: david at hughes.com.au (David Hughes) Date: Thu, 9 Apr 2009 11:15:09 +1000 Subject: [c-nsp] T3 or Ethernet delivery? In-Reply-To: References: <49DC4EEC.3070001@rollernet.us> <935ead450904080618k15aa5c2bo23acf3dac7005e9c@mail.gmail.com> Message-ID: <3E4FE00F-97AE-47DE-9F2F-4B0EA453E005@hughes.com.au> On 09/04/2009, at 12:08 AM, Jon Lewis wrote: > With BGP, you might tune the timers shorter than default so that > such a break gets noticed sooner. With a T3, BGP would find out > about the break as soon as the interface went down. BGP with BFD would work well for this. It's not as clean as losing link, but it'll pick up the fault reasonably quickly. David ... From fwissue at gmail.com Wed Apr 8 21:53:52 2009 From: fwissue at gmail.com (Michael Lee) Date: Wed, 8 Apr 2009 18:53:52 -0700 Subject: [c-nsp] Supervisor Failover - Speed question In-Reply-To: <000001c9b8a4$0689eee0$139dcca0$@org> References: <000001c9b8a4$0689eee0$139dcca0$@org> Message-ID: <709a72990904081853x5d3ead97la962d3e86213b1ca@mail.gmail.com> Did you try enabling NSF, if it is possible? There are some limitations on MPLS-TE. On Wed, Apr 8, 2009 at 4:44 PM, Paul Stewart wrote: > Hi there. > > > > We have 7606's with dual Sup720-3BXL.
I'm investigating how to get the > fastest possible failover if/when a supervisor fails. > > > > Current config looks like this: > > > > my state = 13 -ACTIVE > > peer state = 8 -STANDBY HOT > > Mode = Duplex > > Unit = Primary > > Unit ID = 5 > > > > Redundancy Mode (Operational) = sso > > Redundancy Mode (Configured) = sso > > Redundancy State = sso > > Maintenance Mode = Disabled > > Communications = Up > > > > client count = 78 > > client_notification_TMR = 30000 milliseconds > > keep_alive TMR = 9000 milliseconds > > keep_alive count = 0 > > keep_alive threshold = 18 > > RF debug mask = 0x0 > > > > -- > > > > redundancy > > keepalive-enable > > mode sso > > main-cpu > > auto-sync running-config > > > > > > > > Is there any way to get a failover to less than 30 seconds an example? We > find currently it's 2-3 minutes for failover it seems.. > > > > Thanks, > > > > Paul > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dcp at dcptech.com Wed Apr 8 21:16:26 2009 From: dcp at dcptech.com (David Prall) Date: Wed, 8 Apr 2009 21:16:26 -0400 Subject: [c-nsp] Supervisor Failover - Speed question In-Reply-To: <000001c9b8a4$0689eee0$139dcca0$@org> References: <000001c9b8a4$0689eee0$139dcca0$@org> Message-ID: <008d01c9b8b0$d0aaa910$71fffb30$@com> Do all linecards also have DFC's? Do you have nsf/graceful-restart configured for all routing protocols? What linecards are you using? David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Paul Stewart > Sent: Wednesday, April 08, 2009 7:45 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Supervisor Failover - Speed question > > Hi there. > > > > We have 7606's with dual Sup720-3BXL. 
I'm investigating how to get the > fastest possible failover if/when a supervisor fails. > > > > Current config looks like this: > > > > my state = 13 -ACTIVE > > peer state = 8 -STANDBY HOT > > Mode = Duplex > > Unit = Primary > > Unit ID = 5 > > > > Redundancy Mode (Operational) = sso > > Redundancy Mode (Configured) = sso > > Redundancy State = sso > > Maintenance Mode = Disabled > > Communications = Up > > > > client count = 78 > > client_notification_TMR = 30000 milliseconds > > keep_alive TMR = 9000 milliseconds > > keep_alive count = 0 > > keep_alive threshold = 18 > > RF debug mask = 0x0 > > > > -- > > > > redundancy > > keepalive-enable > > mode sso > > main-cpu > > auto-sync running-config > > > > > > > > Is there any way to get a failover to less than 30 seconds an example? > We > find currently it's 2-3 minutes for failover it seems.. > > > > Thanks, > > > > Paul > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From chris.garzon at gmail.com Wed Apr 8 22:22:05 2009 From: chris.garzon at gmail.com (Dracul) Date: Thu, 9 Apr 2009 10:22:05 +0800 Subject: [c-nsp] video,voip and internet over DSL (converged) Message-ID: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com> Hi list, is it feasible to broadcast video/voip + internet over DSL like lets say I deploy a cisco DSLAM infra in a 20 storey building. It would run over a media server solution and a VOIP network. I am not sure if this would be a stable solution considering I want to broadcast HD and SD alike plus VOIP and internet to boot. Any cons? like noise level or quality of the video or quality of bandwidth etc. because DSL transport is just running over copper right? Or would I be better off running fibre? But of course cost will then quantify the use of DSL. 
regards, Chris From sf at lists.esoteric.ca Wed Apr 8 22:27:11 2009 From: sf at lists.esoteric.ca (Stephen Fulton) Date: Wed, 08 Apr 2009 22:27:11 -0400 Subject: [c-nsp] SIP-400 and EoMPLS, VPLS and H-VPLS In-Reply-To: <49DCFE7D.9090205@lists.esoteric.ca> References: <49DCFE7D.9090205@lists.esoteric.ca> Message-ID: <49DD5CFF.7090403@lists.esoteric.ca> For the archives, the answer from my SE is yes, the SIP-400/SPA-(2|5)X1GE-V2 can appropriate in a core and edge facing role, on a per-port basis. -- Stephen Stephen Fulton wrote: > According to the SIP/SPA configuration guide for the 7600, the SIP-400 > with a SPA-2X1GE-V2 or a SPA-5X1GE-V2, can use individual ports in > either a core-facing or edge facing role in MPLS. Can someone please > confirm this? > > Thanks, > > -- Stephen > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ml at kenweb.org Wed Apr 8 23:15:34 2009 From: ml at kenweb.org (ML) Date: Wed, 08 Apr 2009 23:15:34 -0400 Subject: [c-nsp] Odd multicast behavior from an ME3400 Message-ID: <49DD6856.6020402@kenweb.org> Using an IneoQuest cricket we've been trying to find out why multicast video streams are breaking up. Using an ME3400 as an access device these are our symptoms: 3 x MPEG4 HD streams (8-10MBps each) come through fine. Add one more stream and the Cricket says we've got problems. On aggregate this about 40Mbps/3500pps with four streams. However with *10* standard def MPEG2 streams (~84Mbps/7500pps). Everything looks good according to the Cricket. If the access device is a 3560 we can pull twice as many MPEG4-HD streams without issue. We've already verified the content is good from the source (pulling twice as many stream as a customer would ever pull) now it's down to the ME3400s in the access layer. When looking at the interface counters there is not a single error of any kind. 
"show buffers" shows no changes in buffer misses during and after the point where video breaks down on the MPEG4-HD streams. When the Cricket's video monitor point is a gigabit port (via a GLC-T, albeit the Cricket monitor port is 100Mb) we can pull four streams with problems but the error rate is reduced. We are using the IPBASE image. Tried several versions 12.2(25)SEG1, 12.2(44)SE no difference. The multicast config is basic at the access layer. Just default config for IGMP snooping on the multicast VLAN with immediate-leave. I used the Bug Toolkit but nothing stood out to me as an open/fixed bug with our symptoms. Is there a troubleshooting step I'm missing here? Thanks From ATolstykh at integrysgroup.com Wed Apr 8 23:19:08 2009 From: ATolstykh at integrysgroup.com (Tolstykh, Andrew) Date: Wed, 8 Apr 2009 22:19:08 -0500 Subject: [c-nsp] Packet Loss on 6513 In-Reply-To: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE9@MSG-M1P1.pcacorp.net> References: <259E69AA141E7640822757CAB3EBC70F18B1D0DBE9@MSG-M1P1.pcacorp.net> Message-ID: What is connected to your SUP-720 Gi7/1 interface? Can you post the output of 'show int gi7/1'? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mesiatowsky, Shawn Sent: Tuesday, April 07, 2009 11:11 AM To: 'cisco-nsp at puck.nether.net' Subject: [c-nsp] Packet Loss on 6513 We currently have 2 6513's in our core, and we have seen packet loss on our network. I was trying to locate the source of the packet loss. We did see some input queue drops on the SVI's and physical interfaces. I had increased our queue size on the vlan interfaces to 500, and our packet drops on the svi's decreased signifigantly. Now I am trying to figure out why there is packet loss on the physical interfaces. We have a sup 720, and our line cards are WS-X6724-SFP and WS-X6748-SFP. 
Here is a sample of an interface with high drops

GigabitEthernet2/23 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001a.2f68.7bc2 (bia 001a.2f68.7bc2)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 38/255, rxload 32/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is SX
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:31, output hang never
  Last clearing of "show interface" counters 1d00h
  Input queue: 0/2000/91560/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 126671000 bits/sec, 28888 packets/sec
  5 minute output rate 151605000 bits/sec, 26499 packets/sec
     942611654 packets input, 633784740348 bytes, 0 no buffer
     Received 7319979 broadcasts (6903850 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 91560 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     891230426 packets output, 579042873963 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

I also looked at the utilization of this interface with our snmp tool, and utilization of this interface never went over 40%

I also noticed the following, and was not sure if this was completely accurate:

show platform hardware capacity interface
Interface Resources
  Interface drops:
    Module  Total drops: Tx          Rx        Highest drop port: Tx  Rx
    1                    0           466                          0   1
    2                    0           154228                       0   23
    3                    0           123                          0   1
    4                    0           190102                       0   21
    5                    0           446318                       0   21
    7                    3940684041  0                            1   0
    9                    0           34280                        0   7
    10                   0           5                            0   42
    11                   0           433                          0   46
    12                   0           1686                         0   44
    13                   66042       119859                       1   1
  Interface buffer sizes:
    Module  Bytes: Tx buffer  Rx buffer
    1              1221120    152000
    2              1221120    152000
    3              1221120    152000
    4              1221120    152000
    5              1221120    152000
    6              1221120    152000
    9              1221120    152000
    10             1221120    152000
    11             1221120    152000
    12             1221120    152000
    13             1221120    152000

Does this mean that 3940684041 packets were dropped on the egress queue on the sup? Does this seem extremely high, and what can cause this?

Thanks for your help
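The counters in the output above can be checked programmatically. The Python script below is an added example, not part of the original post: it parses the "show interface" and "show platform hardware capacity interface" text pasted above, computes 5-minute utilisation from the configured bandwidth, and flags the pattern where every input-queue drop is an overrun while the link is lightly loaded. The sample strings are the poster's own output re-typed inline; the field regexes and the classification labels are this example's own.

```python
"""Added example (not from the original post): parse the Catalyst 6500
'show interface' / 'show platform hardware capacity interface' output
pasted above and flag the drop pattern it shows. Sample text below is the
poster's own output, re-typed inline so the script runs offline."""
import re

SHOW_INT = """GigabitEthernet2/23 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001a.2f68.7bc2 (bia 001a.2f68.7bc2)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 38/255, rxload 32/255
  Input queue: 0/2000/91560/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 126671000 bits/sec, 28888 packets/sec
  5 minute output rate 151605000 bits/sec, 26499 packets/sec
     942611654 packets input, 633784740348 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 91560 overrun, 0 ignored
     891230426 packets output, 579042873963 bytes, 0 underruns
"""

CAPACITY = """Interface Resources
  Interface drops:
    Module Total drops: Tx          Rx      Highest drop port: Tx Rx
    1                   0           466                        0  1
    2                   0           154228                     0  23
    3                   0           123                        0  1
    4                   0           190102                     0  21
    5                   0           446318                     0  21
    7                   3940684041  0                          1  0
    9                   0           34280                      0  7
    10                  0           5                          0  42
    11                  0           433                        0  46
    12                  0           1686                       0  44
    13                  66042       119859                     1  1
"""

# Regexes for the fields a drop investigation needs (this example's own).
FIELDS = {
    "name": r"^(\S+) is (?:up|down)",
    "bw_kbit": r"BW (\d+) Kbit",
    "input_drops": r"Input queue: \d+/\d+/(\d+)/\d+",
    "output_drops": r"Total output drops: (\d+)",
    "input_bps": r"5 minute input rate (\d+) bits/sec",
    "output_bps": r"5 minute output rate (\d+) bits/sec",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "overrun": r"(\d+) overrun",
}


def parse_show_interface(text: str) -> dict:
    """Extract the counters listed in FIELDS; raise if one is missing."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field {key!r} not found in output")
        out[key] = m.group(1) if key == "name" else int(m.group(1))
    return out


def utilisation_pct(bps: int, bw_kbit: int) -> float:
    """5-minute rate as a percentage of the interface bandwidth."""
    return round(100.0 * bps / (bw_kbit * 1000), 1)


def classify(iface: dict) -> str:
    """Name the drop pattern. Labels are this example's own shorthand."""
    if iface["input_drops"] == 0 and iface["output_drops"] == 0:
        return "clean"
    rx_util = utilisation_pct(iface["input_bps"], iface["bw_kbit"])
    if iface["input_drops"] == iface["overrun"] and iface["crc"] == 0:
        # Every input-queue drop is accounted for by an overrun, i.e. the
        # receive side ran out of buffer. With the 5-minute average this far
        # below line rate, that points at short bursts the buffer cannot
        # absorb rather than a saturated link or a bad cable.
        if rx_util < 50:
            return "rx-overrun-bursty"
        return "rx-overrun-saturated"
    if iface["output_drops"] > 0:
        return "tx-queue-drops"
    return "input-drops-mixed"


def parse_capacity_drops(text: str) -> list:
    """Rows of the 'Interface drops' table: module, Tx/Rx drops, worst ports."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            mod, tx, rx, tx_port, rx_port = map(int, m.groups())
            rows.append({"module": mod, "tx": tx, "rx": rx,
                         "tx_port": tx_port, "rx_port": rx_port})
    return rows


def worst_module(rows: list) -> tuple:
    """(module, direction, drops, port) for the single largest drop counter."""
    worst = None
    for r in rows:
        for d in ("tx", "rx"):
            if worst is None or r[d] > worst[2]:
                worst = (r["module"], d, r[d], r[f"{d}_port"])
    return worst


if __name__ == "__main__":
    i = parse_show_interface(SHOW_INT)
    print(i["name"], "rx util", utilisation_pct(i["input_bps"], i["bw_kbit"]),
          "% ->", classify(i))
    print("largest drop counter:", worst_module(parse_capacity_drops(CAPACITY)))
```

The computed 12.7% receive utilisation is the 5-minute average; an SNMP poller reporting 40% over a shorter interval is consistent with the same bursty profile, which is why the overrun count, not the average rate, is the counter to alert on.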
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From aftab.siddiqui at gmail.com Thu Apr 9 00:37:26 2009
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Thu, 9 Apr 2009 09:37:26 +0500
Subject: [c-nsp] video,voip and internet over DSL (converged)
In-Reply-To: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com>
References: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com>
Message-ID: <3c605ce10904082137j31fb89c7j1cc3239642ffc00c@mail.gmail.com>

Hello Chris,

Before deployment you have to consider certain points:

- What flavour of DSL you will be using, either ADSL2, ADSL2+ or VDSL. They have different reach and different bandwidth capacity.
- What will be used for backhauling the DSLAM to CO.
- Will it be internet-TV or IPTV? If IPTV then it will be multicast over the network. (I presume it is IPTV)
- How many HD and SD channels you are planning to put on the network? HD takes approx 8mbps and SD approx 2mbps.

DSL can be used for such type of services and in normal copper condition (but you have to test) it will provide the desired services.

On Thu, Apr 9, 2009 at 7:22 AM, Dracul wrote:
> Hi list,
>
> is it feasible to broadcast video/voip + internet over DSL like lets say I
> deploy a cisco DSLAM infra in a 20 storey building. It would run over a
> media server solution and a VOIP network. I am not sure if this would be a
> stable solution considering I want to broadcast HD and SD alike plus VOIP
> and internet to boot.
>
> Any cons? like noise level or quality of the video or quality of bandwidth
> etc. because DSL transport is just running over copper right? Or would I be
> better off running fibre? But of course cost will then quantify the use of
> DSL.
>
> regards,
> Chris
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
Regards,
Aftab A. Siddiqui

From pigsign.pykota at gmail.com Thu Apr 9 01:11:30 2009
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Thu, 9 Apr 2009 13:11:30 +0800
Subject: [c-nsp] How can enable PfR PIRO function on IOS 12.4(24)T
Message-ID:

Hi,

The Cisco introduced PfR can support OSPF as parent route on IOS 12.4(24)T and this term is PIRO (Protocol Independent Route Optimization). Detail link this:
http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/oer-trf_rte_ctl.html#wp1060987

But when I use 12.4(24)T in Cisco 1812 module, I didn't see any PIRO information can support OSPF when I type 'sh oer master prefix', like below...

#sh oer master prefix
192.168.1.2/32 DEFAULT* 92 172.17.11.254 Tu11 U U U 0 0 0 0 N N N N 1 1

#sh ip route ospf
O 192.168.1.0/24 [110/11] via 10.0.0.1, 02:46:06, Tunnel11
                 [110/11] via 10.1.1.1, 02:46:06, Tunnel12

Before 12.4(24)T, I use static route as parent route and it works well. But I really want to use OSPF as PfR parent route because static route would make route fail when gateway couldn't arrive.

Anyone have idea about this?

Thanks and Regards,
Pigsign

From ecralar at hotmail.com Thu Apr 9 03:26:03 2009
From: ecralar at hotmail.com (Alex)
Date: Thu, 9 Apr 2009 08:26:03 +0100
Subject: [c-nsp] Odd multicast behavior from an ME3400
References: <49DD6856.6020402@kenweb.org>
Message-ID:

I think you are missing a couple of steps. Packet count and capture.

The multicast streams are UDP, are they? If so then:

1/ count packets sent on source and packets received on independent receiver (not on switch)
2/ capture stream and verify UDP checksum (udp.checksum_bad == 1 in Wireshark display filter). You will need a powerful PC with lots of RAM and fast disk.
HTH
Rgds
Alex

----- Original Message -----
From: "ML"
To:
Sent: Thursday, April 09, 2009 4:15 AM
Subject: [c-nsp] Odd multicast behavior from an ME3400

> Using an IneoQuest cricket we've been trying to find out why multicast
> video streams are breaking up.
>
> Using an ME3400 as an access device these are our symptoms:
>
> 3 x MPEG4 HD streams (8-10MBps each) come through fine.
> Add one more stream and the Cricket says we've got problems.
> On aggregate this about 40Mbps/3500pps with four streams.
>
> However with *10* standard def MPEG2 streams (~84Mbps/7500pps).
> Everything looks good according to the Cricket.
>
> If the access device is a 3560 we can pull twice as many MPEG4-HD streams
> without issue.
>
>
> We've already verified the content is good from the source (pulling twice
> as many stream as a customer would ever pull)
> now it's down to the ME3400s in the access layer.
>
> When looking at the interface counters there is not a single error of any
> kind. "show buffers" shows no changes in buffer misses
> during and after the point where video breaks down on the MPEG4-HD
> streams.
>
> When the Cricket's video monitor point is a gigabit port (via a GLC-T,
> albeit the Cricket monitor port is 100Mb) we can pull four streams with
> problems but the error rate is reduced.
>
> We are using the IPBASE image. Tried several versions 12.2(25)SEG1,
> 12.2(44)SE no difference.
>
> The multicast config is basic at the access layer. Just default config
> for IGMP snooping on the multicast VLAN with immediate-leave.
>
> I used the Bug Toolkit but nothing stood out to me as an open/fixed bug
> with our symptoms.
>
> Is there a troubleshooting step I'm missing here?
>
> Thanks
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From wllmjbs at gmail.com Thu Apr 9 03:36:08 2009
From: wllmjbs at gmail.com (William Jobs)
Date: Thu, 9 Apr 2009 10:36:08 +0300
Subject: [c-nsp] Service Deployment
Message-ID:

Hi,

I'm looking for a GUI tool that can be used to easily deploy the following services on a large scale, over Cisco hardware:
- Layer 3 MPLS VPNs
- Layer 2 MPLS VPNs
- Any Transport over MPLS
- VPLS

One option I had come across was Cisco's IP Solutions Centre. Has anyone had any experience using this product and can it handle our requirements? I'd also be open to other solutions/products.

Any help would be appreciated.

Thanks.

From blahu77 at gmail.com Thu Apr 9 04:25:42 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Thu, 9 Apr 2009 09:25:42 +0100
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <74206b240904080701t75420f7dqd1298597e246008c@mail.gmail.com>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <74206b240904080701t75420f7dqd1298597e246008c@mail.gmail.com>
Message-ID: <383357750904090125t302139f8o1d836243dc484010@mail.gmail.com>

What's the difference between 40g/slot and 100g/slot ready? Is it like "vista ready"? I would assume (wrongly?) that this is a hw limit?

Best Regards,

-mat
-- 
pgp-key 0x1C655CAB

From techconfig at yahoo.com Thu Apr 9 07:15:29 2009
From: techconfig at yahoo.com (Mark Tech)
Date: Thu, 9 Apr 2009 04:15:29 -0700 (PDT)
Subject: [c-nsp] Rate limit Physical interface GSR
Message-ID: <69329.43725.qm@web44814.mail.sp1.yahoo.com>

Hi
I would like to cap a physical GE interface to 100mbps whilst running vlans through it on a GSR i.e.
interface GigabitEthernet0/0/6
 no ip address
 no ip directed-broadcast
 rate-limit input 100032000 12504000 12504000 conform-action transmit exceed-action drop
 rate-limit output 100032000 12504000 12504000 conform-action transmit exceed-action drop
 no negotiation auto
!
interface GigabitEthernet0/0/6.2
 encapsulation dot1Q 2
 ip vrf forwarding test
 ip address 10.1.1.5 255.255.255.252
 no ip directed-broadcast
 no cdp enable
!
interface GigabitEthernet0/0/6.3
 encapsulation dot1Q 3
 ip vrf forwarding test2
 ip address 10.1.1.1 255.255.255.252
 no ip directed-broadcast
 no cdp enable
!
.................etc

However when I apply the rate-limit command on GE0/0/6, I don't see any drop in traffic. Actually I have set up a throughput test through GigabitEthernet0/0/6.2 running at 1Gbps which I can see through sh int GigabitEthernet0/0/6 which does not drop to 100Mbps once the rate-limit is added

Is there a way to cap this aggregate interface?

Regards
Mark

From sandmaier at schlund.net Thu Apr 9 07:31:45 2009
From: sandmaier at schlund.net (Jan Sandmaier)
Date: Thu, 09 Apr 2009 13:31:45 +0200
Subject: [c-nsp] etherchannel load-balancing on "4 Port ISE Gigabit Ethernet"?
Message-ID: <49DDDCA1.4060506@schlund.net>

Hi,

does anybody know how load-balancing in an etherchannel works on a "4 Port ISE Gigabit Ethernet" for Cisco 12000 in detail?

I have the following problem: I configured an etherchannel consisting of two GigabitEthernet ports on the same linecard. Only one port is utilized (see show command below). There is no inbound traffic and the outbound traffic originates from various prefixes to basically 3 prefixes.

I have a cisco 12010/PRP with IOS 12.0(31)S6.

sh interfaces port-channel 1 load
ID              bits/sec     pack/sec
----------   ------------   ----------
PortCh1  Tx     149655000        24926
         Rx             0            0
Members  (%)    bits/sec     pack/sec
---------- ---  ------------ ----------
Gi1/0    Tx  99    149643000        24919
         Rx  54            0            0
Gi1/1    Tx   1        11000            8
         Rx  46            0            0

The configuration is:

interface Port-channel1
 bandwidth 2000000
 ip address x.x.x.x 255.255.255.252
 ip access-group 188 in
 ip access-group 189 out
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip route-cache flow sampled
 load-interval 30
 channel-group minimum active 1
 no channel-group bandwidth control-propagation

interface GigabitEthernet1/0
 no negotiation auto
 channel-group 1
 no cdp enable
!
interface GigabitEthernet1/1
 negotiation auto
 channel-group 1
 no cdp enable

Is there a fundamental problem with this scenario?

Thanks,
Jan

From geoff at pendery.net Thu Apr 9 08:29:03 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Thu, 9 Apr 2009 07:29:03 -0500
Subject: [c-nsp] Supervisor Failover - Speed question
In-Reply-To: <000001c9b8a4$0689eee0$139dcca0$@org>
References: <000001c9b8a4$0689eee0$139dcca0$@org>
Message-ID:

Yes, failover shouldn't take 2-3 minutes. I've personally observed it as less than one second in several test environments. But I imagine it's highly dependent on the details.

What is your criteria for measuring it as done? Are you pinging from a host on one port of the chassis to another? One network to another, routed across the 7600? Pinging the supervisor's loopback address? Looking at routing protocol adjacencies in neighbored routers?

As others have mentioned, if you're running a routing protocol like EIGRP or OSPF, adding "nsf" in the config for that protocol will likely help to maintain forwarding during the failover, though not technically speeding up the failover itself.

Could you elaborate a bit on what traffic you're seeing down for a few minutes?

-Geoff

On Wed, Apr 8, 2009 at 6:44 PM, Paul Stewart wrote:
> Hi there.
>
> We have 7606's with dual Sup720-3BXL.  I'm investigating how to get the
> fastest possible failover if/when a supervisor fails.
>
> Current config looks like this:
>
>       my state = 13 -ACTIVE
>     peer state = 8  -STANDBY HOT
>           Mode = Duplex
>           Unit = Primary
>        Unit ID = 5
>
> Redundancy Mode (Operational) = sso
> Redundancy Mode (Configured)  = sso
> Redundancy State              = sso
>     Maintenance Mode = Disabled
>  Communications = Up
>
>   client count = 78
>  client_notification_TMR = 30000 milliseconds
>          keep_alive TMR = 9000 milliseconds
>        keep_alive count = 0
>    keep_alive threshold = 18
>           RF debug mask = 0x0
>
> --
>
> redundancy
>  keepalive-enable
>  mode sso
>  main-cpu
>   auto-sync running-config
>
> Is there any way to get a failover to less than 30 seconds an example?  We
> find currently it's 2-3 minutes for failover it seems..
>
> Thanks,
>
> Paul
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From drew.weaver at thenap.com Thu Apr 9 08:42:01 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 9 Apr 2009 05:42:01 -0700
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
Message-ID:

Hi there,

I am trying to come up with the best way to network servers that have out-of-band management such as the baseboard management controllers in many enterprise servers.

Ideally, I would like to be able to assign the management device a RFC 1918 IP, have the actual server be on a different subnet altogether but use a shared port.

I know that BMCs generally can use VLAN tagging, but I'm really not sure how I can do all of this with just one port.
The 'easy' way is to simply assign a dedicated NIC to the management device and run another cable, but I'm not sure that is the best way to do it.

Does anyone have any experience handling the networking side of large server deployments of servers with management capabilities?

thanks,
-Drew

From networkstuff.training at gmail.com Thu Apr 9 08:49:36 2009
From: networkstuff.training at gmail.com (Swati Sharma)
Date: Thu, 9 Apr 2009 18:19:36 +0530
Subject: [c-nsp] No route drops packets : 117964064
Message-ID: <8a93d4b30904090549w6367541di30ac41e2744c6c0@mail.gmail.com>

Hi,

I can see many drops because of no route available....it looks strange as this is mpls vpn network (knows about loopback) and yes Internet routing table is available here. But if some issue on Internet drop should be on peering router... is it a sec. hack efforts!!!

RP/0/RP0/CPU0:crs1#sh cef drops
CEF Drop Statistics
Node: 0/0/CPU0
  Unresolved drops             packets : 0
  Unsupported drops            packets : 0
  Null0 drops                  packets : 0
  No route drops               packets : 22372
  No Adjacency drops           packets : 0
  Checksum error drops         packets : 0
  RPF drops                    packets : 0
  RPF suppressed drops         packets : 0
  RP destined drops            packets : 0
Node: 0/2/CPU0
  Unresolved drops             packets : 0
  Unsupported drops            packets : 218221
  Null0 drops                  packets : 359357
  * No route drops             packets : 117964064*
  No Adjacency drops           packets : 0
  Checksum error drops         packets : 0
  RPF drops                    packets : 0
  RPF suppressed drops         packets : 0
  RP destined drops            packets : 0
Node: 0/RP0/CPU0
  Unresolved drops             packets : 0
  Unsupported drops            packets : 0
  Null0 drops                  packets : 0
  No route drops               packets : 2662
  No Adjacency drops           packets : 0
  Checksum error drops         packets : 0
  RPF drops                    packets : 0
  RPF suppressed drops         packets : 0
  RP destined drops            packets : 0

Regards,

From achatz at forthnet.gr Thu Apr 9 08:51:38 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 09 Apr 2009 15:51:38 +0300
Subject: [c-nsp] NAT on ASR1000
In-Reply-To: <20090407165647.GA22725@rtp-cse-489.cisco.com>
References:
<20090407154647.GQ20028@rtp-cse-489.cisco.com> <49DB792C.6080507@forthnet.gr> <20090407165647.GA22725@rtp-cse-489.cisco.com>
Message-ID: <49DDEF5A.5060602@forthnet.gr>

We're also evaluating the ASR platform and besides 4 new bugs and 3 not supported features we have found, performance-wise ASR seems like a little monster. RLS5 or RLS6 will probably be our first production release. On the other hand, online documentation is missing a lot of stuff :(

While trying to stress the CPU, I was somewhat disappointed by the fact that "sh parser dump exec | i something-that-does-not-exist" makes the CPU go nuts for over 1 hour! IOS should include an option in order to produce a warning after x minutes of cli-command-given-but-no-output-returned.

--
Tassos

Rodney Dunn wrote on 07/04/2009 19:56:
> sh plat software status control-processor brief
> Load Average
>  Slot  Status  1-Min  5-Min 15-Min
>   RP0 Healthy   0.00   0.04   0.01
>  ESP0 Healthy   0.00   0.00   0.00
>  SIP0 Healthy   0.02   0.02   0.00
>
> Memory (kB)
>  Slot  Status    Total     Used (Pct)     Free (Pct) Committed (Pct)
>   RP0 Healthy  3711920  1525468 (36%)  2186452 (52%)   2438180 (59%)
>  ESP0 Healthy  2024492   527680 (25%)  1496812 (71%)   2807552 (133%)
>  SIP0 Healthy   480084   287860 (54%)   192224 (36%)    199468 (38%)
>
> CPU Utilization
>  Slot  CPU   User System   Nice   Idle    IRQ   SIRQ IOwait
>   RP0    0   2.15   1.54   0.00  96.25   0.01   0.03   0.00
>  ESP0    0   0.57   0.60   0.00  98.80   0.00   0.01   0.00
>  SIP0    0   0.30   0.41   0.00  99.25   0.00   0.01   0.00
>
>
> It's a live network I worked on over the weekend. It's a pretty high
> rate short lived session network.
>
> We set the timeouts down:
>
> ip nat translation timeout 1800
> ip nat translation tcp-timeout 900
> ip nat translation udp-timeout 150
> ip nat translation dns-timeout 30
>
> show platform hardware cpp active infrastructure exmem statistics
>
> and there is a lot of QFP memory left:
>
> Type: Name: IRAM, CPP: 0
>   Total: 134217728
>   InUse: 4779008
>   Free: 128974848
>   Free protected: 463872
>   Free unprotected: 0
>   Lowest free water mark: 129438720
>   Largest free block: 99537920
> Type: Name: DRAM, CPP: 0
>   Total: 402653184
>   InUse: 190609408
>   Free: 209715200
>   Free protected: 598016
>   Free unprotected: 1730560
>   Lowest free water mark: 212043776
>   Largest free block: 210233344
>
> On Tue, Apr 07, 2009 at 07:02:52PM +0300, Tassos Chatzithomaoglou wrote:
>> Rodney, can you do a "sh plat soft stat contr br"?
>>
>> --
>> Tassos
>>
>> Rodney Dunn wrote on 07/04/2009 18:46:
>>> Few bugs still being worked through but the 72xx and 76xx croaked
>>> under the load:
>>>
>>> ASR1002ESP10#sh proc cpu sort | excl 0.00
>>> CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
>>>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>>> ASR1002ESP10#sh ip nat stat
>>> Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended)
>>> Outside interfaces:
>>>   GigabitEthernet0/0/0, Tunnel1
>>> Inside interfaces:
>>>   GigabitEthernet0/0/1, GigabitEthernet0/0/2
>>> Hits: 0  Misses: 0
>>> CEF Translated packets: 0, CEF Punted packets: 0
>>> Expired translations: 87400847
>>>
>>>
>>> that's on 12.2(33)XNC and I just filed one bug.
>>>
>>> CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword
>>> used
>>>
>>>
>>> My first work on the box with NAT but this thing seems pretty impressive.
>>>
>>> Anyone else using it for high scale nat yet?
>>>
>>> Rodney
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list
>>> cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>

From rdobbins at cisco.com Thu Apr 9 09:13:08 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Thu, 9 Apr 2009 21:13:08 +0800
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
In-Reply-To:
References:
Message-ID: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>

On Apr 9, 2009, at 8:42 PM, Drew Weaver wrote:

> Ideally, I would like to be able to assign the management device a
> RFC 1918 IP, have the actual server be on a different subnet
> altogether but use a shared port.

This isn't a good idea because of fate-sharing - you want your OOB management network to be isolated and bulletproof, and totally unaffected by any problems on the production side.

You should use separate NICs, with separate cables, plugged into a separate physical network (unless you're using N7K switches with VDCs, in which case you can safely run the management network on a separate VDC on the same hardware, given the control- and management-plane isolation).

-----------------------------------------------------------------------
Roland Dobbins // +852.9133.2844 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From oboehmer at cisco.com Thu Apr 9 09:59:05 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 9 Apr 2009 15:59:05 +0200
Subject: [c-nsp] Rate limit Physical interface GSR
In-Reply-To: <69329.43725.qm@web44814.mail.sp1.yahoo.com>
References: <69329.43725.qm@web44814.mail.sp1.yahoo.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840731DF99@xmb-ams-333.emea.cisco.com>

Mark Tech <> wrote on Thursday, April 09, 2009 13:15:

> Hi
> I would like to cap a physical GE interface to 100mbps whilst running
> vlans through it on a GSR i.e.
> [...]
>
> However when I apply the rate-limit command on GE0/0/6, I don't see
> any drop in traffic. Actually I have set up a throughput test through
> GigabitEthernet0/0/6.2 running at 1Gbps which I can see through sh
> int GigabitEthernet0/0/6 which does not drop to 100Mbps once the
> rate-limit is added
>
> Is there a way to cap this aggregate interface?

On Engine3/5 linecards, you can use

policy-map gig-out
 class class-default
  police 1000000000
!
int gig0/0/6
 service-policy output gig-out
!
int gig0/0/6.
...

You can also use "match vlan" classes to provide differentiated treatment for vlans..

	oli

From oboehmer at cisco.com Thu Apr 9 10:02:19 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 9 Apr 2009 16:02:19 +0200
Subject: [c-nsp] etherchannel load-balancing on "4 Port ISE GigabitEthernet"?
In-Reply-To: <49DDDCA1.4060506@schlund.net>
References: <49DDDCA1.4060506@schlund.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840731DFA1@xmb-ams-333.emea.cisco.com>

Jan Sandmaier <> wrote on Thursday, April 09, 2009 13:32:

> Hi,
>
> does anybody know how load-balancing in an etherchannel works on a "4
> Port ISE Gigabit Ethernet" for Cisco 12000 in detail?
>
> I have the following problem: I configured an etherchannel consisting
> of two GigabitEthernet ports on the same linecard. Only one port is
> utilized (see show command below). There is no inbound traffic and the
> outbound traffic originates from various prefixes to basically 3
> prefixes.

load-sharing over a link bundle is pretty much identical to "regular" Layer 3 CEF load-sharing. So you need to use a large enough number of flows (i.e. pairs).
	oli

From vijay.ramcharan at verizonbusiness.com Thu Apr 9 10:02:11 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Thu, 09 Apr 2009 14:02:11 +0000
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
In-Reply-To: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB36CB770@ASHEVS006.mcilink.com>

I second that approach. We use it for our builds whenever possible. You really do want your oob mgmt solution to be as isolated as possible from failures on the production side of things.

We usually build a mgmt silo to accommodate out of band connectivity; with one or more fixed-configuration switches depending on site size and budget, firewall and ISR router. A separate circuit for remote connectivity as well with failover to IPSec/DMVPN. It's obviously more expensive but it sure goes a long way in reducing visits to customer sites.

ilo ports used to be simpler, 1 ilo port connected to one mgmt switch port. With blade chassis and the move there to reduce cabling, blades can now share one physical ilo port on their chassis/enclosure. However, that still doesn't change mgmt connectivity as you still would want to have this single physical connection on a mgmt switch.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
Sent: April 09, 2009 09:13
To: Cisco-nsp
Subject: Re: [c-nsp] best way to network servers with management (iLO/IPMI)

On Apr 9, 2009, at 8:42 PM, Drew Weaver wrote:

> Ideally, I would like to be able to assign the management device a
> RFC 1918 IP, have the actual server be on a different subnet
> altogether but use a shared port.

This isn't a good idea because of fate-sharing - you want your OOB management network to be isolated and bulletproof, and totally unaffected by any problems on the production side.
You should use separate NICs, with separate cables, plugged into a separate physical network (unless you're using N7K switches with VDCs, in which case you can safely run the management network on a separate VDC on the same hardware, given the control- and management-plane isolation).

-----------------------------------------------------------------------
Roland Dobbins // +852.9133.2844 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From techconfig at yahoo.com Thu Apr 9 10:19:38 2009
From: techconfig at yahoo.com (Mark Tech)
Date: Thu, 9 Apr 2009 07:19:38 -0700 (PDT)
Subject: [c-nsp] Rate limit Physical interface GSR
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840731DF99@xmb-ams-333.emea.cisco.com>
References: <69329.43725.qm@web44814.mail.sp1.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840731DF99@xmb-ams-333.emea.cisco.com>
Message-ID: <362613.58951.qm@web44812.mail.sp1.yahoo.com>

Hi Oli

Thanks for that. I have tried that however I still see the interface as unaffected

interface GigabitEthernet0/0/6
 no ip address
 no ip directed-broadcast
 no negotiation auto
 service-policy input gig-in
 service-policy output gig-out

policy-map gig-out
  class class-default
   police 64000 4470 4470

policy-map gig-in
  class class-default
   police 64000 4470 4470

GigabitEthernet0/0/6 is up, line protocol is up

  5 minute input rate 915130000 bits/sec, 417475 packets/sec
  5 minute output rate 915116000 bits/sec, 417467 packets/sec

The sub-interfaces are in vrfs, will that affect this?

Cheers

Mark

----- Original Message ----
From: Oliver Boehmer (oboehmer)
To: Mark Tech ; cisco-nsp at puck.nether.net
Sent: Thursday, April 9, 2009 2:59:05 PM
Subject: RE: [c-nsp] Rate limit Physical interface GSR

Mark Tech <> wrote on Thursday, April 09, 2009 13:15:

> Hi
> I would like to cap a physical GE interface to 100mbps whilst running
> vlans through it on a GSR i.e.
> [...]
>
> However when I apply the rate-limit command on GE0/0/6, I don't see
> any drop in traffic. Actually I have set up a throughput test through
> GigabitEthernet0/0/6.2 running at 1Gbps which I can see through sh
> int GigabitEthernet0/0/6 which does not drop to 100Mbps once the
> rate-limit is added
>
> Is there a way to cap this aggregate interface?

On Engine3/5 linecards, you can use

policy-map gig-out
 class class-default
  police 1000000000
!
int gig0/0/6
 service-policy output gig-out
!
int gig0/0/6.
...

You can also use "match vlan" classes to provide differentiated treatment for vlans..

	oli

From oboehmer at cisco.com Thu Apr 9 10:33:43 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 9 Apr 2009 16:33:43 +0200
Subject: [c-nsp] Rate limit Physical interface GSR
In-Reply-To: <362613.58951.qm@web44812.mail.sp1.yahoo.com>
References: <69329.43725.qm@web44814.mail.sp1.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840731DF99@xmb-ams-333.emea.cisco.com> <362613.58951.qm@web44812.mail.sp1.yahoo.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840731DFCD@xmb-ams-333.emea.cisco.com>

Hmm, can you replace the class-default with something like

class-map all-vlans
 match vlan x y z ...

where x y z match your vlan IDs, and see if this changes things? What does "show policy-map int gig0/0/6" say? What type of linecard engine is this? E5/SIP?

vrf shouldn't make a difference..

	oli

Mark Tech wrote on Thursday, April 09, 2009 16:20:

> Hi Oli
>
> Thanks for that.
> I have tried that however I still see the interface
> as unaffected
>
> interface GigabitEthernet0/0/6
>  no ip address
>  no ip directed-broadcast
>  no negotiation auto
>  service-policy input gig-in
>  service-policy output gig-out
>
> policy-map gig-out
>   class class-default
>    police 64000 4470 4470
>
> policy-map gig-in
>   class class-default
>    police 64000 4470 4470
>
> GigabitEthernet0/0/6 is up, line protocol is up
>
>   5 minute input rate 915130000 bits/sec, 417475 packets/sec
>   5 minute output rate 915116000 bits/sec, 417467 packets/sec
>
>
> The sub-interfaces are in vrfs, will that affect this?
>
> Cheers
>
> Mark
>
>
> ----- Original Message ----
> From: Oliver Boehmer (oboehmer)
> To: Mark Tech ; cisco-nsp at puck.nether.net
> Sent: Thursday, April 9, 2009 2:59:05 PM
> Subject: RE: [c-nsp] Rate limit Physical interface GSR
>
> Mark Tech <> wrote on Thursday, April 09, 2009 13:15:
>
>> Hi
>> I would like to cap a physical GE interface to 100mbps whilst running
>> vlans through it on a GSR i.e.
>>
> [...]
>>
>> However when I apply the rate-limit command on GE0/0/6, I don't see
>> any drop in traffic. Actually I have set up a throughput test through
>> GigabitEthernet0/0/6.2 running at 1Gbps which I can see through sh
>> int GigabitEthernet0/0/6 which does not drop to 100Mbps once the
>> rate-limit is added
>>
>> Is there a way to cap this aggregate interface?
>
> On Engine3/5 linecards, you can use
>
> policy-map gig-out
>  class class-default
>   police 1000000000
> !
> int gig0/0/6
>  service-policy output gig-out
> !
> int gig0/0/6.
> ...
>
> You can also use "match vlan" classes to provide differentiated
> treatment for vlans..
>
>
> 	oli

From MatlockK at exempla.org Thu Apr 9 09:56:09 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Thu, 9 Apr 2009 07:56:09 -0600
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
In-Reply-To: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>
References: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3474@LMC-MAIL2.exempla.org>

I agree. We completely isolate the ILO onto its own discrete network. We supply Cisco 2950/2960's at the top of each rack, and it's on its own RFC1918 IP block. Each ILO gets its own /27, not related at all to the IP blocks the main servers use. The 2950/2960's then plug into a distribution pair, unrelated to the distribution layer the real NIC connectivity goes through.

Now, I realize not a lot of companies have that luxury, so compromises sometimes have to be made.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
Sent: Thursday, April 09, 2009 7:13 AM
To: Cisco-nsp
Subject: Re: [c-nsp] best way to network servers with management (iLO/IPMI)

On Apr 9, 2009, at 8:42 PM, Drew Weaver wrote:

> Ideally, I would like to be able to assign the management device a
> RFC 1918 IP, have the actual server be on a different subnet
> altogether but use a shared port.

This isn't a good idea because of fate-sharing - you want your OOB management network to be isolated and bulletproof, and totally unaffected by any problems on the production side.

You should use separate NICs, with separate cables, plugged into a separate physical network (unless you're using N7K switches with VDCs, in which case you can safely run the management network on a separate VDC on the same hardware, given the control- and management-plane isolation).
-----------------------------------------------------------------------
Roland Dobbins // +852.9133.2844 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From techconfig at yahoo.com Thu Apr 9 10:56:19 2009
From: techconfig at yahoo.com (Mark Tech)
Date: Thu, 9 Apr 2009 07:56:19 -0700 (PDT)
Subject: [c-nsp] Rate limit Physical interface GSR
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840731DFCD@xmb-ams-333.emea.cisco.com>
References: <69329.43725.qm@web44814.mail.sp1.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840731DF99@xmb-ams-333.emea.cisco.com> <362613.58951.qm@web44812.mail.sp1.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840731DFCD@xmb-ams-333.emea.cisco.com>
Message-ID: <639983.88123.qm@web44803.mail.sp1.yahoo.com>

Hi

tried the vlan policy map with standard and hierarchical but get the same
issue when applying to an interface

policy-map gig-out
 class all-vlans
  police 64000 4470 4470

policy-map parent-gig-out
 class class-default
  service-policy gig-out

class-map match-all all-vlans
 match vlan 1-4095

(config)#int gigabitEthernet 0/0/6
(config-if)#service-policy output parent-gig-out
% 'match vlan/pseudowire' not supported in gig-out

The GSR cards are 12000-SIP-601 and SPA-10X1GE-V2

----- Original Message ----
From: Oliver Boehmer (oboehmer)
To: Mark Tech ; cisco-nsp at puck.nether.net
Sent: Thursday, April 9, 2009 3:33:43 PM
Subject: RE: [c-nsp] Rate limit Physical interface GSR

Hmm, can you replace the class-default with something like

class-map all-vlans
 match vlan x y z ...

where x y z match your vlan IDs, and see if this changes things? What does
"show policy-map int gig0/0/6" say?

What type of linecard engine is this? E5/SIP?

vrf shouldn't make a difference..

oli

Mark Tech wrote on Thursday, April 09, 2009 16:20:

> Hi Oli
>
> Thanks for that. I have tried that however I still see the interface
> as unaffected
>
> interface GigabitEthernet0/0/6
>  no ip address
>  no ip directed-broadcast
>  no negotiation auto
>  service-policy input gig-in
>  service-policy output gig-out
>
> policy-map gig-out
>  class class-default
>   police 64000 4470 4470
>
> policy-map gig-in
>  class class-default
>   police 64000 4470 4470
>
> GigabitEthernet0/0/6 is up, line protocol is up
>
>  5 minute input rate 915130000 bits/sec, 417475 packets/sec
>  5 minute output rate 915116000 bits/sec, 417467 packets/sec
>
> The sub-interfaces are in vrfs, will that affect this?
>
> Cheers
>
> Mark
>
> ----- Original Message ----
> From: Oliver Boehmer (oboehmer)
> To: Mark Tech ; cisco-nsp at puck.nether.net
> Sent: Thursday, April 9, 2009 2:59:05 PM
> Subject: RE: [c-nsp] Rate limit Physical interface GSR
>
> Mark Tech <> wrote on Thursday, April 09, 2009 13:15:
>
>> Hi
>> I would like to cap a physical GE interface to 100mbps whilst running
>> vlans through it on a GSR i.e.
>>
> [...]
>>
>> However when I apply the rate-limit command on GE0/0/6, I don't see
>> any drop in traffic. Actually I have set up a throughput test through
>> GigabitEthernet0/0/6.2 running at 1Gbps which I can see through sh
>> int GigabitEthernet0/0/6 which does not drop to 100Mbps once the
>> rate-limit is added
>>
>> Is there a way to cap this aggregate interface?
>
> On Engine3/5 linecards, you can use
>
> policy-map gig-out
>  class class-default
>   police 1000000000
> !
> int gig0/0/6
>  service-policy output gig-out
> !
> int gig0/0/6.
> ...
>
> You can also use "match vlan" classes to provide differentiated
> treatment for vlans..
>
oli From frnkblk at iname.com Thu Apr 9 11:20:55 2009 From: frnkblk at iname.com (Frank Bulk) Date: Thu, 9 Apr 2009 10:20:55 -0500 Subject: [c-nsp] video,voip and internet over DSL (converged) In-Reply-To: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com> References: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com> Message-ID: The hardest part to IPTV is not the technical aspect, but establishing contracts with the content providers, and additionally, encryption. If you can address those issues (first), then the next steps will be clear. There's a lot of middleware vendors out there, but I'm not sure any of them are interested in a single MDU, even though it's large. You may want to talk to VideoFurnace, which does a lot for HigherEd. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul Sent: Wednesday, April 08, 2009 9:22 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] video,voip and internet over DSL (converged) Hi list, is it feasible to broadcast video/voip + internet over DSL like lets say I deploy a cisco DSLAM infra in a 20 storey building. It would run over a media server solution and a VOIP network. I am not sure if this would be a stable solution considering I want to broadcast HD and SD alike plus VOIP and internet to boot. Any cons? like noise level or quality of the video or quality of bandwidth etc. because DSL transport is just running over copper right? Or would I be better off running fibre? But of course cost will then quantify the use of DSL. 
regards,
Chris

From sethm at rollernet.us Thu Apr 9 12:20:34 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 09 Apr 2009 09:20:34 -0700
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
In-Reply-To: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>
References: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com>
Message-ID: <49DE2052.6080609@rollernet.us>

Roland Dobbins wrote:
>
> On Apr 9, 2009, at 8:42 PM, Drew Weaver wrote:
>
>> Ideally, I would like to be able to assign the management device a RFC
>> 1918 IP, have the actual server be on a different subnet altogether
>> but use a shared port.
>
> This isn't a good idea because of fate-sharing - you want your OOB
> management network to be isolated and bulletproof, and totally
> unaffected by any problems on the production side. You should use
> separate NICs, with separate cables, plugged into a separate physical
> network (unless you're using N7K switches with VDCs, in which case you
> can safely run the management network on a separate VDC on the same
> hardware, given the control- and management-plane isolation).
>

Sometimes you just don't have a choice. I have two older Dell servers that
only give you the option of a shared ethernet port for their onboard IPMI,
take it or leave it. So I just put the port on a trunk:

interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 1,2,4,1002-1005
 switchport mode trunk
 spanning-tree portfast

Where VLAN2 is the management network and VLAN4 is the server network. You
could put the smallest switch you can find that understands vlans in front
of each server and break the two vlans out to individual untagged ports,
but you'll still need the trunk to get to the server.
~Seth

From tedm at toybox.placo.com Thu Apr 9 12:32:11 2009
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Thu, 09 Apr 2009 09:32:11 -0700
Subject: [c-nsp] DNS Tool
In-Reply-To: 
References: <49DD1A5A.2020001@rainierconnect.net>
Message-ID: <49DE230B.2020802@toybox.placo.com>

Without having a more detailed explanation of what browsing problems
you're having, it's difficult to give any more specific advice, but here
goes:

1) browsers cache DNS lookups, so if you're having repetitive lookups fail
off the same browser session, it's not actually a DNS problem even though
it might seem like one.

2) client operating systems also cache DNS lookups so if you're having
repetitive lookups fail off multiple browser sessions it's not actually a
DNS problem even though it might seem like one.

3) if lookups work fine with nslookup but appear to fail in the browser
it's not actually a DNS problem

4) If you override your client OS DNS server IP addresses with your ISP's
DNS server IP addresses and you have lookup problems it's not actually a
DNS problem.

I think you probably are starting to get the picture here - many things
that people -think- are DNS problems actually aren't. As long as you're
being coy about what the exact problem is, you're not going to get much
useful advice from us. There's no need to be embarrassed, all of us have
gone through these kinds of problems before, often of our own making.

Practically all "DNS problems" I've ever troubleshot turned out to be
layer-2 problems, not DNS problems.

Just a thought.

Ted

Mohammad Khalil wrote:
> We are facing some browsing problems , so we want to make sure that our
> DNS servers are resolving well using tools other than nslookup
>
>> Date: Wed, 8 Apr 2009 14:42:50 -0700
>> From: walter.keen at rainierconnect.net
>> To: eng_mssk at hotmail.com
>> CC: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] DNS Tool
>>
>> Could you elaborate a little?
>>
>> We use Nagios to monitor other things, and use a DNS check plugin that
>> simply does a dns query and reports if it successfully got an answer. I
>> think there are other ones that will compare the answer to a known good
>> answer you supply (wouldn't work well with something like Google.com or
>> yahoo.com that does a lot of round robin entries)
>>
>> Mohammad Khalil wrote:
>>> Hey all
>>> is there any tool that can monitor the DNS behavior ??
>>> for example , the resolving process and if there are any errors ??
>>>
>>> Thanks
>>>
>>
>
>

From rdobbins at cisco.com Thu Apr 9 12:32:24 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Fri, 10 Apr 2009 00:32:24 +0800
Subject: [c-nsp] best way to network servers with management (iLO/IPMI)
In-Reply-To: <49DE2052.6080609@rollernet.us>
References: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com> <49DE2052.6080609@rollernet.us>
Message-ID: 

On Apr 10, 2009, at 12:20 AM, Seth Mattinen wrote:

> I have two older Dell servers that only give you the option of a
> shared ethernet port for their
> onboard IPMI, take it or leave it.
So, you can use the built-in port for that, and insert another NIC for use on the production side, yes? ;> ----------------------------------------------------------------------- Roland Dobbins // +852.9133.2844 mobile Our dreams are still big; it's just the future that got small. -- Jason Scott From sethm at rollernet.us Thu Apr 9 13:26:53 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 09 Apr 2009 10:26:53 -0700 Subject: [c-nsp] best way to network servers with management (iLO/IPMI) In-Reply-To: References: <68D02AC4-8F1B-4D48-92D4-482F4936ACEF@cisco.com> <49DE2052.6080609@rollernet.us> Message-ID: <49DE2FDD.1000704@rollernet.us> Roland Dobbins wrote: > > On Apr 10, 2009, at 12:20 AM, Seth Mattinen wrote: > >> I have two older Dell servers that only give you the option of a >> shared ethernet port for their >> onboard IPMI, take it or leave it. > > So, you can use the built-in port for that, and insert another NIC for > use on the production side, yes? > One could, but the single PCI-X (yes there's one and only one, not two) slot is taken by a RAID card and the other onboard GE port is being used for SAN access. ;) For the OP, yes, do use a dedicated port even though it can drastically expand your cabling and switching needs if you have a lot of servers. Port sharing is a horrible, horrible hack. ~Seth From cisco-nsp at natecarlson.com Thu Apr 9 13:16:33 2009 From: cisco-nsp at natecarlson.com (Nate Carlson) Date: Thu, 9 Apr 2009 12:16:33 -0500 (CDT) Subject: [c-nsp] best way to network servers with management (iLO/IPMI) In-Reply-To: References: Message-ID: On Thu, 9 Apr 2009, Drew Weaver wrote: > Ideally, I would like to be able to assign the management device a RFC > 1918 IP, have the actual server be on a different subnet altogether but > use a shared port. I know that BMCs generally can use VLAN tagging, but > I'm really not sure how I can do all of this with just one port. Yeah, you can.. 
enable VLAN trunking on the port, set your native VLAN to whatever you want the OS's main interface to be on, allow the VLAN you want management on as tagged, and set up your IPMI card to tag on that VLAN. Works fine. The OS can still get at the management VLAN, though, if you enable VLAN tagging on the OS-level and set up an interface on that VLAN. > The 'easy' way is to simply assign a dedicated NIC to the management > device and run another cable, but I'm not sure that is the best way to > do it. ..however, it is always my recommendation to use a dedicated NIC if you can. I've seen lots of issues with IPMI cards and shared interfaces.. for example, with many of the Supermicro motherboard and ipmi combos, when you assign an IP to the shared interface under Linux, all the sudden the IPMI stops working. Ooops. I think this is fixed in 2.6.27+, but still.. With the dedicated NIC, it's usually a completely isolated PHY, etc, so no matter what happens to the system itself, you can still get at IPMI, unless you lose power to that interface card. From raa at opusnet.com Thu Apr 9 14:34:16 2009 From: raa at opusnet.com (Ruben Alvarez) Date: Thu, 9 Apr 2009 11:34:16 -0700 Subject: [c-nsp] Ping priority on Cisco devices In-Reply-To: <49DD1BAD.6020604@toybox.placo.com> References: <004901c9b874$59596e00$0c0c4a00$@com> <49DD1BAD.6020604@toybox.placo.com> Message-ID: <004a01c9b941$caa789c0$5ff69d40$@com> Hi, Thanks for the reply. It running at ~18% cpu and is a 7206vxr w/NPE300. This morning the loss cleared up. I didn't collect enough data yesterday to really get to the bottom of this, so I'll drop it as a Qwest megahost issue. -----Original Message----- From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] Sent: Wednesday, April 08, 2009 2:48 PM To: Ruben Alvarez Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Ping priority on Cisco devices Ruben Alvarez wrote: > All, > > I've heard that Cisco devices handle ICMP at a low priority. 
I found one > post describing it handled in process-switching and not fast-switching. > Does anyone have an article that explains that process and is it > configurable? > > The reason I ask is I see about 4% packet loss when I ping devices in our > broadband aggregation network. From the CPE to the router there is none, > from my workstation to the router there is none, but if I ping the whole > path I get a fairly consistent 4% loss. I can't find any congestion or > errors. Ping from my workstation to the CPE are a consistent 60ms, aside > from the 4% loss. > > Thanks. > > What model is your router and can you post a config? What is CPU utilization on the router? What is memory utilization on the router? Ted From fwc at mt.net Thu Apr 9 14:05:53 2009 From: fwc at mt.net (Forrest W. Christian) Date: Thu, 09 Apr 2009 12:05:53 -0600 Subject: [c-nsp] Sonet "hard" patterns for testing Message-ID: <49DE3901.1030807@mt.net> I just got bit by a problem with scrambling not being on on a POS OC3 with a upstream provider... (Long story - provisioning person at provider had no clue... insisted that it wasn't needed). Symptom of course was certain files just not being able to be transfered past a certain point - where the file contained patterns not possible to transmit across a non-scrambled POS circuit. Took me a while to find it, though, because normal ping packets of course go through just fine, 100% of the time. In testing this, though, I would have loved to have some payloads for ping packets which weren't sendable on a non-scrambled POS circuit.. and probably other underlying circuits also. Sort of a set of "difficult" packets to try to send. Google has not been my friend in this regard... probably not using the right keywords, if the data exists out there at all. Ideas? 
-forrest From billw at waveform.net Thu Apr 9 19:38:23 2009 From: billw at waveform.net (Bill Wichers) Date: Thu, 9 Apr 2009 19:38:23 -0400 Subject: [c-nsp] Sonet "hard" patterns for testing In-Reply-To: <49DE3901.1030807@mt.net> References: <49DE3901.1030807@mt.net> Message-ID: The problem data strings are usually either strings that match control codes or long sequences of either all ones or all zeroes. If too many bits go by without any transitions it is possible for the receiver to loose sync with the network. You might want to just try a packet of all zeroes or ones as an experiment. You might try looking up one of the earlier documents detailing the SONET specification. There used to be a lot more concern for timing and jitter and the like than there is now, which I think is due to better time bases in modern gear making many of those issues less of a problem. I'd try looking for things like "jitter" and "clocking" in your search. While those might not key in on what you're looking for directly, they're likely to find you information that also includes some of what you're looking for. -Bill > I just got bit by a problem with scrambling not being on on a POS OC3 > with a upstream provider... (Long story - provisioning person at > provider had no clue... insisted that it wasn't needed). Symptom of > course was certain files just not being able to be transfered past a > certain point - where the file contained patterns not possible to > transmit across a non-scrambled POS circuit. Took me a while to find > it, though, because normal ping packets of course go through just fine, > 100% of the time. > > In testing this, though, I would have loved to have some payloads for > ping packets which weren't sendable on a non-scrambled POS circuit.. and > probably other underlying circuits also. Sort of a set of "difficult" > packets to try to send. > > Google has not been my friend in this regard... 
probably not using the
> right keywords, if the data exists out there at all.
>
> Ideas?
>
> -forrest

From hegedus.gabor at euroway.hu Fri Apr 10 05:09:32 2009
From: hegedus.gabor at euroway.hu (Hegedus Gabor)
Date: Fri, 10 Apr 2009 11:09:32 +0200
Subject: [c-nsp] c861w wifi problem: reached max retries
Message-ID: <49DF0CCC.4050103@euroway.hu>

Hi all!

I have a problem! I see this log in my c861W ap:

Apr 10 06:48:42: %DOT11-6-ROAMED: Station 001f.0000.f4ab Roamed to 001d.70d0.0001
Apr 10 06:48:42: %DOT11-4-MAXRETRIES: Packet to client 001f.3b20.f4ab reached max retries, removing the client
Apr 10 06:49:14: %DOT11-6-ROAMED: Station 001f.0000.f4ab Roamed to 001d.7060.0002
Apr 10 06:59:46: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 001f.0000.f4ab Reassociated KEY_MGMT[WPAv2]
Apr 10 07:00:23: %DOT11-6-ROAMED: Station 001f.0000.f4ab Roamed to 001d.70d0.0001
Apr 10 07:00:23: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.3b20.f4ab
Apr 10 07:00:23: %DOT11-4-MAXRETRIES: Packet to client 001f.0000.f4ab reached max retries, removing the client
Apr 10 07:07:08: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 001f.0000.f4ab Reassociated KEY_MGMT[WPAv2-CP]
Apr 10 07:07:38: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.0000.f4ab Reason: Sending station has left the BSS
Apr 10 07:31:33: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 001f.0000.f4ab Reassociated KEY_MGMT[WPAv2-CP]
Apr 10 07:32:03: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 001f.0000.f4ab Reason: Sending station has left the BSS
Apr 10 07:36:59: %DOT11-4-MAXRETRIES: Packet to client 001f.0000.f4ab reached max retries, removing the client
Apr 10 07:36:59: Client 001f.0000.f4ab failed: reached maximum retries

What is the problem?

cisco says:

Explanation: This error message indicates that the access point attempts
to poll the client a certain number of times, but does not receive a
response.
Therefore, the client is removed from the association table. This issue is
commonly seen when the client and access point are attempting to
communicate in a noisy RF environment.

Recommended Action: To resolve this issue, run a carrier busy test on the
access point to determine if there is excessive noise in the radio channel
spectrum. Attempt to alleviate any unwanted noise. For more information,
refer to the "Performing a Carrier Busy Test" section on page 6-26.

In Carrier Busy test, there is nothing ostentatious.

software version: (AP801-K9W7-M), Version 12.4(10b)JA3,
I use the 5 devices in WDS, roaming works, current wireless channel: 13

Any idea what is the problem?
If I use WDS, do all of the APs in the WDS domain have to use the same
channel or not?

Thank you for help guys.

Gabor

I send you a sample of the configuration:

dot11 ssid test
   vlan 1
   authentication open eap method_clients
   authentication network-eap method_clients
   authentication key-management wpa version 2
   accounting method_clients
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid test
 !
 ssid test2
 !
 station-role root
 no dot11 extension aironet
!

From justin at justinshore.com Fri Apr 10 11:14:10 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 10 Apr 2009 10:14:10 -0500
Subject: [c-nsp] OT: SNMP Trap manager recommendation
Message-ID: <49DF6242.4090301@justinshore.com>

I'm in need of a decent SNMP Trap manager that scales and is free (OSS) or
cheap. I currently use Nagios for my NMS and Cacti for data collection and
graphing so clearly I'm a fan of OSS solutions. I read an article several
years ago in the now defunct SysAdmin magazine on tying SNMP-TT into
Nagios. Is there a better way?

I need to collect traps from Hatteras equipment mainly but once I have it
I'm sure I'll use it for other things as well.

My searches have so far turned up JFFNMS, OpenNMS, Mila NetWhistler, NetCool
(expensive?)
and a few others. There's also the GroundWork fork of Nagios and other OSS
tools that may be useful.

Any recommendations?

Thanks
Justin

From danletkeman at gmail.com Fri Apr 10 11:30:08 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 10 Apr 2009 10:30:08 -0500
Subject: [c-nsp] passive ftp static nat
Message-ID: 

Hello,

I'm having trouble logging into our ftp server from an external source.
It works when you set the client to active mode, but passive mode always
hangs.

2821, IOS Firewall

Relevant config:

ip inspect name SDM_LOW ftp

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
!
interface FastEthernet0/0/3
 description Internet
 switchport access vlan 800
 bandwidth 10000
 no cdp enable
!
!
interface Vlan800
 description Internet
 bandwidth 10000
 ip address 64.x.x.1 255.255.255.224
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no mop enabled
!
!
ip nat pool 152 64.x.x.1 64.x.x.1 netmask 255.255.255.224
ip nat inside source list internet-152 pool 152 overload
ip nat inside source static tcp 172.16.0.24 21 64.x.x.1 21 extendable
ip nat inside source static tcp 172.16.0.24 80 64.x.x.1 80 extendable
!
ip access-list extended firewall
 permit tcp any host 64.x.x.1 eq ftp
 deny ip any any log
!
ip access-list extended internet-152
 permit tcp host 172.16.0.24 any

I have tried adding: "permit tcp any host 64.x.x.1 gt 1024 established"
to the firewall acl, but it still does not seem to connect from a passive
ftp client.

Dan.

From justin at justinshore.com Fri Apr 10 11:41:37 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 10 Apr 2009 10:41:37 -0500
Subject: [c-nsp] OT: Service provider-oriented QoS training
Message-ID: <49DF68B1.70900@justinshore.com>

I'm in need of a SP-oriented QoS training class.
We're just starting to deploy voice over G.SHDSL and bonded DS1s and are reaching out to more businesses than ever before. My meager QoS knowledge (I can spell it and talk real big) isn't cutting it anymore. I need guidance on QoS in an MPLS core, in a MetroE environment, re-coloring untrusted traffic at the edge, SP-provided voice and video (IPTV), edge product offerings that include certain QoS parameters (QoS for VoIP, gaming, etc), etc. The docs and books don't seem to be cutting it for me. I'm sure they're fine for someone with a solid background in QoS but I'm afraid that doesn't describe me. I'll pick it up I'm sure if I can spend a few days with an instructor in a classroom setting away from the phone (my phone at least). Any suggestions? The closest thing I've been able to find is the "Advanced Cisco Quality of Service" class from GlobalKnowledge, but it appears to be aimed more towards enterprises. http://www.globalknowledge.com/training/course.asp?pageid=9&courseid=9368&catid=206&country=United+States On a slightly different topic, what does everyone use for monitoring voice quality for VoIP customers? Something that can capture calls and either hand us Wireshark-readable packet dumps or break it down in a web GUI for the non-Wireshark savvy to use would be great. EdgeMarc has their EdgeView server with call quality monitoring features that look good but I'm pretty sure that it requires their CPE as well which is really not what we need or want. What else is out there that SP's use for IP soft switches? 
Thanks Justin From tedm at toybox.placo.com Fri Apr 10 13:06:54 2009 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Fri, 10 Apr 2009 10:06:54 -0700 Subject: [c-nsp] Ping priority on Cisco devices In-Reply-To: <004a01c9b941$caa789c0$5ff69d40$@com> References: <004901c9b874$59596e00$0c0c4a00$@com> <49DD1BAD.6020604@toybox.placo.com> <004a01c9b941$caa789c0$5ff69d40$@com> Message-ID: <49DF7CAE.3010002@toybox.placo.com> Hi Ruben, If you running 12.3 or later IOS I'd suggest backreving to 12.2. fast switching is a problematical thing in the newer IOS on these older CPU cards. I'd guess that even if you have ip cef defined in your config, that cef isn't actually running. what does show ip cef, show cef day? IOS 12.1/12.2 is about the newest most people go on the NPE300 Ted Ruben Alvarez wrote: > Hi, > > Thanks for the reply. It running at ~18% cpu and is a 7206vxr w/NPE300. > This morning the loss cleared up. I didn't collect enough data yesterday to > really get to the bottom of this, so I'll drop it as a Qwest megahost issue. > > -----Original Message----- > From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] > Sent: Wednesday, April 08, 2009 2:48 PM > To: Ruben Alvarez > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Ping priority on Cisco devices > > Ruben Alvarez wrote: > >> All, >> >> I've heard that Cisco devices handle ICMP at a low priority. I found one >> post describing it handled in process-switching and not fast-switching. >> Does anyone have an article that explains that process and is it >> configurable? >> >> The reason I ask is I see about 4% packet loss when I ping devices in our >> broadband aggregation network. From the CPE to the router there is none, >> from my workstation to the router there is none, but if I ping the whole >> path I get a fairly consistent 4% loss. I can't find any congestion or >> errors. Ping from my workstation to the CPE are a consistent 60ms, aside >> from the 4% loss. >> >> Thanks. 
>>
>>
>>
> What model is your router and can you post a config?
>
> What is CPU utilization on the router? What is memory utilization on
> the router?
>
> Ted
>
>

From rubensk at gmail.com Fri Apr 10 14:10:04 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Fri, 10 Apr 2009 15:10:04 -0300
Subject: [c-nsp] OT: SNMP Trap manager recommendation
In-Reply-To: <49DF6242.4090301@justinshore.com>
References: <49DF6242.4090301@justinshore.com>
Message-ID: <6bb5f5b10904101110k1adbee70pc144d671a164d82f@mail.gmail.com>

> My searches have so far turned up JFFNMS, OpenNMS, Mila NetWhistler, NetCool
> (expensive?) and a few others. There's also the GroundWork fork of Nagios
> and other OSS tools that may be useful.

On the "few others" section, Castlerock's SNMPc is a nice, cheap product
we are very fond of. What's Up Gold and Solarwinds ipMonitor and Orion NPM
might also fit one's budget, but no direct experience on those.

Rubens

From awain567 at yahoo.com Fri Apr 10 14:16:27 2009
From: awain567 at yahoo.com (Alex Wa)
Date: Fri, 10 Apr 2009 11:16:27 -0700 (PDT)
Subject: [c-nsp] RSPAN VLAN filter & TCAM issue
Message-ID: <796193.38319.qm@web58008.mail.re3.yahoo.com>

Hi guys,

We're receiving this log message when trying to apply a vlan filter to a
RSPAN VLAN.

Apr 10 13:36:08.580: %FM-4-TCAM_ENTRY: Hardware TCAM entry capacity exceeded
Apr 10 13:36:08.580: %FM-2-VACL_FAILURE: Interface Vlan100 traffic will not comply with VACLs in ingress direction(s)

We don't have any access list applied to any interface except the VLAN
filter, and in total 16 access-lists. The sh tcam counts is below (when
the output was taken the vlan filter wasn't applied)

           Used        Free        Percent Used       Reserved
           ----        ----        ------------       --------
 Labels:      2         510            0
ACL_TCAM
  Masks:      2        4094            0                     0
Entries:     16       32752            0                     0
QOS_TCAM
  Masks:      0        4096            0                     0
Entries:      0       32768            0                     0
    LOU:      0          64            0
  ANDOR:      0          16            0
  ORAND:      1          15            6
    ADJ:      0        1024            0

Cisco's error decoder recommends to delete unused access list but we can't
reduce no more and 16 access lists is a normal, if not low, amount.

any hint ?

thanks in advance,
Alejandro Wainshtok

From bdikici at gmail.com Fri Apr 10 18:55:09 2009
From: bdikici at gmail.com (Burak Dikici)
Date: Sat, 11 Apr 2009 01:55:09 +0300
Subject: [c-nsp] BGP Multihoming and syncronous traffic flow for the different traffic types
Message-ID: 

ISP-1                              ISP-2
same country ISP                   outside of country ISP
   |                                  |
   |                                  |
   ---------- My router (Cisco 7600) --------
                     |
                     |
      User's real subnet (for example 50.50.0.0)

Hello ,

I have got two different ISPs connections from my router. One of the ISPs
is in my country (local ISP), the other ISP is in a different country.

Here are the requirements;

If the traffic is p2p and if it goes to the outside of the country, use
ISP-2. And the return of this traffic will come from the ISP-2 link.
(synchronous traffic flow)

The other traffic types will use the ISP-1 connection. For example, maybe
p2p traffic goes inside of the country. Use ISP-1 connection for this type
of traffic as well.

How can i differentiate the traffic that goes to the inside of the country,
or the outside of the country? The users have got real ip addresses.
(Nearly 10.000 users.)

To catch the p2p traffic, i think we have to use NBAR. To route the
different kind of traffic types, i think we have to use PBR. For this kind
of request, i can use NATing on the ISP-2 link. But, does this cause any
problem for this type of connection on the Cisco 7600 model router? Is NAT
done on the Cisco 7600 router software based or hardware based?

For complete scenario, we have to use NAT, PBR and NBAR.
Does that cause any problem on the Cisco 7600 router, and what about performance? Could you give me an idea how it can be done?

Kind Regards...

Burak Dikici

From acm at axians.de Sat Apr 11 08:51:09 2009
From: acm at axians.de (Cheikh-Moussa Ahmad)
Date: Sat, 11 Apr 2009 14:51:09 +0200
Subject: [c-nsp] 4948 MAX Arp entries
In-Reply-To:
References:
Message-ID:

Hi Guys,

it looks like my question wasn't that easy. Does anyone know a good link where to find more specific information about TCAM?

Regards,
Ahmad

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Cheikh-Moussa Ahmad
> Sent: Thursday, 2 April 2009 14:26
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 4948 MAX Arp entries
>
> Hi Guys,
>
> I have searched a lot of sites and unfortunately didn't find an answer.
> Can someone tell me how many ARP entries (adjacencies) a 4948 switch
> can handle?
> For L2 switching it can have up to 32K, or the 4948-10G up to 55K entries,
> but I could not find anything about the max ARP entries. As far as I know
> these ARP entries or adjacencies are stored in TCAM. So the 4948 series
> can have 64K entries in the TCAM.
>
> Am I right when I say:
> TCAM 64K =
> 32K IPv4 unicast routes
> 32K unicast ARP entries (adjacencies)
>
> What about the ACLs and QoS configuration? These are also stored in
> TCAM, right?
> So if this is right, then I never reach this, which I found on the
> datasheets of the switches:
> * Unicast and multicast routing entries: 32,000
> * Policers: 512 ingress and 512 egress
> * Access control list (ACL) and QoS entries: 32,000
>
> Could it be that all these features share the same TCAM?
> I'm a little bit confused.
>
> Regards,
> Ahmad
>
>
> Ahmad Cheikh-Moussa
> Consultant
> Business Unit Carrier & Service Provider
>
> AXIANS
> NK Networks & Services GmbH
> Fischertwiete 2, Chilehaus A
> 20095 Hamburg
>
> Tel.: +49 40 237 899 - 72
> Fax: +49 40 237 899 - 69
>
> Ahmad.cheikh-moussa at axians.de
> Acheikh-moussa at axians.de
> acm at axians.de
> www.axians.com

Registered office of NK Networks & Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln. Court of registration: Amtsgericht Köln, registration number HRB 30805. Managing director: Tonis Rösche

From bdikici at gmail.com Sat Apr 11 11:39:49 2009
From: bdikici at gmail.com (Burak Dikici)
Date: Sat, 11 Apr 2009 18:39:49 +0300
Subject: [c-nsp] BGP Multihoming and syncronous traffic flow for the different traffic types
In-Reply-To:
References:
Message-ID:

P2P is peer-to-peer traffic. Peer-to-peer traffic to the outside of the country will go over the ISP-2 link, and the return traffic of this connection will come back through the same ISP-2 link.

My clients are using real IP addresses. If I advertise their subnet from ISP-1 with BGP to the outside world, the outside world knows them via the ISP-1 link and their return traffic will come through the ISP-1 link.

I catch the outside-of-the-country p2p traffic with NBAR and route this traffic to ISP-2 with PBR; what about the return traffic of this connection? At this point NATing comes into play. The source IP address of the outside-of-the-country p2p traffic will be NATed to the ISP-2 NAT pool addresses, and these NAT pool addresses will be advertised with BGP only to the ISP-2 link. Therefore, the outside world knows these addresses only through ISP-2 and the return traffic of this connection will come back through the ISP-2 link; it is symmetrical traffic flow for the outside-of-the-country p2p traffic.

Am I right? How can it be done without using NAT?

Regards...
On Sat, Apr 11, 2009 at 1:55 AM, Burak Dikici wrote:
>           ISP-1                         ISP-2
>     same country ISP            outside of country ISP
>             |                             |
>             |                             |
>             |                             |
>             |                             |
>             |                             |
>             |                             |
>             |                             |
>             |                             |
>      ---------- My router (Cisco 7600) --------
>                           |
>                           |
>                           |
>           User's real subnet (for example 50.50.0.0)
>
>
> Hello,
>
> I have got two different ISP connections from my router. One of the ISPs is
> in my country (local ISP), the other ISP is in a different country. Here are
> the requirements:
>
> If the traffic is p2p and if it goes to the outside of the country, use
> ISP-2. And the return of this traffic will come from the ISP-2 link.
> (synchronous traffic flow)
>
> The other traffic types will use the ISP-1 connection. For example, maybe
> p2p traffic goes inside of the country. Use the ISP-1 connection for this type
> of traffic as well.
>
> How can I differentiate the traffic that goes to the inside of the country, or
> the outside of the country?
>
> The users have got real IP addresses. (Nearly 10.000 users.) To catch the
> p2p traffic, I think we have to use NBAR. To route the different kinds of
> traffic types, I think we have to use PBR. For this kind of request, I can
> use NATing on the ISP-2 link. But does this cause any problem for this type
> of connection on the Cisco 7600 model router? Is NAT done on the Cisco
> 7600 router software based or hardware based? For the complete scenario, we
> have to use NAT, PBR and NBAR. Does that cause any problem on the Cisco 7600
> router, and what about performance? Could you give me an idea how it can be
> done?
>
> Kind Regards...
>
> Burak Dikici

From lists at hojmark.org Sat Apr 11 16:54:06 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Sat, 11 Apr 2009 22:54:06 +0200
Subject: [c-nsp] 4948 MAX Arp entries
In-Reply-To:
References:
Message-ID: <50F3D441178E4472814BD21298295A77@hojmark.net>

> What about the ACLs and QoS configuration? These are also
> stored in TCAM, right?
It's separate TCAM, described in http://tinyurl.com/cu4a9o
(http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a008054a499.shtml)

-A

From frnkblk at iname.com Sun Apr 12 01:38:01 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sun, 12 Apr 2009 00:38:01 -0500
Subject: [c-nsp] NAT on ASR1000
In-Reply-To: <20090407154647.GQ20028@rtp-cse-489.cisco.com>
References: <20090407154647.GQ20028@rtp-cse-489.cisco.com>
Message-ID:

Could the ASR1000 be the box that Cisco recommends for carrier IPv6 NAT (i.e. IPv6 to IPv4 translations)?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
Sent: Tuesday, April 07, 2009 10:47 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT on ASR1000

A few bugs are still being worked through, but the 72xx and 76xx croaked under the load:

ASR1002ESP10#sh proc cpu sort | excl 0.00
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process

ASR1002ESP10#sh ip nat stat
Total active translations: 92367 (80 static, 92287 dynamic; 92287 extended)
Outside interfaces:
  GigabitEthernet0/0/0, Tunnel1
Inside interfaces:
  GigabitEthernet0/0/1, GigabitEthernet0/0/2
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 87400847

That's on 12.2(33)XNC and I just filed one bug:

CSCsy93931 ASRNAT does not do FIN/RST/SYN timeout when no-payload keyword used

My first work on the box with NAT, but this thing seems pretty impressive.

Anyone else using it for high scale NAT yet?
Rodney
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Sun Apr 12 02:00:57 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sun, 12 Apr 2009 01:00:57 -0500
Subject: [c-nsp] OT: Service provider-oriented QoS training
In-Reply-To: <49DF68B1.70900@justinshore.com>
References: <49DF68B1.70900@justinshore.com>
Message-ID:

Lots of tools out there; you get as much as you want to pay for:
- if you're doing PacketCable VoIP, then the Tektronix product (through their Minacom acquisition) seems the right fit. The Arris eMTAs also have lots of stats that are queryable via SNMP or the CLI.
- Brix line of products, now part of EXFO
- Empirix's Hammer
- if you're serving an enterprise, then Cisco's IP SLA may be a fit

There's more here:
http://www.voip-info.org/wiki/view/How+To+Debug+and+Troubleshoot+VOIP

RTCP XR (RFC 3611) is the standard you want to take advantage of, if the CPE supports it.

The ability for the product to extract/obtain metrics from your softswitch will totally depend on whether the vendor has done the integration work.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, April 10, 2009 10:42 AM
To: 'Cisco-nsp'
Subject: [c-nsp] OT: Service provider-oriented QoS training

On a slightly different topic, what does everyone use for monitoring voice quality for VoIP customers? Something that can capture calls and either hand us Wireshark-readable packet dumps or break it down in a web GUI for the non-Wireshark-savvy to use would be great. EdgeMarc has their EdgeView server with call quality monitoring features that look good, but I'm pretty sure that it requires their CPE as well, which is really not what we need or want. What else is out there that SPs use for IP softswitches?
Thanks
Justin

From piotr.nowacki at interia.pl Sun Apr 12 05:06:19 2009
From: piotr.nowacki at interia.pl (Piotr Nowacki)
Date: Sun, 12 Apr 2009 10:06:19 +0100
Subject: [c-nsp] OT: SNMP Trap manager recommendation
In-Reply-To: <49DF6242.4090301@justinshore.com>
References: <49DF6242.4090301@justinshore.com>
Message-ID: <20090412090619.GA3842@i-194-106-50-219>

On Fri, Apr 10, 2009 at 10:14:10AM -0500, Justin Shore wrote:
> I'm in need of a decent SNMP trap manager that scales and is free (OSS)
> or cheap. I currently use Nagios for my NMS and Cacti for data collection
> and graphing, so clearly I'm a fan of OSS solutions. I read an article
> several years ago in the now defunct SysAdmin magazine on tying
> SNMP-TT into Nagios. Is there a better way? I need to collect traps
> from Hatteras equipment mainly, but once I have it I'm sure I'll use it
> for other things as well.
>
> My searches have so far turned up JFFNMS, OpenNMS, Mila NetWhistler,
> NetCool (expensive?) and a few others. There's also the GroundWork fork
> of Nagios and other OSS tools that may be useful.
>
> Any recommendations?
>
> Thanks
> Justin

Hi,

take a look at Opsview (www.opsview.org)
It is basically Nagios with heavily patched NDO and a Java frontend.
It does support basic SNMP trap processing.
Peter

From sami.joseph at gmail.com Sun Apr 12 07:45:13 2009
From: sami.joseph at gmail.com (Sami Joseph)
Date: Sun, 12 Apr 2009 13:45:13 +0200
Subject: [c-nsp] Testing reachability
Message-ID: <9da37ec40904120445y51a94a4fmdc38c84f134eb703@mail.gmail.com>

Network Management Gurus,

I have an enterprise network and my NMS is showing interfaces on some devices as down. That is because it keeps checking their availability with SNMP/ping, and if one response is missed then it considers the interface as down and needs acknowledging/clearing of the alarm in order to remove it.

I would like to know why that response is missed so we can fix it. Is there a tool that can give me a detailed report that can help me troubleshoot this?

Regards,
Sam

From aftab.siddiqui at gmail.com Sun Apr 12 09:16:05 2009
From: aftab.siddiqui at gmail.com (Aftab Siddiqui)
Date: Sun, 12 Apr 2009 18:16:05 +0500
Subject: [c-nsp] Testing reachability
In-Reply-To: <9da37ec40904120445y51a94a4fmdc38c84f134eb703@mail.gmail.com>
References: <9da37ec40904120445y51a94a4fmdc38c84f134eb703@mail.gmail.com>
Message-ID: <3c605ce10904120616k5959bd02ua9009d8b2b1df5aa@mail.gmail.com>

There could be several reasons for a packet drop in particular at some point in time. It could be because of high traffic utilization, or maybe because of high CPU utilization in case of a system process. There is no general rule for troubleshooting; that's why placing the NMS is very critical within the enterprise network.

For a start, if you have SNMP-enabled devices then start polling the switch/router ports for traffic (MRTG) and CPU.

It will definitely help to drill down the problem.
On 12/04/2009, Sami Joseph wrote:
> Network Management Gurus,
>
> I have an enterprise network and my NMS is showing interfaces on some
> devices as down. That is because it keeps checking their availability
> with SNMP/ping, and if one response is missed then it considers the interface
> as down and needs acknowledging/clearing of the alarm in order to remove it.
>
> I would like to know why that response is missed so we can fix it. Is there
> a tool that can give me a detailed report that can help me troubleshoot
> this?
>
> Regards,
> Sam

--
Regards,
Aftab A. Siddiqui

From david.freedman at uk.clara.net Sun Apr 12 10:06:48 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Sun, 12 Apr 2009 15:06:48 +0100
Subject: [c-nsp] 12.4(T) feature oddness
Message-ID: <1BD38DD97E9BEB40A599BFCCED93CC7F4780D5@EXVS01.claranet.local>

I've been looking at doing some EEM stuff with client kit using the latest 12.4(T) and have come across some feature oddness.

It appears that you cannot make outgoing ISDN calls without using the ADVANCED ENTERPRISE license (using ADVANCED IP will give you obscure messages such as "Outgoing Call id XXXX Blocked").

This is fine and dandy; however, I am deploying some EEM applets on the CPE which I would like to respond to SNMP traps which are sent from events on the CPE and looped back to itself (I don't want to rely on logging for event triggers in case there is a logging storm and I miss the messages). In such a case, I need the trap receiver or "snmp-server manager" command, which ONLY appears to be present in ADVANCED IP and not ADVANCED ENTERPRISE.

Does anybody know a way around this silliness?

The box in question is an 876, on which I am compelled to run the technology train (I do not believe there is mainline support for the 876 yet?)
thanks in advance

Dave.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From zivl at gilat.net Sun Apr 12 10:58:43 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 12 Apr 2009 17:58:43 +0300
Subject: [c-nsp] OT: Service provider-oriented QoS training
In-Reply-To: <5c7a3dff-6cb1-4c47-8977-6d8058c74118@exch2k7.gilat.local>
References: <49DF68B1.70900@justinshore.com> <5c7a3dff-6cb1-4c47-8977-6d8058c74118@exch2k7.gilat.local>
Message-ID:

You may want to take a look at what RADCOM's Omni-Q has to offer in this field.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk
Sent: Sunday, April 12, 2009 9:01 AM
To: 'Justin Shore'; 'Cisco-nsp'
Subject: Re: [c-nsp] OT: Service provider-oriented QoS training

Lots of tools out there; you get as much as you want to pay for:
- if you're doing PacketCable VoIP, then the Tektronix product (through their Minacom acquisition) seems the right fit. The Arris eMTAs also have lots of stats that are queryable via SNMP or the CLI.
- Brix line of products, now part of EXFO
- Empirix's Hammer
- if you're serving an enterprise, then Cisco's IP SLA may be a fit

There's more here:
http://www.voip-info.org/wiki/view/How+To+Debug+and+Troubleshoot+VOIP

RTCP XR (RFC 3611) is the standard you want to take advantage of, if the CPE supports it.

The ability for the product to extract/obtain metrics from your softswitch will totally depend on whether the vendor has done the integration work.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, April 10, 2009 10:42 AM
To: 'Cisco-nsp'
Subject: [c-nsp] OT: Service provider-oriented QoS training

On a slightly different topic, what does everyone use for monitoring voice quality for VoIP customers?
Something that can capture calls and either hand us Wireshark-readable packet dumps or break it down in a web GUI for the non-Wireshark-savvy to use would be great. EdgeMarc has their EdgeView server with call quality monitoring features that look good, but I'm pretty sure that it requires their CPE as well, which is really not what we need or want. What else is out there that SPs use for IP softswitches?

Thanks
Justin

From charles at thewybles.com Sun Apr 12 12:29:08 2009
From: charles at thewybles.com (Charles Wyble)
Date: Sun, 12 Apr 2009 09:29:08 -0700
Subject: [c-nsp] Testing reachability
In-Reply-To: <3c605ce10904120616k5959bd02ua9009d8b2b1df5aa@mail.gmail.com>
References: <9da37ec40904120445y51a94a4fmdc38c84f134eb703@mail.gmail.com> <3c605ce10904120616k5959bd02ua9009d8b2b1df5aa@mail.gmail.com>
Message-ID: <49E216D4.5030503@thewybles.com>

Lower your NMS sensitivity. Only have it alert after n failures in n time.

I do this with Nagios. It has an algorithm which causes it to change the level of checking dynamically based on whether there is a failure or not.

Aftab Siddiqui wrote:
> There could be several reasons for a packet drop in particular at some
> point in time.
> It could be because of high traffic utilization, or maybe
> because of high CPU utilization in case of a system process. There is no
> general rule for troubleshooting; that's why placing the NMS is very
> critical within the enterprise network.
>
> For a start, if you have SNMP-enabled devices then start polling the
> switch/router ports for traffic (MRTG) and CPU.
>
> It will definitely help to drill down the problem.
>
> On 12/04/2009, Sami Joseph wrote:
>> Network Management Gurus,
>>
>> I have an enterprise network and my NMS is showing interfaces on some
>> devices as down. That is because it keeps checking their availability
>> with SNMP/ping, and if one response is missed then it considers the interface
>> as down and needs acknowledging/clearing of the alarm in order to remove it.
>>
>> I would like to know why that response is missed so we can fix it. Is there
>> a tool that can give me a detailed report that can help me troubleshoot
>> this?
>>
>> Regards,
>> Sam
>>
>

From chris.garzon at gmail.com Sun Apr 12 22:56:42 2009
From: chris.garzon at gmail.com (Dracul)
Date: Mon, 13 Apr 2009 10:56:42 +0800
Subject: [c-nsp] video,voip and internet over DSL (converged)
In-Reply-To: <223F626EF40847739E6B7BB120FAAC5B@Toshiba>
References: <876789290904081922te84a61ev1da8dff3f198b322@mail.gmail.com> <223F626EF40847739E6B7BB120FAAC5B@Toshiba>
Message-ID: <876789290904121956q2713f8b8g5573cf2fba8c255b@mail.gmail.com>

Thanks all! I'll take into consideration all your inputs.

Another thing: will the CPU processing power of each DSLAM be enough, or do I also need to distribute its load, like not filling up a DSLAM's ports to its limit, maybe 70% only per floor of the building?
regards,
chris

On Fri, Apr 10, 2009 at 12:01 AM, Scott Granados wrote:
> DSL will work but you'll need the right flavor.
>
> You could set different PVCs with different QoS and characteristics, but
> bottom line, you'll need enough pipe to make this work. I believe it's
> something on the order of 6 - 8 megabits for HD and 1-3 for SD.
> I've heard, although I've never used it personally, that the AT&T U-verse
> offering works similar to this with ADSL2+ on the last few feet into the
> home.
>
>
> ----- Original Message ----- From: "Dracul"
> To:
> Sent: Wednesday, April 08, 2009 7:22 PM
> Subject: [c-nsp] video,voip and internet over DSL (converged)
>
>
>> Hi list,
>>
>> is it feasible to broadcast video/VoIP + internet over DSL? Let's say I
>> deploy a Cisco DSLAM infra in a 20-storey building. It would run over a
>> media server solution and a VoIP network. I am not sure if this would be a
>> stable solution considering I want to broadcast HD and SD alike plus VoIP
>> and internet to boot.
>>
>> Any cons? Like noise level or quality of the video or quality of bandwidth
>> etc., because DSL transport is just running over copper, right? Or would I
>> be better off running fibre? But of course cost will then quantify the use of
>> DSL.
>>
>> regards,
>> Chris
From scubacuda at gmail.com Mon Apr 13 00:22:19 2009
From: scubacuda at gmail.com (Rogelio)
Date: Sun, 12 Apr 2009 21:22:19 -0700
Subject: [c-nsp] OT: SNMP Trap manager recommendation
In-Reply-To: <20090412090619.GA3842@i-194-106-50-219>
References: <49DF6242.4090301@justinshore.com> <20090412090619.GA3842@i-194-106-50-219>
Message-ID: <49E2BDFB.5020908@gmail.com>

Piotr Nowacki wrote:
>> Justin
> Hi,
> take a look at Opsview (www.opsview.org)
> It is basically Nagios with heavily patched NDO and a Java frontend.
> It does support basic SNMP trap processing.

OpenNMS might also do what you need. See this URL:
http://www.opennms.org/index.php/Event_Configuration_How-To

particularly this section on traps using the trapd process:
http://www.opennms.org/index.php/Event_Configuration_How-To#SNMP_Traps

There in eventconf.xml you can write up the details on how you'd like to trap things and convert them into something more user friendly. (Which is what you're trying to do, right?)

HTH

From acm at axians.de Mon Apr 13 07:33:53 2009
From: acm at axians.de (Cheikh-Moussa Ahmad)
Date: Mon, 13 Apr 2009 13:33:53 +0200
Subject: [c-nsp] 4948 MAX Arp entries
In-Reply-To: <50F3D441178E4472814BD21298295A77@hojmark.net>
References: <50F3D441178E4472814BD21298295A77@hojmark.net>
Message-ID:

Hi Asbjorn,

thanks for the link. That means this is right, because ACL and QoS use a separate TCAM.

TCAM 64K =
32K IPv4 unicast routes
32K unicast ARP entries (adjacencies)

Thanks,
Ahmad

> -----Original Message-----
> From: Asbjorn Hojmark - Lists [mailto:lists at hojmark.org]
> Sent: Saturday, 11 April 2009 22:54
> To: Cheikh-Moussa Ahmad
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] 4948 MAX Arp entries
>
> > What about the ACLs and QoS configuration? These are also
> > stored in TCAM, right?
>
> It's separate TCAM, described in http://tinyurl.com/cu4a9o
>
> (http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a008054a499.shtml)
>
> -A

From deric.kwok2000 at gmail.com Mon Apr 13 07:35:48 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Mon, 13 Apr 2009 07:35:48 -0400
Subject: [c-nsp] 2600 vs 2800 series different
Message-ID: <40d8a95a0904130435h372d686aie18645da6239899a@mail.gmail.com>

Hi

What is the difference between the 2600 and 2800 router?

I checked; it is just 100 different on eBay.

Does the 2800 also have the features of the 2600? If yes,

Does the 3500 router also have the same features as the 2600?

Does the 2800 support VPN, the tcsh command and VLANs?

Thank you

From plunin at gmail.com Mon Apr 13 08:27:05 2009
From: plunin at gmail.com (Pavel Lunin)
Date: Mon, 13 Apr 2009 16:27:05 +0400
Subject: [c-nsp] NAT on ACE
Message-ID: <49E32F99.6010701@gmail.com>

Hi experts,

Who thinks what about the idea of using the Cisco ACE module for 6500/7600 as a NAT device for a huge enterprise network?

I am looking for a device which would be capable of NATing traffic for a network of several thousand desktops + an enterprise-scale data center: up to 5 Gbps of traffic in total. Local sales say it is a nice idea to use ACE. The price is also very attractive compared with any classic stateful firewall solution. But I myself have absolutely no experience with ACE and am also afraid nothing comes free. At least in the Cisco world :)

Skimming through Cisco's datasheets, it seems like ACE is rather a kind of load balancer, SSL accelerator, L7 proxy, etc. These functions are usually done in software. However, ACE's NAT capabilities, announced by the vendor, should require lots of expensive hardware, just as any firewall does.

So where is the trick? Does anyone have real life experience with NAT on the ACE module? Should we go there?
Let's assume we don't need any other firewall features, only NAT.

Thank you.

--
Kind regards,
Pavel

From peter at rathlev.dk Mon Apr 13 10:02:17 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 13 Apr 2009 16:02:17 +0200
Subject: [c-nsp] 2600 vs 2800 series different
In-Reply-To: <40d8a95a0904130435h372d686aie18645da6239899a@mail.gmail.com>
References: <40d8a95a0904130435h372d686aie18645da6239899a@mail.gmail.com>
Message-ID: <1239631337.3480.10.camel@localhost.localdomain>

On Mon, 2009-04-13 at 07:35 -0400, Deric Kwok wrote:
> What is the difference between the 2600 and 2800 router?
>
> I checked; it is just 100 different on eBay.
>
> Does the 2800 also have the features of the 2600? If yes,
> Does the 3500 router also have the same features as the 2600?
> Does the 2800 support VPN, the tcsh command and VLANs?

The 2800 is the successor to the 2600. The last 2600 models were announced EoS from March 2007.

The 2800 is likely to support more features than the 2600. It at least supports IPSec, tclsh and 802.1Q VLANs with the correct IOS, though the IPSec handling benefits from accelerator modules.

Regards,
Peter

From arievayner at gmail.com Mon Apr 13 11:44:37 2009
From: arievayner at gmail.com (Arie Vayner)
Date: Mon, 13 Apr 2009 18:44:37 +0300
Subject: [c-nsp] NAT on ACE
In-Reply-To: <49E32F99.6010701@gmail.com>
References: <49E32F99.6010701@gmail.com>
Message-ID: <20b13c6b0904130844n924aba3t96cb7d46a0055f40@mail.gmail.com>

Pavel,

ACE can do this, but you need to take a look also at other performance metrics such as the maximal session number (which could be very different for the same BW rate for different session profiles).

Also, you need to make sure that more advanced features you may need are available and are scalable enough (like static mappings etc). You should also think about features like NetFlow and routing.

It could be a good idea to actually split the NAT functionality of the enterprise and the data center, as their level of redundancy, features and traffic profiles are quite different.
Arie

On Mon, Apr 13, 2009 at 3:27 PM, Pavel Lunin wrote:
> Hi experts,
>
> Who thinks what about the idea of using the Cisco ACE module for 6500/7600 as a
> NAT device for a huge enterprise network?
>
> I am looking for a device which would be capable of NATing traffic for a
> network of several thousand desktops + an enterprise-scale data center: up
> to 5 Gbps of traffic in total. Local sales say it is a nice idea to use ACE.
> The price is also very attractive compared with any classic stateful
> firewall solution. But I myself have absolutely no experience with ACE and
> am also afraid nothing comes free. At least in the Cisco world :)
>
> Skimming through Cisco's datasheets, it seems like ACE is rather a kind of
> load balancer, SSL accelerator, L7 proxy, etc. These functions are usually
> done in software. However, ACE's NAT capabilities, announced by the vendor,
> should require lots of expensive hardware, just as any firewall does.
>
> So where is the trick? Does anyone have real life experience with NAT on the
> ACE module? Should we go there? Let's assume we don't need any other
> firewall features, only NAT.
>
> Thank you.
>
> --
> Kind regards,
> Pavel

From jmkeller at houseofzen.org Mon Apr 13 11:25:16 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Mon, 13 Apr 2009 11:25:16 -0400
Subject: [c-nsp] Verizon's PIP service
In-Reply-To:
References:
Message-ID: <49E3595C.6060005@houseofzen.org>

Verizon's PIP (as of a few years ago; it's been a while since I left) was using a dedicated backbone and POPs (inherited from the MCI merger) for the PIP service. One of the downsides was there were limited POPs compared to the access network offerings. Customer connections are just access lines into the POPs.
The local loops will ride the local carrier into the local POP; this often caused fairly long back-haul connections if there wasn't a POP close enough, especially if customers were running diverse POP connections into sites for redundancy. So unless they have had to bring on third-party POP sites, after the local loop it will be all Verizon controlled. You would need to confirm the current configuration with your sales team, but I haven't had to terminate into anything other than a Verizon-owned POP in the US or Western Europe yet.

--
James Michael Keller

D W wrote:
> Anyone happen to know if Verizon relies on any 3rd party service providers (using inter-AS MP-BGP, AToM, etc.) for their PIP (MPLS based private IP) service? I'm trying to figure out which service providers have a national reach and fully contain/control their own MPLS clouds without relying on one another for transport.
>
>
> Thanks,
>
> Dave

From jmkeller at houseofzen.org Mon Apr 13 11:51:12 2009
From: jmkeller at houseofzen.org (James Michael Keller)
Date: Mon, 13 Apr 2009 11:51:12 -0400
Subject: [c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard
In-Reply-To:
References: <725C9117-BE48-468B-A39E-B69347853BAB@cisco.com> <04670DB7-99B1-4F55-8DDD-9C036F93E4AF@cisco.com> <49BD9755.6060608@justinshore.com>
Message-ID: <49E35F70.3090209@houseofzen.org>

Yes, I've crushed a MARS 110 unit with NetFlow data from around 200 devices.
Cisco recommended we switch to a dedicated NetFlow collector and then feed the consolidated sessions into MARS rather than have MARS directly take all the raw NetFlows (i.e. layer 3 switch flow and router flow having duplicate data for the same flow).

We're on the last 5.x build version before 6.x. Getting ready to rebuild it from a 6.x disk and see if the new SQL backend helps with some of that until we get a dedicated NetFlow box in.

---
James Michael Keller

Ryan Hughes wrote:
> MARS really isn't positioned to be NetFlow anomaly detection along the lines
> of Arbor and the others previously mentioned. It's simply a feature that's
> in there to help bring into perspective what's going on with your Cisco
> infrastructure from a threat perspective. And I would definitely be careful
> with the amount of logs and NetFlow that you send to the device, as you can
> definitely cause it to choke, whereby the device isn't storing enough events
> for proper correlation.
>
> On Sun, Mar 15, 2009 at 8:03 PM, Justin Shore wrote:
>
>> Roland Dobbins wrote:
>>
>>> On Mar 16, 2009, at 12:39 AM, Roland Dobbins wrote:
>>>
>>>> Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe are
>>>> three commercial NetFlow-based anomaly-detection systems.
>>>
>>> I forgot to add Q1 Labs Q1Radar, and I believe NetQoS now have an
>>> anomaly-detection module, as well, though I've not seen it.
>>
>> How about MARS? I'm trying to get a pair of IDSM2s returned (they don't
>> work right on 7600s) in exchange for a MARS 110R appliance. That's roughly
>> the same price. I'm planning on using it for log analysis. Would its
>> NetFlow abilities be useful here?
>>
>> Justin

From walter.keen at RainierConnect.net Mon Apr 13 12:24:30 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Mon, 13 Apr 2009 09:24:30 -0700
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <383357750904090125t302139f8o1d836243dc484010@mail.gmail.com>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <74206b240904080701t75420f7dqd1298597e246008c@mail.gmail.com> <383357750904090125t302139f8o1d836243dc484010@mail.gmail.com>
Message-ID: <49E3673E.1040705@rainierconnect.net>

Backplane speed per slot I would imagine.

Imagine the 7600 and its 10-port 10GE card. If it only has 40gb on the backplane or fabric for that slot... well... let's hope all 10 ports aren't utilized to 100% at all times. It's a little over 2:1 over-subscription for the example I gave.

Mateusz Blaszczyk wrote:
> What's the difference between 40g/slot and 100g/slot ready?
> Is it like "vista ready"?
>
> I would assume (wrongly?) that this is a hw limit?
>
> Best Regards,
>
> -mat

From sethm at rollernet.us Mon Apr 13 13:16:02 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 13 Apr 2009 10:16:02 -0700
Subject: [c-nsp] 2600 vs 2800 series different
In-Reply-To: <40d8a95a0904130435h372d686aie18645da6239899a@mail.gmail.com>
References: <40d8a95a0904130435h372d686aie18645da6239899a@mail.gmail.com>
Message-ID: <49E37352.9000601@rollernet.us>

Deric Kwok wrote:
> Hi
>
> What is different between 2600 and 2800 router?
>
> I check it is just 100 different in ebay
>
> Does 2800 also have feature as 2600? if yet
>
> Does 3500 Router also have same feature as 2600?
>
> Does 2800 support VPN, tcsh command and vlan?

Did you try reading the data sheet?

http://cisco.com/en/US/prod/collateral/routers/ps5854/ps5882/product_data_sheet0900aecd8016fa68_ps5854_Products_Data_Sheet.html

~Seth

From raymondh.nsp at gmail.com Mon Apr 13 13:30:37 2009
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Tue, 14 Apr 2009 01:30:37 +0800
Subject: [c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard
In-Reply-To: <49E35F70.3090209@houseofzen.org>
References: <725C9117-BE48-468B-A39E-B69347853BAB@cisco.com> <04670DB7-99B1-4F55-8DDD-9C036F93E4AF@cisco.com> <49BD9755.6060608@justinshore.com> <49E35F70.3090209@houseofzen.org>
Message-ID: <60DD6789-8261-4A37-8C8E-8268C30C7018@gmail.com>

Personally, if cost isn't an issue and you're expecting to sink a high volume of traffic, I'd suggest that you go for Peakflow SP together with TMS (it's still ranked as one of the better ones among the rest). Else the ADM + AGM should work well enough.

Generally for the MARS boxes, I'd propose the same concept: have a dedicated collector and forward it.

--raymondh

On Apr 13, 2009, at 11:51 PM, James Michael Keller wrote:
> Yes, I've crushed a MARS 110 unit with netflow data from around 200 devices. Cisco recommended we switch to a dedicated netflow collector and then feed the consolidated sessions into MARS rather than have MARS directly take all the raw netflows (i.e. layer 3 switch flow and router flow having duplicate data for the same flow).
>
> We're on the last 5.x build version before 6.x. Getting ready to re-build it from a 6.x disk and see if the new SQL backend helps with some of that until we get a dedicated netflow box in.
>
> ---
> James Michael Keller
>
> Ryan Hughes wrote:
>> MARS really isn't positioned to be a Netflow anomaly detection with the likes of Arbor and others previously mentioned. It's simply a feature that's in there to help bring into perspective what's going on with your Cisco infrastructure from a threat perspective. And I would definitely be careful with the amount of logs and Netflow that you send to the device as you can definitely cause it to choke whereby the device isn't storing enough events for proper correlation.
>>
>> On Sun, Mar 15, 2009 at 8:03 PM, Justin Shore wrote:
>>
>>> Roland Dobbins wrote:
>>>
>>>> On Mar 16, 2009, at 12:39 AM, Roland Dobbins wrote:
>>>>
>>>>> Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe are three commercial NetFlow-based anomaly-detection systems.
>>>>
>>>> I forgot to add Q1 Labs Q1Radar, and I believe NetQoS now have an anomaly-detection module, as well, though I've not seen it.
>>>
>>> How about MARS? I'm trying to get a pair of IDSM2s returned (they don't work right on 7600s) in exchange for a MARS 110R appliance. That's roughly the same price. I'm planning on using it for log analysis. Would its Netflow abilities be useful here?
>>>
>>> Justin

From blahu77 at gmail.com Mon Apr 13 15:33:09 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Mon, 13 Apr 2009 20:33:09 +0100
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <49E3673E.1040705@rainierconnect.net>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <74206b240904080701t75420f7dqd1298597e246008c@mail.gmail.com> <383357750904090125t302139f8o1d836243dc484010@mail.gmail.com> <49E3673E.1040705@rainierconnect.net>
Message-ID: <383357750904131233g1150df4ao268138063321cff1@mail.gmail.com>

Okay,

But if I imagine crs-1 (my favorite example) with the same limitation (currently) of 40g per slot, I don't see how it is 100G ready. Some say that it's because they will introduce a 100g switching matrix concurrently with the new 100G LC; I am not 100% convinced that it satisfies the "100G ready" label. For me ready is now; crs-1/7600 is 40g ready but not 100g. It may never be. That's why I don't understand the position of this platform compared to asr9k...

Best Regards,

-mat

2009/4/13 Walter Keen :
> Backplane speed per slot I would imagine.
>
> Imagine the 7600 and its 10-port 10GE card. If it only has 40gb on the backplane or fabric for that slot... well...
> let's hope all 10 ports aren't utilized to 100% at all times. It's a little over 2:1 over-subscription for the example I gave.
>
> Mateusz Blaszczyk wrote:
>> What's the difference between 40g/slot and 100g/slot ready?
>> Is it like "vista ready"?
>>
>> I would assume (wrongly?) that this is a hw limit?
>>
>> Best Regards,
>>
>> -mat

--
pgp-key 0x1C655CAB

From raa at opusnet.com Mon Apr 13 18:46:29 2009
From: raa at opusnet.com (Ruben Alvarez)
Date: Mon, 13 Apr 2009 15:46:29 -0700
Subject: [c-nsp] Ping priority on Cisco devices
In-Reply-To: <49DF7CAE.3010002@toybox.placo.com>
References: <004901c9b874$59596e00$0c0c4a00$@com> <49DD1BAD.6020604@toybox.placo.com> <004a01c9b941$caa789c0$5ff69d40$@com> <49DF7CAE.3010002@toybox.placo.com>
Message-ID: <005101c9bc89$afcbf2d0$0f63d870$@com>

Hi

I did figure it out today. It was my fault; there was a null route on that router. The virtual interfaces for each DSL customer will create a /32 route on the router and most of the time OSPF had a route. But intermittently, those routes would drop and the ICMP would drop too. I've since removed the null route and it's rock solid.

Thanks.

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
Sent: Friday, April 10, 2009 10:07 AM
To: Ruben Alvarez
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Ping priority on Cisco devices

Hi Ruben,

If you are running 12.3 or later IOS I'd suggest backrevving to 12.2. Fast switching is a problematical thing in the newer IOS on these older CPU cards. I'd guess that even if you have ip cef defined in your config, that cef isn't actually running. What does show ip cef, show cef say? IOS 12.1/12.2 is about the newest most people go on the NPE300.

Ted

Ruben Alvarez wrote:
> Hi,
>
> Thanks for the reply. It's running at ~18% CPU and is a 7206vxr w/NPE300. This morning the loss cleared up. I didn't collect enough data yesterday to really get to the bottom of this, so I'll drop it as a Qwest megahost issue.
>
> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
> Sent: Wednesday, April 08, 2009 2:48 PM
> To: Ruben Alvarez
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Ping priority on Cisco devices
>
> Ruben Alvarez wrote:
>
>> All,
>>
>> I've heard that Cisco devices handle ICMP at a low priority. I found one post describing it handled in process-switching and not fast-switching. Does anyone have an article that explains that process, and is it configurable?
>>
>> The reason I ask is I see about 4% packet loss when I ping devices in our broadband aggregation network. From the CPE to the router there is none, from my workstation to the router there is none, but if I ping the whole path I get a fairly consistent 4% loss. I can't find any congestion or errors. Pings from my workstation to the CPE are a consistent 60ms, aside from the 4% loss.
>>
>> Thanks.
>
> What model is your router and can you post a config?
>
> What is CPU utilization on the router? What is memory utilization on the router?
>
> Ted

From charles.regan at gmail.com Mon Apr 13 19:58:49 2009
From: charles.regan at gmail.com (Charles Regan)
Date: Mon, 13 Apr 2009 20:58:49 -0300
Subject: [c-nsp] VLAN and switch and ?
In-Reply-To:
References: <40d8a95a0903041344v5ebf64ffk1288300312ed7371@mail.gmail.com> <40d8a95a0903041435n51afa718qe90074f2f957ca1c@mail.gmail.com>
Message-ID:

For those interested, here is how I made it work. I bought two 3550 switches.

ISP----Wireless-BH#1----3550#1----Fiber----2950----3550#2----Wireless-BH#2----ISPClients

On the 3550#1, on the port connected to Wireless-Backhaul1, I've used the following commands:

 switchport access vlan xx
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 spanning-tree bpdufilter enable

Same thing on the 3550#2.

Everything works perfectly.
On Wed, Mar 4, 2009 at 7:35 PM, Deric Kwok wrote:
>> Hi
>>
>> I only have l2tp configuration in linux router. Here is below.
>>
>> Pls note that i don't know Jeff suggestion how L2tp works out in your network; it looks like his suggestion is same as L2tp so that I post to ask him
>>
>> I only know this l2tp worked in my setting before when doing in DSL
>>
>> HTH
>> !
>> interface Ethernet0
>>  no ip address
>>  speed 1000
>>  duplex full
>> !
>> interface Ethernet0.120
>>  description vlan120
>>  ip address 10.0.0.6 255.255.255.252
>> !
>> interface Ethernet0.130
>>  description vlan130
>>  ip address 10.0.0.74 255.255.255.252
>> !
>> interface Ethernet0.140
>>  description vlan140
>>  ip address 10.0.0.54 255.255.255.252
>> !
>> !
>> interface Tunnel1
>>  description vlan120
>>  tunnel mode l2tp
>>  tunnel peer name xxxx
>>  tunnel local name deric
>>  tunnel key kwok
>>  tunnel virtual-template 1
>> !
>> interface Tunnel2
>>  description vlan130
>>  tunnel mode l2tp
>>  tunnel peer name xxxx
>>  tunnel local name deric
>>  tunnel key kwok
>>  tunnel virtual-template 1
>> !
>> interface Tunnel3
>>  description vlan140
>>  tunnel mode l2tp
>>  tunnel peer name xxxx
>>  tunnel local name deric
>>  tunnel key kwok
>>  tunnel virtual-template 1
>> !
>>
>> On Wed, Mar 4, 2009 at 4:48 PM, Charles Regan wrote:
>>>
>>> There's no way my switch will support L2TP.
>>>
>>> How would you set up VLANs in this setup?
>>>
>>> ISP needs to pass all his vlans (switchport mode trunk)
>>> I don't want ISP to have access to my network ... (switchport access vlan 500, on both ends?)
>>> I want Internet access from this ISP from his BackHaul1. (switchport access vlan 500, on my gateway router?)
>>>
>>> On Wed, Mar 4, 2009 at 5:48 PM, Charles Regan wrote:
>>> > On Wed, Mar 4, 2009 at 5:47 PM, Charles Regan wrote:
>>> >> There's no way my switch will support L2TP.
>>> >>
>>> >> How would you set up VLANs in this setup?
>>> >>
>>> >> ISP needs to pass all his vlans (switchport mode trunk)
>>> >> I don't want ISP to have access to my network ... (switchport access vlan 500, on both ends?)
>>> >> I want Internet access from this ISP from his BackHaul1. (switchport access vlan 500, on my gateway router?)
>>> >>
>>> >> On Wed, Mar 4, 2009 at 5:44 PM, Deric Kwok wrote:
>>> >>> look like L2TP.
>>> >>>
>>> >>> Can I know why use it instead of typical vlan?
>>> >>>
>>> >>> Thank you
>>> >>>
>>> >>> On Wed, Mar 4, 2009 at 10:14 AM, Jeff Fitzwater wrote:
>>> >>>>
>>> >>>> Look at layer 2 tunneling for your switches. You would assign a tunnel vlan ID and the ISP would send tagged traffic into the tunnel (Q in Q) and traffic would exit the tunnel wherever needed. When you assign a port as a tunnel port, it becomes a tunnel-input and tunnel-output. You can have as many tunnel ports as you need. The ISP can now send whatever VLANs they want and you do not need to change anything.
>>> >>>> Read the doc and be aware of oversized packet handling within tunnel switches.
>>> >>>>
>>> >>>> Jeff Fitzwater
>>> >>>> OIT Network Systems
>>> >>>> Princeton University
>>> >>>>
>>> >>>> On Mar 4, 2009, at 9:46 AM, Charles Regan wrote:
>>> >>>>
>>> >>>>> Good Morning,
>>> >>>>>
>>> >>>>> I'll try to explain what I want to do... We are LOCAL NETWORK in this graphic.
>>> >>>>> The ISP wants to use our fiber link to connect to his wireless customer.
>>> >>>>> We also want internet access from his Wireless Backhaul1.
>>> >>>>> ISP also uses VLANs on his customer subscriber modules.
>>> >>>>>
>>> >>>>> How would you configure 2924 Switch and 2960 Switch, so that everything is transparent from my side and his side?
>>> >>>>> I don't want him to call me to add a new VLAN on our switch.
>>> >>>>>
>>> >>>>> ISP ---Wireless BackHaul1 -- 2924 Switch ---- FIBER ---- 2960 Switch ---- Wireless Backhaul2 ---- Access Point ---- Wireless subscriber modules
>>> >>>>>                                  |                          |
>>> >>>>>                                  |                          |
>>> >>>>>                           LOCAL NETWORK              LOCAL NETWORK
>>> >>>>>
>>> >>>>> Will something like this work?
>>> >>>>> switchport access vlan 500
>>> >>>>> switchport trunk encapsulation dot1q
>>> >>>>> switchport mode trunk

From networkstuff.training at gmail.com Tue Apr 14 01:17:02 2009
From: networkstuff.training at gmail.com (Swati Sharma)
Date: Tue, 14 Apr 2009 10:47:02 +0530
Subject: [c-nsp] rpr-plus switchover
Message-ID: <8a93d4b30904132217p6d41d9bct139e3e865d5e09a8@mail.gmail.com>

Hi,

I am testing rpr-plus and could see links up in less than 1 sec but ping resumes only after 47 sec....
I understand with rpr-plus we get more than 30 sec of ping drop, but still, when all links are up and adjacencies are up, why is there a ping drop?

6500.LAB-sdby>
Standby console disabled
6500.LAB-sdby>
*Apr 14 05:03:28.909 UTC: %PFREDUN-SP-STDBY-6-ACTIVE: Initializing as ACTIVE processor
*Apr 14 05:03:29.121 UTC: %SYS-SP-STDBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
*Apr 14 05:03:31.873 UTC: %TDP-5-INFO: default: TDP ID removed
*Apr 14 05:03:31.988 UTC: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
*Apr 14 05:03:31.996 UTC: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
*Apr 14 05:03:32.276 UTC: %FABRIC-SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active.
*Apr 14 05:03:33.799 UTC: %OIR-SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
00:00:01: BaseBoard Index:156
00:00:02: DaughterBoard Index:208 (Centralized Forwarding Card)
00:00:02: Gemini Rev#: 3
Firmware compiled 18-Oct-07 14:48 by integ Build [100]
00:00:04: %SYS-CFC1-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) c6lc2 Software (c6lc2-SP-M), Version 12.2(18)SXF12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Thu 10-Jan-08 23:53 by kellythw
*Nov 30 00:00:02.167: *CFC1: Currently running ROMMON from S (Gold) region*
Apr 14 05:03:40.783 UTC: %DIAG-SP-6-RUN_COMPLETE: Module 1: Running Complete Diagnostics...
Apr 14 05:03:42.179 UTC: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
Apr 14 05:03:44.548 UTC: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
Apr 14 05:03:47.469 UTC: %DTP-SP-5-TRUNKPORTON: Port Gi1/1 has become dot1q trunk
Apr 14 05:03:47.985 UTC: %DTP-SP-5-TRUNKPORTON: Port Gi1/3 has become dot1q trunk
Apr 14 05:03:50.631 UTC: %DTP-SP-5-TRUNKPORTON: Port Gi1/18 has become isl trunk
*Apr 14 05:03:57.157 UTC: %STANDBY-6-STATECHANGE: Vlan100 Group 1 state Listen -> Active
6500.LAB>
6500.LAB>en
Password:
6500.LAB#
*Apr 14 05:04:14.981 UTC: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0100.7409.0004 (GigabitEthernet1/23) Up, new adjacency
*Apr 14 05:04:15.065 UTC: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0100.7409.0002 (GigabitEthernet1/24) Up, new adjacency
*Apr 14 05:04:21.969 UTC: %LDP-5-NBRCHG: LDP Neighbor 10.74.90.4:0 is UP
*Apr 14 05:04:22.529 UTC: %LDP-5-NBRCHG: LDP Neighbor 10.74.90.2:0 is UP
*Apr 14 05:04:23.321 UTC: %BGP-5-ADJCHANGE: neighbor 10.74.90.4 Up
*Apr 14 05:04:25.049 UTC: %BGP-5-ADJCHANGE: neighbor 10.74.90.2 Up
*Apr 14 05:04:45.369 UTC: %STANDBY-6-STATECHANGE: Vlan1503 Group 10 state Standby -> Active
Apr 14 05:06:21.515 UTC: %PFREDUN-SP-6-ACTIVE: Standby initializing for RPR-PLUS mode
Apr 14 05:06:21.711 UTC: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
Apr 14 05:06:23.464 UTC: %PFINIT-SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.
6500.LAB#

Regards,

From gert at greenie.muc.de Tue Apr 14 02:07:46 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 14 Apr 2009 08:07:46 +0200
Subject: [c-nsp] rpr-plus switchover
In-Reply-To: <8a93d4b30904132217p6d41d9bct139e3e865d5e09a8@mail.gmail.com>
References: <8a93d4b30904132217p6d41d9bct139e3e865d5e09a8@mail.gmail.com>
Message-ID: <20090414060746.GK290@greenie.muc.de>

Hi,

On Tue, Apr 14, 2009 at 10:47:02AM +0530, Swati Sharma wrote:
> I am testing rpr-plus and could see links up in less than 1 sec but ping resumes only after 47 sec.... I understand with rpr-plus we get more than 30 sec of ping drop, but still, when all links are up and adjacencies are up, why is there a ping drop?

Spanning-Tree?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From ATolstykh at integrysgroup.com Tue Apr 14 10:31:57 2009
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Tue, 14 Apr 2009 09:31:57 -0500
Subject: [c-nsp] passive ftp static nat
In-Reply-To:
References:
Message-ID:

Dan,

In addition to the outbound CBAC inspection map you also need to create another "ip inspect cbac_in" map (add ftp/data app inspection) and apply it in the inbound direction on SVI VL800.

Andrew Tolstykh
Senior Network Analyst
Integrys Business Support, LLC
atolstykh at integrysgroup.com
(312) 240-3652

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Friday, April 10, 2009 10:30 AM
To: cisco-nsp
Subject: [c-nsp] passive ftp static nat

Hello,

I'm having trouble logging into our ftp server from an external source.
It works when you set the client to active mode, but passive mode always hangs.

2821, IOS Firewall

Relevant config:

ip inspect name SDM_LOW ftp

interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
!
interface FastEthernet0/0/3
 description Internet
 switchport access vlan 800
 bandwidth 10000
 no cdp enable
!
!
interface Vlan800
 description Internet
 bandwidth 10000
 ip address 64.x.x.1 255.255.255.224
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no mop enabled
!
!
ip nat pool 152 64.x.x.1 64.x.x.1 netmask 255.255.255.224
ip nat inside source list internet-152 pool 152 overload
ip nat inside source static tcp 172.16.0.24 21 64.x.x.1 21 extendable
ip nat inside source static tcp 172.16.0.24 80 64.x.x.1 80 extendable
!
ip access-list extended firewall
 permit tcp any host 64.x.x.1 eq ftp
 deny ip any any log
!
ip access-list extended internet-152
 permit tcp host 172.16.0.24 any

I have tried adding:

"permit tcp any host 64.x.x.1 gt 1024 established"

to the firewall acl, but it still does not seem to connect from a passive ftp client.

Dan.

From petelists at templin.org Tue Apr 14 10:54:06 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 14 Apr 2009 09:54:06 -0500
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
Message-ID: <49E4A38E.2050601@templin.org>

List,

We're seeing some odd issues on a transport OC3c between two POPs. We had a variety of failures at the Z end with two different Engine 0 4xOC3 cards, so we swapped out to an Engine 3 4xOC3 card. We're now seeing randomly-timed OSPF issues, as well as LOTS of PSE (positive stuff events) in the POS controllers.
According to the Cisco troubleshooting docs, the likely causes boil down to a degraded/dirty/too-strong link or clocking issues. At the Z end, it's a 10m run from the carrier FTP (with their DDM2000 in the same rack) to our router. We started with a back-to-back SC-SC coupler and a 1m SC-LC jumper so we could make the connector transition. We've switched it for a properly-connectorized jumper from FTP to card, with no change. We've tried multiple ports on the card, no change. We've asked the carrier to investigate, since they hand off to another carrier "in the middle" to get to the A end.

Any thoughts on what to look for?

Pete

From lowen at pari.edu Tue Apr 14 11:32:25 2009
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 14 Apr 2009 11:32:25 -0400
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <49E4A38E.2050601@templin.org>
References: <49E4A38E.2050601@templin.org>
Message-ID: <200904141132.25902.lowen@pari.edu>

On Tuesday 14 April 2009 10:54:06 Pete Templin wrote:
> Any thoughts on what to look for?

I'm running a 12012 with engine 0 4xOC3c cards here. The first thing I look for when this sort of thing occurs is 'clock source line' in the configuration. I have swapped ports around before and forgotten to change the 'clock source internal' to 'clock source line' for the WAN OC3's, since I'm also using IR SM OC3's on campus over dark fiber (thus 'clock source internal' on both ends of those). This presents itself as random up/down-down/up events when one or both ends of the WAN OC3 are accidentally set clock source internal. Clock source line is supposed to be the default, incidentally.

I don't have an ISE 4xOC3 LC to try with for the OSPF flapping issues, sorry.

It's also possible the ADM is sending you a too-hot signal; you can simulate an attenuator for testing by slightly pulling the SC for the receive out; this simulates an air-gap attenuator.
If you can get an improvement with a slight air-gap, it may be too hot from them to you, and you'll need to attenuate.

Have you read http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a008009464b.shtml (Troubleshooting PSE and NSE Events on POS Interfaces)? A Positive Stuff Event indicates a clock slip somewhere (or the other things you mentioned; it seems you have likely read this already.....)

The most revealing line of this is that the POS LC's themselves do not do any stuffing, and those path PSE's are being reported by the SONET cloud. So it could be the interstitial hop clock slipping.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From mtinka at globaltransit.net Tue Apr 14 11:00:31 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 14 Apr 2009 23:00:31 +0800
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <4981ce080904080128u2c54312apb7917ec5759a0335@mail.gmail.com>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <49DB7D59.1030006@forthnet.gr> <4981ce080904080128u2c54312apb7917ec5759a0335@mail.gmail.com>
Message-ID: <200904142300.32633.mtinka@globaltransit.net>

On Wednesday 08 April 2009 04:28:26 pm Emanuel Popa wrote:
> i'm really scared when using a fairly new platform with a fairly new software version.

Agree. I think the ASR9000 code is quite new.

As you say, documentation is scarce, but I'm not sure IOS XR is prime time for typical edge services (and more). Heck, we're still trying to let the ASR1000 catch up :-).

The 7200 has set quite a benchmark, but then again, the joys of doing things in hardware, new boxes, new code, etc.

Mark.
From petelists at templin.org Tue Apr 14 11:44:41 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 14 Apr 2009 10:44:41 -0500
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <200904141132.25902.lowen@pari.edu>
References: <49E4A38E.2050601@templin.org> <200904141132.25902.lowen@pari.edu>
Message-ID: <49E4AF69.2020305@templin.org>

Lamar Owen wrote:
> The first thing I look for when this sort of thing occurs is 'clock source line' in the configuration.

Already checked.

> It's also possible the ADM is sending you a too-hot signal; you can simulate an attenuator for testing by slightly pulling the SC for the receive out; this simulates an air-gap attenuator. If you can get an improvement with a slight air-gap, it may be too hot from them to you, and you'll need to attenuate.

Is it possible for the signal to be too hot for an Engine 3 card, while not too hot for an Engine 0 card? We had none of these OSPF events before switching cards. Unfortunately, I wasn't checking for PSE before.

> Have you read http://www.cisco.com/en/US/tech/tk482/tk607/technologies_tech_note09186a008009464b.shtml (Troubleshooting PSE and NSE Events on POS Interfaces)? A Positive Stuff Event indicates a clock slip somewhere (or the other things you mentioned; it seems you have likely read this already.....)

Yep, read that.

> The most revealing line of this is that the POS LC's themselves do not do any stuffing, and those path PSE's are being reported by the SONET cloud. So it could be the interstitial hop clock slipping.

My suspicion is the carrier-carrier handoff, though I'm quick to remind myself that the OSPF problems only showed up when we switched cards.

pt

From rekordmeister at gmail.com Tue Apr 14 11:48:36 2009
From: rekordmeister at gmail.com (MKS)
Date: Tue, 14 Apr 2009 15:48:36 +0000
Subject: [c-nsp] SRC on 7200
Message-ID:

Hi list

What's your experience with SRC or SRC3 on 7200? Is it stable as an MPLS PE?
Regards
MKS

From jcdarby at usgs.gov Tue Apr 14 12:18:32 2009
From: jcdarby at usgs.gov (Justin C. Darby)
Date: Tue, 14 Apr 2009 11:18:32 -0500
Subject: [c-nsp] carrier router models comparison
In-Reply-To: <200904142300.32633.mtinka@globaltransit.net>
References: <4981ce080904070851h6381d4f0qf35885793e959087@mail.gmail.com> <49DB7D59.1030006@forthnet.gr> <4981ce080904080128u2c54312apb7917ec5759a0335@mail.gmail.com> <200904142300.32633.mtinka@globaltransit.net>
Message-ID: <49E4B758.4020904@usgs.gov>

To chime in a little bit here on the bleeding edge comments: we jumped on the Nexus 7K pretty early on (shortly after GA), as we would otherwise have spent about as much investing in new 6500's, our budget wasn't going to allow for replacing equipment for at least 5 years, and we were jumping on 10 Gigabit storage/LAN at this site, so it had a clear advantage for us.

NX-OS has got its share of bugs, but the switch has never failed outright to do its job and it forwards packets as configured for us, though we were quite aware it was a good idea to keep its initial deployment pretty simple and we spent a couple months building up the configuration and testing.

I don't know how much you'd want to throw an ASR9000 into wide-area deployment immediately, but if you have a need it addresses well, I don't see why you couldn't get it to work based on my experience with the other Cisco bleeding edge OS (and probably a little bit of pre-sales engineering to go over your design).

Of course, the documentation for NX-OS pre-launch was amazingly well organized. But, different business unit, I guess. I haven't done more than glance at the XR docs but things seem very similar to NX-OS docs, which is pretty good compared to the old IOS docs that are scattered everywhere.

Justin

P.S. This message contains personal comments and should not be considered an endorsement of the US Federal Government.
:)

Mark Tinka wrote:
> On Wednesday 08 April 2009 04:28:26 pm Emanuel Popa wrote:
>
>> i'm really scared when using a fairly new platform with a fairly new software version.
>
> Agree. I think the ASR9000 code is quite new.
>
> As you say, documentation is scarce, but I'm not sure IOS XR is prime time for typical edge services (and more). Heck, we're still trying to let the ASR1000 catch up :-).
>
> The 7200 has set quite a benchmark, but then again, the joys of doing things in hardware, new boxes, new code, etc.
>
> Mark.

From lists.james.edwards at gmail.com Tue Apr 14 12:46:47 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Tue, 14 Apr 2009 10:46:47 -0600
Subject: [c-nsp] Possible timing problems
Message-ID:

This is on the 3700 and a DS3 card. Looks like I am losing timing, which is derived from the line. I have searched on "clock change..." and have not pulled anything up at Cisco. I am not taking any errors. I wish there was a clock slip counter.

Any ideas?
Apr 14 02:23:06.295 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
Apr 14 02:23:06: clock change done for int ATM1/0
Apr 14 02:23:07: clock change removed for int ATM1/0
Apr 14 02:23:08: clock change done for int ATM1/0
Apr 14 02:23:10.299 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to down
Apr 14 02:23:59: clock change removed for int ATM1/0
Apr 14 02:24:01.302 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
Apr 14 02:24:01: clock change done for int ATM1/0
Apr 14 02:24:03.302 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to down
Apr 14 02:26:46: clock change removed for int ATM1/0
Apr 14 02:26:48.318 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
Apr 14 02:26:49.318 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM1/0, changed state to up
Apr 14 02:53:59: clock change done for int ATM1/0

xxxxx_3700#sho controll | in clock
TX and RX clocks detected.
Clock Source INTERNAL (but the source of this clock is derived from LINE)

Roswell_3700#sho controll atm1/0 | in error-free
LCV error-free secs 875335
DS3: F/M-bit error-free secs 875342
DS3: parity error-free secs 875335
DS3: path parity error-free secs 875335
T3/E3: excessive zeros error-free secs 875335
DS3/E3: G.832 FEBE error-free secs 868416
uncorrectable HEC error-free secs 875406
xxxx_3700#

--
James H.
Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From lowen at pari.edu Tue Apr 14 12:54:25 2009
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 14 Apr 2009 12:54:25 -0400
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <49E4AF69.2020305@templin.org>
References: <49E4A38E.2050601@templin.org>
Message-ID: <200904141254.25427.lowen@pari.edu>

On Tuesday 14 April 2009 11:44:41 Pete Templin wrote:
> Lamar Owen wrote:
>> It's also possible the ADM is sending you a too-hot signal; you can
>> simulate an attenuator for testing by slightly pulling the SC for the
>> receive out; this simulates an air-gap attenuator. If you can get an
>> improvement with a slight air-gap, it may be too hot from them to you,
>> and you'll need to attenuate.

> Is it possible for the signal to be too hot for an Engine 3 card, while
> not too hot for an Engine 0 card? We had none of these OSPF events
> before switching cards. Unfortunately, I wasn't checking for PSE before.

Hmm, engine 3 is using an SFF transceiver, but engine 0 an SC transceiver, so I would guess it's possible. Although the link budgets and power levels are documented as being the same ( http://www.cisco.com/en/US/docs/routers/12000/gsr_linecards/pos_lc/installation/guide/16412pos.html#wp652319 ). Both are intermediate reach cards, right? The engine 3 isn't a long reach by chance?

I'm successfully using a 10 meter OC3 SM IR link between a 7609 OSM and an engine 0 4xOC3 IR, and it just works.

>> So it could be the interstitial hop clock slipping.

> My suspicion is the carrier-carrier handoff, though I'm quick to remind
> myself that the OSPF problems only showed up when we switched cards.

What sort of failures prompted the card switch?
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From petelists at templin.org Tue Apr 14 14:01:55 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 14 Apr 2009 13:01:55 -0500
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <200904141254.25427.lowen@pari.edu>
References: <49E4A38E.2050601@templin.org> <200904141254.25427.lowen@pari.edu>
Message-ID: <49E4CF93.2030306@templin.org>

Lamar Owen wrote:
> What sort of failures prompted the card switch?

Ugh. Card #1 went offline following an IOS upgrade reboot. Syslog messages suggested memory problems. After being swapped out, a reseat of the memory brought the card back to life as a hot spare.

Card #2 began misbehaving with its one and only live link during the last NANOG. 'hw-mod slot X shutdown' and a removal of that brought the card back to life, but only for a few days. Card #1 and #2 were swapped.

Then Card #1 began a few instances of random blackholing. After a reboot, it went offline again. Reseating memory didn't bring it back to life this time, so a memory swap with Card #2 was necessary.

Both are in the dumpster now. Some other Engine 0 cards are soon to be freed up; I'm unfortunately tempted to roll back to one of those.

pt

From dudepron at gmail.com Tue Apr 14 14:38:15 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 14 Apr 2009 14:38:15 -0400
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <49E4CF93.2030306@templin.org>
References: <49E4A38E.2050601@templin.org> <200904141254.25427.lowen@pari.edu> <49E4CF93.2030306@templin.org>
Message-ID: <480dad640904141138s76903cb0p7f93d20bf1de5733@mail.gmail.com>

The ends of each fiber should be treated independently as far as signal strength. One side might indeed be stronger.

On the E3 side, are the other ports plugged into a different system? I think that version slaves off of port 0 for all the ports for clocking.

PSE are not really an issue but are an annoyance.
Aaron

On Tue, Apr 14, 2009 at 14:01, Pete Templin wrote:
> Lamar Owen wrote:
>> What sort of failures prompted the card switch?
>
> Ugh. Card #1 went offline following an IOS upgrade reboot. Syslog
> messages suggested memory problems. After being swapped out, a reseat of
> the memory brought the card back to life as a hot spare.
>
> Card #2 began misbehaving with its one and only live link during the last
> NANOG. 'hw-mod slot X shutdown' and a removal of that brought the card back
> to life, but only for a few days. Card #1 and #2 were swapped.
>
> Then Card #1 began a few instances of random blackholing. After a reboot,
> it went offline again. Reseating memory didn't bring it back to life this
> time, so a memory swap with Card #2 was necessary.
>
> Both are in the dumpster now. Some other Engine 0 cards are soon to be
> freed up; I'm unfortunately tempted to roll back to one of those.
>
> pt

From dudepron at gmail.com Tue Apr 14 14:40:34 2009
From: dudepron at gmail.com (Aaron)
Date: Tue, 14 Apr 2009 14:40:34 -0400
Subject: [c-nsp] Possible timing problems
In-Reply-To:
References:
Message-ID: <480dad640904141140s1ed4ef5fu3a9574170c03e2c9@mail.gmail.com>

Why are you configured for internal and not line clocking?

On Tue, Apr 14, 2009 at 12:46, james edwards wrote:
> This is on the 3700 and a DS3 card. Looks like I am losing timing, which is
> derived from the line.
> I have searched on "clock change..." and have not pulled anything up at
> Cisco. I am not taking any errors.
> I wish there was a clock slip counter.
>
> Any ideas?
>
> Apr 14 02:23:06.295 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
> Apr 14 02:23:06: clock change done for int ATM1/0
> Apr 14 02:23:07: clock change removed for int ATM1/0
> Apr 14 02:23:08: clock change done for int ATM1/0
> Apr 14 02:23:10.299 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to down
> Apr 14 02:23:59: clock change removed for int ATM1/0
> Apr 14 02:24:01.302 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
> Apr 14 02:24:01: clock change done for int ATM1/0
> Apr 14 02:24:03.302 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to down
> Apr 14 02:26:46: clock change removed for int ATM1/0
> Apr 14 02:26:48.318 MST: %LINK-3-UPDOWN: Interface ATM1/0, changed state to up
> Apr 14 02:26:49.318 MST: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM1/0, changed state to up
> Apr 14 02:53:59: clock change done for int ATM1/0
>
> xxxxx_3700#sho controll | in clock
> TX and RX clocks detected.
> Clock Source INTERNAL (but the source of this clock is derived from LINE)
>
> Roswell_3700#sho controll atm1/0 | in error-free
> LCV error-free secs 875335
> DS3: F/M-bit error-free secs 875342
> DS3: parity error-free secs 875335
> DS3: path parity error-free secs 875335
> T3/E3: excessive zeros error-free secs 875335
> DS3/E3: G.832 FEBE error-free secs 868416
> uncorrectable HEC error-free secs 875406
> xxxx_3700#
>
> --
> James H.
> Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov

From petelists at templin.org Tue Apr 14 14:43:18 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 14 Apr 2009 13:43:18 -0500
Subject: [c-nsp] GSR OC3 Eng0 to Eng3
In-Reply-To: <480dad640904141138s76903cb0p7f93d20bf1de5733@mail.gmail.com>
References: <49E4A38E.2050601@templin.org> <200904141254.25427.lowen@pari.edu> <49E4CF93.2030306@templin.org> <480dad640904141138s76903cb0p7f93d20bf1de5733@mail.gmail.com>
Message-ID: <49E4D946.2070505@templin.org>

Aaron wrote:
> The ends of each fiber should be treated independently as far as signal
> strength. One side might indeed be stronger.

We changed a router card, and now we're seeing PSE on both ends. If the E3 card is stronger, I can accept that we're overdriving the carrier's gear, causing issues to be seen at the other end, but if we follow the same logic, shouldn't the card also _accept_ a stronger signal (and therefore not take PSE due to the wider margin)?

> On the E3 side, are the other ports plugged into a different system? I
> think that version slaves off of port 0 for all the ports for clocking.

This is the only link in the card. Problems were the same whether it was in port 0, port 1, or as currently in port 2. I've also gotten an offlist response which showed me how to adjust the timing sources at the card level.

> PSE are not really an issue but are an annoyance.

We're seeing OSPFv3 issues that seem to coincide with times when the PSE rate is perhaps highest. We're also seeing far more than the Cisco troubleshooting doc says is allowable, figure a million per day.
pt

From denyipanyany at gmail.com Tue Apr 14 15:50:46 2009
From: denyipanyany at gmail.com (Deny IP Any Any)
Date: Tue, 14 Apr 2009 15:50:46 -0400
Subject: [c-nsp] failover stability of ASA 8.0 code
Message-ID:

I'm looking for general real-world experiences of the stability of a failover ASA cluster running 8.0.x code. At least in earlier 8.0 codes, we ran into several failover-specific bugs, and I am hoping things are smoother now.

--
deny ip any any (4393649193 matches)

From tvarriale at comcast.net Tue Apr 14 16:30:17 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 14 Apr 2009 15:30:17 -0500
Subject: [c-nsp] failover stability of ASA 8.0 code
References:
Message-ID: <179C3A6094024824830413BC9B0A8429@flamdt01>

Working fine here on a lot of 8.0(3) boxes. What code were you running and what problems did you have?

tv

----- Original Message -----
From: "Deny IP Any Any"
To:
Sent: Tuesday, April 14, 2009 2:50 PM
Subject: [c-nsp] failover stability of ASA 8.0 code

> I'm looking for general real-world experiences of stability of a fail
> over ASA cluster running 8.0.x code. At least in earlier 8.0 codes, we
> ran into several failover-specific bugs, and am hoping things are
> smoother now.
>
> --
> deny ip any any (4393649193 matches)

From jason at lixfeld.ca Tue Apr 14 18:22:03 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Tue, 14 Apr 2009 18:22:03 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
Message-ID: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>

We have a box with the above specifications in production. 4 interfaces are being used; 2 ATM, 2 GigE.
SLOT 0  (RP/LC 0 ): Route Processor
  Route Memory: MEM-GRP-512=
SLOT 2  (RP/LC 2 ): 4 port ATM Over SONET OC12c/STM-4c Multi Mode
  Processor Memory: MEM-GRP/LC-256=
  Packet Memory: MEM-LC1-PKT-256=
  L3 Engine: 2 - Backbone OC48 (2.5 Gbps)
SLOT 5  (RP/LC 5 ): 3 Port Gigabit Ethernet
  Processor Memory: MEM-GRP/LC-256=
  Packet Memory: MEM-LC1-PKT-256=
  L3 Engine: 2 - Backbone OC48 (2.5 Gbps)

For the life of us, we can't seem to get any more than 60Mbps sustained across the ATM testing with iperf, so we're just trying to figure out if the GSR just can't push any more than what it's doing or if there's something else afoot.

CPU doesn't seem to be running too hot:

CPU utilization for five seconds: 6%/0%; one minute: 20%; five minutes: 19%

Interface utilization seems reasonable.

bdr1.nyc-hudson-12008#show int a2/0 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
AT2/0      Tx        48464000        14099
           Rx       104808000        18012
bdr1.nyc-hudson-12008#show int a2/1 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
AT2/1      Tx        57581000        13032
           Rx       116319000        14466
bdr1.nyc-hudson-12008#show int g5/0 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
Gi5/0      Tx        56851000         8981
           Rx        35082000         7833
bdr1.nyc-hudson-12008#show int g5/1 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
Gi5/1      Tx       166072000        23424
           Rx        70951000        19116
bdr1.nyc-hudson-12008#

Total Throughput: 656128000
Total PPS: 118963
Average Size (B): 689.4

We've done our due diligence to ensure the bits of the network between the test machine and the ATM can support 100Mbps, so we're fairly confident that our test setup is adequate. We can get ~97Mbps across other portions of the network (riding GE and 10GE on completely different devices).

Are we pushing this thing to its limits, taking into consideration the packet size vs. total throughput and total pps?
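The "Total Throughput / Total PPS / Average Size" figures above are what you want to check when deciding whether a line card is packet-rate bound rather than bit-rate bound. The script below is an added example (not from the post or from any Cisco tool): it parses the `show int ... load` output quoted above, reproduces the poster's totals, and flags any direction whose average packet size falls under a threshold, since high pps with small packets is where forwarding engines run out of headroom long before line rate, and is also what a small-packet flood looks like on a counter. The column layout of the sample text is my reconstruction of the flattened quote, and the regex only relies on the `Tx`/`Rx` rows.

```python
"""Parse Cisco IOS 'show int <if> load' output and derive aggregate throughput,
packet rate and average packet size per direction and for the whole box.

Added example, not code from the post. SAMPLE_OUTPUT is constructed from the
figures the poster quoted (bits/sec and packets/sec), laid out as assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the poster's numbers, in an assumed column layout.
SAMPLE_OUTPUT = """\
bdr1.nyc-hudson-12008#show int a2/0 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
AT2/0      Tx        48464000        14099
           Rx       104808000        18012
bdr1.nyc-hudson-12008#show int a2/1 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
AT2/1      Tx        57581000        13032
           Rx       116319000        14466
bdr1.nyc-hudson-12008#show int g5/0 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
Gi5/0      Tx        56851000         8981
           Rx        35082000         7833
bdr1.nyc-hudson-12008#show int g5/1 load
Interface            bits/sec     pack/sec
-------------------- ------------ ----------
Gi5/1      Tx       166072000        23424
           Rx        70951000        19116
bdr1.nyc-hudson-12008#
"""

# A data row: optional interface name (only on the Tx row), direction, bps, pps.
# Header, separator and prompt lines never have Tx/Rx as the second token.
ROW_RE = re.compile(r"^(?P<ifname>\S+)?\s+(?P<dir>Tx|Rx)\s+(?P<bps>\d+)\s+(?P<pps>\d+)\s*$")


@dataclass
class DirectionLoad:
    bps: int
    pps: int

    @property
    def avg_packet_bytes(self) -> float:
        """Average packet size in bytes; 0.0 when no packets were counted."""
        return self.bps / 8 / self.pps if self.pps else 0.0


def parse_interface_load(text: str) -> Dict[str, Dict[str, DirectionLoad]]:
    """Return {ifname: {"Tx": DirectionLoad, "Rx": DirectionLoad}}.

    The Rx row carries no interface name, so the name from the preceding Tx
    row is carried forward; an Rx row with no preceding name is an error.
    """
    loads: Dict[str, Dict[str, DirectionLoad]] = {}
    current = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        if m.group("ifname"):
            current = m.group("ifname")
        if current is None:
            raise ValueError(f"direction row before any interface name: {line!r}")
        loads.setdefault(current, {})[m.group("dir")] = DirectionLoad(
            int(m.group("bps")), int(m.group("pps"))
        )
    return loads


def summarize(loads: Dict[str, Dict[str, DirectionLoad]]) -> Dict[str, float]:
    """Box-wide totals in the same form the poster computed by hand."""
    total_bps = sum(d.bps for dirs in loads.values() for d in dirs.values())
    total_pps = sum(d.pps for dirs in loads.values() for d in dirs.values())
    avg = total_bps / 8 / total_pps if total_pps else 0.0
    return {"total_bps": total_bps, "total_pps": total_pps, "avg_packet_bytes": round(avg, 1)}


def small_packet_flows(loads: Dict[str, Dict[str, DirectionLoad]],
                       threshold_bytes: float = 128) -> List[Tuple[str, str]]:
    """(interface, direction) pairs whose average packet is below the threshold.

    These are the directions to look at first when a card tops out well under
    its bit rate: the forwarding engine is limited in packets per second, and
    a low average size also distinguishes a flood of tiny packets from bulk
    transfer traffic that merely looks busy in bits/sec.
    """
    return [
        (ifname, direction)
        for ifname, dirs in loads.items()
        for direction, d in dirs.items()
        if d.avg_packet_bytes < threshold_bytes
    ]


if __name__ == "__main__":
    parsed = parse_interface_load(SAMPLE_OUTPUT)
    for name, dirs in parsed.items():
        for direction, d in dirs.items():
            print(f"{name:6} {direction} {d.bps:>10} bps {d.pps:>6} pps "
                  f"avg {d.avg_packet_bytes:7.1f} B")
    print(summarize(parsed))
    print("below 500 B average:", small_packet_flows(parsed, 500))
```

Run against the quoted output it reproduces the poster's 656128000 bps, 118963 pps and 689.4 B average, and with a 500-byte threshold it singles out AT2/0 Tx and Gi5/1 Rx as the small-packet directions.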
From john.douglas at gmail.com Tue Apr 14 18:31:51 2009
From: john.douglas at gmail.com (john douglas)
Date: Wed, 15 Apr 2009 08:31:51 +1000
Subject: [c-nsp] Catalyst 3750 RxQ2 buffers failures
Message-ID: <5c846eaf0904141531o60826084va6791315c1b5de70@mail.gmail.com>

Hi All,

I have a variety of Catalyst 29xx/35xx/65xx/37xx switches and all my 3750s seem to be incrementing "RxQ2 buffers" failures in interface buffer pools.

If I am to understand correctly, public buffer pools will be used as a fallback, so there is no performance hit and I do not need to concern myself with this counter incrementing... but just wondering, since this seems to happen on the 3 x 3750 we have and nothing else, if anyone has any ideas why?

E.g.

Switch#sh buf | b RxQ2
RxQ2 buffers, 2040 bytes (total 128, permanent 128):
     1 in free list (0 min, 128 max allowed)
     17212436 hits, 134472 fallbacks, 0 trims, 0 created
     134472 failures (0 no memory)

-jd

From rgolodner at infratection.com Tue Apr 14 19:31:37 2009
From: rgolodner at infratection.com (Richard Golodner)
Date: Tue, 14 Apr 2009 18:31:37 -0500
Subject: [c-nsp] Possible timing problems
In-Reply-To:
References:
Message-ID: <004901c9bd59$2875af30$79610d90$@com>

James said today:
> Clock Source INTERNAL (but the source of this clock is derived from LINE)

Change this config so that timing is supplied by line (telco) rather than INTERNAL.

Richard

From bdikici at gmail.com Tue Apr 14 19:45:57 2009
From: bdikici at gmail.com (Burak Dikici)
Date: Wed, 15 Apr 2009 02:45:57 +0300
Subject: [c-nsp] Classify geographical traffic with BGP
Message-ID:

Hello,

I have got one internet router running BGP, and this router has got connections with two different ISPs. One of the ISPs is local to my country and the other ISP's location is outside of my country. I want to classify geographical traffic with BGP.
For example, local traffic to my country will go through ISP-1 (local ISP), and traffic outside my country will go through ISP-2 (the ISP outside my country). What do I have to do to achieve that kind of configuration? If I have to use an AS path filter, how can I find the local ISP AS path numbers, and how can I configure the AS path filter for this request? Is it enough to use the as-path filter just for the national ISP, or should I use it for the international ISP also?

If I use an AS-path filter for both ISP connections, what will happen to redundancy? I mean, for example, I filter national AS numbers at the international ISP connection and deny them. Secondly, I filter national AS numbers at the national ISP connection, permit them, and the other AS numbers will be denied. In this situation, what will happen if the local ISP connection goes down? Because of the filtering of the national AS numbers at the international ISP connection, the BGP table doesn't take any updates from the local AS numbers. I hope I could explain the situation correctly.

Kind Regards...

Burak Dikici

From walter.keen at RainierConnect.net Tue Apr 14 19:53:24 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 14 Apr 2009 16:53:24 -0700
Subject: [c-nsp] Classify geographical traffic with BGP
In-Reply-To:
References:
Message-ID: <49E521F4.4000705@rainierconnect.net>

If you are not advertising any space, I would imagine an AS path filter on ISP-1 (limited to 1 or 2 hops, if that works for you) and no AS path filter on ISP-2 would do the trick. You would want a floating static default route(s) for outbound traffic redundancy.

Now, if you are advertising space, AS path prepending may be one way to go as far as inbound traffic goes, but it gets messy in a situation like this one. If you prepend your AS number too many times out ISP1, then traffic you may have wanted to come in ISP1 may see ISP2 as a closer route (fewer AS hops).
Burak Dikici wrote:
> Hello ,
>
> I have got one internet router running BGP , and this router has got
> connections with two different ISPs. One of the ISP is local for my country
> and the other ISP's location is outside of my country. I want to classify
> geographical traffic with BGP. For example , local traffic to my country
> will go through ISP-1 (local ISP) , outside traffic to my country will go
> through ISP-2 (outside of my country ISP). What i have to do to achieve that
> kind of configuration ? If i have to use AS path filter , how can i find the
> local ISP AS path numbers and how can i configure AS path filter for this
> request ? Is that enough using the as-path filter just for the national ISP
> or should i use it for international ISP also ?
>
> If i use AS-path filter for both ISP connections , what will happen to
> redundancy ? I mean , for example i filter national AS numbers at the
> international ISP connection and deny them. Secondly , i filter national AS
> numbers at the national ISP connection , permit them and the other AS
> numbers will be denied. In this situation , what will happen if the local
> ISP connection goes down ? Because of filtering of the national AS numbers
> at the international ISP connection , the BGP table doesn't take any updates
> from the local AS numbers. I hope , i could explain the situation correctly.
>
>
> Kind Regards...
>
> Burak Dikici

From paul.stainton at talktalk.net Tue Apr 14 19:23:22 2009
From: paul.stainton at talktalk.net (Paul Stainton)
Date: Wed, 15 Apr 2009 00:23:22 +0100
Subject: [c-nsp] 3550 as a internet distribution switch
Message-ID: <000001c9bd58$00e9e4f0$0514a8c0@support>

Hi,

Is this possible?
I want to configure a 3550 as follows:

1 port as a default gateway; this will be connected to an internet router, e.g. a WAN connection.

Any number of the other ports to be assigned an IP address that can be connected to a cable NAT router, and all outbound traffic to be sent to the default gateway of the 3350.

e.g.

Vlan 2: WAN connection to the internet, assigned an IP address of the internet router

Vlan 3: assign IP address 192.168.1.1 255.255.255.0, therefore a cable NAT router can be connected to this Vlan which could have the IP address 192.168.1.2, Default Gateway 192.168.1.1. All internet traffic will then be directed from the cable NAT router to 192.168.1.2, to 19.168.1.1 on Vlan 3, which in turn will forward the internet traffic to Vlan 2, the WAN connection, and out to the internet router.

Vlan 4: assign IP address 192.168.2.1 255.25.255.0, then as above except for the 192.168.2 subnet

Vlan 5: assign IP address 192.168.3.1 etc, etc

Have tried several ways but can never get out on the internet.

Any help would be appreciated.

Regards

Paul Stainton

From ml at t-b-o-h.net Tue Apr 14 19:07:56 2009
From: ml at t-b-o-h.net (Tuc at T-B-O-H)
Date: Tue, 14 Apr 2009 19:07:56 -0400 (EDT)
Subject: [c-nsp] %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "Virtual Exec"
Message-ID: <200904142307.n3EN7uos036699@vjofn.tucs-beachin-obx-house.com>

Hi,

I'm suddenly getting:

Apr 14 17:27:21 EDT: %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "Virtual Exec", ipl= 3, pid= 136 -Traceback= 0x6049A4C4 0x605D94CC 0x605A55C4 0x625BFDD0 0x60E67FD0 0x60E68DA8 0x625BFD84 0x60E62804 0x60E3D8E0 0x604DAD28 0x604F6FB4 0x60598000 0x60597FE4

I'd like to say I didn't make any changes, but I've slowly been tearing apart my config because one of my upstreams changed how things work, so now I'm basically running bare bones here. I have IPSLA running but it isn't used for routing decisions.

Any idea where to start looking?
Thanks, Tuc

From mksmith at adhost.com Tue Apr 14 20:10:30 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue, 14 Apr 2009 17:10:30 -0700
Subject: [c-nsp] 3550 as a internet distribution switch
In-Reply-To: <000001c9bd58$00e9e4f0$0514a8c0@support>
References: <000001c9bd58$00e9e4f0$0514a8c0@support>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605D17C65@ad-exh01.adhost.lan>

Hello Paul:

Hi,

Is this possible?

I want to configure a 3550 as follows,

1 port as a default gateway, this will be connected to a internet router. e.g. a WAN connection

Any number of other the other ports to be assigned an IP address that can be connected to a cable NAT Router and all outbound traffic be sent to the default gateway of the 3350

[Michael K. Smith - Adhost] It doesn't appear that NAT is supported on the 3550, so you would have to use valid IPs on all of your Layer 3 connections for this to work. See:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf37.html

Regards,

Mike

From bdikici at gmail.com Tue Apr 14 20:15:55 2009
From: bdikici at gmail.com (Burak Dikici)
Date: Wed, 15 Apr 2009 03:15:55 +0300
Subject: [c-nsp] Classify geographical traffic with BGP
In-Reply-To: <49E521F4.4000705@rainierconnect.net>
References: <49E521F4.4000705@rainierconnect.net>
Message-ID:

By the way, I wonder how a symmetrical traffic flow can be achieved in this scenario. Local traffic goes out via the local ISP and the return traffic comes back through the local ISP. Traffic to outside the country goes out via the international ISP and the return traffic comes back through the international ISP. I don't want to cause any asymmetrical traffic flow between the different ISPs and my site.

On Wed, Apr 15, 2009 at 2:53 AM, Walter Keen wrote:
> If you are not advertising any space, I would imagine an AS path filter
> on ISP-1 (limited to 1 or 2 hops, if that works for you) and no AS path
> filter on ISP-2 would do the trick.
> You would want a floating static
> default route(s) for outbound traffic redundancy.
>
> Now, if you are advertising space, as path prepending may be one way to
> go as far as inbound traffic goes, but it gets messy in a situation like
> this one. If you prepend your AS number too many times out ISP1, then
> traffic you may have wanted to come in ISP1 may see ISP2 as a closer
> route (less AS hops).
>
> Burak Dikici wrote:
>> Hello ,
>>
>> I have got one internet router running BGP , and this router has got
>> connections with two different ISPs. One of the ISP is local for my country
>> and the other ISP's location is outside of my country. I want to classify
>> geographical traffic with BGP. For example , local traffic to my country
>> will go through ISP-1 (local ISP) , outside traffic to my country will go
>> through ISP-2 (outside of my country ISP). What i have to do to achieve that
>> kind of configuration ? If i have to use AS path filter , how can i find the
>> local ISP AS path numbers and how can i configure AS path filter for this
>> request ? Is that enough using the as-path filter just for the national ISP
>> or should i use it for international ISP also ?
>>
>> If i use AS-path filter for both ISP connections , what will happen to
>> redundancy ? I mean , for example i filter national AS numbers at the
>> international ISP connection and deny them. Secondly , i filter national AS
>> numbers at the national ISP connection , permit them and the other AS
>> numbers will be denied. In this situation , what will happen if the local
>> ISP connection goes down ? Because of filtering of the national AS numbers
>> at the international ISP connection , the BGP table doesn't take any updates
>> from the local AS numbers. I hope , i could explain the situation correctly.
>>
>>
>> Kind Regards...
>>
>> Burak Dikici

From hiromasa.sekiguchi at ctc-g.co.jp Tue Apr 14 22:54:57 2009
From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi)
Date: Wed, 15 Apr 2009 11:54:57 +0900
Subject: [c-nsp] WS-X6748-SFP temperature sensor
Message-ID: <49E54C81.2090909@ctc-g.co.jp>

Hi all,

Does WS-X6748-SFP have a temperature sensor?

Can we confirm it on the Cisco web site?

Regards,
Hiromasa

From engel.labiro at gmail.com Wed Apr 15 01:10:17 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Wed, 15 Apr 2009 14:10:17 +0900
Subject: [c-nsp] WS-X6748-SFP temperature sensor
In-Reply-To: <49E54C81.2090909@ctc-g.co.jp>
References: <49E54C81.2090909@ctc-g.co.jp>
Message-ID: <74b0c3330904142210o55b7abbfna3ab101ac5c61ac6@mail.gmail.com>

Couldn't find doco on Cisco that states it has a temp. sensor, but "sh env" of the module indicates that the chassis is able to show the temp. of the card.

sh module
Mod Ports Card Type                              Mode
--- ----- -------------------------------------- ------------------
  1    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE
  2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE
  3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP
  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B

xxxxx>sh environment temperature module 3
module 3 outlet temperature: 50C
module 3 inlet temperature: 36C
module 3 device-1 temperature: 36C
module 3 device-2 temperature: 46C

2009/4/15 Hiromasa Sekiguchi :
> Hi all,
>
> Does WS-X6748-SFP have temperature sensor?
>
> Can we confirm it on cisco web site?
>
> Regards,
> Hiromasa

From Moens at carrier2carrier.com Wed Apr 15 02:28:07 2009
From: Moens at carrier2carrier.com (Martin Moens)
Date: Wed, 15 Apr 2009 08:28:07 +0200
Subject: [c-nsp] WS-X6748-SFP temperature sensor
In-Reply-To: <74b0c3330904142210o55b7abbfna3ab101ac5c61ac6@mail.gmail.com>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B0190610F@bilbo.bdhz.c2c.local>

Do a snmpwalk on 1.3.6.1.4.1.9.9.13.1.3.1; this gives info on all the temp sensors in the box.

Martin

On Wednesday, 15 April, 2009 07:10 Engelhard Labiro <> wrote:
> Couldn`t find doco on cisco that state it has a temp.sensor..but
> "sh env" of the module indicates that the chassis is able to show the
> temp. of the card.
>
> sh module
> Mod Ports Card Type                              Mode
> --- ----- -------------------------------------- ------------------
>   1    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE
>   2    8  CEF720 8 port 10GE with DFC            WS-X6708-10GE
>   3   48  CEF720 48 port 1000mb SFP              WS-X6748-SFP
>   4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
>   5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B
>
> xxxxx>sh environment temperature module 3
> module 3 outlet temperature: 50C
> module 3 inlet temperature: 36C
> module 3 device-1 temperature: 36C
> module 3 device-2 temperature: 46C
>
> 2009/4/15 Hiromasa Sekiguchi :
>> Hi all,
>>
>> Does WS-X6748-SFP have temperature sensor?
>>
>> Can we confirm it on cisco web site?
>>
>> Regards,
>> Hiromasa

From wyatt.eliasson at gmail.com Wed Apr 15 02:47:15 2009
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Wed, 15 Apr 2009 08:47:15 +0200
Subject: [c-nsp] ME3400-24FS 12.2(46)SE METROIPACCESS with no MLS QOS commands
Message-ID: <994752fe0904142347n65ed4960ife3125d3eb29fce9@mail.gmail.com>

Hi all!

I've been racking my brain over this for a day now.

I have a multicast stream that I have marked with a DSCP value close to the core of my net. I subscribe to it in an ME3400-24FS (12.2(46)SE METROIPACCESS).

The problem is that the switch, contrary to documentation, has no "mls qos" commands. Neither global nor interface commands. I haven't found any reference to this "change" anywhere.

So, how do I get it to trust the DSCP values on the uplink port so I can reserve bandwidth for it on the outgoing port?

Best regards
Mattias Gyllenvarg

From wyatt.eliasson at gmail.com Wed Apr 15 04:02:15 2009
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Wed, 15 Apr 2009 10:02:15 +0200
Subject: [c-nsp] ME3400-24FS 12.2(46)SE METROIPACCESS with no MLS QOS commands
In-Reply-To: <200904150752.n3F7qPgC018835@ns.gastabud.com>
References: <994752fe0904142347n65ed4960ife3125d3eb29fce9@mail.gmail.com> <200904150752.n3F7qPgC018835@ns.gastabud.com>
Message-ID: <994752fe0904150102x762f562ep3d34327fb20fa3b1@mail.gmail.com>

Hi Claes

I figured that something like that would work, but it seems like a stretch compared to "mls qos trust". I will run a version of your config for the time being.
Thanks
Mattias Gyllenvarg

2009/4/15 Claes Jansson :
> Hi Mattias!
>
> I've been in the same position as you are now :-) But I finally solved it with the following config... The key is the input service-policy on the uplink interface, it seems...
>
> !
> class-map match-any video
>  match ip dscp af41
> class-map match-any voice
>  match ip dscp ef
> !
> policy-map uplink-in
>  class video
>   set dscp af41
>  class voice
>   set dscp ef
> !
> interface GigabitEthernet0/1
>  port-type nni
>  switchport mode trunk
>  service-policy input uplink-in
> !
>
> And then for the customer interfaces I attach a policy-map that looks like this...
>
> // Shaping customer internet traffic at 10Mbit/s
> !
> policy-map 10out
>  class voice
>   priority
>   police cir 3000000
>  class video
>   shape average 50000000
>  class class-default
>   shape average 10000000
> !
>
> Best regards.
>
> //Claes Jansson
>
> At 08:47 2009-04-15, you wrote:
>> Hi all!
>>
>> I've been racking my brain over this for a day now.
>>
>> I have a multicast stream that I have marked with a DSCP value close
>> to the core of my net.
>> I subscribe to it in an ME3400-24FS (12.2(46)SE METROIPACCESS).
>>
>> The problem is that the switch, contrary to documentation, has no
>> "mls qos" commands.
>> Neither global nor interface commands. I haven't found any reference
>> to this "change" anywhere.
>>
>> So, how do I get it to trust the DSCP values on the uplink port so
>> I can reserve bandwidth for it on the outgoing port.
>>
>>Best regards
>>Mattias Gyllenvarg
>
>

From achatz at forthnet.gr  Wed Apr 15 04:03:36 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 15 Apr 2009 11:03:36 +0300
Subject: [c-nsp] ME3400-24FS 12.2(46)SE METROIPACCESS with no MLS QOS commands
In-Reply-To: <994752fe0904142347n65ed4960ife3125d3eb29fce9@mail.gmail.com>
References: <994752fe0904142347n65ed4960ife3125d3eb29fce9@mail.gmail.com>
Message-ID: <49E594D8.2040808@forthnet.gr>

Mattias,

I believe the default mode is to not change the CoS/DSCP of packets, so you shouldn't have any problem.
Also, you can use a policy-map under the interface if you want to modify the above.

--
Tassos

Wyatt Mattias Gyllenvarg wrote on 15/04/2009 09:47:
> Hi all!
>
> I've been racking my brain over this for a day now.
>
> I have a multicast stream that I have marked with a DSCP value close
> to the core of my net.
> I subscribe to it in an ME3400-24FS (12.2(46)SE METROIPACCESS).
>
> The problem is that the switch, contrary to documentation, has no
> "mls qos" commands.
> Neither global nor interface commands. I haven't found any reference
> to this "change" anywhere.
>
> So, how do I get it to trust the DSCP values on the uplink port so
> I can reserve bandwidth for it on the outgoing port.
>
> Best regards
> Mattias Gyllenvarg
>

From adrian.minta at gmail.com  Wed Apr 15 05:36:31 2009
From: adrian.minta at gmail.com (Adrian Minta)
Date: Wed, 15 Apr 2009 12:36:31 +0300
Subject: [c-nsp] ME3400 uRPF
Message-ID: <49E5AA9F.9010400@gmail.com>

According to the "Cisco ME 3400 data sheet" http://tinyurl.com/yphgj5 the switch supports uRPF with the METROIPACCESS image, but I get the following error:

switch(config)#interface GigabitEthernet0/2
switch(config-if)#ip verify unicast reverse-path
% ip verify configuration not supported on interface Gi0/2
  - verification not supported by hardware

Does anyone know the magic needed to make uRPF work on this switch?

System image file is "flash:me340x-metroipaccess-mz.122-40.SE/me340x-metroipaccess-mz.122-40.SE.bin"

cisco ME-3400G-12CS-A (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.

Interface GigabitEthernet0/2 is in routed mode (no switchport).

--
Best regards,
Adrian Minta

From johns.stanly at gmail.com  Wed Apr 15 06:07:13 2009
From: johns.stanly at gmail.com (Stanly Johns)
Date: Wed, 15 Apr 2009 13:07:13 +0300
Subject: [c-nsp] VTY Lines
Message-ID:

Hi there,

Even after clearing the vty lines they were still there. I was unable to telnet to the router.

I had to restart the router to clear all the lines.

Any clue what could be the reason?

Thanks.
Perimeter#sh users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   322 vty 0              idle                     5w1d 190.42.12.218
   323 vty 1              idle                     5w0d client-201.230.86.15.speedy.net.pe
   324 vty 2              idle                     3w5d 151.56.21.165
   325 vty 3              idle                     2w4d client-190.40.212.198.speedy.net.pe
   326 vty 4              idle                     1w5d 84.36.28.19

  Interface    User               Mode         Idle     Peer Address

Perimeter#
Perimeter#clear line vty 2
[confirm]
 [OK]
Perimeter#
Perimeter#sh users
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   322 vty 0              idle                     5w1d 190.42.12.218
   323 vty 1              idle                     5w0d client-201.230.86.15.speedy.net.pe
   324 vty 2              idle                     3w5d 151.56.21.165
   325 vty 3              idle                     2w4d client-190.40.212.198.speedy.net.pe
   326 vty 4              idle                     1w5d 84.36.28.19

  Interface    User               Mode         Idle     Peer Address

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7
 login
!
scheduler allocate 20000 1000
!
end

Perimeter#

From achatz at forthnet.gr  Wed Apr 15 06:50:24 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 15 Apr 2009 13:50:24 +0300
Subject: [c-nsp] ME3400 uRPF
In-Reply-To: <49E5AA9F.9010400@gmail.com>
References: <49E5AA9F.9010400@gmail.com>
Message-ID: <49E5BBF0.60804@forthnet.gr>

uRPF is for VRFs in the ME-3400 (strange, isn't it?)

--
Tassos

Adrian Minta wrote on 15/04/2009 12:36:
> According to the "Cisco ME 3400 data sheet" http://tinyurl.com/yphgj5 the
> switch supports uRPF with the METROIPACCESS image, but I get the following
> error:
> switch(config)#interface GigabitEthernet0/2
> switch(config-if)#ip verify unicast reverse-path
> % ip verify configuration not supported on interface Gi0/2
>   - verification not supported by hardware
>
> Does anyone know the magic needed to make uRPF work on this switch?
>
> System image file is
> "flash:me340x-metroipaccess-mz.122-40.SE/me340x-metroipaccess-mz.122-40.SE.bin"
>
> cisco ME-3400G-12CS-A (PowerPC405) processor (revision C0) with
> 118784K/12280K bytes of memory.
>
> Interface GigabitEthernet0/2 is in routed mode (no switchport).
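Stanly's "show users" output earlier in this digest shows all five VTYs held by sessions that have sat idle for weeks, which locks an operator out of the box as effectively as any deliberate attack on the management plane. As an added example (my code, not from the thread or from Cisco), the Python below parses that output format, flags stale VTY sessions, and checks the "line vty" block of a running-config for the protections a hardened box would carry; the sample output and config are constructed, using documentation addresses and a made-up type 7 string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show users" output, laid out like the one in the thread but
# with documentation addresses (192.0.2.0/24, 198.51.100.0/24) instead of real ones.
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   322 vty 0              idle                     5w1d 192.0.2.10
   323 vty 1              idle                     5w0d host-198.51.100.15.example.net
   324 vty 2              idle                     3w5d 192.0.2.11
   325 vty 3   admin      10.0.0.1                1d02h 192.0.2.12
   326 vty 4              idle                     1w5d 198.51.100.19

  Interface    User               Mode         Idle     Peer Address
"""

# Constructed running-config fragment for the lines; the type 7 string is made up.
LINE_CONFIG = """\
line con 0
 stopbits 1
line vty 0 4
 password 7 094F471A1A0A
 login
!
"""

UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
# IOS shows idle time as hh:mm:ss below a day, then compact forms such as 1d02h or 5w1d.
DURATION = r"(?:\d{1,2}:\d{2}:\d{2}|(?:\d+[wdhms])+)"
SESSION_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<line>\d+)\s+(?P<kind>con|aux|tty|vty)\s+(?P<num>\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?(?P<host>\S+)\s+(?P<idle>" + DURATION + r")"
    r"(?:\s+(?P<location>\S+))?\s*$"
)


@dataclass
class Session:
    kind: str
    number: int
    user: Optional[str]
    idle_seconds: int
    location: Optional[str]


def idle_seconds(text: str) -> int:
    """Convert an IOS idle value (00:12:34, 45m, 1d02h, 5w1d) to seconds."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2}):(\d{2})", text)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


def parse_show_users(output: str) -> List[Session]:
    """Parse the session table; the header and interface lines do not match and are skipped."""
    found = []
    for raw in output.splitlines():
        m = SESSION_RE.match(raw)
        if m:
            found.append(Session(m["kind"], int(m["num"]), m["user"],
                                 idle_seconds(m["idle"]), m["location"]))
    return found


def stale_vty_sessions(output: str, max_idle: int = 600) -> List[Session]:
    """VTY sessions idle longer than max_idle seconds. Each one holds a line an operator can
    no longer get; with all five held for weeks, as in the thread, that is a lockout."""
    return [s for s in parse_show_users(output) if s.kind == "vty" and s.idle_seconds > max_idle]


def vty_lines_free(output: str, total_vtys: int = 5) -> int:
    return total_vtys - sum(1 for s in parse_show_users(output) if s.kind == "vty")


def vty_hardening_gaps(config: str) -> List[str]:
    """Report protections missing from the 'line vty' block of a running-config."""
    block, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            inside = True
        elif inside and raw.startswith(" "):
            block.append(raw.strip())
        else:
            inside = False
    gaps = []
    if not any(e.startswith("exec-timeout") for e in block):
        gaps.append("exec-timeout not set explicitly; set one so idle sessions are torn down")
    if not any(e.startswith("access-class") for e in block):
        gaps.append("no access-class: the VTYs accept connections from any source address")
    if any(e.startswith("password 7") for e in block):
        gaps.append("type 7 line password: reversible encoding, prefer AAA or login local")
    return gaps


if __name__ == "__main__":
    print(f"vty lines free: {vty_lines_free(SHOW_USERS)} of 5")
    for s in stale_vty_sessions(SHOW_USERS):
        print(f"  stale: vty {s.number} from {s.location}, idle {s.idle_seconds // 86400} days")
    for gap in vty_hardening_gaps(LINE_CONFIG):
        print(f"  gap: {gap}")
```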
From wyatt.eliasson at gmail.com  Wed Apr 15 08:09:12 2009
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Wed, 15 Apr 2009 14:09:12 +0200
Subject: [c-nsp] ME3400-24FS 12.2(46)SE METROIPACCESS with no MLS QOS commands
In-Reply-To: <49E594D8.2040808@forthnet.gr>
References: <994752fe0904142347n65ed4960ife3125d3eb29fce9@mail.gmail.com>
	<49E594D8.2040808@forthnet.gr>
Message-ID: <994752fe0904150509wc5008d6oa850b35029e39a35@mail.gmail.com>

Hey All

Thanks for your answers. Here is the end result.

The equivalent config for "mls qos trust dscp" on a physical interface on a ME3400 is:

policy-map uplink
 class class-default
  set dscp dscp

interface gix/y
 service-policy input uplink

The user-friendly clue was:

me3400(config-pmap-c)#set dscp ?
  dscp  Set packet dscp from dscp

Enjoy
Mattias Gyllenvarg

2009/4/15 Tassos Chatzithomaoglou :
> Mattias,
>
> I believe the default mode is to not change the CoS/DSCP of packets, so you
> shouldn't have any problem.
> Also, you can use a policy-map under the interface if you want to modify the
> above.
>
>
> --
> Tassos
>
>
> Wyatt Mattias Gyllenvarg wrote on 15/04/2009 09:47:
>>
>> Hi all!
>>
>> I've been racking my brain over this for a day now.
>>
>> I have a multicast stream that I have marked with a DSCP value close
>> to the core of my net.
>> I subscribe to it in an ME3400-24FS (12.2(46)SE METROIPACCESS).
>>
>> The problem is that the switch, contrary to documentation, has no
>> "mls qos" commands.
>> Neither global nor interface commands. I haven't found any reference
>> to this "change" anywhere.
>>
>> So, how do I get it to trust the DSCP values on the uplink port so
>> I can reserve bandwidth for it on the outgoing port.
>>
>> Best regards
>> Mattias Gyllenvarg
>>
>

From wp at null0.nl  Wed Apr 15 09:26:44 2009
From: wp at null0.nl (Wouter Prins)
Date: Wed, 15 Apr 2009 15:26:44 +0200
Subject: [c-nsp] VTY Lines
In-Reply-To:
References:
Message-ID:

Hi Stanly,

You have to use 'disconnect x' to clear a vty terminal; 'clear x' is for async lines.

2009/4/15 Stanly Johns

> Hi there,
>
> even after clearing the vty lines they were still there. I was unable to
> telnet to the router.
>
> I had to restart the router to clear all the lines.
>
> any clue what could be the reason ?
>
> thanks.
>
> Perimeter#sh users
>     Line       User       Host(s)              Idle       Location
> *    0 con 0              idle                 00:00:00
>    322 vty 0              idle                     5w1d 190.42.12.218
>    323 vty 1              idle                     5w0d
> client-201.230.86.15.speedy.net.pe
>    324 vty 2              idle                     3w5d 151.56.21.165
>    325 vty 3              idle                     2w4d
> client-190.40.212.198.speedy.net.pe
>    326 vty 4              idle                     1w5d 84.36.28.19
>
>   Interface    User               Mode         Idle     Peer Address
>
> Perimeter#
> Perimeter#clear line vty 2
> [confirm]
>  [OK]
> Perimeter#
> Perimeter#sh users
>     Line       User       Host(s)              Idle       Location
> *    0 con 0              idle                 00:00:00
>    322 vty 0              idle                     5w1d 190.42.12.218
>    323 vty 1              idle                     5w0d
> client-201.230.86.15.speedy.net.pe
>    324 vty 2              idle                     3w5d 151.56.21.165
>    325 vty 3              idle                     2w4d
> client-190.40.212.198.speedy.net.pe
>    326 vty 4              idle                     1w5d 84.36.28.19
>
>   Interface    User               Mode         Idle     Peer Address
>
> line con 0
>  stopbits 1
> line aux 0
>  stopbits 1
> line vty 0 4
>  password 7
>
>  login
> !
> scheduler allocate 20000 1000
> !
> end
>
> Perimeter#
>

--
Wouter Prins
wp at null0.nl
0x301FA912

From networkstuff.training at gmail.com  Wed Apr 15 09:34:00 2009
From: networkstuff.training at gmail.com (Swati Sharma)
Date: Wed, 15 Apr 2009 19:04:00 +0530
Subject: [c-nsp] rpr-plus switchover
In-Reply-To: <20090414060746.GK290@greenie.muc.de>
References: <8a93d4b30904132217p6d41d9bct139e3e865d5e09a8@mail.gmail.com>
	<20090414060746.GK290@greenie.muc.de>
Message-ID: <8a93d4b30904150634h64754234ra5d5c345c362f911@mail.gmail.com>

It's rapid PVST, should not take time.....

Regards,

On Tue, Apr 14, 2009 at 11:37 AM, Gert Doering wrote:

> Hi,
>
> On Tue, Apr 14, 2009 at 10:47:02AM +0530, Swati Sharma wrote:
> > I am testing rpr-plus and could see links up in less than 1 sec but ping
> > resume only after 47 sec.... I understand with rpr-plus we get more than 30
> > sec of ping drop, still when all links are up and adj is up, why there is a
> > ping drop?
>
> Spanning-Tree?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!                               //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>

From petelists at templin.org  Wed Apr 15 10:04:30 2009
From: petelists at templin.org (Pete Templin)
Date: Wed, 15 Apr 2009 09:04:30 -0500
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
Message-ID: <49E5E96E.4010508@templin.org>

Jason Lixfeld wrote:
> CPU doesn't seem to be running too hot:
>
> CPU utilization for five seconds: 6%/0%; one minute: 20%; five minutes: 19%

That's probably your xRP CPU.  You should check the LC CPU too.
I wouldn't suspect they'll be the root of the issue, but worth checking early in your troubleshooting:

core1-dlls#execute-on ?
  all      All slots
  slot     Command is executed on slot(s) in this chassis
  standby  Command is executed on standby RP

core1-dlls#execute-on all ?
  LINE  Commmand to be executed on another slot

core1-dlls#execute-on all sh proc c s | e 0.0.%

========= Line Card (Slot 4) =========

CPU utilization for five seconds: 0%/0%; one minute: 17%; five minutes: 17%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process

========= Line Card (Slot 6) =========

CPU utilization for five seconds: 16%/0%; one minute: 17%; five minutes: 17%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  74    76749624  21406230       3585 15.80% 15.91% 16.13%   0 TAG Stats Backgr

========= Line Card (Slot 9) =========

CPU utilization for five seconds: 10%/0%; one minute: 8%; five minutes: 8%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  87  2118639296  11728520     180642 10.55%  8.53%  8.50%   0 TAG Stats Backgr

========= Line Card (Slot 11) =========

CPU utilization for five seconds: 38%/0%; one minute: 17%; five minutes: 16%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  81  3951889484  21237909     186078 37.51% 16.39% 15.87%   0 TAG Stats Backgr

========= Line Card (Slot 12) =========

CPU utilization for five seconds: 0%/0%; one minute: 17%; five minutes: 18%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process

========= Line Card (Slot 15) =========

CPU utilization for five seconds: 28%/0%; one minute: 18%; five minutes: 17%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  73  4065388572  21247058     191339 27.60% 16.47% 15.95%   0 TAG Stats Backgr

core1-dlls#

pt

From jason at lixfeld.ca  Wed Apr 15 10:11:31 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Wed, 15 Apr 2009 10:11:31 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <49E5E96E.4010508@templin.org>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
	<49E5E96E.4010508@templin.org>
Message-ID: <0E61DBC7-BBE6-4B50-9D92-538F0929EB82@lixfeld.ca>

On 15-Apr-09, at 10:04 AM, Pete Templin wrote:

> Jason Lixfeld wrote:
>
>> CPU doesn't seem to be running too hot:
>> CPU utilization for five seconds: 6%/0%; one minute: 20%; five
>> minutes: 19%
>
> That's probably your xRP CPU.  You should check the LC CPU too.  I
> wouldn't suspect they'll be the root of the issue, but worth
> checking early in your troubleshooting:

Indeed, that was the output from the GRP-B.  LC CPUs are all low:

bdr1.nyc-hudson-12008#execute-on all show proc cpu | e 0.00%__0.00%__0.00%

========= Line Card (Slot 2) =========

CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   6    63893752   3776360      16919  0.00%  0.25%  0.22%   0 Check heaps
  14     6394916    533472      11987  0.00%  0.11%  0.11%   0 TAG Stats Backgr
  28      867620  43608352         19  0.00%  0.03%  0.00%   0 Per-Second Jobs
  39     6240812    523012      11932  0.23%  0.02%  0.00%   0 Per-minute Jobs
  53    24959116  33061010        754  0.00%  0.07%  0.06%   0 LC COS STAT
  60   146006316    776594     188012  0.00%  0.95%  0.52%   0 TBM sanity proce
  74    14368544 170371373         84  0.00%  0.04%  0.04%   0 CEF LC IPC Backg

========= Line Card (Slot 5) =========

CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   6    63893584   3776593      16918  0.00%  0.19%  0.21%   0 Check heaps
  14     6426820    533474      12047  0.00%  0.11%  0.11%   0 TAG Stats Backgr
  28     2928124  34305135         85  0.00%  0.03%  0.05%   0 Per-Second Jobs
  55    24968788  33048944        755  0.15%  0.08%  0.06%   0 LC COS STAT
  63    80102964 184468966        434  0.07%  0.08%  0.11%   0 Queue Mgr
  64   144607816    776602     186212  0.00%  0.40%  0.43%   0 TBM sanity proce
  78    14642052 170365691         85  0.07%  0.01%  0.02%   0 CEF LC IPC Backg

bdr1.nyc-hudson-12008#

From john at johnlange.ca  Wed Apr 15 10:10:11 2009
From: john at johnlange.ca (John Lange)
Date: Wed, 15 Apr 2009 09:10:11 -0500
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
Message-ID: <1239804611.5644.6.camel@linux-2sym>

I'm looking for some configuration examples for a Cisco 871w in a dual-WAN environment.

Physically the box only has one of the ports labelled as a WAN port, but is it possible to configure one of the other ports as another external interface? Internally they all just show up as FastEthernet ports 0-4.

One port would be DSL with PPPoE and the other would be simple DHCP (cable modem).

Version: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T

Regards,

--
John Lange
http://www.johnlange.ca

From Steven.Glogger at swisscom.com  Wed Apr 15 10:19:51 2009
From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com)
Date: Wed, 15 Apr 2009 16:19:51 +0200
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
In-Reply-To: <1239804611.5644.6.camel@linux-2sym>
References: <1239804611.5644.6.camel@linux-2sym>
Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A5869959FC@sg000035.corproot.net>

did you try to use vlans? afaik those 870 series routers allow up to 5 vlans to be configured. fa4 can be (ip-)addressed directly, afaik.

-steven

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 4:10 PM
To: Cisco NSP
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

I'm looking for some configuration examples for a Cisco 871w in a dual-WAN environment.

Physically the box only has one of the ports labelled as a WAN port, but is it possible to configure one of the other ports as another external interface? Internally they all just show up as FastEthernet ports 0-4.

One port would be DSL with PPPoE and the other would be simple DHCP (cable modem).
Version: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T

Regards,

--
John Lange
http://www.johnlange.ca

From synack at live.com  Wed Apr 15 10:24:01 2009
From: synack at live.com (Darin Herteen)
Date: Wed, 15 Apr 2009 09:24:01 -0500
Subject: [c-nsp] Using Cisco 3825 as Firewall Replacement
Message-ID:

I have a customer whose firewall recently bricked and is unusable. This device had previously served as a VPN to their LAN from the outside world, restricted access between internal VLANs, and provided NAT for internal addresses to reach the internet. They happened to have a Cisco 3825 lying around and I've been attempting to get this router configured to duplicate the functionality of the now deceased firewall.

The customer is requesting the following setup:

VLAN 2 must not have internet access or access to VLAN 41
VLAN 42 must have internet access but no access to VLAN 41
VLAN 41 must have internet access and allowed access to VLANs 2 and 42

My intent has been to use Reflexive Access Control List(s) to allow traffic originating from VLAN 41 into VLANs 2 & 42 and back. But numerous configuration attempts seem to break the NAT for VLANs 41 & 42; according to the customer, internal segmentation of the VLANs appeared to work as requested, but I have since removed the RACL to restore connectivity.
The 3825 is currently configured as follows:

interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.15.254 255.255.240.0
 no cdp enable

interface GigabitEthernet0/0.41
 encapsulation dot1Q 41
 ip address 192.168.31.254 255.255.240.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable

interface GigabitEthernet0/0.42
 encapsulation dot1Q 42
 ip address 192.168.47.254 255.255.240.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable

interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address x.x.x.137 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 crypto map SDM_CMAP_1

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1.30 overload

route-map SDM_RMAP_1 permit 1
 match ip address 100

access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.32.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip 192.168.16.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip 192.168.0.0 0.0.15.255 10.0.0.0 0.0.0.15
access-list 100 deny   ip any 10.0.0.0 0.0.0.15
access-list 100 permit ip 192.168.16.0 0.0.15.255 any
access-list 100 permit ip 192.168.0.0 0.0.15.255 any

The 3825 is running the following IOS: (C3825-ADVIPSERVICESK9-M), Version 12.4(23)

Does anybody have any recommendations or advice to offer regarding this setup and whether or not it can be accomplished?

Thanks in advance,

Darin Herteen

From luan at netcraftsmen.net  Wed Apr 15 10:24:07 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Apr 2009 10:24:07 -0400
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
In-Reply-To: <1239804611.5644.6.camel@linux-2sym>
References: <1239804611.5644.6.camel@linux-2sym>
Message-ID: <00a001c9bdd5$d653f540$82fbdfc0$@net>

You could put Fa0 into a VLAN and use that for the cable modem connection.
There's no option for "no switchport" to turn it into a layer 3 interface.

Regards,

-------------------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
------------------------------------------------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Lange
Sent: Wednesday, April 15, 2009 10:10 AM
To: Cisco NSP
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T

I'm looking for some configuration examples for a Cisco 871w in a dual-WAN environment.

Physically the box only has one of the ports labelled as a WAN port, but is it possible to configure one of the other ports as another external interface? Internally they all just show up as FastEthernet ports 0-4.

One port would be DSL with PPPoE and the other would be simple DHCP (cable modem).

Version: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T

Regards,

--
John Lange
http://www.johnlange.ca

From jeff at ocjtech.us  Wed Apr 15 10:35:01 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Wed, 15 Apr 2009 09:35:01 -0500
Subject: [c-nsp] Using Cisco 3825 as Firewall Replacement
In-Reply-To:
References:
Message-ID: <935ead450904150735k21fe994fqe7e2670c2624ee45@mail.gmail.com>

On Wed, Apr 15, 2009 at 9:24 AM, Darin Herteen wrote:
>
> I have a customer whose firewall recently bricked and is unusable. This
> device had previously served as a VPN to their LAN from the outside
> world, restricted access between internal VLANs, and provided NAT for
> internal addresses to reach the internet.
> They happened to have a Cisco
> 3825 lying around and I've been attempting to get this router
> configured to duplicate the functionality of the now deceased firewall.
> [...]
> Does anybody have any recommendations or advice to offer regarding this setup and whether or not it can be accomplished.

The 3825 is a fairly nice router, but it can't handle a lot of throughput. I don't recall the exact specs (and can't find them on a quick search), but I think that it can only handle <100Mb/s. That seems kinda low, but I think it wasn't really designed as a packet pusher; instead it is designed as a platform for services like VoIP etc.

It can probably be configured to do what you want, but I'm sure you'll be disappointed with the performance, especially for LAN->LAN traffic.

--
Jeff Ollie

From dan at beanfield.com  Wed Apr 15 09:49:18 2009
From: dan at beanfield.com (Dan Armstrong)
Date: Wed, 15 Apr 2009 09:49:18 -0400
Subject: [c-nsp] ME3400 uRPF
In-Reply-To: <49E5AA9F.9010400@gmail.com>
References: <49E5AA9F.9010400@gmail.com>
Message-ID: <90376FE6-12CC-453D-A144-2CE65B912884@beanfield.com>

It doesn't.  I so wish it did, but no dice.

On 15-Apr-09, at 5:36 AM, Adrian Minta wrote:

> According to the "Cisco ME 3400 data sheet" http://tinyurl.com/yphgj5
> the switch supports uRPF with the METROIPACCESS image, but I get the
> following error:
> switch(config)#interface GigabitEthernet0/2
> switch(config-if)#ip verify unicast reverse-path
> % ip verify configuration not supported on interface Gi0/2
>   - verification not supported by hardware
>
> Does anyone know the magic needed to make uRPF work on this switch?
>
> System image file is "flash:me340x-metroipaccess-mz.122-40.SE/me340x-metroipaccess-mz.122-40.SE.bin"
> cisco ME-3400G-12CS-A (PowerPC405) processor (revision C0) with
> 118784K/12280K bytes of memory.
>
> Interface GigabitEthernet0/2 is in routed mode (no switchport).
>
> --
> Best regards,
> Adrian Minta
>

From dudepron at gmail.com  Wed Apr 15 10:52:23 2009
From: dudepron at gmail.com (Aaron)
Date: Wed, 15 Apr 2009 10:52:23 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <0E61DBC7-BBE6-4B50-9D92-538F0929EB82@lixfeld.ca>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
	<49E5E96E.4010508@templin.org>
	<0E61DBC7-BBE6-4B50-9D92-538F0929EB82@lixfeld.ca>
Message-ID: <480dad640904150752p17fcb73foe15f1a4def68d244@mail.gmail.com>

What's the traffic flow? What's the input and the output?

On Wed, Apr 15, 2009 at 10:11, Jason Lixfeld wrote:

>
> On 15-Apr-09, at 10:04 AM, Pete Templin wrote:
>
> Jason Lixfeld wrote:
>>
>> CPU doesn't seem to be running too hot:
>>> CPU utilization for five seconds: 6%/0%; one minute: 20%; five minutes:
>>> 19%
>>>
>>
>> That's probably your xRP CPU.  You should check the LC CPU too.  I
>> wouldn't suspect they'll be the root of the issue, but worth checking early
>> in your troubleshooting:
>>
>
> Indeed, that was the output from the GRP-B.
> LC CPUs are all low:
>
> bdr1.nyc-hudson-12008#execute-on all show proc cpu | e 0.00%__0.00%__0.00%
> ========= Line Card (Slot 2) =========
>
> CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>    6    63893752   3776360      16919  0.00%  0.25%  0.22%   0 Check heaps
>   14     6394916    533472      11987  0.00%  0.11%  0.11%   0 TAG Stats Backgr
>   28      867620  43608352         19  0.00%  0.03%  0.00%   0 Per-Second Jobs
>   39     6240812    523012      11932  0.23%  0.02%  0.00%   0 Per-minute Jobs
>   53    24959116  33061010        754  0.00%  0.07%  0.06%   0 LC COS STAT
>   60   146006316    776594     188012  0.00%  0.95%  0.52%   0 TBM sanity proce
>   74    14368544 170371373         84  0.00%  0.04%  0.04%   0 CEF LC IPC Backg
>
> ========= Line Card (Slot 5) =========
>
> CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 1%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>    6    63893584   3776593      16918  0.00%  0.19%  0.21%   0 Check heaps
>   14     6426820    533474      12047  0.00%  0.11%  0.11%   0 TAG Stats Backgr
>   28     2928124  34305135         85  0.00%  0.03%  0.05%   0 Per-Second Jobs
>   55    24968788  33048944        755  0.15%  0.08%  0.06%   0 LC COS STAT
>   63    80102964 184468966        434  0.07%  0.08%  0.11%   0 Queue Mgr
>   64   144607816    776602     186212  0.00%  0.40%  0.43%   0 TBM sanity proce
>   78    14642052 170365691         85  0.07%  0.01%  0.02%   0 CEF LC IPC Backg
>
> bdr1.nyc-hudson-12008#
>
>

From jason at lixfeld.ca  Wed Apr 15 10:58:01 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Wed, 15 Apr 2009 10:58:01 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <480dad640904150752p17fcb73foe15f1a4def68d244@mail.gmail.com>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
	<49E5E96E.4010508@templin.org>
	<0E61DBC7-BBE6-4B50-9D92-538F0929EB82@lixfeld.ca>
	<480dad640904150752p17fcb73foe15f1a4def68d244@mail.gmail.com>
Message-ID:

On 15-Apr-09, at 10:52 AM, Aaron wrote:

> What's the traffic flow? What's the input and the output?

bdr1.nyc-hudson-12008#show int a2/0 load
Interface                  bits/sec   pack/sec
-------------------- ------------ ----------
AT2/0            Tx      48464000      14099
                 Rx     104808000      18012

bdr1.nyc-hudson-12008#show int a2/1 load
Interface                  bits/sec   pack/sec
-------------------- ------------ ----------
AT2/1            Tx      57581000      13032
                 Rx     116319000      14466

bdr1.nyc-hudson-12008#show int g5/0 load
Interface                  bits/sec   pack/sec
-------------------- ------------ ----------
Gi5/0            Tx      56851000       8981
                 Rx      35082000       7833

bdr1.nyc-hudson-12008#show int g5/1 load
Interface                  bits/sec   pack/sec
-------------------- ------------ ----------
Gi5/1            Tx     166072000      23424
                 Rx      70951000      19116

bdr1.nyc-hudson-12008#

So:

Total Throughput: 656128000
Total PPS: 118963
Average Size (B): 689.4

From john at johnlange.ca  Wed Apr 15 11:02:00 2009
From: john at johnlange.ca (John Lange)
Date: Wed, 15 Apr 2009 10:02:00 -0500
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
In-Reply-To: <00a001c9bdd5$d653f540$82fbdfc0$@net>
References: <1239804611.5644.6.camel@linux-2sym>
	<00a001c9bdd5$d653f540$82fbdfc0$@net>
Message-ID: <1239807720.5644.10.camel@linux-2sym>

On Wed, 2009-04-15 at 10:24 -0400, Luan Nguyen wrote:
> You could put Fa0 into a VLAN and use that for the cable modem
> connection.

Ok, that's what I figured would work.

Any suggestions for how to make the dual-WAN work in a type of fail-over setup? All of my searching turns up plenty of hits for hardware failover (dual-PIX setups) but I can't find any example configs for dual-WAN on a single device. I must be using the wrong search terms?
I'm fairly new to Cisco and am not certified, so any hints as to which IOS commands/configs can be used to detect fail-over would be great.

Thanks,

--
John Lange
http://www.johnlange.ca

From mtinka at globaltransit.net  Wed Apr 15 06:07:56 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 15 Apr 2009 18:07:56 +0800
Subject: [c-nsp] 12.2(33)SRC*/SRD* Watchdog NMI Timeout Crash/BFD Issue
Message-ID: <200904151808.07070.mtinka@globaltransit.net>

Hi all.

So we've been going back and forth on this issue with TAC, and I recall posting a few comments about it online several months back. Here's an update for the archives and anyone that's interested:

So TAC and I initially worked through bug ID CSCek75694 (Crash in Pseudo Preemption handler when BFD is configured) which linked over to bug ID CSCsq32269 (C7200 crash due to watchdog nmi). TAC came back to say this issue was fixed in 12.2(33)SRC3, as well as other trains. However, this was not to be...

So we logged another case with TAC after SRC3 crashed on us the exact same way. We seem to have made some progress - bug ID CSCsz05181 (stack corruption crash with BFD configured) has just been filed.

To summarize, when BFD is enabled and some commands are run on a regular basis, e.g., "show bootvar" and "show c7200", the router crashes. It is not guaranteed that the router will crash when these circumstances all come together, but the more often the commands are run, the greater the chance of the router crashing. In our case, the regular execution of these commands is due to RANCID, hence the eventual cause of the crash.

The current workaround is to disable BFD (for us, RANCID takes higher priority).

But that's not all - we were wondering why, while the SRC* code for the NPE-G2 and 7201 are vulnerable to this bug, they have never once crashed, with BFD enabled and RANCID querying these platforms. Well, it turns out this issue only affects MIPS-based processors.
While the issue isn't exactly BFD-specific, currently, BFD is the only feature known to trigger it. The reason the NPE-G2 and 7201 are not affected is because these platforms do not use MIPS processors.

Still no news on which release will carry the (final) fix, but I'm hoping SRC5 at least :-).

SRD4 is also affected, for anyone that's running it. Suggest not to run BFD on this code, for the time being (particularly on the NPE-G1).

Cheers,

Mark.

From lowen at pari.edu  Wed Apr 15 11:34:34 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 15 Apr 2009 11:34:34 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca>
Message-ID: <200904151134.34595.lowen@pari.edu>

On Tuesday 14 April 2009 18:22:03 Jason Lixfeld wrote:
> For the life of us, we can't seem to get any more than 60Mbps
> sustained across the ATM testing with iperf, so we're just trying to
> figure out if the GSR just can't push any more than what it's doing or
> if there's something else afoot.
[snip]
> We've done our due diligence to ensure the bits of the network between
> the test machine and the ATM can support 100Mbps, so we're fairly

Hmm, 60mb/s using a 100mb/s connected box sounds about right. To really strain an OC12 you need a gigabit connected tester that can really do a gigabit of traffic. Or multiple test PCs.

I have a 12012 here in production, and have some of the kit necessary to test point to point ATM connections (including a Catalyst 8540MSR with OC12, ARM, and gigabit cards), and have a 4xOC12/ATM/MM, but it will be a few days before I could have the time to set up a test to see if the 12012 is limited.
The LC engines on the ATM card and the 3GE card will be the limiting factor, and those cards are rated for line rate on four simultaneous OC12's or line rate on two GigE (can't do full line rate on all three with a 2.5Gb/s fabric connection). The GRP CPU is not involved in the data plane on a GSR; the LC engine CPU's/ASICs do dCEF and talk directly over the fabric. Unless you have serious fabric issues preventing full bandwidth, in which case you have bigger problems. So I'd first check to see if your iperf test box can really generate sufficient traffic. What sort of ATM switch or router is on the other end of those multimode short reach OC12's? What sort of router is terminating them? How are your PVC's set up? From mtinka at globaltransit.net Wed Apr 15 11:46:01 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 15 Apr 2009 23:46:01 +0800 Subject: [c-nsp] SRC on 7200 In-Reply-To: References: Message-ID: <200904152346.30087.mtinka@globaltransit.net> On Tuesday 14 April 2009 11:48:36 pm MKS wrote: > What's your experience with SRC or SRC3 on 7200, is it > stable as a MPLS PE? A number of bugs - the worst of which, for us, is a system crash when running BFD on an NPE-G1. NPE-G2's and 7201's are unaffected. Issue as yet unfixed (please look at an e-mail I just sent on this). Enabling Flexible Netflow on an interface while in production also crashes the box, but this is fixed in SRC3. That said, consider SRC3 as a minimum. Lots of interesting features and quite comprehensive, but still a relatively "young" code base. Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
From luan at netcraftsmen.net Wed Apr 15 11:56:58 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Apr 2009 11:56:58 -0400
Subject: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T
In-Reply-To: <1239807720.5644.10.camel@linux-2sym>
References: <1239804611.5644.6.camel@linux-2sym> <00a001c9bdd5$d653f540$82fbdfc0$@net> <1239807720.5644.10.camel@linux-2sym>
Message-ID: <00f501c9bde2$cefee680$6cfcb380$@net>

Basically you should look for reliable static routing using object tracking
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

An ICMP echo probe is created to monitor the GW of the primary interface. The probe sends an ICMP echo every 5 seconds, and runs indefinitely:

ip sla 2147483647
 icmp-echo x.x.x.x(GW) source-ip x.x.x.x1 [PRIMARY ADDRESS]
 timeout 1000
 frequency 5
ip sla schedule 2147483647 life forever start-time now

An object tracking rule is created to track the echo probe with a delay of 20 seconds - in case of just link flapping and not a real failure:

!
track 300 rtr 2147483647 reachability
 delay down 20
!

A route map is created to send the ICMP echo packets out the primary WAN interface only when it is up but sends the packets to a null0 interface when the primary interface fails.

!
ip access-list extended object-track
 permit icmp host x.x.x.x1 host x.x.x.x
!
route-map OT permit 300
 match ip address object-track
 set ip next-hop x.x.x.x
 set interface Null0
!

A default route is set out the primary interface. Another default route is set out the secondary interface but at a higher cost.

ip route 0.0.0.0 0.0.0.0 x.x.x.x track 300
ip route 0.0.0.0 0.0.0.0 y.y.y.y 250
!

HTH.

Regards,
-------------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net ------------------------------------------------------------------------ -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of John Lange Sent: Wednesday, April 15, 2009 11:02 AM To: 'Cisco NSP' Subject: Re: [c-nsp] Dual WAN on Cisco IOS 12.4(24)T On Wed, 2009-04-15 at 10:24 -0400, Luan Nguyen wrote: > You could put Fa0 into a VLAN and use that for the cable modem > connection. Ok, that's what I figured would work. Any suggestions for how to make the dual-wan work in a type of fail-over setup? All of my searching turns up plenty of hits for hardware failover (dual-PIX setups) but I can't find any example configs for dual-wan on a single device. I must be using the wrong search terms? I'm fairly new to cisco and am not certified so any hints as to which IOS commands/configs can be used to detect fail-over would be great. Thanks, -- John Lange http://www.johnlange.ca _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cgriffin at ufl.edu Wed Apr 15 12:02:42 2009 From: cgriffin at ufl.edu (Chris Griffin) Date: Wed, 15 Apr 2009 12:02:42 -0400 Subject: [c-nsp] SRC on 7200 In-Reply-To: <200904152346.30087.mtinka@globaltransit.net> References: <200904152346.30087.mtinka@globaltransit.net> Message-ID: <49E60522.6040801@ufl.edu> Also watch out for CSCsy58115. BGP memory leak if you have any idle/active peers. We are still going through the full scope of this bug and how to get around it. Thanks Chris Mark Tinka wrote: > On Tuesday 14 April 2009 11:48:36 pm MKS wrote: > >> What's your experience with SRC or SRC3 on 7200, is it >> stable as a MPLS PE? > > A number of bugs - the worst of which, for us, is a system > crash when running BFD on an NPE-G1. NPE-G2's and 7201's are > unaffected. 
Issue as yet unfixed (please look at an e-mail I > just sent on this). > > Enabling Flexible Netflow on an interface while in > production also crashes the box, but this is fixed in SRC3. > > That said, consider SRC3 as a minimum. Lots of interesting > features and quite comprehensive, but still a relatively > "young" code base. > > Mark. > > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Chris Griffin cgriffin at ufl.edu Sr. Network Engineer - CCNP Phone: (352) 273-1051 CNS - Network Services Fax: (352) 392-9440 University of Florida/FLR Gainesville, FL 32611 From jason at lixfeld.ca Wed Apr 15 12:11:10 2009 From: jason at lixfeld.ca (Jason Lixfeld) Date: Wed, 15 Apr 2009 12:11:10 -0400 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? In-Reply-To: <200904151134.34595.lowen@pari.edu> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151134.34595.lowen@pari.edu> Message-ID: <4E072EE9-04F5-4C83-BBCA-B8584E2AB44A@lixfeld.ca> On 15-Apr-09, at 11:34 AM, Lamar Owen wrote: > On Tuesday 14 April 2009 18:22:03 Jason Lixfeld wrote: >> For the life of us, we can't seem to get any more than 60Mbps >> sustained across the ATM testing with iperf, so we're just trying to >> figure out if the GSR just can't push any more than what it's doing >> or >> if there's something else afoot. > [snip] >> We've done our due diligence to ensure the bits of the network >> between >> the test machine and the ATM can support 100Mbps, so we're fairly > > Hmm, 60mb/s using a 100mb/s connected box sounds about right. To > really > strain an OC12 you need a gigabit connected tester that can really > do a > gigabit of traffic. Or multiple test PC's. 
In this case, I can iperf 97Mbps between two machines connected together at 100Mb.

> I have a 12012 here in production, and have some of the kit necessary to test
> point to point ATM connections (including a Catalyst 8540MSR with OC12, ARM,
> and gigabit cards), and have a 4xOC12/ATM/MM, but it will be a few days before
> I could have the time to set up a test to see if the 12012 is limited.

We've been wrestling with this for weeks now, but haven't had the means to be able to compare our results to anyone else to see whether or not we're an anomaly, so what's another day or four :)

> The LC engines on the ATM card and the 3GE card will be the limiting factor, and
> those cards are rated for line rate on four simultaneous OC12's or line rate
> on two GigE (can't do full line rate on all three with a 2.5Gb/s fabric
> connection).

The load is really low, so I'd be very surprised if it was an LC limitation, but what do I know:

bdr1.nyc-hudson-12008#show int a2/0 load
Interface                 bits/sec     pack/sec
--------------------  ------------   ----------
AT2/0          Tx         48464000        14099
               Rx        104808000        18012
bdr1.nyc-hudson-12008#show int a2/1 load
Interface                 bits/sec     pack/sec
--------------------  ------------   ----------
AT2/1          Tx         57581000        13032
               Rx        116319000        14466
bdr1.nyc-hudson-12008#show int g5/0 load
Interface                 bits/sec     pack/sec
--------------------  ------------   ----------
Gi5/0          Tx         56851000         8981
               Rx         35082000         7833
bdr1.nyc-hudson-12008#show int g5/1 load
Interface                 bits/sec     pack/sec
--------------------  ------------   ----------
Gi5/1          Tx        166072000        23424
               Rx         70951000        19116
bdr1.nyc-hudson-12008#

So:
Total Throughput: 656128000
Total PPS: 118963
Average Size (B): 689.4

> The GRP CPU is not involved in the data plane on a GSR; the LC
> engine CPU's/ASICs do dCEF and talk directly over the fabric. Unless you have
> serious fabric issues preventing full bandwidth, in which case you have bigger
> problems.
Again, the bandwidth going over the entire box is like 650Mbps spread more or less evenly across the two LCs.

> So I'd first check to see if your iperf test box can really generate sufficient
> traffic.

Here's one of the tests we've done, and we were able to get ~97Mbps here:

Macbook Pro -> Linksys 100Mb -> 1811 -> 7609 -> 10GE -> 7609 -> 3550 -> PC 100Mb NIC.

> What sort of ATM switch or router is on the other end of those multimode short
> reach OC12's? What sort of router is terminating them? How are your PVC's
> set up?

A2/0 and A2/1 on the GSR connect to two ports on a Fore ASX200BX. The ASX200BX connects into the provider's SONET network. On the Z side, we're taking the OC12 into a Fore ASX1000. ATM2/0.100 (vpi/vci 0/100) on side A ultimately terminates on an OSM-2OC12-ATM-MM in 7609-A on side Z. ATM2/1.110 (vpi/vci 0/110) on side A ultimately terminates on an OSM-2OC12-ATM-MM in 7609-B on side Z. 7609-A and 7609-B on the Z side are connected by an OC12 ATM on our own dark fiber. Fores at the A and Z side are both clean as a whistle. No error seconds anywhere.

From steve.mcnamara at gmail.com Wed Apr 15 12:14:15 2009
From: steve.mcnamara at gmail.com (Steve McNamara)
Date: Wed, 15 Apr 2009 17:14:15 +0100
Subject: [c-nsp] Using Cisco 3825 as Firewall Replacement
In-Reply-To: <935ead450904150735k21fe994fqe7e2670c2624ee45@mail.gmail.com>
References: <935ead450904150735k21fe994fqe7e2670c2624ee45@mail.gmail.com>
Message-ID: <494a4f80904150914jd9b0e06s4b9422d147d34c4a@mail.gmail.com>

Darin,

Sounds like the IOS zone based firewall might be applicable to what you are after - there is support for NAT.
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html

Note: I haven't configured this before so YMMV :-)

Steve

On Wed, Apr 15, 2009 at 15:35, Jeffrey Ollie wrote:
> On Wed, Apr 15, 2009 at 9:24 AM, Darin Herteen wrote:
>>
>> I have a customer whose firewall recently bricked and is unusable. This
>> device had previously served as a VPN to their LAN from the outside
>> world, restricted access between internal VLAN's, and provided NAT for
>> internal addresses to reach the internet. They happened to have a Cisco
>> 3825 laying around and I've been attempting to get this router
>> configured to duplicate the functionality of the now deceased firewall.
>> [...]
>> Does anybody have any recommendations or advice to offer regarding this setup and whether or not it can be accomplished.
>
> The 3825 is a fairly nice router, but it can't handle a lot of
> throughput. I don't recall the exact specs (and can't find on a quick
> search), but I think that it can only handle <100Mb/s. That seems
> kinda low but I think it wasn't really designed as a packet pusher,
> but instead is designed as a platform for services like VoIP etc.
> It can probably be configured to do what you want, but I'm sure
> you'll be disappointed with the performance, especially for LAN->LAN
> traffic.
>
> --
> Jeff Ollie

From lowen at pari.edu Wed Apr 15 13:11:25 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 15 Apr 2009 13:11:25 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <4E072EE9-04F5-4C83-BBCA-B8584E2AB44A@lixfeld.ca> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> Message-ID: <200904151311.26201.lowen@pari.edu> On Wednesday 15 April 2009 12:11:10 Jason Lixfeld wrote: > Again, the bandwidth going over the entire box is like 650Mbps spread > more or less evenly across the two LCs. Just a quick comment on this statement, and then in a few days I'll see if I can't set up a back-to-back test with the 12012 here. I don't have any Fore switches, but I do have the Catalyst 8540MSR, and I have a few 3Com Corebuilder 7000HD's with OC12 linecards, so I can set up a lab easily enough. I even have some of the ForeRunner HE622 OC12 ATM cards to pop in a server to generate traffic. I actually need to be testing the OC12 stuff anyway, since I have some multimode fiber runs that are too long for GigE but short enough to do OC12 multimode (550m is limit for 1000Base-LX on multimode 62.5 um even with mode- conditioning cables, and 800m is the limit for OC12 over the same fiber, and these links are in the mid 700's), so this is something I actually NEED to do at some point in time to upgrade those links from 100Base-FX; that's actually where the 8540MSR is getting deployed, to bridge/route some GigE over four OC12 links. But, back to the 12012, in full-bandwidth mode, the fabric is theoretically capable of giving 2.4Gb/s to each linecard. In quarter-bandwidth mode, you get 622Mb/s to each linecard. What does 'show controllers fia' tell you? Only engine 0 cards are supposed to run in quarter-bandwidth mode, but, given all the other 'undocumented' things about the GSR, who knows? (undocumented things like 'show fabric' for instance). I'm not even sure the 12008 can be set up in quarter bandwidth mode; the 12012 can, though. Also, last question, what IOS are you running? 
If you're not on 12.0(32)S12, you can be, even without a service contract, by filing a free upgrade request with TAC and reference either the September 24, 2008 security advisories or the latest March 25th advisory bundle.

From jdevane at switchnap.com Wed Apr 15 12:44:27 2009
From: jdevane at switchnap.com (Jim Devane)
Date: Wed, 15 Apr 2009 09:44:27 -0700
Subject: [c-nsp] VTY Lines
In-Reply-To:
Message-ID: <10188D798B596E4585DEAEAC62596D234237DF87@WATERFORD.switchnet.nv>

Well, restarting the router will do it, when that is not as feasible you can try:

Sh tcp br to get the TCB address, then clear that out with cle ip tcp tcb XXXXX

Router# sh tcp br
TCB       Local Address           Foreign Address        (state)
5AEE7990  2.2.2.2.179             2.2.2.3.17492          ESTAB
58F2E668  2.2.2.2.22              lifebook.11004         ESTAB
Router# cle ip tcp tcb 58F2E668

Take care to enter the right address, otherwise you may get some BGP messages for good measure. = )

HTH,
Jim

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stanly Johns
Sent: Wednesday, April 15, 2009 3:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VTY Lines

Hi there, even after clearing the vty lines they were still there. I was unable to telnet to the router. I had to restart the router to clear all the lines. any clue what could be the reason ? thanks.
Perimeter#sh users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
  322 vty 0               idle                     5w1d 190.42.12.218
  323 vty 1               idle                     5w0d client-201.230.86.15.speedy.net.pe
  324 vty 2               idle                     3w5d 151.56.21.165
  325 vty 3               idle                     2w4d client-190.40.212.198.speedy.net.pe
  326 vty 4               idle                     1w5d 84.36.28.19

  Interface    User               Mode         Idle     Peer Address

Perimeter#
Perimeter#clear line vty 2
[confirm]
 [OK]
Perimeter#
Perimeter#sh users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
  322 vty 0               idle                     5w1d 190.42.12.218
  323 vty 1               idle                     5w0d client-201.230.86.15.speedy.net.pe
  324 vty 2               idle                     3w5d 151.56.21.165
  325 vty 3               idle                     2w4d client-190.40.212.198.speedy.net.pe
  326 vty 4               idle                     1w5d 84.36.28.19

  Interface    User               Mode         Idle     Peer Address

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7
 login
!
scheduler allocate 20000 1000
!
end

Perimeter#

From peter at rathlev.dk Wed Apr 15 13:30:42 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 15 Apr 2009 19:30:42 +0200
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <4E072EE9-04F5-4C83-BBCA-B8584E2AB44A@lixfeld.ca>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151134.34595.lowen@pari.edu> <4E072EE9-04F5-4C83-BBCA-B8584E2AB44A@lixfeld.ca>
Message-ID: <1239816642.14908.6.camel@localhost.localdomain>

On Wed, 2009-04-15 at 12:11 -0400, Jason Lixfeld wrote:
> In this case, I can iperf 97Mbps between two machines connected
> together at 100Mb.

> Here's one of the tests we've done, and we were able to get ~97Mbps
> here:
>
> Macbook Pro -> Linksys 100Mb -> 1811 -> 7609 -> 10GE -> 7609 -> 3550 -
> > PC 100Mb NIC.

This may or may not be relevant, but depending on how much extra latency the 12008 introduces you might still have a client side limitation doing TCP.
Reasonable TCP window sizes and effective sender side congestion control are needed. How much latency end-to-end in the setup with/without the 12008? Making IPerf use a defined load in a UDP stream (e.g. 100 Mbps) and then measuring the loss would overcome this limitation of course. Regards, Peter From jason at lixfeld.ca Wed Apr 15 13:31:24 2009 From: jason at lixfeld.ca (Jason Lixfeld) Date: Wed, 15 Apr 2009 13:31:24 -0400 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? In-Reply-To: <200904151311.26201.lowen@pari.edu> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151311.26201.lowen@pari.edu> Message-ID: <009401DE-1293-42F0-A8CB-17BA5B658209@lixfeld.ca> On 15-Apr-09, at 1:11 PM, Lamar Owen wrote: > But, back to the 12012, in full-bandwidth mode, the fabric is > theoretically > capable of giving 2.4Gb/s to each linecard. In quarter-bandwidth > mode, you > get 622Mb/s to each linecard. What does 'show controllers fia' tell > you? Only > engine 0 cards are supposed to run in quarter-bandwidth mode, but, > given all > the other 'undocumented' things about the GSR, who knows? > (undocumented > things like 'show fabric' for instance). I'm not even sure the > 12008 can be > set up in quarter bandwidth mode; the 12012 can, though. 
show cont fia tells me that 0s are a good thing ;)

bdr1.nyc-hudson-12008#show controllers fia
Fabric configuration: 2.4Gbps bandwidth, redundant fabric
Master Scheduler: Slot 17  Backup Scheduler: Slot 16
Fab epoch no 0  Halt count 0

From Fabric FIA Errors
-----------------------
redund fifo parity 0          redund overflow 0         cell drops 0
crc32 lkup parity 0           cell parity 0             crc32 0

Switch cards present   0x001F    Slots  16 17 18 19 20
Switch cards monitored 0x001F    Slots  16 17 18 19 20
Slot:      16       17       18       19       20
Name:      csc0     csc1     sfc0     sfc1     sfc2
         -------- -------- -------- -------- --------
los         0        0        0        0        0
state      Off      Off      Off      Off      Off
crc16       0        0        0        0        0

To Fabric FIA Errors
-----------------------
sca not pres 0      req error 0            uni fifo overflow 0
grant parity 0      multi req 0            uni fifo undrflow 0
cntrl parity 0      uni req 0              crc32 lkup parity 0
multi fifo 0        empty dst req 0        handshake error 0
cell parity 0
bdr1.nyc-hudson-12008#

> Also, last question, what IOS are you running? If you're not on 12.0(32)S12,
> you can be, even without a service contract, by filing a free upgrade request
> with TAC and reference either the September 24, 2008 security advisories or
> the latest March 25th advisory bundle.

We're on S8, not S12. Anything sticking out about the S8 vs. S12, or just trying to make sure the yard is clean?

From jason at lixfeld.ca Wed Apr 15 13:42:08 2009
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Wed, 15 Apr 2009 13:42:08 -0400
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <1239816642.14908.6.camel@localhost.localdomain> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151134.34595.lowen@pari.edu> <4E072EE9-04F5-4C83-BBCA-B8584E2AB44A@lixfeld.ca> <1239816642.14908.6.camel@localhost.localdomain> Message-ID: <786E3613-1B62-4ACE-AAEC-FC69889E07D2@lixfeld.ca> On 15-Apr-09, at 1:30 PM, Peter Rathlev wrote: > This may or may not be relevant, but depending on how much extra > latency > the 12008 introduces you might still have a client side limitation > doing > TCP. Reasonable TCP window sizes and effective sender side congestion > control are needed. Good advice. Didn't consider that. > How much latency end-to-end in the setup with/without the 12008? 12ms (Toronto to New York and back) with the 12008. Haven't hair pinned a port on the New York Fore yet, so can't determine latency without the 12008. > Making IPerf use a defined load in a UDP stream (e.g. 100 Mbps) and > then > measuring the loss would overcome this limitation of course. I'd happily test that, however we don't have a machine on-site in New York, unless you (or anyone else, for that matter ;)) happen to have a box hanging off NYIIX that I could dump traffic to over our NYIIX link. > Regards, > Peter > > > From DLasher at newedgenetworks.com Wed Apr 15 13:12:32 2009 From: DLasher at newedgenetworks.com (Lasher, Donn) Date: Wed, 15 Apr 2009 10:12:32 -0700 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? In-Reply-To: <200904151134.34595.lowen@pari.edu> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151134.34595.lowen@pari.edu> Message-ID: -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lamar Owen Sent: Wednesday, April 15, 2009 8:35 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? 
>The GRP CPU is not involved in the data plane on a GSR; the LC >engine CPU's/ASICs do dCEF and talk directly over the fabric. Unless you have >serious fabric issues preventing full bandwidth, in which case you have bigger >problems. Depending on the protocol / encaps / engine age / packet-size, you may see very high CPU loads preventing line rates on certain cards. Try, as an example, (Engine0 GIG-E card + MPLS Labeling + QoS + ACL's). You'll see much higher CPU doing that, than say, the same thing on an Engine3 GIG-E card. From lowen at pari.edu Wed Apr 15 14:58:38 2009 From: lowen at pari.edu (Lamar Owen) Date: Wed, 15 Apr 2009 14:58:38 -0400 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? In-Reply-To: <786E3613-1B62-4ACE-AAEC-FC69889E07D2@lixfeld.ca> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> Message-ID: <200904151458.39229.lowen@pari.edu> On Wednesday 15 April 2009 13:42:08 Jason Lixfeld wrote: > On 15-Apr-09, at 1:30 PM, Peter Rathlev wrote: > > How much latency end-to-end in the setup with/without the 12008? > 12ms (Toronto to New York and back) with the 12008. Haven't hair > pinned a port on the New York Fore yet, so can't determine latency > without the 12008. Incidentally, the 'show fabric' undocumented command shows internal latencies across the fabric. The ATM SAR tax may be hitting you, too. From jason at lixfeld.ca Wed Apr 15 18:35:40 2009 From: jason at lixfeld.ca (Jason Lixfeld) Date: Wed, 15 Apr 2009 18:35:40 -0400 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? In-Reply-To: <200904151458.39229.lowen@pari.edu> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151458.39229.lowen@pari.edu> Message-ID: <87C6535E-34F1-451D-BD4F-B1E2CB5340AF@lixfeld.ca> On 15-Apr-09, at 2:58 PM, Lamar Owen wrote: > Incidentally, the 'show fabric' undocumented command shows internal > latencies > across the fabric. Highest latency on the fabric is 84ms, over two months ago. 
> The ATM SAR tax may be hitting you, too. Not being an ATM guru, I hope someone will clue-bat me if I get too far gone with my calculations below... An ATM cell payload is 48 bytes long. On top of each cell, there's a 5 byte ATM header. If my average packet size is 690 bytes, one packet would be stuffed into 15 cells. Each of those 15 cells would have an additional 5 bytes of overhead for the header. So, 5 bytes header for 15 cells = 75 bytes per 1 690 byte packet = 765 bytes/6120 bits. At the time the sample was taken, I was pulling in 27131pps over my two GSR ATM interfaces and pushing 32478pps over the same two interfaces. If my cell tax calculations are right, that would equal 166041720bps in and 198765360bps out across the GSR, but equally importantly, that would equal the same amount being put over the OC12 to Toronto. Correct me if I'm wrong, but based on this estimation, ATM cell tax wouldn't be an issue, would it? From David at Hughes.com.au Wed Apr 15 20:00:08 2009 From: David at Hughes.com.au (David Hughes) Date: Thu, 16 Apr 2009 10:00:08 +1000 Subject: [c-nsp] Nexus 5K FCoE to FC breakout Message-ID: Hi Seeing as this is all bleeding edge, I'd be very interested in any first hand experiences with breaking out FCoE to traditional FC via an N5K. Is it working OK? Are you running it as a switch or in NPV mode? How's the interop with your FC fabric (and who's gear are you using for FC switching). Whos CNA's are downstream of the N5K? Any thoughts, observations etc you can share about this brave new world would be greatly appreciated? Thanks David ... From jcdarby at usgs.gov Wed Apr 15 20:21:07 2009 From: jcdarby at usgs.gov (Justin C Darby) Date: Wed, 15 Apr 2009 20:21:07 -0400 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: References: Message-ID: Hello David, This is entirely my personal opinion and I'm sure some folks in the Nexus BU at Cisco would hit me for saying this given the chance. 
Unless you are using legacy FC devices, hold off on the 5K for this. The reason I say this is because a new class of storage devices and HBA's that use 10GbE native are hitting the market. Some vendors are mostly there, others not at all. I believe QLogic has HBA's available for this, and I know the major storage vendors are working on bringing FCoE storage devices to market. You've also got alternatives to FCoE that can use 10GbE for native transport now (iSCSI/ATA-over-Ethernet/etc). The operating cost (relative to performance) of using 10GbE to do FCoE native are considerably more advantageous than just consolidating 4xFC onto 10GbE.

However, if you've already got a bunch of FC gear and you want to consolidate the transport, there are people using 5K's for this (though I am not one of them), and given my experience with the 7K I am sure it'll work out as designed.

Have fun,
Justin

P.S. Opinions here are my own, not the views of the U.S. Government, etc.

-----cisco-nsp-bounces at puck.nether.net wrote: -----
To: "Cisco NSP ((E-mail))'"
From: David Hughes
Sent by: cisco-nsp-bounces at puck.nether.net
Date: 04/15/2009 07:07PM
Subject: [c-nsp] Nexus 5K FCoE to FC breakout

Hi

Seeing as this is all bleeding edge, I'd be very interested in any first hand experiences with breaking out FCoE to traditional FC via an N5K. Is it working OK? Are you running it as a switch or in NPV mode? How's the interop with your FC fabric (and who's gear are you using for FC switching). Whos CNA's are downstream of the N5K? Any thoughts, observations etc you can share about this brave new world would be greatly appreciated?

Thanks
David
...
From ibrahim.abozaid at gmail.com Wed Apr 15 22:22:38 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 16 Apr 2009 04:22:38 +0200
Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput?
In-Reply-To: <87C6535E-34F1-451D-BD4F-B1E2CB5340AF@lixfeld.ca>
References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> <200904151458.39229.lowen@pari.edu> <87C6535E-34F1-451D-BD4F-B1E2CB5340AF@lixfeld.ca>
Message-ID:

Dear Jason

I think ATM cell tax will be about 13% on average based on the following

ATM cell tax is composed of 2 parts
1- ATM overhead (5 bytes for each 53 byte cell and that is a fixed percent)
2- cell padding which depends on packet distribution

so ATM overhead will be 5/53 = ~ 4% and cell padding can be calculated as IP Packet size is 690 bytes will be padded with 30 bytes and transported as 720 bytes (15 cell x 48 payload size) so padding percentage will be ~ 9% (30 / 720 )

so overall ATM cell tax will be 13% based on the given packet size and for sure it will vary for other packet size values

best regards
--Ibrahim

On Thu, Apr 16, 2009 at 12:35 AM, Jason Lixfeld wrote:
>
> On 15-Apr-09, at 2:58 PM, Lamar Owen wrote:
>
> Incidentally, the 'show fabric' undocumented command shows internal
>> latencies
>> across the fabric.
>>
>
> Highest latency on the fabric is 84ms, over two months ago.
>
> The ATM SAR tax may be hitting you, too.
>>
>
> Not being an ATM guru, I hope someone will clue-bat me if I get too far
> gone with my calculations below...
>
> An ATM cell payload is 48 bytes long. On top of each cell, there's a 5
> byte ATM header.
>
> If my average packet size is 690 bytes, one packet would be stuffed into 15
> cells. Each of those 15 cells would have an additional 5 bytes of overhead
> for the header.
>
> So, 5 bytes header for 15 cells = 75 bytes per 1 690 byte packet = 765
> bytes/6120 bits.
>
> At the time the sample was taken, I was pulling in 27131pps over my two GSR
> ATM interfaces and pushing 32478pps over the same two interfaces. If my
> cell tax calculations are right, that would equal 166041720bps in and
> 198765360bps out across the GSR, but equally importantly, that would equal
> the same amount being put over the OC12 to Toronto.
>
> Correct me if I'm wrong, but based on this estimation, ATM cell tax
> wouldn't be an issue, would it?
>

From yevgeniy.voloshin at gmail.com Wed Apr 15 23:53:59 2009
From: yevgeniy.voloshin at gmail.com (Yevgeniy Voloshin)
Date: Thu, 16 Apr 2009 07:53:59 +0400
Subject: [c-nsp] VTY Lines
In-Reply-To:
References:
Message-ID: <49E6ABD7.4030402@gmail.com>

Hi,

I have the same problem on ME-C3750-24TE with Cisco IOS Software -> C3750ME Software (C3750ME-I5-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)

In 'sh tcp brief | i \.2[23]' output nothing about telnet ports. But all vty lines busy:

    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
    1 vty 0               idle                    1y11w xxx.xxx.xxx.xxx
    2 vty 1               idle                    1y11w xxx.xxx.xxx.xxx
    3 vty 2               idle                    1y11w xxx.xxx.xxx.xxx
    4 vty 3               idle                    1y11w xxx.xxx.xxx.xxx
    5 vty 4               idle                    1y11w xxx.xxx.xxx.xxx
    6 vty 5               idle                    1y11w xxx.xxx.xxx.xxx
    7 vty 6               idle                    1y11w xxx.xxx.xxx.xxx
    8 vty 7               idle                    41w5d xxx.xxx.xxx.xxx
    9 vty 8               idle                    34w5d xxx.xxx.xxx.xxx
   10 vty 9               idle                    34w5d xxx.xxx.xxx.xxx
   11 vty 10              idle                    31w0d xxx.xxx.xxx.xxx
   12 vty 11              idle                    17w2d xxx.xxx.xxx.xxx
   13 vty 12              idle                    16w6d xxx.xxx.xxx.xxx
   14 vty 13              idle                    16w6d xxx.xxx.xxx.xxx
   15 vty 14              idle                     2w2d xxx.xxx.xxx.xxx
   16 vty 15              idle                     2w2d xxx.xxx.xxx.xxx

So right now I am waiting MW to reload box with IOS upgrade.

---
Yev.
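The hung-vty condition in this thread (Stanly's and Yev's "sh users" output: every vty occupied by a session idle for weeks, so new logins are refused) can be picked up automatically from the command output. The following is an added example, not code from any poster: a small parser for IOS "show users" output that reports vty sessions idle beyond a threshold and whether the vty pool is full; the sample output is constructed from the lines quoted above, and the idle-time formats handled (hh:mm:ss, NdNNh, NwNd, NyNNw) are the ones IOS prints.

```python
import re

# Constructed sample, modelled on the 'sh users' output quoted in the thread.
SAMPLE_SHOW_USERS = """\
Perimeter#sh users
    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00
  322 vty 0               idle                     5w1d 190.42.12.218
  323 vty 1               idle                     5w0d client-201.230.86.15.speedy.net.pe
  324 vty 2               idle                     3w5d 151.56.21.165
  325 vty 3               idle                     2w4d client-190.40.212.198.speedy.net.pe
  326 vty 4               idle                     1w5d 84.36.28.19

  Interface    User               Mode         Idle     Peer Address
Perimeter#
"""

# IOS idle-time formats: hh:mm:ss, NdNNh, NwNd, NyNNw
IDLE_RE = re.compile(r"^(?:(\d+):(\d+):(\d+)|(\d+)d(\d+)h|(\d+)w(\d+)d|(\d+)y(\d+)w)$")
LINE_TYPES = ("con", "aux", "tty", "vty")


def idle_seconds(token):
    """Convert an IOS idle-time token into seconds (a year is taken as 365 days)."""
    m = IDLE_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised idle value: {token!r}")
    h, mi, s, d, dh, w, wd, y, yw = m.groups()
    if h is not None:
        return int(h) * 3600 + int(mi) * 60 + int(s)
    if d is not None:
        return int(d) * 86400 + int(dh) * 3600
    if w is not None:
        return (int(w) * 7 + int(wd)) * 86400
    return (int(y) * 365 + int(yw) * 7) * 86400


def parse_show_users(text):
    """One dict per session row. The optional User column makes fixed-width parsing
    unreliable, so each row is located by its Idle token instead."""
    sessions = []
    for raw in text.splitlines():
        toks = raw.split()
        if toks and toks[0] == "*":          # '*' marks the session running the command
            toks = toks[1:]
        if len(toks) < 5 or not toks[0].isdigit() or toks[1] not in LINE_TYPES:
            continue
        idle_idx = next((i for i, t in enumerate(toks) if i >= 4 and IDLE_RE.match(t)), None)
        if idle_idx is None:
            continue
        sessions.append({
            "line": f"{toks[1]} {toks[2]}",
            "user": toks[idle_idx - 2] if idle_idx >= 5 else "",
            "host": toks[idle_idx - 1],
            "idle_s": idle_seconds(toks[idle_idx]),
            "location": toks[idle_idx + 1] if idle_idx + 1 < len(toks) else "",
        })
    return sessions


def stale_vty_sessions(text, max_idle_days=1):
    """vty sessions idle longer than max_idle_days: candidates for 'clear line'
    and for reviewing the line's exec-timeout."""
    limit = max_idle_days * 86400
    return [s for s in parse_show_users(text)
            if s["line"].startswith("vty") and s["idle_s"] > limit]


def vty_exhausted(text, vty_count=5):
    """True when every configured vty ('line vty 0 4' gives 5) is occupied, which is
    the state in the thread where new telnet/ssh logins were refused."""
    occupied = {s["line"] for s in parse_show_users(text) if s["line"].startswith("vty")}
    return len(occupied) >= vty_count


if __name__ == "__main__":
    for s in stale_vty_sessions(SAMPLE_SHOW_USERS):
        print(f"{s['line']:<8} idle {s['idle_s'] // 86400:>4}d from {s['location']}")
    print("vty pool exhausted:", vty_exhausted(SAMPLE_SHOW_USERS))
```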
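Going back to the ATM cell-tax exchange between Jason Lixfeld and Ibrahim Abo Zaid earlier in this thread: the arithmetic is easy to get wrong by hand, so here is an added example (not from either poster) that carries it through in code. It reproduces Jason's header-only figure for 690-byte packets and his 27131/32478 pps samples, then does the full accounting the thread only sketches: the 8-byte AAL5 trailer, padding of the last cell to 48 bytes, and the full 53 bytes per cell on the wire. The OC-12c cell rate of 1,412,830 cells/s (599.04 Mb/s SONET payload divided by 424 bits per cell) is my figure, not one from the thread.

```python
import math

ATM_CELL_BYTES = 53
ATM_PAYLOAD_BYTES = 48
ATM_HEADER_BYTES = ATM_CELL_BYTES - ATM_PAYLOAD_BYTES   # 5
AAL5_TRAILER_BYTES = 8            # CPCS-UU, CPI, Length, CRC-32; left out of the thread's estimates
OC12C_CELLS_PER_SEC = 1_412_830   # 599.04 Mb/s SONET payload / 424 bits per cell


def cells_per_packet(pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Cells needed for one packet; the last cell is padded out to 48 bytes."""
    return math.ceil((pkt_bytes + trailer_bytes) / ATM_PAYLOAD_BYTES)


def padding_bytes(pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Padding added so that packet + trailer fills a whole number of cells."""
    return cells_per_packet(pkt_bytes, trailer_bytes) * ATM_PAYLOAD_BYTES - pkt_bytes - trailer_bytes


def wire_bits_per_packet(pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Bits actually occupying the link: every cell is a full 53 bytes."""
    return cells_per_packet(pkt_bytes, trailer_bytes) * ATM_CELL_BYTES * 8


def cell_tax(pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Fraction of link bits that are not packet bytes (header + trailer + padding)."""
    return 1 - pkt_bytes * 8 / wire_bits_per_packet(pkt_bytes, trailer_bytes)


def header_only_bits(pkt_bytes):
    """Jason's estimate: packet bytes plus 5 header bytes per cell, no trailer or padding."""
    return (pkt_bytes + cells_per_packet(pkt_bytes, 0) * ATM_HEADER_BYTES) * 8


def link_load_bps(pps, pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Link occupancy for a packet rate at a given average packet size."""
    return pps * wire_bits_per_packet(pkt_bytes, trailer_bytes)


def oc12c_max_pps(pkt_bytes, trailer_bytes=AAL5_TRAILER_BYTES):
    """Packet rate at which packets of this size fill an OC-12c ATM link."""
    return OC12C_CELLS_PER_SEC // cells_per_packet(pkt_bytes, trailer_bytes)


if __name__ == "__main__":
    size = 690   # average size derived from the interface load figures in the thread
    print(f"{size}-byte packets: {cells_per_packet(size)} cells, "
          f"{padding_bytes(size)} bytes padding, cell tax {cell_tax(size):.1%}")
    print(f"Jason's header-only figure at 27131 pps: {header_only_bits(size) * 27131} bps")
    print(f"Full cell accounting at 27131 pps:      {link_load_bps(27131, size)} bps")
    print(f"OC-12c fill rate at this size: {oc12c_max_pps(size)} pps "
          f"= {oc12c_max_pps(size) * size * 8 / 1e6:.0f} Mb/s of IP payload")
```

Note the step at a cell boundary: 712-byte packets still fit in 15 cells with the trailer, 713-byte packets need 16, so the tax is not a smooth percentage of packet size.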
From bdikici at gmail.com Thu Apr 16 00:11:56 2009 From: bdikici at gmail.com (Burak Dikici) Date: Thu, 16 Apr 2009 07:11:56 +0300 Subject: [c-nsp] Classify geographical traffic with BGP In-Reply-To: <3e4b8fe10904150617v39f7198fsde71acb4af8cd218@mail.gmail.com> References: <49E521F4.4000705@rainierconnect.net> <3e4b8fe10904141923y28c023edt8407055824e39adc@mail.gmail.com> <3e4b8fe10904150617v39f7198fsde71acb4af8cd218@mail.gmail.com> Message-ID: Hi Rich , I am thinking on my international ISP community options. I have tired before the as path prepending configuration with my international ISP. But as a result , i was still getting some inbound traffic through international ISP. If i use their community options , for example if i advetise my subnet with "send-community" option and 1106 for x6 times prepending , is this option going to solve the unwanted inbound traffic problem ? ( http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=AS29259&do_search=Search did you remember this address ? :) ) I think that if the as path prepending configuration works well , the inbound traffic to my AS through international ISP will be used as backup state. But , as you know in my scenario for example just international traffic goes from international ISP and come back through the same link. What do you say , am i thinking wrong ? Regards... Burak Dikici On Wed, Apr 15, 2009 at 4:17 PM, Rich Davies wrote: > Burak, > > Yes sorry if i wasnt clear. Basically you can apply the route map for > your session to provider A to change the local pref on those learned > prefixes. You could leave the session to provider B untouched (no route > map inbound or outbound) and you will achieve "some" traffic changes since > you're tagging specific prefixes to send to provider A and they would not go > to provider B (out of country). > > > -Rich > > > On Wed, Apr 15, 2009 at 2:45 AM, Burak Dikici wrote: > >> Hi Rich , >> >> Sorry about my last reply. 
I couldn't catch the note in your previous >> message. You said ; >> >> "Notice I am not applying a route-map to the other BGP session (3.3.3.3, >> AS 33333) because all these routes get their default values (local pref of >> 100, less preferrable). The route map will allow all the other prefixes >> there is no implicit deny, it merely tags routes matching ACL 10 with local >> pref 150." >> >> >> >> >> On Wed, Apr 15, 2009 at 9:34 AM, Burak Dikici wrote: >> >>> Hi Rich , >>> >>> What do you think about this command ? >>> >>> "neighbor 3.3.3.3 description PROVIDER_B_OUTSIDE_COUNTRY" >>> >>> This command doesn't have any direction. >>> >>> Burak >>> >>> >>> >>> On Wed, Apr 15, 2009 at 5:23 AM, Rich Davies wrote: >>> >>>> Burak, >>>> >>>> BTW this line should not have been in my example: >>>> >>>> neighbor 2.2.2.2 route-map PROVIDER_A_INSIDE_COUNTRY out >>>> >>>> Definately do not want to tag outbound routes in that method as they do >>>> not originate from you (Doh!!). >>>> >>>> >>>> -Rich >>>> >>>> On Tue, Apr 14, 2009 at 8:15 PM, Burak Dikici wrote: >>>> >>>>> By the way i wonder , how can it be done symmetrical traffic flow in >>>>> this >>>>> scenario ? Local traffic goes from local ISP and the return traffic >>>>> comes >>>>> back through local ISP. Outside of the country traffic goes from >>>>> international IPS and the return traffic comes back through >>>>> internaional >>>>> ISP. I don't want to cause any asymmetrical traffic flow between >>>>> different >>>>> ISPs and my site. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Apr 15, 2009 at 2:53 AM, Walter Keen < >>>>> walter.keen at rainierconnect.net >>>>> > wrote: >>>>> >>>>> > If you are not advertising any space, I would imagine an AS path >>>>> filter >>>>> > on ISP-1 (limited to 1 or 2 hops, if that works for you) and no AS >>>>> path >>>>> > filter on ISP-2 would do the trick. You would want a floating static >>>>> > default route(s) for outbound traffic redundancy. 
>>>>> > >>>>> > Now, if you are advertising space, as path prepending may be one way >>>>> to >>>>> > go as far as inbound traffic goes, but it gets messy in a situation >>>>> like >>>>> > this one. If you prepend your AS number too many times out ISP1, >>>>> then >>>>> > traffic you may have wanted to come in ISP1 may see ISP2 as a closer >>>>> > route (less AS hops). >>>>> > >>>>> > Burak Dikici wrote: >>>>> > > Hello , >>>>> > > >>>>> > > I have got one internet router running BGP , and this router has >>>>> got >>>>> > > connections with two different ISPs. One of the ISP is local for my >>>>> > country >>>>> > > and the other ISP's location is outside of my country. I want to >>>>> classify >>>>> > > geographical traffic with BGP. For example , local traffic to my >>>>> country >>>>> > > will go through ISP-1 (local ISP) , outside traffic to my country >>>>> will go >>>>> > > through ISP-2 (outside of my country ISP). What i have to do to >>>>> achieve >>>>> > that >>>>> > > kind of configuration ? If i have to use AS path filter , how can i >>>>> find >>>>> > the >>>>> > > local ISP AS path numbers and how can i configure AS path filter >>>>> for this >>>>> > > request ? Is that enough using the as-path filter just for the >>>>> national >>>>> > ISP >>>>> > > or should i use it for international ISP also ? >>>>> > > >>>>> > > If i use AS-path filter for both ISP connections , what will >>>>> happen to >>>>> > > redundancy ? I mean , for example i filter national AS numbers at >>>>> the >>>>> > > international ISP connection and deny them. Secondly , i filter >>>>> national >>>>> > AS >>>>> > > numbers at the national ISP connection , permit them and the other >>>>> AS >>>>> > > numbers will be denied. In this situation , what will happen if the >>>>> local >>>>> > > ISP connection goes down ? 
Because of filtering of the national AS >>>>> > numbers >>>>> > > at the international ISP connection , the BGP table doesn't take >>>>> any >>>>> > updates >>>>> > > from the local AS numbers. I hope , i could explain the situation >>>>> > correctly. >>>>> > > >>>>> > > >>>>> > > Kind Regards... >>>>> > > >>>>> > > Burak Dikici >>>>> > > _______________________________________________ >>>>> > > cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> > > https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> > > archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>> > > >>>>> > >>>>> > >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>> >>>> >>>> >>> >> > From chris.garzon at gmail.com Thu Apr 16 00:18:53 2009 From: chris.garzon at gmail.com (Dracul) Date: Thu, 16 Apr 2009 12:18:53 +0800 Subject: [c-nsp] VTY Lines In-Reply-To: <49E6ABD7.4030402@gmail.com> References: <49E6ABD7.4030402@gmail.com> Message-ID: <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> If you are running a critical network without the convenience of rebooting, Jim's Router# cle ip tcp tcb 58F2E668 worked for me but take note some IOS use the Router#clear tcp tcb (without the 'ip') regards, chris 2009/4/16 Yevgeniy Voloshin > Hi, > > I have the same problem on ME-C3750-24TE with Cisco IOS Software -> C3750ME > Software (C3750ME-I5-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1) > > In 'sh tcp brief | i \.2[23]' output nothing about telnet ports. 
But all > vty lines busy: > Line User Host(s) Idle Location > * 0 con 0 idle 00:00:00 1 vty 0 > idle 1y11w xxx.xxx.xxx.xxx > 2 vty 1 idle 1y11w xxx.xxx.xxx.xxx > 3 vty 2 idle 1y11w xxx.xxx.xxx.xxx > 4 vty 3 idle 1y11w xxx.xxx.xxx.xxx > 5 vty 4 idle 1y11w xxx.xxx.xxx.xxx > 6 vty 5 idle 1y11w xxx.xxx.xxx.xxx > 7 vty 6 idle 1y11w xxx.xxx.xxx.xxx > 8 vty 7 idle 41w5d xxx.xxx.xxx.xxx > 9 vty 8 idle 34w5d xxx.xxx.xxx.xxx > 10 vty 9 idle 34w5d xxx.xxx.xxx.xxx > 11 vty 10 idle 31w0d xxx.xxx.xxx.xxx > 12 vty 11 idle 17w2d xxx.xxx.xxx.xxx > 13 vty 12 idle 16w6d xxx.xxx.xxx.xxx > 14 vty 13 idle 16w6d xxx.xxx.xxx.xxx > 15 vty 14 idle 2w2d xxx.xxx.xxx.xxx > 16 vty 15 idle 2w2d xxx.xxx.xxx.xxx > > > So right now I am waiting MW to reload box with IOS upgrade. > > > --- > Yev. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From brhedlun at cisco.com Thu Apr 16 00:25:45 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Wed, 15 Apr 2009 23:25:45 -0500 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: Message-ID: If "legacy FC devices" means FC attached storage arrays, well that would be just about everything out there today. Current and next generation C-N-A's do not operate any differently in how FC attached storage is accessed (via a Nexus 5K with FC uplinks). Even with FCoE attached storage the Nexus 5K is still a key piece of the server access architecture. iSCSI at 10GE has its challenges as there is an order of magnitude increase in TCP processing requirements at 10GE vs. 1GE, 10x more buffers required for TCP windowing for sustained 10GE throughput under latency, 10x more packets-per-second requiring TCP offload processing. All of which drives up the cost of the 10GE iSCSI HBA. 
Not all 10GE iSCSI HBA's may have these resources, so it will be interesting to see how those adapters perform under varying latencies and varying loads vs. FCoE. FCoE does not have the TCP processing overhead and leverages the hardware capabilities of the Nexus 5000 to provide the lossless transport to storage, regardless if the array is FC or FCoE attached. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org On 4/15/09 7:21 PM, "Justin C Darby" wrote: > > Hello David, > > This is entirely my personal opinion and I'm sure some folks in the Nexus > BU at Cisco would hit me for saying this given the chance. > > Unless you are using legacy FC devices, hold off on the 5K for this. The > reason I say this is because a new class of storage devices and HBA's that > use 10GbE native are hitting the market. Some vendors are mostly there, > others not at all. I beleive QLogic has HBA's available for this, and I > know the major storage vendors are working on bringing FCoE storage devices > to market. You've also got alternatives to FCoE that can use 10GbE for > native transport now (iSCSI/ATA-over-Ethernet/etc). > > The operating cost (relative to performance) of using 10GbE to do FCoE > native are considerably more advantageous than just consolidating 4xFC onto > 10GbE. However, if you've already got a bunch of FC gear and you want to > consolidate the transport, there are people using 5K's for this (though I > am not one of them), and given my experience with the 7K i am sure it'll > work out as designed. > > Have fun, > Justin > > P.S. Opinions here are my own, not the views of the U.S. Government, etc. 
> > -----cisco-nsp-bounces at puck.nether.net wrote: ----- > To: "Cisco NSP ((E-mail))'" > From: David Hughes > Sent by: cisco-nsp-bounces at puck.nether.net > Date: 04/15/2009 07:07PM > Subject: [c-nsp] Nexus 5K FCoE to FC breakout > > Hi Seeing as this is all bleeding edge, I'd be very interested in any > first hand experiences with breaking out FCoE to traditional FC via an > N5K. Is it working OK? Are you running it as a switch or in NPV mode? > How's the interop with your FC fabric (and who's gear are you using for > FC switching). Whos CNA's are downstream of the N5K? Any thoughts, > observations etc you can share about this brave new world would be > greatly appreciated? Thanks David ... > _______________________________________________ cisco-nsp mailing list > cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp archive at > http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ltd at cisco.com Thu Apr 16 00:39:04 2009 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 16 Apr 2009 14:39:04 +1000 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: References: Message-ID: <49E6B668.6000001@cisco.com> g'day Dave, i'll reply, because i can , David Hughes wrote: > Seeing as this is all bleeding edge, I'd be very interested in any > first hand experiences with breaking out FCoE to traditional FC via an > N5K. Is it working OK? of course, i'll be biased here, but - yes - no issues with it working just fine. a big part of saying this is that NX-OS is SAN-OS which has been field-proven over the years to be a sound reliable basis for SAN switching. > Are you running it as a switch or in NPV mode? i know of multiple production networks running it both ways, in NPV and as a traditional ISL (E_Port). 
again, the 'code' to run both is the same as the code on Cisco MDS. > How's the interop with your FC fabric (and who's gear are you using > for FC switching). Cisco supports standards-based interop. i guess with NPV the intent is that its a F_Port so should be no interop challenges there anyway. > Whos CNA's are downstream of the N5K? you can choose Q or E variety today. > Any thoughts, observations etc you can share about this brave new > world would be greatly appreciated? i'll let others comment on that part. cheers, lincoln. > > > Thanks > > David > ... > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From engel.labiro at gmail.com Thu Apr 16 02:33:47 2009 From: engel.labiro at gmail.com (Engelhard Labiro) Date: Thu, 16 Apr 2009 15:33:47 +0900 Subject: [c-nsp] VTY Lines In-Reply-To: <49E6ABD7.4030402@gmail.com> References: <49E6ABD7.4030402@gmail.com> Message-ID: <62D4BBB1-19AA-4584-B96A-B1EFA92C899D@gmail.com> Is this bug or just config under vty that disabled session timeout? Do you have entry "exec timeout 0 0" at line vty? On 2009/04/16, at 12:53, Yevgeniy Voloshin wrote: > Hi, > > I have the same problem on ME-C3750-24TE with Cisco IOS Software -> > C3750ME Software (C3750ME-I5-M), Version 12.2(44)SE, RELEASE > SOFTWARE (fc1) > > In 'sh tcp brief | i \.2[23]' output nothing about telnet ports. 
But > all vty lines busy: > Line User Host(s) Idle Location > * 0 con 0 idle 00:00:00 1 vty > 0 idle 1y11w xxx.xxx.xxx.xxx > 2 vty 1 idle 1y11w xxx.xxx.xxx.xxx > 3 vty 2 idle 1y11w xxx.xxx.xxx.xxx > 4 vty 3 idle 1y11w xxx.xxx.xxx.xxx > 5 vty 4 idle 1y11w xxx.xxx.xxx.xxx > 6 vty 5 idle 1y11w xxx.xxx.xxx.xxx > 7 vty 6 idle 1y11w xxx.xxx.xxx.xxx > 8 vty 7 idle 41w5d xxx.xxx.xxx.xxx > 9 vty 8 idle 34w5d xxx.xxx.xxx.xxx > 10 vty 9 idle 34w5d xxx.xxx.xxx.xxx > 11 vty 10 idle 31w0d xxx.xxx.xxx.xxx > 12 vty 11 idle 17w2d xxx.xxx.xxx.xxx > 13 vty 12 idle 16w6d xxx.xxx.xxx.xxx > 14 vty 13 idle 16w6d xxx.xxx.xxx.xxx > 15 vty 14 idle 2w2d xxx.xxx.xxx.xxx > 16 vty 15 idle 2w2d xxx.xxx.xxx.xxx > > > So right now I am waiting MW to reload box with IOS upgrade. > > > --- > Yev. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From hegedus.gabor at euroway.hu Thu Apr 16 03:56:00 2009 From: hegedus.gabor at euroway.hu (Hegedus Gabor) Date: Thu, 16 Apr 2009 09:56:00 +0200 Subject: [c-nsp] VPN 3000 certificate based S2S Message-ID: <49E6E490.6000302@euroway.hu> Hi all! I don't find answer to my question on the net. My problem is the following: I have a cisco VPN 3000 device, and we want site-2-site vpn with this device. I got the root CA cert and I added it successfully. I have our certificate what is in coded format .p12 file with password. How can I install this p12 file, because only cert request is allowed on the VPN concentrator, I can't upload(install) my cert simply. I tried it on ASA, and it works good, i can install root ca and my ca both on it. I don't want send cert request to the root ca, cos I already have all cert file. What can I do with my p12 ? convert it to what? What are extensions and file formats the vpn3000 look out in identity cert section? any suggestion? 
thank you, Gabor From David at hughes.com.au Thu Apr 16 04:29:07 2009 From: David at hughes.com.au (David Hughes) Date: Thu, 16 Apr 2009 18:29:07 +1000 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: References: Message-ID: <0FADF09F-90F9-4E9A-8AC4-070A604B53F0@hughes.com.au> Hi Justin, On 16/04/2009, at 10:21 AM, Justin C Darby wrote: > Unless you are using legacy FC devices, hold off on the 5K for this. > The > reason I say this is because a new class of storage devices and > HBA's that > use 10GbE native are hitting the market. Some vendors are mostly > there, > others not at all. I haven't seen much activity on the native FCoE storage front yet. Hanging storage directly off a N7K (when there are FCoE linecards for it) is the perfect solution but that's a way off. There isn't even multi-hop support for FCoE yet so doing a "real" FCoE end-to-end solution is not going to happen too soon. It all sounds very cool but I think the paint is still quite wet on this stuff. FCoE to FC break- out looks like a reasonable intermediary step. Do you have details on native FCoE storage offerings? Thanks David ... 
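The "VTY Lines" thread above shows the symptom (Yevgeniy's table of sixteen vty lines, all idle for weeks or more than a year) and Engelhard's question about `exec timeout 0 0` points at one cause. The following is an added Python example, not code from any poster: a parser for the `Line User Host(s) Idle Location` table that converts the IOS idle field (`1y11w`, `41w5d`, `00:04:12`) to seconds and flags vty sessions idle beyond a threshold, so a polling script can alert before every line is consumed and the box becomes unmanageable. The sample output is constructed to mirror the thread's table, with documentation-range addresses in place of the masked ones.

```python
import re
from typing import List

# Constructed sample modelled on the "show users" table posted in the thread.
# Addresses are documentation-range placeholders, not real hosts.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
     1 vty 0              idle                 1y11w      192.0.2.10
     8 vty 7              idle                 41w5d      192.0.2.11
    15 vty 14             idle                 2w2d       192.0.2.12
    16 vty 15  admin      idle                 00:04:12   192.0.2.13
"""

# Idle column shapes: hh:mm:ss for short idles, or unit-suffixed counts
# such as 1y11w / 41w5d / 1d02h for long ones.
IDLE_RE = re.compile(r"^(?:\d{2}:\d{2}:\d{2}|(?:\d+[ywdh])+)$")
UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}


def parse_idle(text: str) -> int:
    """Convert an IOS idle field ('1y11w', '41w5d', '00:04:12') to seconds."""
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([ywdh])", text))


def parse_show_users(output: str) -> List[dict]:
    """Parse the 'Line User Host(s) Idle Location' table into records.

    User and Location may be blank, so the Idle column is located by shape
    rather than by position.
    """
    sessions = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Line"):
            continue
        if line.startswith("*"):          # marker for the session issuing the command
            line = line[1:].strip()
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].isdigit():
            continue
        idle_idx = next((i for i, t in enumerate(tokens) if IDLE_RE.match(t)), None)
        if idle_idx is None:
            continue
        location = tokens[idle_idx + 1] if idle_idx + 1 < len(tokens) else ""
        sessions.append({
            "line": int(tokens[0]),
            "type": tokens[1],            # con / vty / aux / tty
            "idle_seconds": parse_idle(tokens[idle_idx]),
            "location": location,
        })
    return sessions


def hung_vty_sessions(output: str, max_idle_seconds: int) -> List[dict]:
    """Return vty sessions idle longer than the threshold (candidates for clearing)."""
    return [s for s in parse_show_users(output)
            if s["type"] == "vty" and s["idle_seconds"] > max_idle_seconds]


if __name__ == "__main__":
    for s in hung_vty_sessions(SAMPLE_SHOW_USERS, 7 * 86400):
        days = s["idle_seconds"] // 86400
        print(f"vty line {s['line']} idle {days} days from {s['location'] or '?'}")
```

With a one-week threshold the constructed sample flags lines 1, 8 and 15 and leaves the active admin session alone. On the prevention side, Engelhard's question is the right one: a vty line with `exec-timeout 0 0` never reclaims an idle session, so a finite exec-timeout, together with `service tcp-keepalives-in` so the router tears down sessions whose peer has silently vanished, keeps a stale session from holding a line indefinitely; the `clear tcp tcb` procedure quoted by Dracul is the recovery path once a line is already stuck.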
From eric at atlantech.net  Thu Apr 16 08:46:51 2009
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 16 Apr 2009 08:46:51 -0400
Subject: [c-nsp] VTY Lines
In-Reply-To: <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
References: <49E6ABD7.4030402@gmail.com>
	<876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Dracul
> Sent: Thursday, April 16, 2009 12:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VTY Lines
>
> If you are running a critical network without the convenience of
> rebooting,
> Jim's Router# cle ip tcp tcb 58F2E668 worked for me
>
> but take note some IOS use the Router#clear tcp tcb (without the 'ip')
>
> regards,
> chris

If you can't gain access to the CLI, it is possible to reset vty TCP sessions using SNMP, assuming you have a read-write string configured on the device. I personally don't know the procedure, but there are tools out there such as the Solarwinds Engineers Edition toolset that let you do this. If anyone knows the right procedure, maybe they can post it here.
-evt From ler762 at gmail.com Thu Apr 16 09:08:03 2009 From: ler762 at gmail.com (Lee) Date: Thu, 16 Apr 2009 09:08:03 -0400 Subject: [c-nsp] VTY Lines In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> Message-ID: On 4/16/09, Eric Van Tol wrote: >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of Dracul >> Sent: Thursday, April 16, 2009 12:19 AM >> To: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] VTY Lines >> >> If you are running a critical network without the convenience of >> rebooting, >> Jim's Router# cle ip tcp tcb 58F2E668 worked for me >> >> but take note some IOS use the Router#clear tcp tcb (without the 'ip') >> >> regards, >> chris > > If you can't gain access to the CLI, it is possible to reset vty TCP > sessions using SNMP, assuming you have a read-write string configured on the > device. I personally don't know the procedure, but there are tools out > there such as the Solarwinds Engineers Edition toolset that let you do this. > If anyone knows the right procedure, maybe they can post it here. How to Detect and Clear Hung TCP Connections using SNMP http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml From alijawad1 at gmail.com Thu Apr 16 10:16:58 2009 From: alijawad1 at gmail.com (Ali Jawad) Date: Thu, 16 Apr 2009 07:16:58 -0700 Subject: [c-nsp] Cisco router randomly not serving DHCP responses Message-ID: Hi I got a Cisco router, it is also the DHCP server of my network the detail are below. For some reason the server randomly stops serving IPs to workstations, even a repair conection does not work. Some computers have a valid IP but it does not get renewed. 
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(17b), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Tue 26-Feb-08 01:46 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

I did enable debug and I got:

Adding to the above, I got the following debug info... as you can see below, the MAC address 0016.d490.8e9a is trying to get an IP but it is getting the answer "DHCPD: Allocate an address without class information", while 0100.40f4.9689 got 192.168.0.204.

Router#
*Apr 16 14:36:43.375: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:36:43.375: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:36:43.647: %HA_EM-6-LOG: CLIAccounting: terminal monitor
*Apr 16 14:37:00.535: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:37:00.535: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:37:05.375: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:37:05.379: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:37:16.375: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:37:16.375: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:37:29.375: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:37:29.379: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:37:42.375: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:37:42.375: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:37:43.551: DHCPD: DHCPINFORM received from client 0100.40f4.9689.ec (192.168.0.204).
*Apr 16 14:37:43.551: DHCPD: Sending DHCPACK to client 0100.40f4.9689.ec (192.168.0.204).
*Apr 16 14:37:43.551: DHCPD: unicasting BOOTREPLY to client 0040.f496.89ec (192.168.0.204).
*Apr 16 14:37:46.555: DHCPD: DHCPINFORM received from client 0100.40f4.9689.ec (192.168.0.204).
*Apr 16 14:37:46.555: DHCPD: Sending DHCPACK to client 0100.40f4.9689.ec (192.168.0.204).
*Apr 16 14:37:46.555: DHCPD: unicasting BOOTREPLY to client 0040.f496.89ec (192.168.0.204).
*Apr 16 14:38:00.371: DHCPD: DHCPDISCOVER received from client 0016.d490.8e9a on interface FastEthernet0/1.
*Apr 16 14:38:00.371: DHCPD: Allocate an address without class information (192.168.0.0)
*Apr 16 14:38:07.115: DHCPD: DHCPINFORM received from client 0100.1676.6d3b.5e (192.168.0.182).
*Apr 16 14:38:07.115: DHCPD: Sending DHCPACK to client 0100.1676.6d3b.5e (192.168.0.182).
*Apr 16 14:38:07.115: DHCPD: unicasting BOOTREPLY to client 0016.766d.3b5e (192.168.0.182).
*Apr 16 14:38:10.115: DHCPD: DHCPINFORM received from client 0100.1676.6d3b.5e (192.168.0.182).
*Apr 16 14:38:10.115: DHCPD: Sending DHCPACK to client 0100.1676.6d3b.5e (192.168.0.182).
*Apr 16 14:38:10.115: DHCPD: unicasting BOOTREPLY to client 0016.766d.3b5e (192.168.0.182).

Please advise.

The pool is:

#show ip dhcp pool

Pool centrale :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 143
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addr
 0.0.0.0              192.168.0.1      - 192.168.0.254     143

From frosya84 at mail.ru  Thu Apr 16 10:50:30 2009
From: frosya84 at mail.ru (Ольга Ружанская)
Date: Thu, 16 Apr 2009 18:50:30 +0400
Subject: [c-nsp] SNMP MIB for NetFlow TCAM utilization (Ruzhanskaya Olga)
Message-ID: 

Hello List!

Maybe someone has already solved this problem. We need to watch TCAM utilization for NetFlow via SNMP.
But I haven't find SNMP MIB dedicated for this situation:-( We've tried to find it in this groups: CISCO-NETFLOW-MIB, CISCO-SWITCH-ENGINE-MIB.. There are nothing for NetFlow TCAM utilization. Any idea? Best regards, Olga From jcdarby at usgs.gov Thu Apr 16 11:06:48 2009 From: jcdarby at usgs.gov (Justin C Darby) Date: Thu, 16 Apr 2009 11:06:48 -0400 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: <0FADF09F-90F9-4E9A-8AC4-070A604B53F0@hughes.com.au> References: <0FADF09F-90F9-4E9A-8AC4-070A604B53F0@hughes.com.au>, Message-ID: Unfortunately, no. Outside of multiple vendors promising it's coming soon, it's been smoke and mirrors. I think the major players up front are going to be EMC and NetApp, with NetApp in theory having devices on the market right now I haven't seen yet. ( http://www.netapp.com/us/products/protocols/fcoe/ ) We're actually using in-house built ATA-over-Ethernet devices which have similar advantages, but this isn't very 'enterprisey' - this was us trying to find a way to deal with extreme I/O loads on giant Oracle databases (which are now back to being CPU bound for the first time in years). They also beat the heck out of 4x FC interfaces, preforming at 600-800MB/s, for most of our applications under load. There are a bunch of people jumping all over this, but I haven't seen results quite yet, I'm just expecting to see them this year. The existence of HBA's means its coming - Cisco's UCS design actually counts on having FCoE 10GbE HBA's if what I'm reading about them is correct. Justin -----David Hughes wrote: ----- To: Justin C Darby From: David Hughes Date: 04/16/2009 05:40AM cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Nexus 5K FCoE to FC breakout Hi Justin, On 16/04/2009, at 10:21 AM, Justin C Darby wrote: > Unless you are using legacy FC devices, hold off on the 5K for this. > The > reason I say this is because a new class of storage devices and > HBA's that > use 10GbE native are hitting the market. 
Some vendors are mostly > there, > others not at all. I haven't seen much activity on the native FCoE storage front yet. Hanging storage directly off a N7K (when there are FCoE linecards for it) is the perfect solution but that's a way off. There isn't even multi-hop support for FCoE yet so doing a "real" FCoE end-to-end solution is not going to happen too soon. It all sounds very cool but I think the paint is still quite wet on this stuff. FCoE to FC break- out looks like a reasonable intermediary step. Do you have details on native FCoE storage offerings? Thanks David ... From largent at ai.net Thu Apr 16 12:48:24 2009 From: largent at ai.net (L'argent) Date: Thu, 16 Apr 2009 12:48:24 -0400 Subject: [c-nsp] 3560E wire-speed or not? Message-ID: <49E76158.6020005@ai.net> Quick question regarding whether a 3560E is wire-speed or not. According to the Cisco website here: http://www.cisco.com/en/US/products/ps7078/prod_models_comparison.html For example, I don't see how a 3560E-12D and a 3560-12SD can both be wirespeed when their max PPS is different only by a factor of 2. The PPS numbers (unless I've done my math wrong) seem to imply *not* wirespeed. However on the product data sheets and the video introduction it says "wirespeed". Such as here: http://www.youtube.com/watch?v=ake-nsGcwd8 and http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/product_data_sheet0900aecd805bac22.html Anything conclusive anyone can share with me? Our application is to aggregate several 1Gb/s VLANs onto 10G and back. The QOS/buffering problems others have mentioned shouldn't be an issue for this, but I'd rather not run into any exotic TCAM forwarding limitations that some how modify the wire-speed classification. 
Thanks in advance,
LA

From bdikici at gmail.com  Thu Apr 16 13:52:24 2009
From: bdikici at gmail.com (Burak Dikici)
Date: Thu, 16 Apr 2009 20:52:24 +0300
Subject: [c-nsp] Classify geographical traffic with BGP
In-Reply-To: <3e4b8fe10904160707l1568eff8s439c59bc45004019@mail.gmail.com>
References: <49E521F4.4000705@rainierconnect.net>
	<3e4b8fe10904141923y28c023edt8407055824e39adc@mail.gmail.com>
	<3e4b8fe10904150617v39f7198fsde71acb4af8cd218@mail.gmail.com>
	<3e4b8fe10904160707l1568eff8s439c59bc45004019@mail.gmail.com>
Message-ID: 

Hi Rich,

With this configuration, I am still getting inbound traffic from germany_isp. I didn't use the "neighbor send-community" command in the configuration; does that cause any problem? When I check my advertised route from the at&t router, it is looking prepended.

router bgp 5555
 neighbor GERMANY_ISP_IP_ADDRESS remote-as 29259
 neighbor GERMANY_ISP_IP_ADDRESS description Germany_ISP
 address-family ipv4
  no synchronization
  neighbor GERMANY_ISP_IP_ADDRESS activate
  neighbor GERMANY_ISP_IP_ADDRESS route-map AS_path_prepend_for_germany_ISP out
  neighbor GERMANY_ISP_IP_ADDRESS filter-list 10 out
!
ip as-path access-list 10 permit ^$
!
route-map AS_path_prepend_for_germany_ISP permit 10
 match ip address 54
 set as-path prepend 5555 5555 5555
!
route-map AS_path_prepend_for_germany_ISP permit 20

By the way, what is the difference between the configs;

*!!!!! CONFIG-1 !!!!!*

route-map AS_path_prepend_for_germany_ISP permit 10
 match ip address 54
 set as-path prepend 5555 5555
!
route-map AS_path_prepend_for_germany_ISP permit 20

router bgp 5555
 neighbor GERMANY_ISP_IP_ADDRESS route-map AS_path_prepend_for_germany_ISP out

*!!!!! CONFIG-2 !!!!!*

route-map AS_PREPENDING permit 10
 set community 29259:1101

router bgp 5555
 neighbor GERMANY_ISP_IP_ADDRESS route-map AS_PREPENDING out
 neighbor GERMANY_ISP_IP_ADDRESS send-community

On Thu, Apr 16, 2009 at 5:07 PM, Rich Davies wrote:
> Burak,
>
> Yes you are on the right track.
If you use your internernational ISP's > pre-designated BGP communities you can cause them to apply the 6x prepending > that you desire to cause unwanted traffic not to enter your international > link (due to more "false" as-hops to the destination network/prefix). Your > in-country link/ISP will have the more desirable route due to less as-hops > (inbound to your network) so essentially yes your international link will > act as a backup link. > > Good luck! > > > -Rich > > > > On Thu, Apr 16, 2009 at 12:11 AM, Burak Dikici wrote: > >> Hi Rich , >> >> I am thinking on my international ISP community options. I have tired >> before the as path prepending configuration with my international ISP. But >> as a result , i was still getting some inbound traffic through international >> ISP. If i use their community options , for example if i advetise my >> subnet with "send-community" option and 1106 for x6 times prepending , is >> this option going to solve the unwanted inbound traffic problem ? >> ( >> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=AS29259&do_search=Search >> did you remember this address ? :) ) >> >> I think that if the as path prepending configuration works well , the >> inbound traffic to my AS through international ISP will be used as backup >> state. But , as you know in my scenario >> for example just international traffic goes from international ISP and >> come back through the same link. What do you say , am i thinking wrong ? >> >> Regards... >> >> Burak Dikici >> >> >> >> >> >> >> On Wed, Apr 15, 2009 at 4:17 PM, Rich Davies wrote: >> >>> Burak, >>> >>> Yes sorry if i wasnt clear. Basically you can apply the route map for >>> your session to provider A to change the local pref on those learned >>> prefixes. 
You could leave the session to provider B untouched (no route >>> map inbound or outbound) and you will achieve "some" traffic changes since >>> you're tagging specific prefixes to send to provider A and they would not go >>> to provider B (out of country). >>> >>> >>> -Rich >>> >>> >>> On Wed, Apr 15, 2009 at 2:45 AM, Burak Dikici wrote: >>> >>>> Hi Rich , >>>> >>>> Sorry about my last reply. I couldn't catch the note in your previous >>>> message. You said ; >>>> >>>> "Notice I am not applying a route-map to the other BGP session (3.3.3.3, >>>> AS 33333) because all these routes get their default values (local pref of >>>> 100, less preferrable). The route map will allow all the other prefixes >>>> there is no implicit deny, it merely tags routes matching ACL 10 with local >>>> pref 150." >>>> >>>> >>>> >>>> >>>> On Wed, Apr 15, 2009 at 9:34 AM, Burak Dikici wrote: >>>> >>>>> Hi Rich , >>>>> >>>>> What do you think about this command ? >>>>> >>>>> "neighbor 3.3.3.3 description PROVIDER_B_OUTSIDE_COUNTRY" >>>>> >>>>> This command doesn't have any direction. >>>>> >>>>> Burak >>>>> >>>>> >>>>> >>>>> On Wed, Apr 15, 2009 at 5:23 AM, Rich Davies wrote: >>>>> >>>>>> Burak, >>>>>> >>>>>> BTW this line should not have been in my example: >>>>>> >>>>>> neighbor 2.2.2.2 route-map PROVIDER_A_INSIDE_COUNTRY out >>>>>> >>>>>> Definately do not want to tag outbound routes in that method as they >>>>>> do not originate from you (Doh!!). >>>>>> >>>>>> >>>>>> -Rich >>>>>> >>>>>> On Tue, Apr 14, 2009 at 8:15 PM, Burak Dikici wrote: >>>>>> >>>>>>> By the way i wonder , how can it be done symmetrical traffic flow in >>>>>>> this >>>>>>> scenario ? Local traffic goes from local ISP and the return traffic >>>>>>> comes >>>>>>> back through local ISP. Outside of the country traffic goes from >>>>>>> international IPS and the return traffic comes back through >>>>>>> internaional >>>>>>> ISP. 
I don't want to cause any asymmetrical traffic flow between >>>>>>> different >>>>>>> ISPs and my site. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Apr 15, 2009 at 2:53 AM, Walter Keen < >>>>>>> walter.keen at rainierconnect.net >>>>>>> > wrote: >>>>>>> >>>>>>> > If you are not advertising any space, I would imagine an AS path >>>>>>> filter >>>>>>> > on ISP-1 (limited to 1 or 2 hops, if that works for you) and no AS >>>>>>> path >>>>>>> > filter on ISP-2 would do the trick. You would want a floating >>>>>>> static >>>>>>> > default route(s) for outbound traffic redundancy. >>>>>>> > >>>>>>> > Now, if you are advertising space, as path prepending may be one >>>>>>> way to >>>>>>> > go as far as inbound traffic goes, but it gets messy in a situation >>>>>>> like >>>>>>> > this one. If you prepend your AS number too many times out ISP1, >>>>>>> then >>>>>>> > traffic you may have wanted to come in ISP1 may see ISP2 as a >>>>>>> closer >>>>>>> > route (less AS hops). >>>>>>> > >>>>>>> > Burak Dikici wrote: >>>>>>> > > Hello , >>>>>>> > > >>>>>>> > > I have got one internet router running BGP , and this router >>>>>>> has got >>>>>>> > > connections with two different ISPs. One of the ISP is local for >>>>>>> my >>>>>>> > country >>>>>>> > > and the other ISP's location is outside of my country. I want to >>>>>>> classify >>>>>>> > > geographical traffic with BGP. For example , local traffic to my >>>>>>> country >>>>>>> > > will go through ISP-1 (local ISP) , outside traffic to my country >>>>>>> will go >>>>>>> > > through ISP-2 (outside of my country ISP). What i have to do to >>>>>>> achieve >>>>>>> > that >>>>>>> > > kind of configuration ? If i have to use AS path filter , how can >>>>>>> i find >>>>>>> > the >>>>>>> > > local ISP AS path numbers and how can i configure AS path filter >>>>>>> for this >>>>>>> > > request ? 
>>>>>>> > > Is that enough using the as-path filter just for the national ISP
>>>>>>> > > or should i use it for international ISP also ?
>>>>>>> > >
>>>>>>> > > If i use AS-path filter for both ISP connections , what will happen to
>>>>>>> > > redundancy ? I mean , for example i filter national AS numbers at the
>>>>>>> > > international ISP connection and deny them. Secondly , i filter national AS
>>>>>>> > > numbers at the national ISP connection , permit them and the other AS
>>>>>>> > > numbers will be denied. In this situation , what will happen if the local
>>>>>>> > > ISP connection goes down ? Because of filtering of the national AS numbers
>>>>>>> > > at the international ISP connection , the BGP table doesn't take any updates
>>>>>>> > > from the local AS numbers. I hope , i could explain the situation correctly.
>>>>>>> > >
>>>>>>> > > Kind Regards...
>>>>>>> > >
>>>>>>> > > Burak Dikici
>>>>>>> > > _______________________________________________
>>>>>>> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>> > >
>>>>>>> >
>>>>>>> _______________________________________________
>>>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

From bitkraft at gmail.com Thu Apr 16 14:45:36 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Thu, 16 Apr 2009 11:45:36 -0700
Subject: [c-nsp] SNMP MIB for NetFlow TCAM utilization (Ruzhanskaya Olga)
In-Reply-To:
References:
Message-ID: <505b616c0904161145p5cf92aa8k8942c548cdafeffa@mail.gmail.com>

Try:

Flow learn failures (.1.3.6.1.4.1.9.9.97.1.4.1.1.6)

/bs

2009/4/16 Ольга Ружанская
> > Hello List! > > Maybe someone have already decided this problem. > > We need to watch for TCAM utilization for NetFlow via the SNMP. > But I haven't find SNMP MIB dedicated for this situation:-( > We've tried to find it in this groups: > CISCO-NETFLOW-MIB, CISCO-SWITCH-ENGINE-MIB.. > There are nothing for NetFlow TCAM utilization. > > Any idea? > > Best regards, > Olga > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rick at woofpaws.com Thu Apr 16 14:59:03 2009 From: rick at woofpaws.com (Rick Ernst) Date: Thu, 16 Apr 2009 11:59:03 -0700 (PDT) Subject: [c-nsp] CPU utilization - "media converter" vs "bump in the cable" Message-ID: <38154.69.30.17.85.1239908343.squirrel@www.woofpaws.com> I was a bit surprised to see that a 7206VXR/NPE-G1 running at the same CPU utilization on both an ethernet upstream with ~300mbs (in+out) running through it and an OC-3 upstream with about 100mbs through it. Multiple upstreams for the same ASN, essentially the same configuration (other than IP addresses). All running BGP with full tables to different upstreams. Is the NPE-G1 very non-linear in CPU load or (my guess) that the OC-3 upstreams are spending more time rewriting the packet headers from OC-3 to ethernet. I'd like to better understand what is going on for capacity/scalability planning. Thanks, Rick From peter at rathlev.dk Thu Apr 16 15:05:37 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 16 Apr 2009 21:05:37 +0200 Subject: [c-nsp] C6kSup720 "LAN ONLY" vs. "WAN" Message-ID: <1239908737.3608.5.camel@localhost.localdomain> Hi, Could anybody explain to me where I can find some official documentation about the differences between a "LAN ONLY" and a WAN image for the Sup720? E.g. 
the difference between these two images: s72033-advipservicesk9-mz.122-33.SXI1.bin s72033-advipservicesk9_wan-mz.122-33.SXI1.bin The former is a meagre 59MB where the latter takes up 90MB. I've assumed that certain WAN modules like OSM cannot run in the "LAN ONLY" image, but I'd love to know where I could know exactly what can and cannot run in the "LAN ONLY" image. Thank you. Peter From brhedlun at cisco.com Thu Apr 16 15:33:10 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Thu, 16 Apr 2009 14:33:10 -0500 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: Message-ID: On 4/16/09 10:06 AM, "Justin C Darby" wrote: > We're actually using in-house built ATA-over-Ethernet devices which have > similar advantages, but this isn't very 'enterprisey' Sounds very cool! I look forward to learning more about this ATA-over-Ethernet. > Cisco's UCS design actually > counts on having FCoE 10GbE HBA's if what I'm reading about them is > correct. Cisco UCS has standard PCIe mezzanine form factor 10GE adapters that support any over-Ethernet access to storage ... iSCSI, NAS, FCoE. Once at the UCS Manager, native FC uplinks are available for connecting to existing FC SANs. Cheers, Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From peter at rathlev.dk Thu Apr 16 15:35:52 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 16 Apr 2009 21:35:52 +0200 Subject: [c-nsp] C6k 6708 Input drops Message-ID: <1239910552.3608.36.camel@localhost.localdomain> I really hate to ask this question, since input drops/discards and micro bursts have been discussed so much. I just can't grasp this. The question is: what are "input drops" that don't show up in "counters errors" or "queueing", but do show up in "show platform hardware capacity interfaces"? Recently we started seeing "input drops" on a 6708 card in Cat6500 running SXF. The other end is the exact samer and the connection in both ends is 10G LR running 5m to a DWDM circuit carrying it ~50 km. 
It's a L3 (no switchport) MPLS link. The errors appear every twenty minutes very precisely and every time about 100 packets are dropped "all at once" as far as I can tell. I don't understand how one end could send micro bursts faster than the other end could send them when interfaces are similar. (We're also working on tracking the source/finding out what it is of course.) The link is hardly used; we're talking peaks of about 40-50 kpps and 400-600 Mbit/s when looking a 5 min Cacti graphs. The other end doesn't report any errors. It started appearing at a time where we had just _removed_ some traffic from this link logically. I don't assume it's related to link layer problems so we haven't tried replacing anything yet for the same reason. A "show interface counters errors" shows (almost) nothing: xxx-1#sh int te6/5 ... Input queue: 1/75/121167/12 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 30 second input rate 215774000 bits/sec, 31160 packets/sec 30 second output rate 317290000 bits/sec, 33704 packets/sec L2 Switched: ucast: 69130383 pkt, 6313188185 bytes - mcast: 11526118 pkt, 1281021706 bytes L3 in Switched: ucast: 617967640725 pkt, 514240136083975 bytes - mcast: 0 pkt, 0 bytes mcast L3 out Switched: ucast: 589404552537 pkt, 526530456915283 bytes mcast: 0 pkt, 0 bytes 618049766059 packets input, 514245988339000 bytes, 0 no buffer Received 15285284 broadcasts (0 IP multicasts) 0 runts, 349752298 giants, 1785 throttles 14 input errors, 14 CRC, 2 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 590212510115 packets output, 531857495170458 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out xxx-1# xxx-1#sh int te6/5 counters errors Load for five secs: 6%/3%; one minute: 4%; five minutes: 4% 
Time source is NTP, 21:19:04.267 CEST Thu Apr 16 2009 Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards Te6/5 0 14 0 14 0 0 Port Single-Col Multi-Col Late-Col Excess-Col Carri-Sen Runts Giants Te6/5 0 0 0 0 0 0 350685137 Port SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err Te6/5 0 0 0 0 2 xxx-1# xxx-1#sh queueing int te6/5 ... Packets dropped on Receive: BPDU packets: 0 queue dropped [cos-map] --------------------------------------------- 1 0 [0 1 2 3 4 5 6 7 ] 2 0 [] 3 0 [] 4 0 [] 5 0 [] 6 0 [] 7 0 [] 8 0 [] xxx-1#sh pl hard cap fabric Load for five secs: 1%/0%; one minute: 5%; five minutes: 5% Time source is NTP, 21:28:56.577 CEST Thu Apr 16 2009 Switch Fabric Resources Bus utilization: current: 0%, peak was 0% at 21:28:47 CEST Thu Apr 16 2009 Fabric utilization: Ingress Egress Module Chanl Speed rate peak rate peak 1 0 20G 0% 4% @00:08 11Oct08 0% 4% @20:47 24Aug08 1 1 20G 0% 10% @09:36 28Feb09 0% 8% @13:25 28Jul08 2 0 20G 0% 0% 0% 1% @06:38 18Jul08 2 1 20G 1% 9% @13:25 28Jul08 0% 10% @02:05 13Feb09 4 0 20G 0% 2% @11:43 15Sep08 0% 4% @19:35 22Feb09 5 0 20G 0% 5% @09:16 03Sep08 0% 5% @09:16 03Sep08 6 0 20G 0% 11% @10:46 08Apr09 0% 14% @03:09 21Feb09 6 1 20G 0% 15% @12:31 26Jan09 1% 14% @12:32 26Jan09 Switching mode: Module Switching mode 1 compact 2 compact 4 compact 5 compact 6 compact xxx-1#sh pl hard cap interface Load for five secs: 8%/4%; one minute: 6%; five minutes: 5% Time source is NTP, 21:30:12.802 CEST Thu Apr 16 2009 Interface Resources Interface drops: Module Total drops: Tx Rx Highest drop port: Tx Rx 1 1843 16 13 41 2 105657 0 13 0 4 0 1 0 1 6 0 121269 0 5 Interface buffer sizes: Module Bytes: Tx buffer Rx buffer 1 1221120 173504 2 1221120 173504 4 1221120 173504 6 91889216 109296640 xxx-1# Maybe I should just become a gardener instead... 
:-) Thanks, Peter From A.L.M.Buxey at lboro.ac.uk Thu Apr 16 16:39:40 2009 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Thu, 16 Apr 2009 21:39:40 +0100 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: References: Message-ID: <20090416203940.GA12774@lboro.ac.uk> Hi, > > We're actually using in-house built ATA-over-Ethernet devices which have > > similar advantages, but this isn't very 'enterprisey' > > Sounds very cool! I look forward to learning more about this > ATA-over-Ethernet. Linux has supported ATAoE for some time - http://aoetools.sourceforge.net/ http://support.coraid.com/support/linux/EtherDrive-2.6-HOWTO.html very handy technology for some purposes alan From paulzugnoni at gmail.com Thu Apr 16 18:56:07 2009 From: paulzugnoni at gmail.com (Paul Zugnoni) Date: Thu, 16 Apr 2009 15:56:07 -0700 Subject: [c-nsp] need help about switch cisco 4 9 4 8 In-Reply-To: <49A030E9.5040009@kenweb.org> References: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt> <28011.1317.qm@web57404.mail.re1.yahoo.com> <5E3C7A341C9C41F5BD5FE75FC12704B1@int.convex.pt> <49A030E9.5040009@kenweb.org> Message-ID: <75032a710904161556m1590ec95jf09843eaae3db285@mail.gmail.com> fwiw, (nearly 2 months later) on our 4948: "boot system flash cat4500-ipbasek9-mz.122-31.SGA8.bin" with a config-register of 0x2102 resulted in the switch booting into rommon mode, with an error message on the console that the device was not specified. Upon removing that configuration statement and replacing it with the following one, the 4948 booted as expected: boot system flash bootflash:cat4500-ipbasek9-mz.122-31.SGA8.bin << notice the specification of bootflash: in front of the image name. Paul On Sat, Feb 21, 2009 at 9:50 AM, ML wrote: > Antonio Soares wrote: > >> Since you don't have a "boot system flash" statement in your config, you >> need a config-register = 0x2101. This way it will load the >> first available image in the bootflash. 
>> >> Regards, >> >> Antonio Soares, CCIE #18473 (R&S) >> amsoares at netcabo.pt >> >> >> > > > Just recently we had an issue where a 4924 wouldn't load our desired IOS > image under any combination of "boot system {flash:|bootflash:} commands we > could think of. Only solution was to erase all but the desired image. > It was a roll the dice hope you don't critically fail situation. > > Config register 0x2101. > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From alex.wilkinson at dsto.defence.gov.au Thu Apr 16 18:44:05 2009 From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex) Date: Fri, 17 Apr 2009 06:44:05 +0800 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: References: Message-ID: <20090416224405.GA26216@stlux503.dsto.defence.gov.au> 0n Thu, Apr 16, 2009 at 11:06:48AM -0400, Justin C Darby wrote: >We're actually using in-house built ATA-over-Ethernet devices which have >similar advantages, but this isn't very 'enterprisey' - this was us trying >to find a way to deal with extreme I/O loads on giant Oracle databases >(which are now back to being CPU bound for the first time in years). They >also beat the heck out of 4x FC interfaces, preforming at 600-800MB/s, for >most of our applications under load. There are a bunch of people jumping This sounds interesting. Care to share a nutshell summary of how you are doing this ? -aW IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. From lowen at pari.edu Thu Apr 16 22:45:52 2009 From: lowen at pari.edu (Lamar Owen) Date: Thu, 16 Apr 2009 22:45:52 -0400 Subject: [c-nsp] GSR12008|GRP-B|4OC12/ATM-MM-SC|3GE-GBIC-SC throughput? 
In-Reply-To: <200904151134.34595.lowen@pari.edu> References: <9DEF078C-1D8D-4F81-BB77-E4A40E4E7BE6@lixfeld.ca> Message-ID: <200904162245.52805.lowen@pari.edu> On Wednesday 15 April 2009 11:34:34 Lamar Owen wrote: > On Tuesday 14 April 2009 18:22:03 Jason Lixfeld wrote: > > For the life of us, we can't seem to get any more than 60Mbps > > sustained across the ATM testing with iperf, so we're just trying to > > figure out if the GSR just can't push any more than what it's doing or > > if there's something else afoot. > I have a 12012 here in production, and have some of the kit necessary to > test point to point ATM connections (including a Catalyst 8540MSR with > OC12, ARM, and gigabit cards), and have a 4xOC12/ATM/MM, but it will be a > few days before I could have the time to set up a test to see if the 12012 > is limited. Ok, had a little time today, so got some data. Setup: Dell Inspiron 600m w/ Gigabit ethernet, running Fedora 10's iperf to a server, which is a CentOS 4 VM on an eight-way Opteron VMware ESX system (Dell PowerEdge 6950). GSR has a 4xOC12 MM ATM card. Other ATM OC12 endpoint is a Catalyst 8540CSR with an OC12 ATM MM uplink card and a dual GigE card (while I have an 8540MSR, the setup is more complex with the MSR than with the CSR with the ATM uplink, and I wanted the simplest possible setup to see if the GSR was a limiter). As the server is in production, I left it attached to the server farm core Extreme Summit1i's, which are GigE-attached to the 12012 GSR. In the topology below, I only list one Summit1i, but there are two in an ESRP setup. Topology: 600m <-->8540CSR GigabitEthernet10/0/0 via 1000Base-T GBIC 8540CSR ATM0/0/0.1 (VPI/VCI 1/17 PVC) <--> 12012 ATM7/0.1 (VPI/VCI 1/17 PVC) 12012 GigabitEthernet4/0 <--> Extreme Summit1i port 8 Extreme Summit1i port 1 <--> Dell 6950 ESX server GE1. 
12012 and the Summit1i are in production (the 12012 is the working side of our APS protected OC3 WAN link, and the Summit1i is half of the server farm core), and had other traffic, with variable traffic on the VM during test. I'm pretty happy with how much traffic the Dell 600m laptop generated, by the way! 12012 ATM7 is a 4xOC12 ATM MM LC, 8540CSR ATM0/0/0 is a Catalyst 8540 OC12 ATM uplink module. IOS on 12012 is 12.0(32)S12, on the 8540CSR it's 12.1(27b)E3 12012 has two GRP-B's. Data: 12012 throughput at peak: pari-gsr-12#sh int atm7/0 load Interface bits/sec pack/sec -------------------- ------------ ---------- AT7/0 Tx 206605000 24617 Rx 354535000 34717 pari-gsr-12# 8540CSR throughput at peak: sr1-8540c-1>sh int atm0/0/0 summ *: interface is up IHQ: pkts in input hold queue IQD: pkts dropped from input queue OHQ: pkts in output hold queue OQD: pkts dropped from output queue RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec) TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec) TRTL: throttle count Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL ------------------------------------------------------------------------ * ATM0/0/0 0 0 0 0 207281000 24491 353708000 34530 * ATM0/0/0.1 - - - - - - - - - NOTE:No separate counters are maintained for subinterfaces Hence Details of subinterface are not shown sr1-8540c-1> Output of iperf at client (Dell Inspiron 600m, Pentium M 1.8GHz, Fedora 10), slightly sanitized: [root at localhost ~]# iperf --client esx-host -t 720 --dualtest ------------------------------------------------------------ Server listening on TCP port 5001 TCP window size: 85.3 KByte (default) ------------------------------------------------------------ ------------------------------------------------------------ Client connecting to esx-host, TCP port 5001 TCP window size: 16.0 KByte (default) ------------------------------------------------------------ [ 5] local 10.250.132.30 port 46676 connected with esx-host port 5001 [ 4] local 10.250.132.30 port 
5001 connected with esx-host port 45629 [ ID] Interval Transfer Bandwidth [ 4] 0.0-719.9 sec 18.0 GBytes 215 Mbits/sec [ ID] Interval Transfer Bandwidth [ 5] 0.0-720.0 sec 31.3 GBytes 374 Mbits/sec [root at localhost ~]# Output of iperf on server (2vCPU VM on a four-way dual core Opteron 2.8GHz Dell 6950 ESX 3.5U3; VM running CentOS 4): [root at esx-host ~]# iperf --server ------------------------------------------------------------ Server listening on TCP port 5001 TCP window size: 85.3 KByte (default) ------------------------------------------------------------ [ 4] local esx-host port 5001 connected with 10.250.132.30 port 46676 ------------------------------------------------------------ Client connecting to 10.250.132.30, TCP port 5001 TCP window size: 16.0 KByte (default) ------------------------------------------------------------ [ 5] local esx-host port 45629 connected with 10.250.132.30 port 5001 Waiting for server threads to complete. Interrupt again to force quit. [ ID] Interval Transfer Bandwidth [ 5] 0.0-720.0 sec 18.0 GBytes 215 Mbits/sec [ ID] Interval Transfer Bandwidth [ 4] 0.0-720.1 sec 31.3 GBytes 374 Mbits/sec [root at esx-host ~]# Port configs: GSR: interface ATM7/0 no ip address no ip directed-broadcast atm clock INTERNAL no atm enable-ilmi-trap no atm ilmi-keepalive ! interface ATM7/0.1 point-to-point ip address 10.250.132.25 255.255.255.252 no ip directed-broadcast no atm enable-ilmi-trap snmp trap link-status pvc 1/17 ! ! Catalyst 8540CSR: interface ATM0/0/0 no ip address atm clock INTERNAL sonet ais-shut arp timeout 900 ! interface ATM0/0/0.1 point-to-point ip address 10.250.132.26 255.255.255.252 pvc 1/17 ! ! That is pretty good throughput for a single workstation attaching over a GigE throttled through an ATM OC12 with AAL5 overhead (SAR, VPI/VCI cell tax, etc) to a fairly busy server. 
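The "cell tax" mentioned above, worked through as an added example (not Lamar's code or output): a short Python model of how many 53-byte ATM cells an IP packet needs over AAL5 and what that leaves of an OC-12c's payload rate. The constants (48-byte cell payload, 8-byte AAL5 trailer, 8 bytes of RFC 2684 LLC/SNAP encapsulation for Cisco's default aal5snap, 599.04 Mb/s of cell bandwidth on OC-12c) are standard values supplied here, and the utilisation figure derived from the post's Rx counters is an estimate that treats every packet as the mean size.

```python
"""Cell-tax estimate for IP over AAL5 on an OC-12c ATM link (added example).

Assumed constants, not from the original post: 53-byte cells carrying 48 bytes,
an 8-byte AAL5 CPCS trailer, 8 bytes of RFC 2684 LLC/SNAP encapsulation (Cisco
default 'aal5snap' on a PVC; pass encap_bytes=0 for 'aal5mux'), and 599.04 Mb/s
of cell bandwidth on OC-12c (STS-12c SPE minus path overhead and fixed stuff).
"""
import math

ATM_CELL_BYTES = 53
ATM_CELL_PAYLOAD = 48
AAL5_TRAILER_BYTES = 8
LLC_SNAP_BYTES = 8
OC12C_PAYLOAD_BPS = 599_040_000                                  # bits/s for cells
OC12C_CELLS_PER_SEC = OC12C_PAYLOAD_BPS / (ATM_CELL_BYTES * 8)   # ~1.41 M cells/s


def aal5_cells(pdu_len: int, encap_bytes: int = LLC_SNAP_BYTES) -> int:
    """Cells needed for one IP packet.

    The CPCS-PDU is encapsulation + packet + padding + 8-byte trailer, padded
    so the trailer ends exactly on a cell boundary (0..47 bytes of padding).
    """
    if pdu_len <= 0:
        raise ValueError("pdu_len must be positive")
    return math.ceil((pdu_len + encap_bytes + AAL5_TRAILER_BYTES) / ATM_CELL_PAYLOAD)


def aal5_efficiency(pdu_len: int, encap_bytes: int = LLC_SNAP_BYTES) -> float:
    """Fraction of line bytes that are IP packet bytes for packets of this size."""
    return pdu_len / (aal5_cells(pdu_len, encap_bytes) * ATM_CELL_BYTES)


def max_ip_bps(pdu_len: int, encap_bytes: int = LLC_SNAP_BYTES) -> float:
    """Highest sustainable IP rate (bits/s) for a stream of same-sized packets."""
    return OC12C_PAYLOAD_BPS * aal5_efficiency(pdu_len, encap_bytes)


def max_pps(pdu_len: int, encap_bytes: int = LLC_SNAP_BYTES) -> float:
    """Packet-per-second ceiling for packets of this size, one direction."""
    return OC12C_CELLS_PER_SEC / aal5_cells(pdu_len, encap_bytes)


def tcp_goodput_bps(packet_len: int = 1500, ip_tcp_headers: int = 40,
                    encap_bytes: int = LLC_SNAP_BYTES) -> float:
    """What iperf reports: TCP payload only, after IP/TCP headers and cell tax."""
    return (max_ip_bps(packet_len, encap_bytes)
            * (packet_len - ip_tcp_headers) / packet_len)


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Mean packet size implied by an interface's bits/sec and packets/sec."""
    return bps / 8 / pps


def cell_utilisation(bps: float, pps: float,
                     encap_bytes: int = LLC_SNAP_BYTES) -> float:
    """Rough share of the OC-12c cell rate in use (estimate: every packet is
    taken to be the mean size, while padding really happens per packet)."""
    cells = aal5_cells(round(avg_packet_bytes(bps, pps)), encap_bytes)
    return pps * cells / OC12C_CELLS_PER_SEC


if __name__ == "__main__":
    for size in (40, 64, 576, 1500):
        print(f"{size:5d}-byte packet: {aal5_cells(size):2d} cells, "
              f"efficiency {aal5_efficiency(size):.3f}, "
              f"max {max_ip_bps(size) / 1e6:6.1f} Mb/s, {max_pps(size):9.0f} pps")
    print(f"1500-byte TCP goodput ceiling: {tcp_goodput_bps() / 1e6:.1f} Mb/s")
    # Rx figures from the post's 'sh int atm7/0 load': 354535000 bits/sec, 34717 packets/sec
    rx_bps, rx_pps = 354_535_000, 34_717
    print(f"Rx mean packet {avg_packet_bytes(rx_bps, rx_pps):.0f} bytes, "
          f"~{cell_utilisation(rx_bps, rx_pps):.0%} of the cell rate")
```

For 1500-byte packets the model gives 32 cells per packet (about 88% efficiency, roughly 530 Mb/s of IP or 516 Mb/s of TCP payload per direction), so the 374 Mb/s iperf reported in one direction is well inside what the OC-12c can carry.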
You might find http://www.osti.gov/bridge/servlets/purl/764365-05obbP/native/764365.pdf and http://www-didc.lbl.gov/Talks/GBN.final.pdf to be interesting reading. In light of LBNL's experience, detailed in those two papers, I'm very happy indeed with the results of the laptop test. Hope that helps. From jcdarby at usgs.gov Thu Apr 16 22:59:22 2009 From: jcdarby at usgs.gov (Justin C Darby) Date: Thu, 16 Apr 2009 22:59:22 -0400 Subject: [c-nsp] Nexus 5K FCoE to FC breakout In-Reply-To: <20090416224405.GA26216@stlux503.dsto.defence.gov.au> References: <20090416224405.GA26216@stlux503.dsto.defence.gov.au>, Message-ID: Sure. I'm going to try to be really brief and as funny as possible for what was really a traumatic experience last year trying to deal with helping a technology group that was and is undergoing massive growth. :) This is slightly OT but, well, this is c-nsp and I'm sure some of you somewhere are dealing with storage I/O issues and can appreciate. I am now near the end of a 12 step process.. Step 1: Install Blade server chassis. Populate with blades. Step 2: Spend a month tuning PL/SQL apps deployed to Blades. Realize you can't make any more progress because you are I/O bound. Curse Blade servers for having limited I/O connectivity options. Step 2.5: Realize you can't spend $300,000 on a Fiber Channel deployment while also meeting the rest of your yearly deliverables. Step 3: Calculate your average I/O bandwidth and IOPS load for your application into how many hard drives you need spinning (in my case, I've got 48 7200 RPM 1TB SATA drives - we do data warehousing, mostly, on huge datasets). Step 4: Find a way to attach all of these drives to something you can install Linux and 10 Gigabit Ethernet adapters into. Make sure you aren't oversubscribing the PCIe bandwidth. Make sure you have some kind of redundancy and backup strategy. 
Step 5: Make sure your 'something' supports NUMA and configure Linux to use the various Zero Copy I/O mechanisms at the kernel level (more recent 2.6.x). Partition your drives (LVM or otherwise), and tune the page cache of each one for your expected targets. Step 6: Install vblade. http://aoetools.sourceforge.net/ .. be sure to increase the AoE buffer count on native 10GbE networks. This takes trial and error and depends on your hardware and switch buffer sizes. Step 7: Install 10GbE native ethernet switches and adapters into your Blade chassis and servers. Set MTU to 9000. Step 8: Attach your storage device to your 10GbE LAN. Step 9: Configure clients. Watch your I/O channel widen to 600+ MB/s. If you did this right, your storage server will pretty easily hit over 90% utilization of its 10GbE adapters across all attached clients. Notice that generating client I/O demand much higher is pretty difficult. Step 9.5: ... Unless you use the NetXen cards IBM sells for Bladecenter H, in which case you will see maybe 450MB/s on clients because they don't support an MTU size greater than 8000. Curse IBM and NetXen. Step 10: Optional? :) Buy a Nexus 7000-series 10GbE switch so you can do this on a much larger scale given how amazingly well it all worked compared to how much you spent. If you work in a cash strapped group (like I do), you may wind up ordering this to replace the pile of bargain basement 1GbE 6500's you've got while you budget in your 10GbE modules for next year. Step 10.5: Curse about how much 10GbE costs, then remember how much Fiber Channel costs. Step 11: Become the official networks and storage guy in your group since, somehow, all of this worked out. Thank the gods you've been working in telecoms for years so none of this was beyond you. 
Step 12: Realize maintaining all of these yourself is a lot of work and it'd be REALLY REALLY NICE if some FCoE vendors started releasing native FCoE hardware and maybe got them on GSA or into SEWP so I, er, you can start comparing options. (Someone at Cisco - copy and paste this line to your FCoE partners, thanks! *ahem*) :) As an amendment to Step 9.5, IBM now sells Broadcom chips in 10GbE cards for Bladecenter H. I haven't used them, yet, though I will still say the following: These work better. And support 9000-byte MTU's. They can not possibly be worse. Buy these instead. Also, the Blade Networks Technologies 10GbE switch for the Bladecenter H is pretty decent for what it does, but there are days I wish I had a nice Cisco CLI and feature set to work on with them like I do the Gigabit Cisco switches I've got going for LAN. Justin P.S. Personal comments, not governments, etc. -----cisco-nsp-bounces at puck.nether.net wrote: ----- To: cisco-nsp at puck.nether.net From: "Wilkinson, Alex" Sent by: cisco-nsp-bounces at puck.nether.net Date: 04/16/2009 07:37PM Subject: Re: [c-nsp] Nexus 5K FCoE to FC breakout 0n Thu, Apr 16, 2009 at 11:06:48AM -0400, Justin C Darby wrote: >We're actually using in-house built ATA-over-Ethernet devices which have >similar advantages, but this isn't very 'enterprisey' - this was us trying >to find a way to deal with extreme I/O loads on giant Oracle databases >(which are now back to being CPU bound for the first time in years). They >also beat the heck out of 4x FC interfaces, preforming at 600-800MB/s, for >most of our applications under load. There are a bunch of people jumping This sounds interesting. Care to share a nutshell summary of how you are doing this ? -aW IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Thu Apr 16 22:34:08 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 17 Apr 2009 10:34:08 +0800 Subject: [c-nsp] IS-IS LSP Generation/Expiry + Database Optimization - Issue - Update! In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com> References: <200902221357.04134.mtinka@globaltransit.net> <200902222330.46372.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406EFE053@xmb-ams-333.emea.cisco.com> Message-ID: <200904171034.09576.mtinka@globaltransit.net> Hi all. Just an update for the archives and folk interested: TAC came back with an explanation (and solution) to this issue. The issue is that pseudonode link state PDU's don't have MT- ID's for v6, while non-pseudonodes do. The iSPF bug in the code doesn't handle pseudonode LSP changes for non-base topologies correctly. Typically, during an iSPF run, changes to the pseudonode are applied to all topologies even though the pseudonode LSP's, themselves, don't contain any MT-ID's for v6. However, this bug creates a situation where, during an iSPF calculation for the v6 topology (MT-IPv6), iSPF would only calculate for changes that contain MT-ID's. As such, it would skip any changes for the pseudonode, leading to the incorrect SPF result. The workarounds: disable multi-topologies and run a single topology or disable iSPF (both iSPF and multi-topologies should be enabled for the issue to present). TAC say a fix for this issue will be available in the next release of SRD as well as SRC5. In our case, our pseudonodes in our main PoP are 6500/SUP720-3BXL's running SX*. However, as concerns these switches themselves, this isn't a problem as SX* doesn't support iSPF for v6. 
TAC did mention, though, that if/when SX* does support iSPF for v6, this fix will be incorporated.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From jcdarby at usgs.gov Thu Apr 16 23:35:28 2009
From: jcdarby at usgs.gov (Justin C Darby)
Date: Thu, 16 Apr 2009 23:35:28 -0400
Subject: [c-nsp] Ethernet over DWDM
Message-ID:

Anyone care to share any experiences related to running Ethernet over DWDM? I'm not talking huge Carrier Ethernet deployments, more like enterprise LAN-to-LAN connectivity. Particularly, any information at all related to point-to-point DWDM circuits would be great.

Examples: Are you InterLATA or IntraLATA, what speeds, which technology (gigabit or 10 gigabit if Ethernet), distance, what carrier, general location, and if you want to throw out a rough number, how much are you paying for it?

I know all about CapEx savings with DWDM - that's why I'm looking this way. I'm wondering about actual circuit costs and looking for general ideas of who's doing what with it. My needs are US-centric, but don't let that stop you if you have something to contribute.

For the record, I won't be sharing any of the details of these results with anyone, just the rough aggregate data, if you are so inclined to be concerned.

Thanks,
Justin

From md at bts.sk Fri Apr 17 03:20:03 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 17 Apr 2009 09:20:03 +0200
Subject: [c-nsp] 3560E wire-speed or not?
In-Reply-To: <49E76158.6020005@ai.net>
References: <49E76158.6020005@ai.net>
Message-ID: <20090417072003.GA74569@bts.sk>

On Thu, Apr 16, 2009 at 12:48:24PM -0400, L'argent wrote:
> Quick question regarding whether a 3560E is wire-speed or not.
>
> According to the Cisco website here:
> http://www.cisco.com/en/US/products/ps7078/prod_models_comparison.html
>
> For example, I don't see how a 3560E-12D and a 3560-12SD can both be
> wirespeed when their max PPS is different only by a factor of 2.

All 3560E models except 3560E-12D are wirespeed. 3560E-12D consists of three 4*10GE wirespeed blocks, but bandwidth between those blocks is limited.

M.

From frosya84 at mail.ru  Fri Apr 17 04:02:39 2009
From: frosya84 at mail.ru (Ольга Ружанская)
Date: Fri, 17 Apr 2009 12:02:39 +0400
Subject: [c-nsp] SNMP MIB for NetFlow TCAM utilization
Message-ID:

Thanks

But it will show that the table is already full, won't it? I am interested in seeing the process of filling the table..

Best regards,
Olga

From shariq.qam at gmail.com  Fri Apr 17 05:03:28 2009
From: shariq.qam at gmail.com (shariq qamar)
Date: Fri, 17 Apr 2009 14:33:28 +0530
Subject: [c-nsp] route origin
Message-ID: <171b010e0904170203r6d06426bn1b5ff214d7815960@mail.gmail.com>

Hi Techies,

I have a doubt on the origin of routes which we learn from Juniper routers. I believe a Juniper router tags only one origin on all the routes which it is learning from connected BGP neighbours; it can be either egp, incomplete or igp, by default it is igp.

Anybody have any idea on this? Because in a Cisco router the origin by default never changes and it shows you prefixes with the different origins to which they belong, but in Juniper I didn't find this.

Any comments?
--
Regards,
Shariq Qamar,

From chaz at chaz6.com  Fri Apr 17 05:45:00 2009
From: chaz at chaz6.com (Chris Hills)
Date: Fri, 17 Apr 2009 11:45:00 +0200
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To:
References: <20090416224405.GA26216@stlux503.dsto.defence.gov.au>,
Message-ID: <49E84F9C.8060104@chaz6.com>

On 17/04/09 04:59, Justin C Darby wrote:
> Step 10.5: Curse about how much 10GbE costs, then remember how much Fiber
> Channel costs.

Yet still you do not hear of much use of Infiniband. I believe at the 2X rate (i.e. 10Gbs) it is cheaper than 10GbE. Did you consider using it when embarking upon your approach?

From md at bts.sk  Fri Apr 17 06:20:43 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 17 Apr 2009 12:20:43 +0200
Subject: [c-nsp] C6k 6708 Input drops
In-Reply-To: <1239910552.3608.36.camel@localhost.localdomain>
References: <1239910552.3608.36.camel@localhost.localdomain>
Message-ID: <20090417102043.GA80447@bts.sk>

On Thu, Apr 16, 2009 at 09:35:52PM +0200, Peter Rathlev wrote:
> I really hate to ask this question, since input drops/discards and micro
> bursts have been discussed so much. I just can't grasp this.
>
> The question is: what are "input drops" that don't show up in "counters
> errors" or "queueing", but do show up in "show platform hardware
> capacity interfaces"?
>
> Recently we started seeing "input drops" on a 6708 card in Cat6500
> running SXF. The other end is the exact same and the connection in both
> ends is 10G LR running 5m to a DWDM circuit carrying it ~50 km. It's a
> L3 (no switchport) MPLS link.
>
> The errors appear every twenty minutes very precisely and every time
> about 100 packets are dropped "all at once" as far as I can tell. I
> don't understand how one end could send micro bursts faster than the
> other end could send them when interfaces are similar.

Input drops on L3 interfaces include also drops seen by the RP.
These are not happening on the physical 10GE interface, but on the CPU's input queue. Try looking for traffic directed to the switch itself (SNMP, routing protocols etc) or traffic which is being punted to CPU for some reason.

M.

From sthaug at nethelp.no  Fri Apr 17 06:21:45 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 17 Apr 2009 12:21:45 +0200 (CEST)
Subject: [c-nsp] route origin
In-Reply-To: <171b010e0904170203r6d06426bn1b5ff214d7815960@mail.gmail.com>
References: <171b010e0904170203r6d06426bn1b5ff214d7815960@mail.gmail.com>
Message-ID: <20090417.122145.74682536.sthaug@nethelp.no>

> I have a doubt on the origin of routes which we learn from Juniper routers.
> I believe a Juniper router tags only one origin on all the routes which it
> is learning from connected BGP neighbours;
> it can be either egp, incomplete or igp, by default it is igp.

Unless you have an explicit policy to set/change the origin on the Juniper side, the Juniper router won't change the origin. Here is an example from a Cisco router which has received all its routes from Juniper routers:

   Network          Next Hop            Metric LocPrf Weight Path
* i4.128.0.0/9      193.75.0.79              0    100      0 3356 i
*>i                 193.75.0.79              0    100      0 3356 i
*>i4.224.56.0/24    193.75.0.70          13331    100      0 3549 7018 ?
* i                 193.75.0.79                   100      0 1299 7018 ?
* i47.16.0.0/14     193.75.0.79                   100      0 1299 4323 8153 7099 e
*>i                 193.75.0.70          13332    100      0 3549 4323 8153 7099 e

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From zhqasmi at cyber.net.pk  Fri Apr 17 07:08:54 2009
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Fri, 17 Apr 2009 17:08:54 +0600
Subject: [c-nsp] route origin
In-Reply-To: <171b010e0904170203r6d06426bn1b5ff214d7815960@mail.gmail.com>
References: <171b010e0904170203r6d06426bn1b5ff214d7815960@mail.gmail.com>
Message-ID: <008c01c9bf4c$e68279a0$b3876ce0$@net.pk>

The origin attribute is not changed when you advertise a route from the BGP table to any peer.
The difference between the Juniper and Cisco implementations is that in Cisco, when you redistribute another routing protocol (IS-IS, OSPF) into BGP, it sets the route origin to unknown "?", while Juniper by default exports them as IGP "I".

/Amjad Qasmi.

From brhedlun at cisco.com  Fri Apr 17 09:01:39 2009
From: brhedlun at cisco.com (Brad Hedlund (brhedlun))
Date: Fri, 17 Apr 2009 08:01:39 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <49E84F9C.8060104@chaz6.com>
References: <20090416224405.GA26216@stlux503.dsto.defence.gov.au>, <49E84F9C.8060104@chaz6.com>
Message-ID: <991F9EEF-6363-4035-82FE-7FEAA8AD5083@cisco.com>

Not sure about Infiniband, but costs for 10GE server access have come down to ~$800/port. Not bad considering 1GE is ~$300/port (on a good switch).

Sent from my iPhone

Brad Hedlund, CCIE 5530
Cisco Systems, Inc.
Consulting System Engineer
Data Center
(773) 695-8226

From hegedus.gabor at euroway.hu  Fri Apr 17 09:28:22 2009
From: hegedus.gabor at euroway.hu (Hegedus Gabor)
Date: Fri, 17 Apr 2009 15:28:22 +0200
Subject: [c-nsp] VPN 3000 certificate based S2S
In-Reply-To: <49E6E490.6000302@euroway.hu>
References: <49E6E490.6000302@euroway.hu>
Message-ID: <49E883F6.80305@euroway.hu>

Any idea?

Hegedus Gabor wrote:
> Hi all!
>
> I don't find an answer to my question on the net.
>
> My problem is the following:
>
> I have a Cisco VPN 3000 device, and we want site-2-site VPN with this
> device.
> I got the root CA cert and I added it successfully.
> I have our certificate, which is in coded format, a .p12 file with password.
>
> How can I install this p12 file, because only a cert request is allowed
> on the VPN concentrator; I can't upload (install) my cert simply. I
> tried it on ASA, and it works well, I can install the root CA and my CA
> both on it.
>
> I don't want to send a cert request to the root CA, because I already have all
> the cert files.
>
> What can I do with my p12? Convert it to what? What are the extensions
> and file formats the VPN 3000 looks for in the identity cert section?
>
> Any suggestion?
>
> thank you, Gabor

From rens at autempspourmoi.be  Fri Apr 17 08:43:24 2009
From: rens at autempspourmoi.be (Rens)
Date: Fri, 17 Apr 2009 14:43:24 +0200
Subject: [c-nsp] L2TPv3 with MTU difference
Message-ID: <7A41C87ED8454252B78FF92B8C87205A@EU.corp.clearwire.com>

Hi,

I have an OSPF broadcast configured with several routers. Some of the routers have a higher MTU than others, so I use "ip ospf mtu ignore" on all the neighbours (to compensate for the fragmentation at higher bandwidths).

I have routers with MTU 1600 and others have the default 1500 because of FastEthernet interfaces.

I have an L2TPv3 tunnel that runs over this IP network. When I configure a tunnel between a router that has 1600 MTU and one that has 1500 MTU, I can't pass any frames of 1518.

When doing 1518, the tester that is connected to the router that does 1600 is receiving them, but the tester that is connected to the router that does 1500 isn't receiving anything.

When I lower it to 1280 it works again.

All help welcome.

Regards,
Rens

From peter at rathlev.dk  Fri Apr 17 10:31:43 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 17 Apr 2009 16:31:43 +0200
Subject: [c-nsp] C6k 6708 Input drops
In-Reply-To: <9683A1EFE9214446A78BDA9EA8AF79DC9DBDECAF@NEUBOS3ES816CLS.nunet.neu.edu>
References: <1239910552.3608.36.camel@localhost.localdomain> <20090417102043.GA80447@bts.sk> <9683A1EFE9214446A78BDA9EA8AF79DC9DBDECAF@NEUBOS3ES816CLS.nunet.neu.edu>
Message-ID: <1239978703.3861.38.camel@localhost.localdomain>

On Fri, 2009-04-17 at 12:20 +0200, Marian Ďurkovič wrote:
> Input drops on L3 interfaces include also drops seen by the RP.
> These are not happening on the physical 10GE interface, but on the
> CPU's input queue.
> Try looking for traffic directed to the switch
> itself (SNMP, routing protocols etc) or traffic which is being punted
> to CPU for some reason.

On Fri, 2009-04-17 at 09:41 -0400, Dhingra, Anand wrote:
> I am not sure why... but for some odd reason cisco only has a 75
> packet buffer per interface going to the CPU.

That was just the piece of information I needed. I adjusted the hold-queue from 75 to 256 packets and the drops are now gone. Only thing left is to find out what those bursts are that the switch punts. But I'm very glad that there was an (easy to understand) explanation. :-)

Thank you, both of you!

Regards,
Peter

From jcdarby at usgs.gov  Fri Apr 17 10:56:55 2009
From: jcdarby at usgs.gov (Justin C Darby)
Date: Fri, 17 Apr 2009 10:56:55 -0400
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <49E84F9C.8060104@chaz6.com>
References: <49E84F9C.8060104@chaz6.com>, <20090416224405.GA26216@stlux503.dsto.defence.gov.au>,
Message-ID:

AFAIK, 2x FC is 2.125 GBps (~200MB/s); we were quoting 4x FC as a comparison - 4.25GBps / ~400 MB/s.

The 10GbE solution is a lot faster and at the time cost less than us deploying 4x FC. This was also a year ago. 4x FC was our top capability with Bladecenter H at the time.

Justin
From tvarriale at comcast.net  Fri Apr 17 11:23:57 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 17 Apr 2009 10:23:57 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
References: <49E84F9C.8060104@chaz6.com>, <20090416224405.GA26216@stlux503.dsto.defence.gov.au>,
Message-ID: <49BF57CF89E84AE0B71D0395574BB310@flamdt01>

It's still 4gbps FC with the CNAs.

tv
From brhedlun at cisco.com  Fri Apr 17 12:27:02 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 17 Apr 2009 11:27:02 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <49BF57CF89E84AE0B71D0395574BB310@flamdt01>
Message-ID:

True, for the current generation (Gen1) Emulex and Qlogic C-N-A's. Gen2 adapters (available soon) are not restricted to 4gbps; there is more flexibility up to the full 10G.

On 4/17/09 10:23 AM, "Tony Varriale" wrote:
> It's still 4gbps FC with the CNAs.

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From gert at greenie.muc.de  Fri Apr 17 12:49:20 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 17 Apr 2009 18:49:20 +0200
Subject: [c-nsp] CPU utilization - "media converter" vs "bump in the cable"
In-Reply-To: <38154.69.30.17.85.1239908343.squirrel@www.woofpaws.com>
References: <38154.69.30.17.85.1239908343.squirrel@www.woofpaws.com>
Message-ID: <20090417164920.GX290@greenie.muc.de>

Hi,

On Thu, Apr 16, 2009 at 11:59:03AM -0700, Rick Ernst wrote:
> I was a bit surprised to see that a 7206VXR/NPE-G1 running at the same CPU
> utilization on both an ethernet upstream with ~300mbs (in+out) running
> through it and an OC-3 upstream with about 100mbs through it.

GigE is wired directly to the CPU (part of the CPU, actually) while PA modules are PCI based. So it wouldn't surprise me if GigE based things take a lot less CPU on the NPE-G1.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From tvarriale at comcast.net  Fri Apr 17 13:20:02 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 17 Apr 2009 12:20:02 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
References:
Message-ID: <73C8458323674E879355A98BA28A910B@flamdt01>

Even when they do come out, there won't be tons of benefit yet. Most of the SANs I see today are 4gbps and are having a tough time justifying going to 8.

tv

From brhedlun at cisco.com  Fri Apr 17 13:41:24 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 17 Apr 2009 12:41:24 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <73C8458323674E879355A98BA28A910B@flamdt01>
Message-ID:

To your point, exceeding 4gbps per C-N-A is nice but doesn't top the list of major benefits for Gen2. What does top the list is a single chip architecture providing a smaller size and lower power footprint, which also works nicely for blade server mezzanine form factors.

Benefits for C-N-A's are largely centered around cost and efficiency optimizations, rather than performance optimizations.

On 4/17/09 12:20 PM, "Tony Varriale" wrote:
> Even when they do come out, there won't be tons of benefit yet.
> Most of the SANs I see today are 4gbps and are having a tough time justifying going
> to 8.

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From tvarriale at comcast.net  Fri Apr 17 15:27:16 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 17 Apr 2009 14:27:16 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
References:
Message-ID: <7CD18D03B4D44CFC86FD19E6C69C45F4@flamdt01>

Gen 1 already offers this. :)

tv

From brhedlun at cisco.com  Fri Apr 17 15:52:06 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 17 Apr 2009 14:52:06 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <7CD18D03B4D44CFC86FD19E6C69C45F4@flamdt01>
Message-ID:

Not sure what you are specifically referring to, but Gen1 C-N-A's are based on 3 chips: (1) Eth, (1) FC, (1) DCE "Menlo". As a result, Gen1 cards are long and do not fit in most 1RU systems. The power draw of the 3 chip design is around 21W.

Gen2 C-N-A's combine the functionality of all three chips into 1 custom ASIC. As a result Gen2's will fit in 1RU systems and power draw is in the low teens.
Lots of buzz about this can be found on Emulex and Qlogic websites.

The Emulex and Qlogic mezz C-N-A's initially available for Cisco UCS are based on the Gen1 design. Maybe that is what you are referring to?

Cheers,

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

On 4/17/09 2:27 PM, "Tony Varriale" wrote:
> Gen 1 already offers this. :)
>
> tv

From justin at justinshore.com  Fri Apr 17 16:09:09 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 17 Apr 2009 15:09:09 -0500
Subject: [c-nsp] need help about switch cisco 4 9 4 8
In-Reply-To: <75032a710904161556m1590ec95jf09843eaae3db285@mail.gmail.com>
References: <753ED4F9715A45ABADBDB9DC23C1FCA8@int.convex.pt> <28011.1317.qm@web57404.mail.re1.yahoo.com> <5E3C7A341C9C41F5BD5FE75FC12704B1@int.convex.pt> <49A030E9.5040009@kenweb.org> <75032a710904161556m1590ec95jf09843eaae3db285@mail.gmail.com>
Message-ID: <49E8E1E5.7020802@justinshore.com>

I've learned to always specify the full path to the image you want to load. It's safer than assuming that rommon will find the image on its own on the assortment of drives that the newer, larger devices have these days.

Justin

Paul Zugnoni wrote:
> fwiw, (nearly 2 months later) on our 4948:
> "boot system flash cat4500-ipbasek9-mz.122-31.SGA8.bin" with a
> config-register of 0x2102 resulted in the switch booting into rommon mode,
> with an error message on the console that the device was not specified.
>
> Upon removing that configuration statement and replacing it with the
> following one, the 4948 booted as expected:
> boot system flash bootflash:cat4500-ipbasek9-mz.122-31.SGA8.bin   << notice
> the specification of bootflash: in front of the image name.
From amsoares at netcabo.pt  Fri Apr 17 16:40:27 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 17 Apr 2009 21:40:27 +0100
Subject: [c-nsp] C6k 6708 Input drops
In-Reply-To: <1239978703.3861.38.camel@localhost.localdomain>
References: <1239910552.3608.36.camel@localhost.localdomain> <20090417102043.GA80447@bts.sk> <9683A1EFE9214446A78BDA9EA8AF79DC9DBDECAF@NEUBOS3ES816CLS.nunet.neu.edu> <1239978703.3861.38.camel@localhost.localdomain>
Message-ID: <8812BD4AE16D4601BA90D9938AE7E353@int.convex.pt>

I had the same type of problem weeks ago with 6704-10GE cards and I increased the input queue from the default to 2000 packets. But even with this change, I'm still getting input drops:

+++++++++++++++++++++++
  Input queue: 0/2000/259854/259783 (size/max/drops/flushes); Total output drops: 9766
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 3422174000 bits/sec, 616164 packets/sec
  30 second output rate 4781032000 bits/sec, 752303 packets/sec
  L2 Switched: ucast: 3042490 pkt, 445190705 bytes - mcast: 701412 pkt, 55025811 bytes
  L3 in Switched: ucast: 1443288206417 pkt, 1002589303485288 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 1777516490092 pkt, 1475677965625289 bytes mcast: 0 pkt, 0 bytes
     1443204358757 packets input, 1002494751199418 bytes, 0 no buffer
     Received 755421 broadcasts (701411 IP multicasts)
     0 runts, 0 giants, 0 throttles
     18 input errors, 9 CRC, 9 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1777485270815 packets output, 1475594581103091 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
+++++++++++++++++++++++

And sometimes the IGP adjacency goes down, and I can only correlate it with these input drops. I'm running 12.2(18)SXF15a.
I have the impression that even using the maximum value allowed won't solve the issue.

I'm now thinking about adjusting the SPD values in order to, at least, avoid the IGP issue.

Comments are appreciated.

Thanks.

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From tvarriale at comcast.net  Fri Apr 17 16:43:09 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 17 Apr 2009 15:43:09 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
References:
Message-ID: <1607B013034B476DB444860E7B575546@flamdt01>

I honestly do not know anyone putting these into 1U systems. But part (but not all) of the reference is to UCS.
The initial green pitch on the CNA is that the SFP+ draws less power than X2 or XENPAK. Every server has to have a FC and *gig NIC. At this point that's the savings, along with one card.

The pitch to move from gen 1 to 2 to save another ~10W per card isn't being made yet.

Anyways, I believe the original discussion was about speed.

tv

From brhedlun at cisco.com  Fri Apr 17 17:16:43 2009
From: brhedlun at cisco.com (Brad Hedlund)
Date: Fri, 17 Apr 2009 16:16:43 -0500
Subject: [c-nsp] Nexus 5K FCoE to FC breakout
In-Reply-To: <1607B013034B476DB444860E7B575546@flamdt01>
Message-ID:

On 4/17/09 3:43 PM, "Tony Varriale" wrote:
> I honestly do not know anyone putting these into 1U systems.

Primary reason for this is because current Gen1 C-N-A's simply do not fit in 1RU systems. Where 2-4RU systems are purchased for the primary reason of adapter real estate, the Gen2 C-N-A's offer a path to 1RU.

> The initial green pitch on the CNA is that the SFP+ draws less power than X2
> or XENPAK.
Not to mention less power in connecting the server to one access layer switch fabric, rather than two.

> The pitch to move from gen 1 to 2 to save another ~10W per card isn't being
> made yet.

Right, the pitch is largely: "same price, smaller, more capabilities, and oh by the way, less power".

> Anyways, I believe the original discussion was about speed.

Of which there is no disadvantage in C-N-A's ... which led us to this tangent :)

Brad Hedlund
bhedlund at cisco.com
http://www.internetworkexpert.org

From neilding2000 at gmail.com  Fri Apr 17 22:04:17 2009
From: neilding2000 at gmail.com (Neil d)
Date: Fri, 17 Apr 2009 22:04:17 -0400
Subject: [c-nsp] cisco command to show 10GE module type?
Message-ID: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>

Hi all,

Is there any command to show what kind of XENPAK 10G module is in the 6704-10GE card? From the Cisco website, there are a bunch of them:

* Cisco XENPAK-10GB-CX4
* Cisco XENPAK-10GB-LX4
* Cisco XENPAK-10GB-LRM
* Cisco XENPAK-10GB-SR
* Cisco XENPAK-10GB-LR / -LR+
* Cisco XENPAK-10GB-ER / -ER+
* Cisco XENPAK-10GB-ZR
* Cisco XENPAK-10GB-LW (WAN PHY)

Question is, how do I know which type is installed in the LC? Any command to check this instead of going onsite to check?

TIA/Neil

From wmaton at ryouko.imsb.nrc.ca  Fri Apr 17 22:10:04 2009
From: wmaton at ryouko.imsb.nrc.ca (William F. Maton Sotomayor)
Date: Fri, 17 Apr 2009 22:10:04 -0400 (EDT)
Subject: [c-nsp] cisco command to show 10GE module type?
In-Reply-To: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
Message-ID:

On Fri, 17 Apr 2009, Neil d wrote:
> Is there any command to show what kind of XENPAK 10G module is in the 6704-10GE
> card? From the Cisco website, there are a bunch of them:
[snip]
> Question is, how do I know which type is installed in the LC? Any command to
> check this instead of going onsite to check?

"show inventory" may help.
wfms

From neilding2000 at gmail.com  Fri Apr 17 22:14:41 2009
From: neilding2000 at gmail.com (Neil d)
Date: Fri, 17 Apr 2009 22:14:41 -0400
Subject: [c-nsp] cisco command to show 10GE module type?
In-Reply-To:
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
Message-ID: <68f87c470904171914k2cf5459dr1ebaa473c4458a65@mail.gmail.com>

No good, I've already tried this, but it only shows you the linecard type in each slot; what I want to know is the XENPAK module type in each 10GE port.

From neilding2000 at gmail.com  Fri Apr 17 22:17:50 2009
From: neilding2000 at gmail.com (Neil d)
Date: Fri, 17 Apr 2009 22:17:50 -0400
Subject: [c-nsp] cisco command to show 10GE module type?
In-Reply-To: <68f87c470904171914k2cf5459dr1ebaa473c4458a65@mail.gmail.com>
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com> <68f87c470904171914k2cf5459dr1ebaa473c4458a65@mail.gmail.com>
Message-ID: <68f87c470904171917w4c677a52pd50cd84fe7b2b942@mail.gmail.com>

Oh, a "show inventory raw" seems to work....

From rrichardson at iodatacenters.com  Fri Apr 17 22:20:20 2009
From: rrichardson at iodatacenters.com (Richardson, Robert)
Date: Fri, 17 Apr 2009 19:20:20 -0700
Subject: [c-nsp] cisco command to show 10GE module type?
In-Reply-To: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
Message-ID: <57F018B226E004449B318DAF71A6014656F63D382D@IO-SCD-EX-M-01.corp.iodatacenters.com>

Try:

show interface status
show inventory

Thanks,
Robert M. Richardson

From engel.labiro at gmail.com  Sat Apr 18 00:41:57 2009
From: engel.labiro at gmail.com (Engelhard Labiro)
Date: Sat, 18 Apr 2009 13:41:57 +0900
Subject: [c-nsp] cisco command to show 10GE module type?
In-Reply-To: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>

Use command "show int status"

Sent from my iPhone

On 2009/04/18, at 11:04, Neil d wrote:
> Hi all,
>
> Is there any command to show what kind of Xenpak 10G module in the
> 6704-10GE card? from cisco website, there're a bunch of them:
>
> * Cisco XENPAK-10GB-CX4
> * Cisco XENPAK-10GB-LX4
> * Cisco XENPAK-10GB-LRM
> * Cisco XENPAK-10GB-SR
> * Cisco XENPAK-10GB-LR / -LR+
> * Cisco XENPAK-10GB-ER / -ER+
> * Cisco XENPAK-10GB-ZR
> * Cisco XENPAK-10GB-LW (WAN PHY)
>
> question is, how do I know which type is installed in the LC? any
> command to check this instead of going onsite to check?
>
> TIA/Neil

From ler762 at gmail.com Sat Apr 18 06:22:53 2009
From: ler762 at gmail.com (Lee)
Date: Sat, 18 Apr 2009 06:22:53 -0400
Subject: [c-nsp] C6k 6708 Input drops
In-Reply-To: <8812BD4AE16D4601BA90D9938AE7E353@int.convex.pt>
References: <1239910552.3608.36.camel@localhost.localdomain>
	<20090417102043.GA80447@bts.sk>
	<9683A1EFE9214446A78BDA9EA8AF79DC9DBDECAF@NEUBOS3ES816CLS.nunet.neu.edu>
	<1239978703.3861.38.camel@localhost.localdomain>
	<8812BD4AE16D4601BA90D9938AE7E353@int.convex.pt>

We weren't losing adjacencies, but were seeing lots of input queue drops on
a few 6704 ports configured as layer 3 interfaces. Bumping the input queue
size up to 4096 didn't make any difference, nor did changing the input queue
size on all vlan+L3 interfaces to 4096 (which should have automatically
adjusted spd thresholds) make any difference.
But adding this got rid of almost all the drops:

ip spd queue max-threshold 1000
ip spd queue min-threshold 998

I don't remember getting an answer from Cisco about why the spd thresholds
weren't automatically adjusted on a 6500. I tried changing the input q size
on all interfaces on a 7200 & spd thresholds were automatically adjusted.
Dunno why it doesn't work on a 6500.

Lee

On 4/17/09, Antonio Soares wrote:
> I had the same type of problem weeks ago with 6704-10GE cards and i
> increased the input queue from the default to 2000 packets. But
> even with this change, i'm still getting input drops:
>
> +++++++++++++++++++++++
>   Input queue: 0/2000/259854/259783 (size/max/drops/flushes); Total output drops: 9766
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   30 second input rate 3422174000 bits/sec, 616164 packets/sec
>   30 second output rate 4781032000 bits/sec, 752303 packets/sec
>   L2 Switched: ucast: 3042490 pkt, 445190705 bytes - mcast: 701412 pkt, 55025811 bytes
>   L3 in Switched: ucast: 1443288206417 pkt, 1002589303485288 bytes - mcast: 0 pkt, 0 bytes mcast
>   L3 out Switched: ucast: 1777516490092 pkt, 1475677965625289 bytes mcast: 0 pkt, 0 bytes
>      1443204358757 packets input, 1002494751199418 bytes, 0 no buffer
>      Received 755421 broadcasts (701411 IP multicasts)
>      0 runts, 0 giants, 0 throttles
>      18 input errors, 9 CRC, 9 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      1777485270815 packets output, 1475594581103091 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
> +++++++++++++++++++++++
>
> And sometimes the IGP adjacency goes down and i only can correlate with
> these input drops. I'm running 12.2(18)SXF15a.
>
> I have the impression that even using the maximum value allowed won't solve
> the issue.
>
> I'm now thinking about adjusting the SPD values in order to, at least, avoid
> the IGP issue.
>
> Comments are appreciated.
>
> Thanks.
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Friday, 17 April 2009 15:32
> To: Dhingra, Anand; Marian Ďurkovič
> Cc: cisco-nsp
> Subject: Re: [c-nsp] C6k 6708 Input drops
>
> On Fri, 2009-04-17 at 12:20 +0200, Marian Ďurkovič wrote:
>> Input drops on L3 interfaces include also drops seen by the RP.
>> These are not happening on the physical 10GE interface, but on the
>> CPU's input queue. Try looking for traffic directed to the switch
>> itself (SNMP, routing protocols etc) or traffic which is being punted
>> to CPU for some reason.
>
> On Fri, 2009-04-17 at 09:41 -0400, Dhingra, Anand wrote:
>> I am not sure why... but for some odd reason cisco only has a 75
>> packet buffer per interface going to the CPU.
>
> That was just the pieces of information I needed. I adjusted the hold-queue
> from 75 to 256 packets and the drops are now gone.
>
> Only thing left is to find out what those bursts are that the switch punts.
> But I'm very glad that there was an (easy to understand) explanation. :-)
>
> Thank you both of you!
>
> Regards,
> Peter

From nick.jon.griffin at gmail.com Sat Apr 18 10:21:09 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Sat, 18 Apr 2009 09:21:09 -0500
Subject: [c-nsp] cisco command to show 10GE module type?
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>

can you use "show interface capabilities"?

On Fri, Apr 17, 2009 at 11:41 PM, Engelhard Labiro wrote:
> Use command "show int status"
>
> Sent from my iPhone
>
> On 2009/04/18, at 11:04, Neil d wrote:
>> Hi all,
>>
>> Is there any command to show what kind of Xenpak 10G module in the
>> 6704-10GE card? from cisco website, there're a bunch of them:
>>
>> * Cisco XENPAK-10GB-CX4
>> * Cisco XENPAK-10GB-LX4
>> * Cisco XENPAK-10GB-LRM
>> * Cisco XENPAK-10GB-SR
>> * Cisco XENPAK-10GB-LR / -LR+
>> * Cisco XENPAK-10GB-ER / -ER+
>> * Cisco XENPAK-10GB-ZR
>> * Cisco XENPAK-10GB-LW (WAN PHY)
>>
>> question is, how do I know which type is installed in the LC? any command
>> to check this instead of going onsite to check?
>>
>> TIA/Neil

From pwu828 at gmail.com Sat Apr 18 15:39:10 2009
From: pwu828 at gmail.com (PW)
Date: Sun, 19 Apr 2009 05:39:10 +1000
Subject: [c-nsp] RSTP Learning State

Hi Everyone,

It would be great if someone can help me out here...

I've got a situation here with 4 switches (a mix of 2960/3550), all running
RSTP (rapid-pvst).

The setup:

Switch C --------- Switch B ======= Switch A
   |                  |
   |                  |
Switch D -------------|

Basically a triangle setup BCD, and a dual link between AB.

Switch A is the root, and when the primary link between AB fails, the root
port of B goes down, transitions to ALT link almost instantaneously.

However, the spanning tree recalculation that occurs in the triangle BCD
baffles me... I see links between Switch B, C and D transition into the
Learning state for 15 seconds!

I thought RSTP should be sub-second failover for P2P links, so I'm not sure
why this 15 seconds is coming up...

The spanning tree state under normal operation:

Switch A:
Fa0/1   Desg FWD 36     128.1  P2p   (Secondary to B)
Fa0/2   Desg FWD 4      128.2  P2p   (Primary to B)

Switch B:
Fa0/1   Desg FWD 5000   128.1  P2p   (to D)
Fa0/2   Altn BLK 200    128.2  P2p   (Secondary to A)
Fa0/3   Root FWD 5      128.3  P2p   (Primary to A)
Fa0/4   Desg FWD 19     128.4  P2p   (to C)

Switch C:
Fa0/1   Altn BLK 200    128.1  P2p   (to D)
Fa0/2   Root FWD 10     128.2  P2p   (to B)

Switch D:
Fa0/1   Desg FWD 400    128.1  P2p   (to C)
Fa0/2   Root FWD 10     128.2  P2p   (to B)

There is nothing fancy about the RSTP configuration but setting port costs
to reflect the desired primary path.
Ports are all trunk ports, without "spanning-tree portfast trunk" configured.

My questions are:
- Why are the ports in Learning state for 15 secs?
- Is it possible to reduce/eliminate this 15 secs?

Any help will be much appreciated!

Thanks.
PW

From jensenja at gmail.com Sun Apr 19 02:37:38 2009
From: jensenja at gmail.com (John Jensen)
Date: Sat, 18 Apr 2009 23:37:38 -0700
Subject: [c-nsp] cisco command to show 10GE module type?
References: <68f87c470904171904w7aa4ce04x492c728bd9c8baef@mail.gmail.com>
Message-ID: <6de481d10904182337r43330883qe0ae45b5a0195c6d@mail.gmail.com>

"show int status" will give you the transceiver type; if you want more gory
details, you can use "show idprom int x/x" which will give you the serial and
more info of a particular transceiver.

-JJ

On Sat, Apr 18, 2009 at 7:21 AM, Nick Griffin wrote:
> can you use "show interface capabilities"?
>
> On Fri, Apr 17, 2009 at 11:41 PM, Engelhard Labiro wrote:
>> Use command "show int status"
>>
>> Sent from my iPhone
>>
>> On 2009/04/18, at 11:04, Neil d wrote:
>>> Hi all,
>>>
>>> Is there any command to show what kind of Xenpak 10G module in the
>>> 6704-10GE card? from cisco website, there're a bunch of them:
>>>
>>> * Cisco XENPAK-10GB-CX4
>>> * Cisco XENPAK-10GB-LX4
>>> * Cisco XENPAK-10GB-LRM
>>> * Cisco XENPAK-10GB-SR
>>> * Cisco XENPAK-10GB-LR / -LR+
>>> * Cisco XENPAK-10GB-ER / -ER+
>>> * Cisco XENPAK-10GB-ZR
>>> * Cisco XENPAK-10GB-LW (WAN PHY)
>>>
>>> question is, how do I know which type is installed in the LC? any command
>>> to check this instead of going onsite to check?
>>>
>>> TIA/Neil

From jensenja at gmail.com Sun Apr 19 03:05:30 2009
From: jensenja at gmail.com (John Jensen)
Date: Sun, 19 Apr 2009 00:05:30 -0700
Subject: [c-nsp] C6kSup720 "LAN ONLY" vs. "WAN"
In-Reply-To: <1239908737.3608.5.camel@localhost.localdomain>
References: <1239908737.3608.5.camel@localhost.localdomain>
Message-ID: <6de481d10904190005n3d8aa34aj42c9bf909bfd7920@mail.gmail.com>

I checked Cisco's feature navigator and couldn't find any differences in
supported features between the images, so maybe the differences are only in
hardware support.

-JJ

On Thu, Apr 16, 2009 at 12:05 PM, Peter Rathlev wrote:
> Hi,
>
> Could anybody explain to me where I can find some official documentation
> about the differences between a "LAN ONLY" and a WAN image for the
> Sup720? E.g. the difference between these two images:
>
> s72033-advipservicesk9-mz.122-33.SXI1.bin
> s72033-advipservicesk9_wan-mz.122-33.SXI1.bin
>
> The former is a meagre 59MB where the latter takes up 90MB. I've assumed
> that certain WAN modules like OSM cannot run in the "LAN ONLY" image,
> but I'd love to know where I could know exactly what can and cannot run
> in the "LAN ONLY" image.
>
> Thank you.
> Peter

From jensenja at gmail.com Sun Apr 19 03:12:08 2009
From: jensenja at gmail.com (John Jensen)
Date: Sun, 19 Apr 2009 00:12:08 -0700
Subject: [c-nsp] VTY Lines
References: <49E6ABD7.4030402@gmail.com>
	<876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
	<2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local>
Message-ID: <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com>

I was under the impression that the "service tcp-keepalives-in" and
"service tcp-keepalives-out" commands will prevent this from happening to
your VTYs.

-JJ

On Thu, Apr 16, 2009 at 6:08 AM, Lee wrote:
> On 4/16/09, Eric Van Tol wrote:
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
>>> Sent: Thursday, April 16, 2009 12:19 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] VTY Lines
>>>
>>> If you are running a critical network without the convenience of
>>> rebooting, Jim's "Router# cle ip tcp tcb 58F2E668" worked for me
>>>
>>> but take note some IOS use "Router#clear tcp tcb" (without the 'ip')
>>>
>>> regards,
>>> chris
>>
>> If you can't gain access to the CLI, it is possible to reset vty TCP
>> sessions using SNMP, assuming you have a read-write string configured on
>> the device. I personally don't know the procedure, but there are tools
>> out there such as the Solarwinds Engineers Edition toolset that let you
>> do this. If anyone knows the right procedure, maybe they can post it here.
>
> How to Detect and Clear Hung TCP Connections using SNMP
>
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml

From achatz at forthnet.gr Sun Apr 19 08:34:07 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sun, 19 Apr 2009 15:34:07 +0300
Subject: [c-nsp] C6kSup720 "LAN ONLY" vs. "WAN"
In-Reply-To: <6de481d10904190005n3d8aa34aj42c9bf909bfd7920@mail.gmail.com>
References: <1239908737.3608.5.camel@localhost.localdomain>
	<6de481d10904190005n3d8aa34aj42c9bf909bfd7920@mail.gmail.com>
Message-ID: <49EB1A3F.80509@forthnet.gr>

According to Software Advisor you need the wan image for OSM cards (like you
said). Interestingly enough, SIPs/SPAs do not seem to need it. Nevertheless,
it's hard to believe that OSMs are responsible for the additional 33% of
-compressed- code!

--
Tassos

John Jensen wrote on 19/04/2009 10:05:
> I checked Cisco's feature navigator and couldn't find any differences
> in supported features between the images, so maybe the differences are
> only in hardware support.
>
> -JJ
>
> On Thu, Apr 16, 2009 at 12:05 PM, Peter Rathlev wrote:
>> Hi,
>>
>> Could anybody explain to me where I can find some official documentation
>> about the differences between a "LAN ONLY" and a WAN image for the
>> Sup720? E.g. the difference between these two images:
>>
>> s72033-advipservicesk9-mz.122-33.SXI1.bin
>> s72033-advipservicesk9_wan-mz.122-33.SXI1.bin
>>
>> The former is a meagre 59MB where the latter takes up 90MB. I've assumed
>> that certain WAN modules like OSM cannot run in the "LAN ONLY" image,
>> but I'd love to know where I could know exactly what can and cannot run
>> in the "LAN ONLY" image.
>>
>> Thank you.
>> Peter

From ler762 at gmail.com Sun Apr 19 08:53:48 2009
From: ler762 at gmail.com (Lee)
Date: Sun, 19 Apr 2009 08:53:48 -0400
Subject: [c-nsp] VTY Lines
In-Reply-To: <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com>
References: <49E6ABD7.4030402@gmail.com>
	<876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
	<2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local>
	<6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com>

On 4/19/09, John Jensen wrote:
> I was under the impression that the "service tcp-keepalives-in" and
> "service tcp-keepalives-out" commands will prevent this from happening
> to your VTYs.

Not necessarily. Tcp keepalives will only kill a connection if the other
side doesn't answer. But what happens when your Ciscoworks machine has a
bad script that never exits? Every minute it ssh's in and leaves the
connection open. Router sends a keepalive, CW answers, VTY stays open.
After a while all the VTYs are in use..

What I'd like to know is what extra protection "service tcp-keepalives-in"
gives you that the exec-timeout on the VTYs doesn't.
Lee

> -JJ
>
> On Thu, Apr 16, 2009 at 6:08 AM, Lee wrote:
>> On 4/16/09, Eric Van Tol wrote:
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net
>>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
>>>> Sent: Thursday, April 16, 2009 12:19 AM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: Re: [c-nsp] VTY Lines
>>>>
>>>> If you are running a critical network without the convenience of
>>>> rebooting, Jim's "Router# cle ip tcp tcb 58F2E668" worked for me
>>>>
>>>> but take note some IOS use "Router#clear tcp tcb" (without the 'ip')
>>>>
>>>> regards,
>>>> chris
>>>
>>> If you can't gain access to the CLI, it is possible to reset vty TCP
>>> sessions using SNMP, assuming you have a read-write string configured on
>>> the device. I personally don't know the procedure, but there are tools
>>> out there such as the Solarwinds Engineers Edition toolset that let you
>>> do this. If anyone knows the right procedure, maybe they can post it here.
>>
>> How to Detect and Clear Hung TCP Connections using SNMP
>>
>> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml

From peter at rathlev.dk Sun Apr 19 09:25:51 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sun, 19 Apr 2009 15:25:51 +0200
Subject: [c-nsp] C6kSup720 "LAN ONLY" vs. "WAN"
In-Reply-To: <49EB1A3F.80509@forthnet.gr>
References: <1239908737.3608.5.camel@localhost.localdomain>
	<6de481d10904190005n3d8aa34aj42c9bf909bfd7920@mail.gmail.com>
	<49EB1A3F.80509@forthnet.gr>
Message-ID: <1240147551.3574.2.camel@localhost.localdomain>

On Sun, 2009-04-19 at 15:34 +0300, Tassos Chatzithomaoglou wrote:
> According to Software Advisor you need the wan image for OSM cards
> (like you said).
> Interestingly enough, SIPs/SPAs do not seem to need
> it. Nevertheless, it's hard to believe that OSMs are responsible for
> the additional 33% of -compressed- code!

I tried asking our SE and he replied that FlexWAN, FlexWAN Enhanced, OSM,
SIP and IPSec SPA all need the WAN images. No link for any documentation
stating this though. :-|

But do SIP cards work in "LAN ONLY" images?

Regards,
Peter

From ross at kallisti.us Sun Apr 19 10:47:40 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Sun, 19 Apr 2009 10:47:40 -0400
Subject: [c-nsp] RSTP Learning State
Message-ID: <20090419144740.GA12025@kallisti.us>

On Sun, Apr 19, 2009 at 05:39:10AM +1000, PW wrote:
> Switch A is the root, and when the primary link between AB fails, the root
> port of B goes down, transitions to ALT link almost instantaneously.
>
> However, the spanning tree recalculation that occurs in the triangle BCD
> baffles me... I see links between Switch B, C and D transition into the
> Learning state for 15 seconds!
> I thought RSTP should be sub-second failover for P2P links, so I'm not sure
> why this 15 seconds is coming up...

A useful analogy is given in 802.1D. When the root priority of a bridge
changes, a cut is placed in the network at all of the non-root ports on the
bridge that changed. Each iteration of the STP vector propagation process
pushes the cut out to the next bridge. This process repeats until it reaches
the edge ports of the extended LAN.

For each port, the bridge computes a vector that represents that port's
priority to be the root port. When you change Switch A's root port, the
priority vector for the downstream ports changes, meaning that the
downstream bridges need to engage loop prevention to ensure that any loops
in the new topology are detected before bringing the ports into the
forwarding state.

> My questions are:
> - Why are the ports in Learning state for 15 secs?
> - Is it possible to reduce/eliminate this 15 secs?
The delay is crucial for STP's ability to detect and mitigate transient
loops that may form during the computation of the new logical topology.
You could try tuning your forward delay (the unit of time STP delays before
moving forward in the port state machine), but you need to be careful. Too
short, and you'll have ports moving to forwarding before the loops are
removed.

Looking at your topology, it doesn't make much sense for Switch A to be the
root. Think about the analogy given above - you want to minimize the maximal
distance from the root bridge to the edge ports. That'll reduce your total
convergence time. Switch B is just extra distance toward the root.

To understand why STP has this behavior, imagine that Switch C had a backup
link to Switch A. In this case, Switch C needs to be careful about its root
port. Switch C and Switch B need to make sure they agree on what the port
states should be, else you'll cause a loop between A, B, and C.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher." --Woody Guthrie

From danletkeman at gmail.com Sun Apr 19 14:07:55 2009
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 19 Apr 2009 13:07:55 -0500
Subject: [c-nsp] 2821 hardware compatibility

Hello,

I'm looking at putting in some WIC-1ADSL cards into a 2821 router. I would
need to put in 6 of them, but the 2821 only has 4 onboard slots and I was
wondering if the NM-2E2W is compatible with a 2821 router so I can add the
last two?

Thanks
Dan.
From dale.shaw+cisco-nsp at gmail.com Sun Apr 19 19:53:33 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Mon, 20 Apr 2009 09:53:33 +1000
Subject: [c-nsp] VTY Lines
References: <49E6ABD7.4030402@gmail.com>
	<876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
	<2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local>
	<6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com>
Message-ID: <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com>

Hi Lee,

On Sun, Apr 19, 2009 at 10:53 PM, Lee wrote:
> What I'd like to know is what extra protection "service
> tcp-keepalives-in" gives you that the exec-timeout on the VTYs
> doesn't.

Hmm, I guess it might come in useful if you're accessing the vty line via a
firewall with particularly aggressive idle TCP session timers?

Having said that though, it's not like "service tcp-keepalives (in|out)"
can be tuned. The DocCD is quiet on how often the keepalives are sent, too.

Old thread:
http://puck.nether.net/pipermail/cisco-nsp/2004-July/011508.html
<--- is that you? :-)

cheers,
Dale

From zardoz at hotblack.net Sun Apr 19 20:56:33 2009
From: zardoz at hotblack.net (Tristan Gulyas)
Date: Mon, 20 Apr 2009 10:56:33 +1000
Subject: [c-nsp] Easy way to configure/build new switches?

Hi all,

We currently do a lot of provisioning of new Cisco 3750G switches. This
seems to be a progressive, ongoing thing.

At present, when we receive a new switch, we need to:

* Upgrade firmware (currently 12.2(50)SE crypto, switches typically ship
  with 12.2(35)SE5)
* Place our config on the switch
* Configure vlan for management, IP address for management
* Set first switch in stack to priority 15 (not in the config in a "show run")
* Configure VTP
* Change SDM template for dual IPv4/IPv6.
* Configure uplinks (and optionally downlinks)

At present, we do a lot of copying/pasting from a template page which is
prone to error. Upgrading the firmware on these switches is also tedious
and slow.
Is there a tool or method we could use to quickly provision these switches,
say, if we could automatically get the new firmware/config template from a
TFTP server?

What concerns me is the lines that aren't actually present in the config,
i.e. stack priority settings and VTP.

thanks,
Tristan

From hsa at ntt.net.id Mon Apr 20 00:11:41 2009
From: hsa at ntt.net.id (Henry Sarumpaet)
Date: Mon, 20 Apr 2009 11:11:41 +0700
Subject: [c-nsp] Feature support.
Message-ID: <49EBF5FD.9060100@ntt.net.id>

Hi all,

In case some cisco folks are hanging around, does anyone know whether cisco
will support SPA-8X1FE-TX-V2 with etherchannel? It's an expensive card
anyway :)

--
regards
hsa

From skeeve at eintellego.net Mon Apr 20 01:21:57 2009
From: skeeve at eintellego.net (Skeeve Stevens)
Date: Mon, 20 Apr 2009 15:21:57 +1000
Subject: [c-nsp] X2 to GigE
Message-ID: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad>

Hey All,

I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no
GigE.

I want to uplink this into a Cisco switch - SFP slot.

Since Cisco uses X2 as well, I am wondering if there are any X2 devices that
I can put into the HP that can cross connect into a SFP GigE slot on a
Cisco.

...Skeeve

--
Skeeve Stevens, CEO/Technical Director
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
--
NOC, NOC, who's there?

Disclaimer: Limits of Liability and Disclaimer: This message is for the
named person's use only. It may contain sensitive and private proprietary
or legally privileged information. You must not, directly or indirectly,
use, disclose, distribute, print, or copy any part of this message if you
are not the intended recipient. eintellego Pty Ltd and each legal entity in
the Tefilah Pty Ltd group of companies reserve the right to monitor all
e-mail communications through its networks.
Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised to
state them to be the views of any such entity. Any reference to costs, fee
quotations, contractual transactions and variations to contract terms is
subject to separate confirmation in writing signed by an authorised
representative of eintellego. Whilst all efforts are made to safeguard
inbound and outbound e-mails, we cannot guarantee that attachments are
virus-free or compatible with your systems and do not accept any liability
in respect of viruses or computer problems experienced.

From ltd at cisco.com Mon Apr 20 02:29:42 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 20 Apr 2009 16:29:42 +1000
Subject: [c-nsp] X2 to GigE
In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad>
Message-ID: <49EC1656.2050109@cisco.com>

Skeeve Stevens wrote:
> Hey All,
>
> I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no
> GigE.
>
> I want to uplink this into a Cisco switch - SFP slot.
>
> Since Cisco uses X2 as well, I am wondering if there are any X2 devices
> that I can put into the HP that can cross connect into a SFP GigE slot on a
> Cisco.

Steve,

you're not understanding layer 1 here.

* GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types.
* LC/SC are cable connector types for optics
* MM (FDDI grade, OM1, OM2, OM3), SM are fiber types.

SFP is generally used for gigabit (1G), X2 is generally used for 10G.

from a cabling perspective if this is all local within a single site then
generally it would be MM fiber, if it's new, suggest you go with OM3.
can't remember connector type on X2, think it's SC like a GBIC? if so, then
a LC/SC patch will connect the two.

but you'd probably need a 10G interface to connect it in, which implies
something on the Cisco end that is SFP+, X2, SFP, Xenpak. i.e. NOT SFP.
cheers,

lincoln.

From peter at rathlev.dk Mon Apr 20 02:35:18 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 20 Apr 2009 08:35:18 +0200
Subject: [c-nsp] VTY Lines
In-Reply-To: <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com>
References: <49E6ABD7.4030402@gmail.com>
	<876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com>
	<2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local>
	<6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com>
	<3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com>
Message-ID: <1240209318.3386.7.camel@localhost.localdomain>

On Mon, 2009-04-20 at 09:53 +1000, Dale Shaw wrote:
> Having said that though, it's not like "service tcp-keepalives
> (in|out)" can be tuned. The DocCD is quiet on how often the keepalives
> are sent, too.

By default TCP keep-alives should be in at least 2 hour intervals as per
RFC 1122 4.2.3.6; I think most implementations follow this. But the same
RFC says that the interval MUST be configurable. :-)

Regards,
Peter

From phil.pierotti at gmail.com Mon Apr 20 02:37:51 2009
From: phil.pierotti at gmail.com (Phil Pierotti)
Date: Mon, 20 Apr 2009 16:37:51 +1000
Subject: [c-nsp] X2 to GigE
In-Reply-To: <49EC1656.2050109@cisco.com>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad>
	<49EC1656.2050109@cisco.com>
Message-ID: <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com>

I'm guessing that Skeeve is looking for the HP equivalent of this
delightful module from Cisco:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbee3.html

Phil P

On Mon, Apr 20, 2009 at 4:29 PM, Lincoln Dale wrote:
> Skeeve Stevens wrote:
>
>> Hey All,
>>
>> I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no
>> GigE.
>>
>> I want to uplink this into a Cisco switch - SFP slot.
>>
>> Since Cisco uses X2 as well, I am wondering if there are any X2 devices
>> that I can put into the HP that can cross connect into a SFP GigE slot on a
>> Cisco.
>
> Steve,
>
> you're not understanding layer 1 here.
>
> * GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types.
> * LC/SC are cable connector types for optics
> * MM (FDDI grade, OM1, OM2, OM3), SM are fiber types.
>
> SFP is generally used for gigabit (1G), X2 is generally used for 10G.
> from a cabling perspective if this is all local within a single site then
> generally it would be MM fiber, if it's new, suggest you go with OM3.
> can't remember connector type on X2, think it's SC like a GBIC? if so, then
> a LC/SC patch will connect the two.
>
> but you'd probably need a 10G interface to connect it in, which implies
> something on the Cisco end that is SFP+, X2, SFP, Xenpak. i.e. NOT SFP.
>
> cheers,
>
> lincoln.

From ltd at cisco.com Mon Apr 20 02:58:47 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 20 Apr 2009 16:58:47 +1000
Subject: [c-nsp] X2 to GigE
In-Reply-To: <200904201452.44559.mtinka@globaltransit.net>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad>
	<49EC1656.2050109@cisco.com>
	<200904201452.44559.mtinka@globaltransit.net>
Message-ID: <49EC1D27.5000702@cisco.com>

Mark Tinka wrote:
> On Monday 20 April 2009 02:29:42 pm Lincoln Dale wrote:
>> but you'd probably need a 10G interface to connect it in,
>> which implies something on the Cisco end that is SFP+,
>> X2, SFP, Xenpak. i.e. NOT SFP.
>                       ^^^
>                       ^^^ <= guessing you meant XFP :-).

forgot the + on SFP+. :)

cheers,

lincoln.
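Going back to Tristan's provisioning thread earlier in this digest: the items that never show up in "show run" (stack priority, VTP state) can still be verified after provisioning by reading the show-command output. This is an added example, not a tool from the thread or from Cisco; the sample outputs are constructed in the usual 3750 layout, and the expected VTP mode and the dual-stack template name are assumptions.

```python
"""Post-provisioning check for the 3750 items in Tristan's list, aimed at the
ones that do not appear in "show run" (stack priority, VTP state) plus the
IOS version and SDM template.

Added example, not from the thread. The show-command outputs are constructed
samples; the parsers key on field names, not column offsets. The expected
VTP mode is an assumption (the thread only says "Configure VTP").
"""
import re
from typing import Dict, List

EXPECTED = {
    "ios_version": "12.2(50)SE",      # target image from Tristan's list
    "stack_priority": {"1": 15},      # first stack member must be priority 15
    "vtp_mode": "Transparent",        # assumption
    "sdm_template": "IPv4 and IPv6",  # substring of the dual-stack template name
}

# Constructed sample: a switch provisioned the way Tristan describes.
SAMPLE_OK: Dict[str, str] = {
    "show version": (
        "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), "
        "Version 12.2(50)SE, RELEASE SOFTWARE (fc1)\n"
    ),
    "show switch": (
        "Switch/Stack Mac Address : 0011.2233.4455\n"
        "                                           H/W   Current\n"
        "Switch#  Role   Mac Address     Priority Version  State\n"
        "----------------------------------------------------------\n"
        "*1       Master 0011.2233.4455     15     0       Ready\n"
        " 2       Member 0011.2233.6677     1      0       Ready\n"
    ),
    "show vtp status": (
        "VTP Version                     : 2\n"
        "VTP Operating Mode              : Transparent\n"
        "VTP Domain Name                 : example\n"
    ),
    "show sdm prefer": 'The current template is "desktop IPv4 and IPv6 default" template.\n',
}

# Constructed sample: a switch as it ships, before any of the steps ran.
SAMPLE_FRESH: Dict[str, str] = {
    "show version": (
        "Cisco IOS Software, C3750 Software (C3750-IPBASE-M), "
        "Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)\n"
    ),
    "show switch": (
        "Switch#  Role   Mac Address     Priority Version  State\n"
        "----------------------------------------------------------\n"
        "*1       Master 0011.2233.8899     1      0       Ready\n"
    ),
    "show vtp status": "VTP Operating Mode              : Server\n",
    "show sdm prefer": 'The current template is "desktop default" template.\n',
}


def parse_version(text: str) -> str:
    m = re.search(r"Version\s+([^,\s]+),", text)
    return m.group(1) if m else ""


def parse_stack_priorities(text: str) -> Dict[str, int]:
    """Map stack member number -> configured priority from 'show switch'."""
    prio: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*\*?(\d+)\s+(?:Master|Member)\s+[0-9a-f.]+\s+(\d+)", line)
        if m:
            prio[m.group(1)] = int(m.group(2))
    return prio


def parse_vtp_mode(text: str) -> str:
    m = re.search(r"VTP Operating Mode\s*:\s*(\w+)", text)
    return m.group(1) if m else ""


def parse_sdm_template(text: str) -> str:
    m = re.search(r'current template is "([^"]+)"', text)
    return m.group(1) if m else ""


def check(outputs: Dict[str, str], expected: Dict = EXPECTED) -> List[str]:
    """One finding per mismatch; an empty list means the switch matches."""
    findings: List[str] = []
    ver = parse_version(outputs.get("show version", ""))
    if ver != expected["ios_version"]:
        findings.append(f"IOS {ver or 'unknown'} != {expected['ios_version']}")
    prios = parse_stack_priorities(outputs.get("show switch", ""))
    for member, want in expected["stack_priority"].items():
        if prios.get(member) != want:
            findings.append(f"switch {member} priority {prios.get(member)} != {want}")
    mode = parse_vtp_mode(outputs.get("show vtp status", ""))
    if mode != expected["vtp_mode"]:
        findings.append(f"VTP mode {mode or 'unknown'} != {expected['vtp_mode']}")
    tmpl = parse_sdm_template(outputs.get("show sdm prefer", ""))
    if expected["sdm_template"] not in tmpl:
        findings.append(f"SDM template '{tmpl}' is not the dual-stack template")
    return findings


if __name__ == "__main__":
    for name, sample in (("provisioned", SAMPLE_OK), ("fresh", SAMPLE_FRESH)):
        print(name, "->", check(sample) or ["OK"])
```

Run against the real output captured over the management connection, an empty list is the pass condition; a missing command output counts as a finding rather than a pass.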
From skeeve at eintellego.net Mon Apr 20 03:11:21 2009 From: skeeve at eintellego.net (Skeeve Stevens) Date: Mon, 20 Apr 2009 17:11:21 +1000 Subject: [c-nsp] X2 to GigE In-Reply-To: <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> Message-ID: <292AF25E62B8894C921B893B53A19D97394469E0B3@BUSINESSEX.business.ad> That is EXACTLY what I am looking for! Basically.. How do I get a HP Switch with 6 * 10GbE X2 slots into a normal Cisco GigE network... ...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. 
Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. From: Phil Pierotti [mailto:phil.pierotti at gmail.com] Sent: Monday, 20 April 2009 4:38 PM To: Lincoln Dale Cc: Skeeve Stevens; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] X2 to GigE I'm guessing that Skeeve is looking for the HP equivalent of this delightful module from Cisco: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbee3.html Phil P On Mon, Apr 20, 2009 at 4:29 PM, Lincoln Dale > wrote: Skeeve Stevens wrote: Hey All, I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no GigE. I want to uplink this into a Cisco switch - SFP slot. Since Cisco uses X2 as well, I am wondering if there is any X2 devices that I can put into the HP that can cross connect into a SFP GigE slot on a Cisco. Steve, you'd not understanding layer 1 here. * GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types. * LC/SC are cable connector types for optics * MM (FDDI grade, OM1, OM2, OM3), SM are fiber types. SFP is generally used for gigabit (1G), X2 is generally used for 10G. from a cabling perspective if this is all local within a single site then generally it would be MM fiber, if its new, suggest you go with OM3. can't remember connector type on X2, think its SC like a GBIC? if so, then a LC/SC patch will connect the two. but you'd probably need a 10G interface to connect it in, which implies something on the Cisco end that is SFP+, X2, SFP, Xenpak. i.e. NOT SFP. cheers, lincoln. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ltd at cisco.com Mon Apr 20 03:13:51 2009 From: ltd at cisco.com (Lincoln Dale) Date: Mon, 20 Apr 2009 17:13:51 +1000 Subject: [c-nsp] X2 to GigE In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E0B3@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B3@BUSINESSEX.business.ad> Message-ID: <49EC20AF.5000105@cisco.com> deploy a Cisco 10G switch? if you're after an access switch for the datacenter, Nexus 5010 isn't a bad place to start. under $1K/port for 20 x line rate 10G ports. cheers, lincoln. Skeeve Stevens wrote: > > That is EXACTLY what I am looking for! > > > > Basically.. How do I get a HP Switch with 6 * 10GbE X2 slots into a > normal Cisco GigE network... > > > > ...Skeeve > > > > -- > > Skeeve Stevens, CEO/Technical Director > > eintellego Pty Ltd - The Networking Specialists > > skeeve at eintellego.net / www.eintellego.net > > Phone: 1300 753 383, Fax: (+612) 8572 9954 > > Cell +61 (0)414 753 383 / skype://skeeve > > -- > > NOC, NOC, who's there? > > > > Disclaimer: Limits of Liability and Disclaimer: This message is for > the named person's use only. It may contain sensitive and private > proprietary or legally privileged information. You must not, directly > or indirectly, use, disclose, distribute, print, or copy any part of > this message if you are not the intended recipient. eintellego Pty Ltd > and each legal entity in the Tefilah Pty Ltd group of companies > reserve the right to monitor all e-mail communications through its > networks. 
Any views expressed in this message are those of the > individual sender, except where the message states otherwise and the > sender is authorised to state them to be the views of any such entity. > Any reference to costs, fee quotations, contractual transactions and > variations to contract terms is subject to separate confirmation in > writing signed by an authorised representative of eintellego. Whilst > all efforts are made to safeguard inbound and outbound e-mails, we > cannot guarantee that attachments are virus-free or compatible with > your systems and do not accept any liability in respect of viruses or > computer problems experienced. > > > > *From:* Phil Pierotti [mailto:phil.pierotti at gmail.com] > *Sent:* Monday, 20 April 2009 4:38 PM > *To:* Lincoln Dale > *Cc:* Skeeve Stevens; cisco-nsp at puck.nether.net > *Subject:* Re: [c-nsp] X2 to GigE > > > > I'm guessing that Skeeve is looking for the HP equivalent of this > delightful module from Cisco: > > > > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbee3.html > > > > Phil P > > On Mon, Apr 20, 2009 at 4:29 PM, Lincoln Dale > wrote: > > Skeeve Stevens wrote: > > Hey All, > > I am looking at using a HP 10GbE switch with X2 slots.... but only X2 > - no GigE. > > I want to uplink this into a Cisco switch - SFP slot. > > Since Cisco uses X2 as well, I am wondering if there is any X2 devices > that I can put into the HP that can cross connect into a SFP GigE slot > on a Cisco. > > > Steve, > > you'd not understanding layer 1 here. > > * GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types. > * LC/SC are cable connector types for optics > * MM (FDDI grade, OM1, OM2, OM3), SM are fiber types. > > SFP is generally used for gigabit (1G), X2 is generally used for 10G. > from a cabling perspective if this is all local within a single site > then generally it would be MM fiber, if its new, suggest you go with OM3. 
> can't remember connector type on X2, think its SC like a GBIC? if so, > then a LC/SC patch will connect the two. > > but you'd probably need a 10G interface to connect it in, which > implies something on the Cisco end that is SFP+, X2, SFP, Xenpak. > i.e. NOT SFP. > > > cheers, > > lincoln. > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From skeeve at eintellego.net Mon Apr 20 03:15:13 2009 From: skeeve at eintellego.net (Skeeve Stevens) Date: Mon, 20 Apr 2009 17:15:13 +1000 Subject: [c-nsp] X2 to GigE In-Reply-To: <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> Message-ID: <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> Actually, what are the chance of these working in a HP? Btw... the switch I am looking at is the HP ProCurve Switch 6410cl I know this is a Cisco list, but I am wanting to put this into a Cisco network and need to uplink it into 3560G's -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. 
Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. From: Phil Pierotti [mailto:phil.pierotti at gmail.com] Sent: Monday, 20 April 2009 4:38 PM To: Lincoln Dale Cc: Skeeve Stevens; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] X2 to GigE I'm guessing that Skeeve is looking for the HP equivalent of this delightful module from Cisco: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbee3.html Phil P On Mon, Apr 20, 2009 at 4:29 PM, Lincoln Dale > wrote: Skeeve Stevens wrote: Hey All, I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no GigE. I want to uplink this into a Cisco switch - SFP slot. Since Cisco uses X2 as well, I am wondering if there is any X2 devices that I can put into the HP that can cross connect into a SFP GigE slot on a Cisco. Steve, you'd not understanding layer 1 here. * GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types. * LC/SC are cable connector types for optics * MM (FDDI grade, OM1, OM2, OM3), SM are fiber types. SFP is generally used for gigabit (1G), X2 is generally used for 10G. from a cabling perspective if this is all local within a single site then generally it would be MM fiber, if its new, suggest you go with OM3. can't remember connector type on X2, think its SC like a GBIC? if so, then a LC/SC patch will connect the two. 
but you'd probably need a 10G interface to connect it in, which implies something on the Cisco end that is SFP+, X2, SFP, Xenpak. i.e. NOT SFP. cheers, lincoln. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From skeeve at eintellego.net Mon Apr 20 03:22:03 2009 From: skeeve at eintellego.net (Skeeve Stevens) Date: Mon, 20 Apr 2009 17:22:03 +1000 Subject: [c-nsp] X2 to GigE In-Reply-To: <49EC20AF.5000105@cisco.com> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B3@BUSINESSEX.business.ad> <49EC20AF.5000105@cisco.com> Message-ID: <292AF25E62B8894C921B893B53A19D97394469E0B8@BUSINESSEX.business.ad> Yeah nice switch... would love it, but way way too over budget for this project.... and only need 4-5 ports... So 9k vs 20k -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. 
Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. From: Lincoln Dale [mailto:ltd at cisco.com] Sent: Monday, 20 April 2009 5:14 PM To: Skeeve Stevens Cc: Phil Pierotti; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] X2 to GigE deploy a Cisco 10G switch? if you're after an access switch for the datacenter, Nexus 5010 isn't a bad place to start. under $1K/port for 20 x line rate 10G ports. cheers, lincoln. Skeeve Stevens wrote: That is EXACTLY what I am looking for! Basically.. How do I get a HP Switch with 6 * 10GbE X2 slots into a normal Cisco GigE network... ...Skeeve -- Skeeve Stevens, CEO/Technical Director eintellego Pty Ltd - The Networking Specialists skeeve at eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? Disclaimer: Limits of Liability and Disclaimer: This message is for the named person's use only. It may contain sensitive and private proprietary or legally privileged information. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. eintellego Pty Ltd and each legal entity in the Tefilah Pty Ltd group of companies reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity. 
Any reference to costs, fee quotations, contractual transactions and variations to contract terms is subject to separate confirmation in writing signed by an authorised representative of eintellego. Whilst all efforts are made to safeguard inbound and outbound e-mails, we cannot guarantee that attachments are virus-free or compatible with your systems and do not accept any liability in respect of viruses or computer problems experienced. From: Phil Pierotti [mailto:phil.pierotti at gmail.com] Sent: Monday, 20 April 2009 4:38 PM To: Lincoln Dale Cc: Skeeve Stevens; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] X2 to GigE I'm guessing that Skeeve is looking for the HP equivalent of this delightful module from Cisco: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7077/product_data_sheet0900aecd805bbee3.html Phil P On Mon, Apr 20, 2009 at 4:29 PM, Lincoln Dale > wrote: Skeeve Stevens wrote: Hey All, I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no GigE. I want to uplink this into a Cisco switch - SFP slot. Since Cisco uses X2 as well, I am wondering if there is any X2 devices that I can put into the HP that can cross connect into a SFP GigE slot on a Cisco. Steve, you'd not understanding layer 1 here. * GBIC, X2, SFP, Xenpak, SFP+, XFP are transceiver types. * LC/SC are cable connector types for optics * MM (FDDI grade, OM1, OM2, OM3), SM are fiber types. SFP is generally used for gigabit (1G), X2 is generally used for 10G. from a cabling perspective if this is all local within a single site then generally it would be MM fiber, if its new, suggest you go with OM3. can't remember connector type on X2, think its SC like a GBIC? if so, then a LC/SC patch will connect the two. but you'd probably need a 10G interface to connect it in, which implies something on the Cisco end that is SFP+, X2, SFP, Xenpak. i.e. NOT SFP. cheers, lincoln. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From sethm at rollernet.us Mon Apr 20 03:30:28 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 20 Apr 2009 00:30:28 -0700 Subject: [c-nsp] X2 to GigE In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> Message-ID: <49EC2494.3090909@rollernet.us> Skeeve Stevens wrote: > Actually, what are the chance of these working in a HP? > None. It looks like a converter, but it's not, it's a convenience to access wiring on the backplane Cisco added to let you use this module until you're ready for 10 gig. ~Seth From mtinka at globaltransit.net Mon Apr 20 02:52:43 2009 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 20 Apr 2009 14:52:43 +0800 Subject: [c-nsp] X2 to GigE In-Reply-To: <49EC1656.2050109@cisco.com> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> Message-ID: <200904201452.44559.mtinka@globaltransit.net> On Monday 20 April 2009 02:29:42 pm Lincoln Dale wrote: > but you'd probably need a 10G interface to connect it in, > which implies something on the Cisco end that is SFP+, > X2, SFP, Xenpak. i.e. NOT SFP. ^^^ ^^^ <= guessing you meant XFP :-). Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
From zivl at gilat.net Mon Apr 20 03:35:38 2009 From: zivl at gilat.net (Ziv Leyes) Date: Mon, 20 Apr 2009 10:35:38 +0300 Subject: [c-nsp] Easy way to configure/build new switches? In-Reply-To: References: Message-ID:

It's all possible to do with TFTP, you could load the firmware and startup-config to a TFTP server, then from the new switch pull them both, but it will still have to be quite "interactive" with someone that knows how to do it.

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tristan Gulyas Sent: Monday, April 20, 2009 3:57 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Easy way to configure/build new switches?

Hi all,

We currently do a lot of provisioning of new Cisco 3750G switches. This seems to be a progressive, ongoing thing.

At present, when we receive a new switch, we need to:

* Upgrade firmware (currently 12.2(50)SE crypto, switches typically ship with 12.2(35)SE5)
* Place our config on the switch
* Configure vlan for management, IP address for management
* Set first switch in stack to priority 15 (not in the config in a "show run")
* Configure VTP
* Change SDM template for dual IPv4/IPv6.
* Configure uplinks (and optionally downlinks)

At present, we do a lot of copying/pasting from a template page which is prone to error. Upgrading the firmware on these switches is also tedious and slow.

Is there a tool or method we could use to quick provision these switches, say, if we could automatically get the new firmware/config template from a TFTP server? What concerns me is the lines that aren't actually present in the config, i.e. stack priority settings and VTP.
thanks,
Tristan

_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************

From zivl at gilat.net Mon Apr 20 03:40:28 2009 From: zivl at gilat.net (Ziv Leyes) Date: Mon, 20 Apr 2009 10:40:28 +0300 Subject: [c-nsp] Classify geographical traffic with BGP In-Reply-To: References: Message-ID:

One possible option is to peer with your country's internet exchange point where all other "local" internet providers might be peering to as well, this way, the "local" traffic would be always preferred via the IX peer, and all the rest is apparently "international" therefore going out to your international ISP

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Burak Dikici Sent: Wednesday, April 15, 2009 2:46 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Classify geographical traffic with BGP

Hello,

I have got one internet router running BGP, and this router has got connections with two different ISPs. One of the ISPs is local for my country and the other ISP's location is outside of my country. I want to classify geographical traffic with BGP.
For example, local traffic to my country will go through ISP-1 (local ISP), outside traffic to my country will go through ISP-2 (outside of my country ISP).

What do I have to do to achieve that kind of configuration? If I have to use an AS path filter, how can I find the local ISP AS path numbers and how can I configure an AS path filter for this request? Is it enough to use the as-path filter just for the national ISP, or should I use it for the international ISP also?

If I use an AS-path filter for both ISP connections, what will happen to redundancy? I mean, for example I filter national AS numbers at the international ISP connection and deny them. Secondly, I filter national AS numbers at the national ISP connection, permit them, and the other AS numbers will be denied. In this situation, what will happen if the local ISP connection goes down? Because of filtering of the national AS numbers at the international ISP connection, the BGP table doesn't take any updates from the local AS numbers.

I hope I could explain the situation correctly.

Kind Regards...

Burak Dikici

_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From jcovini at free.fr Mon Apr 20 03:50:33 2009 From: jcovini at free.fr (jcovini at free.fr) Date: Mon, 20 Apr 2009 09:50:33 +0200 Subject: [c-nsp] X2 to GigE In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> Message-ID: <1240213833.49ec294941657@imp.free.fr>

According to Skeeve Stevens:
> Hey All,
>
> I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no
> GigE.

Why not use a Procurve 5406 with some J8707A modules (x4 port 10G slots) and J8436A transceivers (10-GbE X2-SC SR Optics), which runs fine with 50u MMF?

Jerome Covini

From gert at greenie.muc.de Mon Apr 20 08:19:50 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 20 Apr 2009 14:19:50 +0200 Subject: [c-nsp] X2 to GigE In-Reply-To: <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> Message-ID: <20090420121950.GK290@greenie.muc.de>

Hi,

On Mon, Apr 20, 2009 at 05:15:13PM +1000, Skeeve Stevens wrote:
> Actually, what are the chance of these working in a HP?

Zero. Cisco twingig is using extra connections in the X2 slot for the gigE connections.

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From clinton at scripty.com Mon Apr 20 09:42:58 2009 From: clinton at scripty.com (Clinton Work) Date: Mon, 20 Apr 2009 07:42:58 -0600 Subject: [c-nsp] VTY Lines In-Reply-To: <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> Message-ID: <49EC7BE2.60100@scripty.com>

Sounds like a bug similar to CSCee62455. From experience with the bug, once all the VTY lines are locked up, the console port would not respond either. The only way to clear the VTY lines was with SNMP, but it would cause crashes from time to time. "service tcp-keepalives in/out" didn't help either.

Clinton.

Dale Shaw wrote:
> Hmm, I guess it might come in useful if you're accessing the vty line
> via a firewall with particularly aggressive idle TCP session timers?
>
> Having said that though, it's not like "service tcp-keepalives
> (in|out)" can be tuned. The DocCD is quiet on how often the keepalives
> are sent, too.
>
>

From servet.erkun at doruk.net.tr Mon Apr 20 09:55:30 2009 From: servet.erkun at doruk.net.tr (Servet Erkün) Date: Mon, 20 Apr 2009 16:55:30 +0300 Subject: [c-nsp] Cisco 2960 series switch MLS Qos Support Message-ID: <005901c9c1bf$aac19f20$06050505@HSS.local>

hi guys

Do you have any idea? Does the Cisco 2960 series switch support MLS QoS on its interfaces? It uses the c2960-lanbase-mz.122-35.SE5 IOS; you can see my policy configuration below.
mls qos aggregate-policer 2M 2000000 50000 exceed-action drop
class-map match-all 2M
 match access-group 100
policy-map 512K
 class 2M
  police aggregate 2M
access-list 100 permit ip any any
interface GigabitEthernet0/8
 switchport access vlan 848
 service-policy input 2M

I check the policy-map with the "show policy-map interface" command, but I cannot see any matches for this policy:

#sh policy-map interface gi 0/8
 GigabitEthernet0/8
  Service-policy input: 2M
    Class-map: 2M (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

From pshuleski at gmail.com Mon Apr 20 10:00:54 2009 From: pshuleski at gmail.com (Pete S.) Date: Mon, 20 Apr 2009 10:00:54 -0400 Subject: [c-nsp] Easy way to configure/build new switches? In-Reply-To: References: Message-ID: <50f158990904200700o1f1729ecnec698c6b3e257802@mail.gmail.com>

It would be fairly trivial to write a php/perl script to build a config, based on your template and questions about settings. Even make it into a skeleton webpage if you don't like the CLI. Then store the output into a tftp dir.

Go into the switch, give it an IP.

copy tftp://x.x.x.x/filename.txt startup-config
reload

--Pete

On Sun, Apr 19, 2009 at 8:56 PM, Tristan Gulyas wrote:
> Hi all,
>
> We currently do a lot of provisioning of new Cisco 3750G switches. This
> seems to be a progressive, ongoing thing.
>
> At present, when we receive a new switch, we need to:
>
> * Upgrade firmware (currently 12.2(50)SE crypto, switches typically ship
> with 12.2(35)SE5)
> * Place our config on the switch
> * Configure vlan for management, IP address for management
> * Set first switch in stack to priority 15 (not in the config in a "show
> run")
> * Configure VTP
> * Change SDM template for dual IPv4/IPv6.
> * Configure uplinks (and optionally downlinks)
>
> At present, we do a lot of copying/pasting from a template page which is
> prone to error. Upgrading the firmware on these switches is also tedious
> and slow.
>
> Is there a tool or method we could use to quick provision these switches,
> say, if we could automatically get the new firmware/config template from a
> TFTP server? What concerns me is the lines that aren't actually present in
> the config, i.e. stack priority settings and VTP.
>
> thanks,
> Tristan
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lowen at pari.edu Mon Apr 20 11:53:25 2009 From: lowen at pari.edu (Lamar Owen) Date: Mon, 20 Apr 2009 11:53:25 -0400 Subject: [c-nsp] C6kSup720 "LAN ONLY" vs. "WAN" In-Reply-To: <49EB1A3F.80509@forthnet.gr> References: <1239908737.3608.5.camel@localhost.localdomain> Message-ID: <200904201153.25986.lowen@pari.edu>

On Sunday 19 April 2009 08:34:07 Tassos Chatzithomaoglou wrote:
> According to Software Advisor you need the wan image for OSM cards (like
> you said). Interestingly enough, SIPs/SPAs do not seem to need it.
> Nevertheless, it's hard to believe that OSMs are responsible for the
> additional 33% of -compressed- code!

OSM's have a whole processor on board that needs IOS software loaded; PXF stuff, etc. Some of this is in the bootflash for the OSM, but some (or even most) is loaded from the IOS image. I'm assuming FlexWAN is similar, but I don't have a FlexWAN to try with. Also, there are protocols that are only used for WAN, things like APS and such. And you can't trust Feature Navigator to tell you; try comparing the images for 12.2(18)SXF16 on a 7600 Sup2MSFC2 versus the same IOS on a Catalyst 6500 Sup2MSFC2 (same sup/msfc, should have same features, no?) to see what I mean.
Here's a 'show ver' and some other informative commands run from an OSM console showing the special IOS running on the OSM's processor, the location of the PXF microcode, and the differences in the system: filesystem seen from the RP and the CWAN proc: dc-7609-1# attach 3 Entering CONSOLE for slot 3 Type "^C^C^C" to end this session CWTLC-Slot3>enable CWTLC-Slot3#sh ver Cisco Internetwork Operating System Software IOS (tm) cwtlc Software (cwtlc-DW-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2009 by cisco Systems, Inc. Compiled Tue 03-Mar-09 14:24 by kellythw Image text-base: 0x60011038, data-base: 0x60700000 ROM: System Bootstrap, Version 12.1(5r)E, ENGG RELEASE (fc1) ROM: cwtlc Software (cwtlc-DW-M), Version 12.2(18)SXF16, RELEASE SOFTWARE (fc2) CWTLC-Slot3 uptime is 3 weeks, 1 day, 22 hours, 16 minutes System returned to ROM by power-on System restarted at 17:24:16 UTC Sat Mar 28 2009 Running default software cisco CWAN Toaster Linecard (R7000) processor (revision 0xFF) with 245760K/16384K bytes of memory. Processor board ID , TMC Ucode version: 0.0 R7000 CPU at 262Mhz, Implementation 0x27, Rev 3.3, 256KB L2 Cache Last reset from power-on PXF processor tmc0 is running. 1 FastEthernet/IEEE 802.3 interface 4 Packet over SONET network interfaces Configuration register is 0x101 CWTLC-Slot3#sh microcode Microcode images for downloadable hardware HW Type Microcode image names ------------------------------------------ pxf default system:pxf/ucode0 CWTLC-Slot3#dir system: Directory of system:/ 2 dr-x 0 memory 12 dr-x 0 pxf 1 -rw- 695 running-config No space information available CWTLC-Slot3# CWTLC-Slot3# CWTLC-Slot3# Terminate IPC console session? [confirm] dc-7609-1#sh microcode ^ % Invalid input detected at '^' marker. 
dc-7609-1#dir system:
Directory of system:/

    2  dr-x           0                    memory
    1  -rw-       10176                    running-config
   12  dr-x           0                    vfiles

No space information available
dc-7609-1#

From bfarouk52 at yahoo.com Mon Apr 20 11:30:28 2009
From: bfarouk52 at yahoo.com (Belal Farouk)
Date: Mon, 20 Apr 2009 08:30:28 -0700 (PDT)
Subject: [c-nsp] c7201 error SFP is missing [0]
Message-ID: <179270.35479.qm@web32403.mail.mud.yahoo.com>

I tried to install 12.4(X)T on this chassis to support PA-MC-2T3-EC. "Show fac status" gives me the following:

Router#sh facility-alarm sta
System Totals  Critical: 1  Major: 0  Minor: 0

Source          Severity  Description [Index]
------          --------  -------------------
SFP Slot 0/3    CRITICAL  SFP is missing [0]

Cisco version SFP is in and interface is UP and UP.

Router#sh int g0/3
GigabitEthernet0/3 is up, line protocol is up
  Hardware is i82546, address is 0024.97a6.ee17 (bia 0024.97a6.ee17)
  Internet address is 11.0.2.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is autonegotiation, media type is LX
  output flow-control is XON, input flow-control is XON

Research on bugs didn't find any. There is one reported as chipset i82546 on g0/3 missing many IOS commands to retrieve information, CSCsq58662. The other ports are regular NPE-G2 chipset. Has anyone come across this problem, and what was the resolution from Cisco?
Thanks,

From ler762 at gmail.com Mon Apr 20 13:07:27 2009
From: ler762 at gmail.com (Lee)
Date: Mon, 20 Apr 2009 13:07:27 -0400
Subject: [c-nsp] VTY Lines
In-Reply-To: <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com>
References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com>
Message-ID:

Hi Dale,

On 4/19/09, Dale Shaw wrote:
> Hi Lee,
>
> On Sun, Apr 19, 2009 at 10:53 PM, Lee wrote:
>> What I'd like to know is what extra protection "service
>> tcp-keepalives-in" gives you that the exec-timeout on the VTYs
>> doesn't.
>
> Hmm, I guess it might come in useful if you're accessing the vty line
> via a firewall with particularly aggressive idle TCP session timers?

It probably would.. I went at it from the other direction tho; set the keepalive time on my ssh client to 10 minutes.

> Having said that though, it's not like "service tcp-keepalives
> (in|out)" can be tuned. The DocCD is quiet on how often the keepalives
> are sent, too.

I don't remember seeing anything on how often keepalives are sent either - just that sessions were killed after 5 minutes with no answer.

> Old thread:
> http://puck.nether.net/pipermail/cisco-nsp/2004-July/011508.html
> <--- is that you? :-)

Yup, that's me :) Discretion being the better part of valor, etc., etc., I use a non-work email address now.
Regards,
Lee

From ras at e-gerbil.net Mon Apr 20 13:20:22 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Mon, 20 Apr 2009 12:20:22 -0500
Subject: [c-nsp] X2 to GigE
In-Reply-To: <49EC2494.3090909@rollernet.us>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> <49EC2494.3090909@rollernet.us>
Message-ID: <20090420172022.GQ51443@gerbil.cluepon.net>

On Mon, Apr 20, 2009 at 12:30:28AM -0700, Seth Mattinen wrote:
> None. It looks like a converter, but it's not, it's a convenience to
> access wiring on the backplane Cisco added to let you use this module
> until you're ready for 10 gig.

Speaking of converters, has anyone seen the upcoming Cisco X2 to SFP+ converter module? Now if only they made something useful like a XENPAK to XFP converter instead. :)

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From ler762 at gmail.com Mon Apr 20 13:26:12 2009
From: ler762 at gmail.com (Lee)
Date: Mon, 20 Apr 2009 13:26:12 -0400
Subject: [c-nsp] VTY Lines
In-Reply-To: <49EC7BE2.60100@scripty.com>
References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> <49EC7BE2.60100@scripty.com>
Message-ID:

On 4/20/09, Clinton Work wrote:
>
> Sounds like a bug similar to CSCee62455. From experience with the bug,
> once all the VTY lines are locked up, the console port would not respond
> either. The only way to clear the VTY lines was with SNMP, but it would
> cause crashes from time to time. "service tcp-keepalives in/out"
> didn't help either.
Another one of my "could someone please explain why" things is how come "service tcp-keepalives in/out" is considered a "best practice" and having a much more restrictive ACL on vty 4 isn't? We've got something like this on all routers:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip host 10.1.1.10 any
line vty 0 3
 access-class 100 in
line vty 4
 access-class 104 in

Which means every single router fails when you put the config through RAT :(

Lee

>
> Clinton.
>
> Dale Shaw wrote:
>> Hmm, I guess it might come in useful if you're accessing the vty line
>> via a firewall with particularly aggressive idle TCP session timers?
>>
>> Having said that though, it's not like "service tcp-keepalives
>> (in|out)" can be tuned. The DocCD is quiet on how often the keepalives
>> are sent, too.
>>
>>
>

From RYAN.BRAULT at illinois.gov Mon Apr 20 15:02:10 2009
From: RYAN.BRAULT at illinois.gov (Brault, Ryan)
Date: Mon, 20 Apr 2009 14:02:10 -0500
Subject: [c-nsp] Cisco 2960 series switch MLS Qos Support
In-Reply-To: <005901c9c1bf$aac19f20$06050505@HSS.local>
References: <005901c9c1bf$aac19f20$06050505@HSS.local>
Message-ID:

Can't speak to a 2960 specifically, but a 3560 will not show any hits on a "show policy-map interface". I believe that's the case with this whole family of switches. I *think* the best you can do is a "show mls qos interface statistics".

Ryan Brault

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Servet Erk?n
Sent: Monday, April 20, 2009 8:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 2960 series switch MLS Qos Support

hi guys

Do you have any idea? Does the cisco 2960 series switch support MLS QoS on its interfaces?
It uses c2960-lanbase-mz.122-35.SE5 IOS; you can see my policy configuration below.

mls qos aggregate-policer 2M 2000000 50000 exceed-action drop
class-map match-all 2M
 match access-group 100
policy-map 512K
 class 2M
  police aggregate 2M
access-list 100 permit ip any any
interface GigabitEthernet0/8
 switchport access vlan 848
 service-policy input 2M

I check the policy-map with the "show policy-map interface" command, but I cannot see any matches for this policy:

#sh policy-map interface gi 0/8
 GigabitEthernet0/8

  Service-policy input: 2M

    Class-map: 2M (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 100

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

From SMESIATO at petro-canada.ca Mon Apr 20 15:58:56 2009
From: SMESIATO at petro-canada.ca (Mesiatowsky, Shawn)
Date: Mon, 20 Apr 2009 15:58:56 -0400
Subject: [c-nsp] Easy way to configure/build new switches?
In-Reply-To:
References:
Message-ID: <259E69AA141E7640822757CAB3EBC70F18C1C1FD8C@MSG-M1P1.pcacorp.net>

We use HP Datacenter Automation Center, formerly Opsware. It is great for provisioning equipment, standardizing your IOS, policy compliance, and auditing. I highly recommend this tool:

https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-271-273_4000_100__

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tristan Gulyas
Sent: Sunday, April 19, 2009 6:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Easy way to configure/build new switches?

Hi all,

We currently do a lot of provisioning of new Cisco 3750G switches. This seems to be a progressive, ongoing thing.
At present, when we receive a new switch, we need to:

* Upgrade firmware (currently 12.2(50)SE crypto, switches typically ship with 12.2(35)SE5)
* Place our config on the switch
* Configure vlan for management, IP address for management
* Set first switch in stack to priority 15 (not in the config in a "show run")
* Configure VTP
* Change SDM template for dual IPv4/IPv6.
* Configure uplinks (and optionally downlinks)

At present, we do a lot of copying/pasting from a template page which is prone to error. Upgrading the firmware on these switches is also tedious and slow.

Is there a tool or method we could use to quick provision these switches, say, if we could automatically get the new firmware/config template from a TFTP server? What concerns me is the lines that aren't actually present in the config, i.e. stack priority settings and VTP.

thanks,
Tristan

This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.

From andy.saykao at staff.netspace.net.au Mon Apr 20 18:22:06 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 21 Apr 2009 08:22:06 +1000
Subject: [c-nsp] QoS Lab Recommendations
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I'm looking for some QoS hands-on labs to try out - does anybody have any recommendations or reference material I can use? I've got all the hardware to pretty much set up any lab I want.

Is there a way or some program I can use to create (simulate) congestion on a link in a lab set up?

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From charles at thewybles.com Mon Apr 20 18:38:03 2009
From: charles at thewybles.com (Charles Wyble)
Date: Mon, 20 Apr 2009 15:38:03 -0700
Subject: [c-nsp] QoS Lab Recommendations
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <49ECF94B.4080602@thewybles.com>

Well perhaps start with the GNS3 labs to get an idea of various topologies?

Andy Saykao wrote:
> Hi All,
>
> I'm looking for some QoS hands on labs to try out - does any body have
> any recommendations or reference material I can use? I've got all the
> hardware to pretty much set up any lab I want.
>
> Is there a way or some program I can use to create (simulate) congestion
> on a link in a lab set up?
>
> Thanks.
>
> Andy
From mtinka at globaltransit.net Mon Apr 20 22:19:04 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 21 Apr 2009 10:19:04 +0800
Subject: [c-nsp] c7201 error SFP is missing [0]
In-Reply-To: <179270.35479.qm@web32403.mail.mud.yahoo.com>
References: <179270.35479.qm@web32403.mail.mud.yahoo.com>
Message-ID: <200904211019.06282.mtinka@globaltransit.net>

On Monday 20 April 2009 11:30:28 pm Belal Farouk wrote:

> Source          Severity  Description [Index]
> ------          --------  -------------------
> SFP Slot 0/3    CRITICAL  SFP is missing [0]

We've seen this in our logs, both on the NPE-G2 and 7201 - code is 12.2(33)SRC3 or earlier.

It hasn't caused any real problems, so we haven't really followed up on it with TAC. Maybe we should :-).

Cheers,

Mark.

From Steven.Glogger at swisscom.com Tue Apr 21 02:21:57 2009
From: Steven.Glogger at swisscom.com (Steven.Glogger at swisscom.com)
Date: Tue, 21 Apr 2009 08:21:57 +0200
Subject: [c-nsp] QoS Lab Recommendations
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <1FC8A0BAFBBD9749BB1F06010D23C8A58711BD3A@sg000035.corproot.net>

You should try to get the CCIE labs / workbooks from Internetwork Expert - especially Volume II version 5.0 beta has really good QoS stuff in there.
-steven

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Tuesday, April 21, 2009 12:22 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] QoS Lab Recommendations

Hi All,

I'm looking for some QoS hands on labs to try out - does any body have any recommendations or reference material I can use? I've got all the hardware to pretty much set up any lab I want.

Is there a way or some program I can use to create (simulate) congestion on a link in a lab set up?

Thanks.

Andy

From rinse.kloek at isp.solcon.nl Tue Apr 21 03:02:37 2009
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Tue, 21 Apr 2009 09:02:37 +0200
Subject: [c-nsp] QoS Lab Recommendations
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654D25@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <49ED6F8D.8030308@isp.solcon.nl>

For congestion tests, Spirent SmartBits hardware in combination with SmartFlow is your best friend.
Andy Saykao wrote:
> Hi All,
>
> I'm looking for some QoS hands on labs to try out - does any body have
> any recommendations or reference material I can use? I've got all the
> hardware to pretty much set up any lab I want.
>
> Is there a way or some program I can use to create (simulate) congestion
> on a link in a lab set up?
>
> Thanks.
>
> Andy
>

From md at bts.sk Tue Apr 21 03:16:17 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Tue, 21 Apr 2009 09:16:17 +0200
Subject: [c-nsp] X2 to GigE
In-Reply-To: <20090420172022.GQ51443@gerbil.cluepon.net>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> <49EC2494.3090909@rollernet.us> <20090420172022.GQ51443@gerbil.cluepon.net>
Message-ID: <20090421070341.M23196@bts.sk>

On Mon, 20 Apr 2009 12:20:22 -0500, Richard A Steenbergen wrote
> On Mon, Apr 20, 2009 at 12:30:28AM -0700, Seth Mattinen wrote:
> > None.
> > It looks like a converter, but it's not, it's a convenience to
> > access wiring on the backplane Cisco added to let you use this module
> > until you're ready for 10 gig.
>
> Speaking of converters, has anyone seen the upcoming Cisco X2 to SFP+
> converter module? Now if only they made something useful like a XENPAK
> to XFP converter instead. :)

There's a patent covering exactly this:

http://www.patentgenius.com/patent/7488121.html

It envisages any XAUI into any XFI module conversion options, which will be really great.

M.

From A.L.M.Buxey at lboro.ac.uk Tue Apr 21 04:00:23 2009
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 21 Apr 2009 09:00:23 +0100
Subject: [c-nsp] X2 to GigE
In-Reply-To: <20090421070341.M23196@bts.sk>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <49EC1656.2050109@cisco.com> <5574b2240904192337r6e8a94a9i437dda00bd8906c6@mail.gmail.com> <292AF25E62B8894C921B893B53A19D97394469E0B5@BUSINESSEX.business.ad> <49EC2494.3090909@rollernet.us> <20090420172022.GQ51443@gerbil.cluepon.net> <20090421070341.M23196@bts.sk>
Message-ID: <20090421080023.GD7227@lboro.ac.uk>

Hi,

> There's a patent covering exactly this:
>
> http://www.patentgenius.com/patent/7488121.html
>
> It envisages any XAUI into any XFI module conversion options, which will be
> really great.

Why is there a patent granted for this? It's obvious. Now what'll happen is no one will make such adapters because they'd have to pay a patent fee/royalty. We desperately need to return to open specification and patent-free connectivity.
alan

From jcovini at free.fr Tue Apr 21 04:21:57 2009
From: jcovini at free.fr (jcovini at free.fr)
Date: Tue, 21 Apr 2009 10:21:57 +0200
Subject: [c-nsp] X2 to GigE
In-Reply-To: <1240213833.49ec294941657@imp.free.fr>
References: <292AF25E62B8894C921B893B53A19D97394469E0AE@BUSINESSEX.business.ad> <1240213833.49ec294941657@imp.free.fr>
Message-ID: <1240302117.49ed822590737@imp.free.fr>

> Skeeve Stevens wrote:
>
> > Hey All,
> >
> > I am looking at using a HP 10GbE switch with X2 slots.... but only X2 - no
> > GigE.
>
> Why not use a ProCurve 5406 with some J8707A modules (4-port 10G slots) and
> J8436A transceivers (10-GbE X2-SC SR Optics), which run fine with 50u MMF?
>
> Jerome Covini

I did not notice at first that you wanted to uplink the ProCurve to a Cisco _GigE_. So better disregard my answer.

From cordmacleod at gmail.com Tue Apr 21 17:43:00 2009
From: cordmacleod at gmail.com (Cord MacLeod)
Date: Tue, 21 Apr 2009 14:43:00 -0700
Subject: [c-nsp] routing multicast between vlans on a 3560
Message-ID: <560972D1-79EB-4912-ADDB-BDF18205898B@gmail.com>

I'm curious as to the effects of multicast routing between vlans on a 3560. Are there any major performance hits? The devices are at around 10% CPU right now, so I'm not particularly worried.

Also, I've seen some examples of how to do this from Cisco's website, http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a0080094821.shtml . I've not worked much with multicast in the past, so this is somewhat new territory for me. Anything else I'm not thinking of that I should be aware of?

From listacct at genhex.net Tue Apr 21 21:04:49 2009
From: listacct at genhex.net (Jeff Crowe)
Date: Tue, 21 Apr 2009 21:04:49 -0400
Subject: [c-nsp] VLAN bridging on 3560
Message-ID: <000001c9c2e6$56376f70$02a64e50$@net>

Hi all,

I don't know if this is even possible but I'll try and make it work nonetheless!
I am trying to bridge 4 vlans (reduced to 2 vlans for now to get working) together on a 3560 to allow a pseudo-transparent transport for a customer. The VLANs are delivered to me from a third party provider as dot1q vlans and all arrive on the same trunk port on the 3560.

I have created the VLAN and SVI for each connection. In each SVI I have added bridge-group 2 to the configuration to each of the 4 SVIs I would like to see bridged. I have bridge 2 protocol vlan-bridge configured as well as bridge irb in the configuration.

The customer has a flat network of 192.168.0.x/24 configured on their equipment at each site and needs to contact a host at site A.

I am not able to get any response from each end point via the bridge, but if I place an IP on the SVI, I can pass traffic on each separate SVI. Mac addresses only appear on each vlan and not on the bridge group.

# show bridge 2 group
Bridge Group 2 is running the VLAN Bridge compatible Spanning Tree protocol
   Port 2280 (Vlan212) of bridge group 2 is forwarding
   Port 2282 (Vlan214) of bridge group 2 is forwarding

interface Vlan212
 no ip address
 bridge-group 2
end
!
interface Vlan214
 no ip address
 bridge-group 2
end

Any ideas where I should start looking for clues?

Regards,
Jeff.
From justin at justinshore.com Tue Apr 21 23:27:16 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 21 Apr 2009 22:27:16 -0500
Subject: [c-nsp] VTY Lines
In-Reply-To:
References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> <49EC7BE2.60100@scripty.com>
Message-ID: <49EE8E94.7060503@justinshore.com>

Lee wrote:
> line vty 0 3
> access-class 100 in
> line vty 4
> access-class 104 in
>
> Which means every single router fails when you put the config through RAT :(

I went round and round with a security guy who audited our gear once over that. He made a huge stink over how we didn't have passwords on our VTYs, con and aux ports. He took everything RAT had to say as gospel, as if there was no other (or better) way to address a security issue. We use AAA on all interfaces including con0. I have TACACS+ set up with local auth as the backup (and only one user account on the devices which I've gone to great lengths to protect). Aux is explicitly disabled. He just didn't get it. Sure I could add the password command to the VTY to appease him even though it wouldn't do a damn thing with AAA enabled. I didn't though and I used the password stink as part of my justification that RAT really only points out common and basic security problems and doesn't take into account any of the numerous ways of mitigating those problems with more advanced methods. In the end the audit was dropped. The actual problems in the audit were addressed. Any RAT fluff was ignored.

There were several other things like that but the line passwords were the most obvious to even a non-technical person.

While my installs may not be perfect, they are far better than average. I don't need someone second-guessing my work with a tool like RAT.
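[Editor's worked example, not part of any list member's post.] The disagreement in this thread is really about what an audit tool checks: Lee's layout puts a broad access-class on vty 0-3 and a much tighter one on vty 4 so that one line stays reachable from a single management host when the others are exhausted, and a generic rule set flags it rather than recognising the intent. The script below is an added example, written for this page and not taken from RAT, rancid or any router on the list. It parses an IOS-style config (the two sample configs are constructed here; the 10.1.1.0/24 and host 10.1.1.10 addresses and ACL numbers 100/104 mirror Lee's post, everything else is assumed) and encodes the policy the thread argues for: keepalives on, every vty with an inbound access-class, exec-timeout and ssh-only transport, and the highest-numbered vty restricted to a strict subset of what the other vtys allow.

```python
"""Audit IOS VTY hardening the way a custom, layout-aware RAT rule would.

Added example for this page; sample configs below are constructed, not
captured from a real device.
"""
import ipaddress
import re

# Constructed: Lee's two-tier layout plus the usual line hardening.
GOOD_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 104 permit ip host 10.1.1.10 any
!
line vty 0 3
 access-class 100 in
 exec-timeout 10 0
 transport input ssh
line vty 4
 access-class 104 in
 exec-timeout 10 0
 transport input ssh
"""

# Constructed: a single unrestricted vty block, the case an auditor should catch.
WEAK_CONFIG = """\
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+?) any$")


def parse_sections(text):
    """Return (top-level lines, {block header: [indented child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def wildcard_to_network(addr, wildcard):
    """Convert an IOS wildcard (inverse) mask to a network; reject non-contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # low bits are not one contiguous run of ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_acls(top):
    """Map ACL number -> list of permitted source networks (IP-to-any entries only)."""
    acls = {}
    for line in top:
        m = ACL_RE.match(line)
        if not m:
            continue
        num, action, src = m.groups()
        acls.setdefault(num, [])
        if action == "deny":
            continue
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src.startswith("host "):
            net = ipaddress.ip_network(src.split()[1] + "/32")
        else:
            net = wildcard_to_network(*src.split())
        acls[num].append(net)
    return acls


def covered_by(nets, broad):
    """True when every network in nets lies inside some network in broad."""
    return all(any(n.subnet_of(b) for b in broad) for n in nets)


def vty_last(header):
    """'line vty 0 3' -> 3, 'line vty 4' -> 4."""
    return int(header.split()[-1])


def audit(config_text):
    """Return a list of findings; an empty list means the config passes."""
    top, blocks = parse_sections(config_text)
    acls = parse_acls(top)
    findings = []
    if "service tcp-keepalives-in" not in top:
        findings.append("service tcp-keepalives-in is not configured")
    vtys = {h: c for h, c in blocks.items() if h.startswith("line vty")}
    if not vtys:
        return findings + ["no line vty blocks found"]
    access = {}
    for header, children in vtys.items():
        ac = [c for c in children if c.startswith("access-class ") and c.endswith(" in")]
        if ac:
            access[header] = ac[0].split()[1]
        else:
            findings.append(f"{header}: no inbound access-class")
        to = [c for c in children if c.startswith("exec-timeout ")]
        if not to or to[0].split()[1:3] == ["0", "0"]:
            findings.append(f"{header}: exec-timeout missing or disabled")
        ti = [c for c in children if c.startswith("transport input ")]
        if not ti or ti[0].split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input is not ssh-only")
    # The highest-numbered vty is the emergency door: its ACL must permit a
    # strict subset of what every other vty block permits.
    last = max(vtys, key=vty_last)
    others = [h for h in vtys if h != last]
    if not others:
        findings.append(f"{last}: no separately restricted last VTY")
    elif last in access and all(h in access for h in others):
        last_nets = acls.get(access[last], [])
        for h in others:
            other_nets = acls.get(access[h], [])
            if not (last_nets and covered_by(last_nets, other_nets)
                    and not covered_by(other_nets, last_nets)):
                findings.append(f"{last}: ACL {access[last]} is not strictly more "
                                f"restrictive than ACL {access[h]} on {h}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "OK")
```

The subset test is the part a stock rule cannot express: it evaluates the ACL entries rather than grepping for the presence of an access-class, so a "restricted" last vty whose ACL is accidentally wider than the others is reported instead of passing. Extending it to the switch-provisioning concern earlier on the page (settings such as stack priority that never appear in show run) would mean feeding it command output rather than config, which is outside what this example covers.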
Justin

From justin at justinshore.com Wed Apr 22 00:09:54 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 21 Apr 2009 23:09:54 -0500
Subject: [c-nsp] c7201 error SFP is missing [0]
In-Reply-To: <200904211019.06282.mtinka@globaltransit.net>
References: <179270.35479.qm@web32403.mail.mud.yahoo.com> <200904211019.06282.mtinka@globaltransit.net>
Message-ID: <49EE9892.7010309@justinshore.com>

Mark Tinka wrote:
> On Monday 20 April 2009 11:30:28 pm Belal Farouk wrote:
>
>> Source          Severity  Description [Index]
>> ------          --------  -------------------
>> SFP Slot 0/3    CRITICAL  SFP is missing [0]
>
> We've seen this in our logs, both on the NPE-G2 and 7201 -
> code is 12.2(33)SRC3 or earlier.
>
> It hasn't caused any real problems, so we haven't really
> followed up on it with TAC. Maybe we should :-).

I see the same thing on a 7201 that I have had trouble with. I'm running 12.4(24)T. Gi0/3 has a SFP-GE-S in it. The link I had trouble with was Gi0/0 though. 0/0, 0/1 and 0/3 all show the error. 0 and 1 are actually RJ45 so I suppose this could be expected, though I'd prefer that the media-type command disable the SFP check on those interfaces.

The problem I had was on gi0/3 with MTUs going out via copper onto a fiber media converter. It worked fine for several months and then one day it wigged out on me and started silently dropping jumbo frames.

I have another 7201 with single-strand optics in Gi0/0 and 0/1. 0/2 and 0/3 are SX, same as above. 0/3 shows the error. Gi0/3 on the 7201 is the product of taking one of the unused PCI buses that would be servicing PA slots in a VXR chassis and turning it into a GigE interface.
Justin

From peter at rathlev.dk Wed Apr 22 01:06:24 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 22 Apr 2009 07:06:24 +0200
Subject: [c-nsp] VLAN bridging on 3560
In-Reply-To: <000001c9c2e6$56376f70$02a64e50$@net>
References: <000001c9c2e6$56376f70$02a64e50$@net>
Message-ID: <1240376784.3427.6.camel@localhost.localdomain>

On Tue, 2009-04-21 at 21:04 -0400, Jeff Crowe wrote:
> I don't know if this is even possible but I'll try and make it work
> none the less!
>
> I am trying to bridge 4 vlans (reduced to 2 vlans for now to get
> working) together on a 3560 to allow a sudo transparent transport for
> a customer.
...

The 3560 doesn't support regular bridging, only "fallback bridging" that generally just works for non-IP.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swfallbk.html
http://tinyurl.com/d27d2u

You could use a "real" router to do it, like a 2800.

Alternatively, if you can accept that the spanning trees collapse, you can melt together the VLANs with two access ports looped to each other, each a member of one VLAN. You have to be a little careful though.

Regards,
Peter

From lists at quux.de Wed Apr 22 05:51:33 2009
From: lists at quux.de (Jens Link)
Date: Wed, 22 Apr 2009 11:51:33 +0200
Subject: [c-nsp] VTY Lines
In-Reply-To: <49EE8E94.7060503@justinshore.com> (Justin Shore's message of "Tue, 21 Apr 2009 22:27:16 -0500")
References: <49E6ABD7.4030402@gmail.com> <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> <49EC7BE2.60100@scripty.com> <49EE8E94.7060503@justinshore.com>
Message-ID: <87ab69qamy.fsf@laphroiag.quux.de>

Justin Shore writes:

> While my installs may not be perfect, they are far better than
> average. I don't need someone second-guessing my work with a tool like
> RAT.

Agreed.
But (IIRC) you can write your own rules for RAT. Combine this with rancid and you have a great way of finding things you may have forgotten to configure.

cheers,

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264     |
| http://www.quux.de  | http://blog.quux.de      | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From nick.jon.griffin at gmail.com Wed Apr 22 10:10:01 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 22 Apr 2009 09:10:01 -0500
Subject: [c-nsp] GSS and ACE
Message-ID:

Does anyone know if you can use or even would want to use a GSS appliance without an ACE Module or Appliance? I like the idea of having data center redundancy/global site selection, however I'm not so sure the load balancing features of the ACE appliance are yet a requirement for a particular design I am working with, or worth the cost. Thanks in advance.

Nick Griffin

From jcdarby at usgs.gov Wed Apr 22 10:39:18 2009
From: jcdarby at usgs.gov (Justin C Darby)
Date: Wed, 22 Apr 2009 10:39:18 -0400
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References:
Message-ID:

Nick,

The primary benefit to these things, AFAIK, is the ACE integration for load balancing. I'm pretty sure there are other options (mostly software) available to do the same DNS load balancing without ACEs, but - ACEs are a great way to add redundancy to a site, and GSS+ACE can handle load balancing across many access points with integrated service monitoring and the like. Doing that without a device like the ACE is pretty complicated.

Justin

-----cisco-nsp-bounces at puck.nether.net wrote: -----
To: "cisco-nsp at puck.nether.net"
From: Nick Griffin
Sent by: cisco-nsp-bounces at puck.nether.net
Date: 04/22/2009 09:18AM
Subject: [c-nsp] GSS and ACE

Does anyone know if you can use or even would want to use a GSS appliance without an ACE Module or Appliance?
I like the idea of having data center redundancy/global site selection, however I'm not so sure the load balancing features of the ACE appliance, which aren't yet a requirement for the particular design I am working with, are worth the cost.

Thanks in advance.

Nick Griffin
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nick.jon.griffin at gmail.com Wed Apr 22 10:45:44 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 22 Apr 2009 09:45:44 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References:
Message-ID:

So say I had 2 datacenter locations geographically dispersed and I'm not running BGP. I have similar web and smtp servers at each location. I'm not so much concerned that traffic gets load balanced to a cluster of servers when traffic enters a particular data center (which is an ACE application), instead I'm concerned about D/R. Say I lose DataCenter 1, I want some DNS magic to take place to say that mail.mydomain.com has moved from 10.1.1.5 to 10.1.2.5 at Data Center 2. Does that make sense?

On Wed, Apr 22, 2009 at 9:39 AM, Justin C Darby wrote:
>
> Nick,
>
> The primary benefit to these things, AFAIK, is the ACE integration for load
> balancing. I'm pretty sure there are other options (mostly software)
> available to do the same DNS load balancing without ACE's, but - ACE's are
> a great way to add redundancy to a site, and GSS+ACE can handle load
> balancing across many access points with integrated service monitoring and
> the like. Doing that without a device like the ACE is pretty complicated.
>
> Justin
>
> -----cisco-nsp-bounces at puck.nether.net wrote: -----
> To: "cisco-nsp at puck.nether.net"
> From: Nick Griffin
> Sent by: cisco-nsp-bounces at puck.nether.net
> Date: 04/22/2009 09:18AM
> Subject: [c-nsp] GSS and ACE
>
> Does anyone know if you can use or even would want to use a GSS appliance
> without an ACE Module or Appliance? I like the idea of having data center
> redundancy/global site selection, however I'm not so sure the load
> balancing features of the ACE appliance are yet a requirement for a
> particular design I am working with is worth the cost. Thanks in advance.
> Nick Griffin
>

From eric at roxanne.org Wed Apr 22 10:50:15 2009
From: eric at roxanne.org (Eric Gauthier)
Date: Wed, 22 Apr 2009 10:50:15 -0400
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References:
Message-ID: <20090422145015.GA16677@roxanne.org>

We're interested in the same sort of question. In our case, we have server groups who already handle local load balancing internally within their clusters. My group, the network team, wants to provide load balancing and automatic failover of traffic between our two campus data centers, but we don't need the load piece nor, given the distributed nature of our campus, is it easy to force all traffic through a set of LB's before deciding which center should receive the traffic.

Eric :)

On Wed, Apr 22, 2009 at 09:45:44AM -0500, Nick Griffin wrote:
> So say I had 2 datacenter locations geographically disperse and I'm not
> running BGP. I have similar web and smtp servers at each locations. I'm not
> so much concerned that traffic gets load balanced to a cluster of servers
> when traffic enters a particular data center (which is an ACE application),
> instead I'm concerned about D/R.
> Say I lose DataCenter 1, I want some DNS
> magic to take place to say that mail.mydomain.com has moved from 10.1.1.5 to
> 10.1.2.5 at Data Center 2. Does that make sense?
>
>
> On Wed, Apr 22, 2009 at 9:39 AM, Justin C Darby wrote:
>
> >
> > Nick,
> >
> > The primary benefit to these things, AFAIK, is the ACE integration for load
> > balancing. I'm pretty sure there are other options (mostly software)
> > available to do the same DNS load balancing without ACE's, but - ACE's are
> > a great way to add redundancy to a site, and GSS+ACE can handle load
> > balancing across many access points with integrated service monitoring and
> > the like. Doing that without a device like the ACE is pretty complicated.
> >
> > Justin
> >
> > -----cisco-nsp-bounces at puck.nether.net wrote: -----
> > To: "cisco-nsp at puck.nether.net"
> > From: Nick Griffin
> > Sent by: cisco-nsp-bounces at puck.nether.net
> > Date: 04/22/2009 09:18AM
> > Subject: [c-nsp] GSS and ACE
> >
> > Does anyone know if you can use or even would want to use a GSS appliance
> > without an ACE Module or Appliance? I like the idea of having data center
> > redundancy/global site selection, however I'm not so sure the load
> > balancing features of the ACE appliance are yet a requirement for a
> > particular design I am working with is worth the cost. Thanks in advance.
> > Nick Griffin
> >
> >
>

From rdobbins at cisco.com Wed Apr 22 11:05:53 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Wed, 22 Apr 2009 23:05:53 +0800
Subject: [c-nsp] GSS and ACE
In-Reply-To: <20090422145015.GA16677@roxanne.org>
References: <20090422145015.GA16677@roxanne.org>
Message-ID:

On Apr 22, 2009, at 10:50 PM, Eric Gauthier wrote:

> We're interested in the same sort of question.

You can play all kinds of DNS games with GSS based upon load (via probes), perceived topological distance, up/down status, et al. It has some DNS DoS self-defense mechanisms built in, too.

There are some open-source tools which can be used to do various types of clustering/redirection/etc., as well:

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From nick.jon.griffin at gmail.com Wed Apr 22 11:10:16 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 22 Apr 2009 10:10:16 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com>
References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com>
Message-ID:

Right, my question was does it require ACE appliance or modules to work? I have the need for Global Site Selection, however I don't need the application level load balancing at this point that is offered by the ACE. Also, are there any ties to particular vendor DNS servers, ie CNR?
Gracias,
Nick Griffin

On Wed, Apr 22, 2009 at 9:52 AM, Roland Dobbins wrote:
>
> On Apr 22, 2009, at 10:45 PM, Nick Griffin wrote:
>
> Does that make sense?
>>
>
> Sure - GSS does that.
>
> -----------------------------------------------------------------------
> Roland Dobbins
>
> Our dreams are still big; it's just the future that got small.
>
> -- Jason Scott
>

From cisco-nsp at slepicka.net Wed Apr 22 11:12:59 2009
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 22 Apr 2009 10:12:59 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References:
Message-ID: <49EF33FB.90304@slepicka.net>

You can use the GSS without an ACE (or CSS, or IOS-SLB...). You'll be limited to the basic keepalive checks (icmp ping, http head, etc.) to detect site availability; you won't be able to make load-based decisions, for example, but it will otherwise work fine. I just use the http head check for a couple of web sites where a basic up/down check is all that's required (though I also use scripted KALs where more complex decisions need to be made).

James

Nick Griffin wrote:
> Does anyone know if you can use or even would want to use a GSS appliance
> without an ACE Module or Appliance? I like the idea of having data center
> redundancy/global site selection, however I'm not so sure the load
> balancing features of the ACE appliance are yet a requirement for a
> particular design I am working with is worth the cost.
> Thanks in advance.
> > Nick Griffin
>

From rdobbins at cisco.com Wed Apr 22 11:21:42 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Wed, 22 Apr 2009 23:21:42 +0800
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com>
Message-ID:

On Apr 22, 2009, at 11:10 PM, Nick Griffin wrote:

> Right, my question was does it require ACE appliance or modules to
> work?

No, can work independently, no problem.

> Also, are there any ties to particular vendor DNS servers, ie CNR?

It can hook into CNR, and is also its own DNS server (can work with anything else, too, obviously, through delegation).

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From nick.jon.griffin at gmail.com Wed Apr 22 11:33:44 2009
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 22 Apr 2009 10:33:44 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com>
Message-ID:

Great, thanks to all. So am I to assume if I have X Data Centers, I need 1xX GSS's for redundancy? In other words if I had 2 sites and one GSS and the GSS is at the site that lost internet connectivity, it's not going to do me much good.

TIA

On Wed, Apr 22, 2009 at 10:21 AM, Roland Dobbins wrote:
>
> On Apr 22, 2009, at 11:10 PM, Nick Griffin wrote:
>
> Right, my question was does it require ACE appliance or modules to work?
>>
>
> No, can work independently, no problem.
>
> Also, are there any ties to particular vendor DNS servers, ie CNR?
>>
>
>
> It can hook into CNR, and is also its own DNS server (can work with
> anything else, too, obviously, through delegation).
>
> -----------------------------------------------------------------------
> Roland Dobbins // +852.6904.8571 mobile
>
> Our dreams are still big; it's just the future that got small.
>
> -- Jason Scott
>

From tvarriale at comcast.net Wed Apr 22 11:34:20 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 22 Apr 2009 10:34:20 -0500
Subject: [c-nsp] GSS and ACE
References:
Message-ID: <6CB129AE25E44B14BAD3DC157E3B0C4F@flamdt01>

I can't say I've ever done this but the GSS does have the ability to probe other devices/brands via SNMP. Also, there is good scripting capability. So, my initial answer is yes.

Keep in mind, GSS isn't a "real" DNS server. It's more of a DNS proxy...

tv

----- Original Message -----
From: "Nick Griffin"
To:
Sent: Wednesday, April 22, 2009 9:10 AM
Subject: [c-nsp] GSS and ACE

> Does anyone know if you can use or even would want to use a GSS appliance
> without an ACE Module or Appliance? I like the idea of having data center
> redundancy/global site selection, however I'm not so sure the load
> balancing features of the ACE appliance are yet a requirement for a
> particular design I am working with is worth the cost.
> Thanks in advance.
>
> Nick Griffin
>

From robbie.jacka at regions.com Wed Apr 22 11:39:19 2009
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Wed, 22 Apr 2009 10:39:19 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To:
Message-ID:

Saying that the GSS is its own DNS server isn't quite right - while it performs DNS resolution for configured host records (based on rules), I don't believe that it can recurse on behalf of a client, nor can it actually perform AXFRs, as far as I am aware. In other words, it does some DNS-related functions exceptionally well (rules, monitoring, etc); it does not do others at all.

-- robbie

Roland Dobbins, sent by cisco-nsp-bounces at puck.nether.net, 04/22/2009 10:30 AM
To: Cisco-nsp
Subject: Re: [c-nsp] GSS and ACE

On Apr 22, 2009, at 11:10 PM, Nick Griffin wrote:

> Right, my question was does it require ACE appliance or modules to
> work?

No, can work independently, no problem.

> Also, are there any ties to particular vendor DNS servers, ie CNR?

It can hook into CNR, and is also its own DNS server (can work with anything else, too, obviously, through delegation).

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.
-- Jason Scott

From rdobbins at cisco.com Wed Apr 22 12:00:55 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Thu, 23 Apr 2009 00:00:55 +0800
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com>
Message-ID: <26639FCD-78B5-41BF-898F-2C06DFA5CD65@cisco.com>

On Apr 22, 2009, at 11:33 PM, Nick Griffin wrote:

> Great, thanks to all. So am I to assume if I have X Data Centers, I
> need 1xX
> GSS's for redundancy?

I'd put a cluster of 2 at each IDC, something like that.

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From rdobbins at cisco.com Wed Apr 22 12:01:50 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Thu, 23 Apr 2009 00:01:50 +0800
Subject: [c-nsp] GSS and ACE
In-Reply-To:
References:
Message-ID: <703EE2AB-67D5-424C-9236-11D284B2D7F4@cisco.com>

On Apr 22, 2009, at 11:39 PM, robbie.jacka at regions.com wrote:

> . In other words, it does some
> DNS-related functions exceptionally well (rules, monitoring, etc) it
> does
> not do others at all.

You're right - I should've said, ". . . task-specific, limited-subset DNS server."

Good catch!

;>

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.
-- Jason Scott

From rdobbins at cisco.com Wed Apr 22 12:03:26 2009
From: rdobbins at cisco.com (Roland Dobbins)
Date: Thu, 23 Apr 2009 00:03:26 +0800
Subject: [c-nsp] GSS and ACE
In-Reply-To: <6CB129AE25E44B14BAD3DC157E3B0C4F@flamdt01>
References: <6CB129AE25E44B14BAD3DC157E3B0C4F@flamdt01>
Message-ID:

On Apr 22, 2009, at 11:34 PM, Tony Varriale wrote:

> I can't say I've ever done this but the GSS does have the ability to
> probe other devices/brands via SNMP. Also, there is good scripting
> capability.

Yes on both counts.

It's actually a neat little box. Not many folks seem to know about it, but it's surprisingly useful, and most of the features make operational sense (note that the 'anycast' feature is not in fact anycast as is commonly understood, heh).

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From vijay.ramcharan at verizonbusiness.com Wed Apr 22 12:22:48 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 22 Apr 2009 16:22:48 +0000
Subject: [c-nsp] GSS and ACE
In-Reply-To: <703EE2AB-67D5-424C-9236-11D284B2D7F4@cisco.com>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB37EEB5D@ASHEVS006.mcilink.com>

You can always do F5 GTM if you need a full-fledged DNS server (runs BIND I think).

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
Sent: April 22, 2009 12:02
To: Cisco-nsp
Subject: Re: [c-nsp] GSS and ACE

On Apr 22, 2009, at 11:39 PM, robbie.jacka at regions.com wrote:

> . In other words, it does some
> DNS-related functions exceptionally well (rules, monitoring, etc) it
> does
> not do others at all.

You're right - I should've said, ". . . task-specific, limited-subset DNS server."

Good catch!
;>

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.

-- Jason Scott

From robbie.jacka at regions.com Wed Apr 22 12:26:26 2009
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Wed, 22 Apr 2009 11:26:26 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To:
Message-ID:

Agreed. The learning curve on it is roughly equivalent to SVR4, but once you've gotten the basics down, it's a remarkably awesome device.

-- robbie

Roland Dobbins, sent by cisco-nsp-bounces at puck.nether.net, 04/22/2009 11:22 AM
To: Cisco-nsp
Subject: Re: [c-nsp] GSS and ACE

On Apr 22, 2009, at 11:34 PM, Tony Varriale wrote:

> I can't say I've ever done this but the GSS does have the ability to
> probe other devices/brands via SNMP. Also, there is good scripting
> capability.

Yes on both counts.

It's actually a neat little box. Not many folks seem to know about it, but it's surprisingly useful, and most of the features make operational sense (note that the 'anycast' feature is not in fact anycast as is commonly understood, heh).

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.
-- Jason Scott

From robbie.jacka at regions.com Wed Apr 22 12:38:08 2009
From: robbie.jacka at regions.com (robbie.jacka at regions.com)
Date: Wed, 22 Apr 2009 11:38:08 -0500
Subject: [c-nsp] GSS and ACE
In-Reply-To: <8171C8272CE8FE4A8F5BFF8A97CE6AB37EEB5D@ASHEVS006.mcilink.com>
Message-ID:

Or purchase the appropriate CNR licensing for the GSS and install it. The basic box license just isn't really a full-fledged DNS server, but it can have CNR and/or the Cisco Guard anti-DDoS functionality installed on it.

-- robbie

"Ramcharan, Vijay A", sent by cisco-nsp-bounces at puck.nether.net, 04/22/2009 11:34 AM
Subject: Re: [c-nsp] GSS and ACE

You can always do F5 GTM if you need a full fledged DNS server (runs BIND I think).

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
Sent: April 22, 2009 12:02
To: Cisco-nsp
Subject: Re: [c-nsp] GSS and ACE

On Apr 22, 2009, at 11:39 PM, robbie.jacka at regions.com wrote:

> . In other words, it does some
> DNS-related functions exceptionally well (rules, monitoring, etc) it
> does
> not do others at all.

You're right - I should've said, ". . . task-specific, limited-subset DNS server."

Good catch!

;>

-----------------------------------------------------------------------
Roland Dobbins // +852.6904.8571 mobile

Our dreams are still big; it's just the future that got small.
-- Jason Scott

From ncnet at sbcglobal.net Wed Apr 22 12:30:51 2009
From: ncnet at sbcglobal.net (Larry Stites)
Date: Wed, 22 Apr 2009 09:30:51 -0700
Subject: [c-nsp] GSS and ACE
In-Reply-To:
Message-ID:

We recently supplied (4) ACE20-MOD-K9 to a customer overseas for $17k/ea. These units were previously owned spares, unused, box opened to inspect contents. All units were complete with sealed software package and EULA paperwork.

The customer had a problem with recognition of the card in 6509 running SUP720-3BXL. The solution was IOS 12.2(18)SXF4 for ACE support in 6500/SUP720. They were running 12.2-18.SXD7 and according to the requirements, they needed 12.2-18.SXF or newer and 12.2-33.SXI or newer for it to run in virtual switch mode. The ACE20-MOD-K9 run in order of release; A, B, C, D, E, F, G, H, I etc. etc. Customer was running D and the specs on Cisco's site say they need F.

Note Supervisor Engine 32 does not support ACE10-6500-K9 or ACE20-MOD-K9.

I am also including the link down below so you can look at it yourself. There is a section for the ACE modules in there.
If you are interested take a look at this cut and paste:

Application Control Engine (ACE) Module

Product ID (append "=" for spares): ACE10-6500-K9, ACE20-MOD-K9
Power Required: 5.23 A at 42 V
Product Description: Application Control Engine (ACE) module
Minimum Software Versions:
  With Supervisor Engine 720-10GE: 12.2(33)SXH
  With Supervisor Engine 720: 12.2(18)SXF4
  Note: With releases earlier than Release 12.2(33)SXI, not supported in virtual switch mode.

ACE10-6500-K9 and ACE20-MOD-K9 run their own software. See these publications:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

See the ACE10-6500-K9 and ACE20-MOD-K9 software release notes for information about the minimum required service module software version.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2982155

Best regards,

Larry E. Stites
Northern California Networks, Inc.
CA LIC# 2004 SR KH 100-484111
Nevada City, CA 95959
cell 530 320 4194
land 530 265 2588
ncnet at sbcglobal.net
IM: LESGGN

on 4/22/09 7:10 AM, Nick Griffin wrote:

> Does anyone know if you can use or even would want to use a GSS appliance
> without an ACE Module or Appliance? I like the idea of having data center
> redundancy/global site selection, however I'm not so sure the load
> balancing features of the ACE appliance are yet a requirement for a
> particular design I am working with is worth the cost.
> Thanks in advance.
>
> Nick Griffin
>

From ayourtch at gmail.com Wed Apr 22 16:40:25 2009
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Wed, 22 Apr 2009 22:40:25 +0200
Subject: [c-nsp] VTY Lines
In-Reply-To: <49EE8E94.7060503@justinshore.com>
References: <876789290904152118u451d667bmb0d6873725de22a4@mail.gmail.com> <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> <49EC7BE2.60100@scripty.com> <49EE8E94.7060503@justinshore.com>
Message-ID: <530c5af60904221340t49c22609t9655543d8cf0c190@mail.gmail.com>

On Wed, Apr 22, 2009 at 5:27 AM, Justin Shore wrote:

> on all interfaces including con0. I have TACACS+ set up with local auth as
> the backup (and only one user account on the devices which I've gone to
> great lengths to protect). Aux is explicitly disabled. He just didn't get
> it. Sure I could add the password command to the VTY to appease him even

I'd venture to think it was more about trying to prevent the potential corner cases. Of course there are a lot of preconditions for that "line of defense" to be hit - but it all depends. After all, most of us have insurance for the case of the proverbial "being hit by a bus" - even though those are the events we all carefully try to avoid. (Or so I would hope :-)

Back to the original post - without the version it's hard to tell, but I've seen CSCsc70644 causing similar symptoms. If that does not match, I'd say open up a case so the TAC folks take a closer look.

cheers,
andrew

From Jay.Murphy at state.nm.us Wed Apr 22 17:13:05 2009
From: Jay.Murphy at state.nm.us (Murphy, Jay, DOH)
Date: Wed, 22 Apr 2009 15:13:05 -0600
Subject: [c-nsp] Replacement for a Catalyst 4006?
Message-ID:

Anyone from this forum replaced (I'm sure) or fork-lifted an upgrade to something greater than the suggested upgrade path for a Catalyst 4006?? Responses welcomed.

Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Operations
Santa Fé, New México 87502
"We move the information that moves your world."

Please consider the environment before printing e-mail

Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message.

From felixnkansah at gmail.com Wed Apr 22 17:45:25 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 22 Apr 2009 21:45:25 +0000
Subject: [c-nsp] Automatically Synchronize IOS Router Configurations?
Message-ID: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com>

Hi Team,

I am prospecting a short contract from a client (an ISP) who wants to redesign their internal and edge networks.

Among other things, their requirement is for their HSRP or GLBP routers to automatically synchronize their running configurations, so that when configuration changes are made on the active router, they are replicated onto the standby box (like is done on Cisco firewall appliances in failover mode).

During my meeting with the client to define their requirements, I explained that I am not aware of any functionality to automatically synchronize running configs between two IOS routers just because they are in an HSRP or GLBP group.

However, I have just received an official requirements definition (contract terms) from the client and that requirement is stated in bold characters.
Was wondering if I have been missing any such feature in IOS routers for this long?

Many thanks,

Felix

From tvarriale at comcast.net Wed Apr 22 18:19:57 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 22 Apr 2009 17:19:57 -0500
Subject: [c-nsp] Replacement for a Catalyst 4006?
References:
Message-ID:

What are the requirements? Quite honestly, I'm trying to forget anything 400x :)

tv

----- Original Message -----
From: "Murphy, Jay, DOH"
To:
Sent: Wednesday, April 22, 2009 4:13 PM
Subject: [c-nsp] Replacement for a Catalyst 4006?

Anyone from this forum replaced (I'm sure) or fork-lifted an upgrade to something greater than the suggested upgrade path for a Catalyst 4006?? Responses welcomed.

Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB - IP Network Operations
Santa Fé, New México 87502
"We move the information that moves your world."

Please consider the environment before printing e-mail

Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message.

From tvarriale at comcast.net Wed Apr 22 18:22:54 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 22 Apr 2009 17:22:54 -0500
Subject: [c-nsp] GSS and ACE
References:
Message-ID:

Not sure if this is a question or a statement...but...

I would look to run high SXF (12?) or SXH1.
Note, some folks are having issues with SXH so it really depends on their load out and features.

As for VSS, you shouldn't really be running SXH VSS. SXI or higher only please. :)

tv

----- Original Message -----
From: "Larry Stites"
To: "Nick Griffin" ;
Sent: Wednesday, April 22, 2009 11:30 AM
Subject: Re: [c-nsp] GSS and ACE

We recently supplied (4) ACE20-MOD-K9 to a customer overseas for $17k/ea. These units were previously owned spares, unused, box opened to inspect contents. All units were complete with sealed software package and EULA paperwork.

The customer had a problem with recognition of the card in 6509 running SUP720-3BXL. The solution was IOS 12.2(18)SXF4 for ACE support in 6500/SUP720. They were running 12.2-18.SXD7 and according to the requirements, they needed 12.2-18.SXF or newer and 12.2-33.SXI or newer for it to run in virtual switch mode. The ACE20-MOD-K9 run in order of release; A, B, C, D, E, F, G, H, I etc. etc. Customer was running D and the specs on Cisco's site say they need F.

Note Supervisor Engine 32 does not support ACE10-6500-K9 or ACE20-MOD-K9.

I am also including the link down below so you can look at it yourself. There is a section for the ACE modules in there.

If you are interested take a look at this cut and paste:

Application Control Engine (ACE) Module

Product ID (append "=" for spares): ACE10-6500-K9, ACE20-MOD-K9
Power Required: 5.23 A at 42 V
Product Description: Application Control Engine (ACE) module
Minimum Software Versions:
  With Supervisor Engine 720-10GE: 12.2(33)SXH
  With Supervisor Engine 720: 12.2(18)SXF4
  Note: With releases earlier than Release 12.2(33)SXI, not supported in virtual switch mode.

ACE10-6500-K9 and ACE20-MOD-K9 run their own software. See these publications:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

See the ACE10-6500-K9 and ACE20-MOD-K9 software release notes for information about the minimum required service module software version.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2982155

Best regards,

Larry E. Stites
Northern California Networks, Inc.
CA LIC# 2004 SR KH 100-484111
Nevada City, CA 95959
cell 530 320 4194
land 530 265 2588
ncnet at sbcglobal.net
IM: LESGGN

on 4/22/09 7:10 AM, Nick Griffin wrote:

> Does anyone know if you can use or even would want to use a GSS appliance
> without an ACE Module or Appliance? I like the idea of having data center
> redundancy/global site selection, however I'm not so sure the load
> balancing features of the ACE appliance are yet a requirement for a
> particular design I am working with is worth the cost.
> Thanks in advance.
>
> Nick Griffin

From tvarriale at comcast.net Wed Apr 22 18:25:04 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 22 Apr 2009 17:25:04 -0500
Subject: [c-nsp] GSS and ACE
References: <6CB129AE25E44B14BAD3DC157E3B0C4F@flamdt01>
Message-ID: <296AF95FA44442B3AA97523A85358AEA@flamdt01>

Yeah, good boxes. A lot of the functionality was already in the CSSes but stripped in the ACE. :)

I've only done them with ACE and just a couple. That market is dominated by someone else. :)

tv

----- Original Message -----
From: "Roland Dobbins"
To: "Cisco-nsp"
Sent: Wednesday, April 22, 2009 11:03 AM
Subject: Re: [c-nsp] GSS and ACE

>
> On Apr 22, 2009, at 11:34 PM, Tony Varriale wrote:
>
>> I can't say I've ever done this but the GSS does have the ability to
>> probe other devices/brands via SNMP. Also, there is good scripting
>> capability.
>
>
> Yes on both counts.
> > It's actually a neat little box. Not many folks seem to know about it, > but it's surprisingly useful, and most of the features make operational > sense (note that the 'anycast' feature is not in fact anycast as is > commonly understood, heh). > > ----------------------------------------------------------------------- > Roland Dobbins // +852.6904.8571 mobile > > Our dreams are still big; it's just the future that got small. > > -- Jason Scott > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Wed Apr 22 18:27:08 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Wed, 22 Apr 2009 17:27:08 -0500 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? References: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> Message-ID: Doesn't really exist AFAIK. You would have to script something maybe through EEM and/or management. Note the CSSes have this but it's just a canned script. :) tv ----- Original Message ----- From: "Felix Nkansah" To: Sent: Wednesday, April 22, 2009 4:45 PM Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? > Hi Team, > I am prospecting a short contract from a client (an ISP) who wants to > redesign their internal and edge networks. > > Among other things, their requirement is for their HSRP or GLBP routers to > automatically synchronize their running configurations. > > So that when configurations changes are made on the active router, it is > replicated onto the standby box (like is done on Cisco firewall appliances > in failover mode). > > During my meeting with the client to define their requirements, I > explained > that I am not aware of any functionality to automatically synchronize > running configs between two IOS routers just because they are in an HSRP > or > GLBP group. 
> > However, I have just received an official requirements definition > (contract > terms) from the client and that requirement is stated in bold characters. > > Was wondering if I have been missing any such feature in IOS routers for > this long? > > Many thanks, > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From graham at g-rock.net Wed Apr 22 18:38:43 2009 From: graham at g-rock.net (Graham Wooden) Date: Wed, 22 Apr 2009 17:38:43 -0500 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? In-Reply-To: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> Message-ID: Sync between each other? Yeah, you will have to look at something external, something that would have write perms (like through SNMP or AAA). Maybe a tacacs+ system can do this? I know there are products/scripts that can tftp off / snmp read the config and store them off. There maybe a push mechanism as well? But you are correct - just because they are in a HSRP standby group, doesn't mean that they can replicate. And with good reason too - there are somethings you *don't* want to replicate, and a blanket copy-over would be bad.... HTH, -graham On 4/22/09 4:45 PM, "Felix Nkansah" wrote: > Hi Team, > I am prospecting a short contract from a client (an ISP) who wants to > redesign their internal and edge networks. > > Among other things, their requirement is for their HSRP or GLBP routers to > automatically synchronize their running configurations. > > So that when configurations changes are made on the active router, it is > replicated onto the standby box (like is done on Cisco firewall appliances > in failover mode). 
> > During my meeting with the client to define their requirements, I explained > that I am not aware of any functionality to automatically synchronize > running configs between two IOS routers just because they are in an HSRP or > GLBP group. > > However, I have just received an official requirements definition (contract > terms) from the client and that requirement is stated in bold characters. > > Was wondering if I have been missing any such feature in IOS routers for > this long? > > Many thanks, > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From lists at memetic.org Wed Apr 22 19:16:03 2009 From: lists at memetic.org (Adam Armstrong) Date: Thu, 23 Apr 2009 00:16:03 +0100 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? In-Reply-To: References: Message-ID: <49EFA533.7010707@memetic.org> Graham Wooden wrote: > Sync between each other? Yeah, you will have to look at something external, > something that would have write perms (like through SNMP or AAA). Maybe a > tacacs+ system can do this? I know there are products/scripts that can tftp > off / snmp read the config and store them off. There maybe a push mechanism > as well? > > But you are correct - just because they are in a HSRP standby group, doesn't > mean that they can replicate. And with good reason too - there are > somethings you *don't* want to replicate, and a blanket copy-over would be > bad.... > Not to mention that unlike a firewall, there should be relatively few changes to a router. Assuming it's not doing filtering/NAT or other things requiring lots of changes, of course. If it's just a case of adding a new VLAN/Subinterface and putting an IP in it and the VLAN/Subif/IP scheme is predictable, I guess it could be easily scripted via snmp/tftp or telnet/ssh(+clogin?) 
We do something similar for blanket config changes like ACLs and BGP peers. It works quite well, but if we had time to do it by hand to so many devices we'd probably prefer to... adam. From brhedlun at cisco.com Wed Apr 22 23:00:24 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Wed, 22 Apr 2009 22:00:24 -0500 Subject: [c-nsp] GSS and ACE In-Reply-To: Message-ID: On 4/22/09 10:39 AM, "robbie.jacka at regions.com" wrote: > Saying that the GSS is it's own DNS server isn't quite right Not true. GSS can also operate entirely as a full blown DNS server. "Using software versions 2.0 through 3.0(x), GSS product capabilities have been enhanced to allow the GSS to migrate to the top level of the DNS hierarchy" http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/g ss4400series/v3.1/configuration/cli/gslb/guide/Intro.html#wp1264301 Cheers Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From ianh at chime.net.au Wed Apr 22 23:07:47 2009 From: ianh at chime.net.au (Ian Henderson) Date: Thu, 23 Apr 2009 11:07:47 +0800 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? In-Reply-To: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> References: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> Message-ID: <100362309621454DAA534950B17E55DB011631552F85@isp-per-exc01.win2k.iinet.net.au> Felix Nkansah wrote on 2009-04-23: > Among other things, their requirement is for their HSRP or GLBP routers > to automatically synchronize their running configurations. You could avoid the problem entirely, but still meet the objective by using VSS? Rgds, - I. 
-- Ian Henderson, CCIE #14721 Senior Network Engineer, iiNet Limited From hank at efes.iucc.ac.il Thu Apr 23 00:26:17 2009 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 23 Apr 2009 07:26:17 +0300 Subject: [c-nsp] GSS and ACE In-Reply-To: <26639FCD-78B5-41BF-898F-2C06DFA5CD65@cisco.com> References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com> Message-ID: <5.1.0.14.2.20090423072449.00aef970@efes.iucc.ac.il> At 12:00 AM 23-04-09 +0800, Roland Dobbins wrote: >On Apr 22, 2009, at 11:33 PM, Nick Griffin wrote: > >>Great, thanks to all. So am I to assume if I have X Data Centers, I >>need 1xX >>GSS's for redundancy? > > >I'd put a cluster of 2 at each IDC, something like that. Why 2 at each IDC? Since each box acts as a backup for the other, if IDC #1 goes down - then the GSS at IDC #2 takes over. What benefit, other than to Cisco share value, would someone get to having 2x GSS at each IDC? -Hank From hank at efes.iucc.ac.il Thu Apr 23 00:37:04 2009 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Thu, 23 Apr 2009 07:37:04 +0300 Subject: [c-nsp] GSS and ACE In-Reply-To: References: Message-ID: <5.1.0.14.2.20090423072656.00b235a0@efes.iucc.ac.il> At 09:45 AM 22-04-09 -0500, Nick Griffin wrote: >So say I had 2 datacenter locations geographically disperse and I'm not >running BGP. I have similar web and smtp servers at each locations. I'm not >so much concerned that traffic gets load balanced to a cluster of servers >when traffic enters a particular data center (which is an ACE application), >instead I'm concerned about D/R. Say I lose DataCenter 1, I want some DNS >magic to take place to say that mail.mydomain.com has moved from 10.1.1.5 to >10.1.2.5 at Data Center 2. Does that make sense? In addition to the GSS solutions which has been discussed here, there are outsourced solutions that essentially do the same thing. 
Neustar (used to be UltraDNS): http://www.ultradns.com/solutions/traffic.html [See Sitebacker] Level3: http://www.level3.com/brochures/e_brochures/ITM_brochure_C.pdf [ITM service] Akamai: http://www.akamai.com/html/technology/products/gtm.html [GTM service] Each has different bells and whistles as well as different pricing based on DNS load, but in general, the cost of a single GSS should provide you with their service for at least a year. The benefits are you don't have to manage the GSS and the service is outsourced to those who maintain 10-20 globally disparate DNS servers and who hopefully know how to run the service in a bullet-proof manner. Regards, Hank From rdobbins at cisco.com Thu Apr 23 00:50:28 2009 From: rdobbins at cisco.com (Roland Dobbins) Date: Thu, 23 Apr 2009 12:50:28 +0800 Subject: [c-nsp] GSS and ACE In-Reply-To: <5.1.0.14.2.20090423072449.00aef970@efes.iucc.ac.il> References: <8793293D-6420-4C09-96C0-2DDC62088FFD@cisco.com> <5.1.0.14.2.20090423072449.00aef970@efes.iucc.ac.il> Message-ID: <86D3E086-B5DD-49E3-BB45-BC3C5F26040F@cisco.com> On Apr 23, 2009, at 12:26 PM, Hank Nussbacher wrote: > Why 2 at each IDC? Since each box acts as a backup for the other, > if IDC #1 goes down - then the GSS at IDC #2 takes over. Because if IDC #1 goes offline entirely, your DNS for whatever services you're running are now hanging by a single thread in IDC #2, until IDC #1 comes back up. > What benefit, other than to Cisco share value, would someone get to > having 2x GSS at each IDC? See above. I'm not a salesman, I derive no benefit from suggesting folks overload on GSSes. From an availability standpoint, that's simply my considered professional opinion, YMMV. ----------------------------------------------------------------------- Roland Dobbins // +852.6904.8571 mobile Our dreams are still big; it's just the future that got small. 
-- Jason Scott From reuben-cisco-nsp at reub.net Thu Apr 23 00:47:33 2009 From: reuben-cisco-nsp at reub.net (Reuben Farrelly) Date: Thu, 23 Apr 2009 14:47:33 +1000 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? In-Reply-To: <100362309621454DAA534950B17E55DB011631552F85@isp-per-exc01.win2k.iinet.net.au> References: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> <100362309621454DAA534950B17E55DB011631552F85@isp-per-exc01.win2k.iinet.net.au> Message-ID: <49EFF2E5.1070502@reub.net> On 23/04/2009 1:07 PM, Ian Henderson wrote: > Felix Nkansah wrote on 2009-04-23: > >> Among other things, their requirement is for their HSRP or GLBP routers >> to automatically synchronize their running configurations. > > You could avoid the problem entirely, but still meet the objective by using VSS? How about using the "archive" commands in IOS to remotely copy the config off the router every time it was saved, something like this:

archive
 log config
 path tftp://192.168.10.10:/configs/router/router-confg
 write-memory

...and then run a kron (yes Kron not Cron) job on the router to periodically copy the config from that tftp location into startup? Then if you wanted to get especially fancy then have an event manager (EEM) script on router 2 which upon detecting that the other router was down, would send an email alert off, initiate a reload 60 seconds later and come up with the config from router 1 which was in startup-config? I'd be wary of implementing that step without a lot of testing, but it might work for you... Reuben From tseveendorj at gmail.com Thu Apr 23 02:17:58 2009 From: tseveendorj at gmail.com (Tseveendorj) Date: Thu, 23 Apr 2009 14:17:58 +0800 Subject: [c-nsp] SNMP OID of 3825 router Message-ID: <49F00816.30101@gmail.com> Hello, How do I find the logged-in user on a 3825 by SNMP? Really appreciate any help. Sincerely, Tseveen.
From engel.labiro at gmail.com Thu Apr 23 04:06:09 2009 From: engel.labiro at gmail.com (Engelhard Labiro) Date: Thu, 23 Apr 2009 17:06:09 +0900 Subject: [c-nsp] SNMP OID of 3825 router In-Reply-To: <49F00816.30101@gmail.com> References: <49F00816.30101@gmail.com> Message-ID: <51D68322-E2AF-43A6-9F90-B6CCCF06B326@gmail.com> Try "SNMP object navigator" at cisco.com's Tools&Resources. On Apr 23, 2009, at 3:17 PM, Tseveendorj wrote: > Hello, > > How do I know logged user on 3825 by SNMP ? > > Really appreciate for any help. > > Sincerely, > Tseveen. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From chaz at chaz6.com Thu Apr 23 09:27:33 2009 From: chaz at chaz6.com (Chris Hills) Date: Thu, 23 Apr 2009 15:27:33 +0200 Subject: [c-nsp] Automatically Synchronize IOS Router Configurations? In-Reply-To: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> References: <18dba4e50904221445o49a6da3aubb9ccc2d1927551a@mail.gmail.com> Message-ID: On 22/04/09 23:45, Felix Nkansah wrote: > Hi Team, > I am prospecting a short contract from a client (an ISP) who wants to > redesign their internal and edge networks. > > Among other things, their requirement is for their HSRP or GLBP routers to > automatically synchronize their running configurations. > > So that when configurations changes are made on the active router, it is > replicated onto the standby box (like is done on Cisco firewall appliances > in failover mode). > > During my meeting with the client to define their requirements, I explained > that I am not aware of any functionality to automatically synchronize > running configs between two IOS routers just because they are in an HSRP or > GLBP group. 
> > However, I have just received an official requirements definition (contract > terms) from the client and that requirement is stated in bold characters. > > Was wondering if I have been missing any such feature in IOS routers for > this long? > > Many thanks, > > Felix If that functionality is not explicitly available, the way I would proceed is to write the configuration first to a configuration store, then to the standby host, and finally to the live host. This would make sure that records are up to date, and any potential configuration errors are discovered before going into production. From tvarriale at comcast.net Thu Apr 23 10:02:56 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 23 Apr 2009 09:02:56 -0500 Subject: [c-nsp] GSS and ACE References: Message-ID: <63516B148FED440F980D3F71B162779C@flamdt01> The GSS is definitely not that. If you use it with CNR, yes. Since CNR is that product, shazam. But as said in my previous post, GSS still isn't a DNS server...it's more like a proxy. tv ----- Original Message ----- From: "Brad Hedlund" To: ; "Roland Dobbins" Cc: "Cisco-nsp" ; Sent: Wednesday, April 22, 2009 10:00 PM Subject: Re: [c-nsp] GSS and ACE > > On 4/22/09 10:39 AM, "robbie.jacka at regions.com" > wrote: > >> Saying that the GSS is it's own DNS server isn't quite right > > Not true. GSS can also operate entirely as a full blown DNS server. 
> > > "Using software versions 2.0 through 3.0(x), GSS product capabilities have > been enhanced to allow the GSS to migrate to the top level of the DNS > hierarchy" > > http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v3.1/configuration/cli/gslb/guide/Intro.html#wp1264301 > > > > Cheers > > Brad Hedlund > bhedlund at cisco.com > http://www.internetworkexpert.org > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From robbie.jacka at regions.com Thu Apr 23 10:13:17 2009 From: robbie.jacka at regions.com (robbie.jacka at regions.com) Date: Thu, 23 Apr 2009 09:13:17 -0500 Subject: [c-nsp] GSS and ACE In-Reply-To: <63516B148FED440F980D3F71B162779C@flamdt01> Message-ID: installing CNR on a GSS does not make the GSS a DNS server, much as sticking a feather up your rear does not make you a chicken. :D as tony stated, CNR is still a separate product - it's simply installed *on* the GSS. a good product, to be sure - but with attendant licensing needs. -- robbie "Tony Varriale" (sent by cisco-nsp-bounces at puck.nether.net), 04/23/2009 09:09 AM, Subject: Re: [c-nsp] GSS and ACE The GSS is definitely not that. If you use it with CNR, yes. Since CNR is that product, shazam. But as said in my previous post, GSS still isn't a DNS server...it's more like a proxy. tv ----- Original Message ----- From: "Brad Hedlund" To: ; "Roland Dobbins" Cc: "Cisco-nsp" ; Sent: Wednesday, April 22, 2009 10:00 PM Subject: Re: [c-nsp] GSS and ACE > > On 4/22/09 10:39 AM, "robbie.jacka at regions.com" > wrote: > >> Saying that the GSS is its own DNS server isn't quite right > > Not true. GSS can also operate entirely as a full blown DNS server. 
> > > "Using software versions 2.0 through 3.0(x), GSS product capabilities have > been enhanced to allow the GSS to migrate to the top level of the DNS > hierarchy" > > http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/g > ss4400series/v3.1/configuration/cli/gslb/guide/Intro.html#wp1264301 > > > > Cheers > > Brad Hedlund > bhedlund at cisco.com > http://www.internetworkexpert.org > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From nick.jon.griffin at gmail.com Thu Apr 23 10:16:38 2009 From: nick.jon.griffin at gmail.com (Nick Griffin) Date: Thu, 23 Apr 2009 09:16:38 -0500 Subject: [c-nsp] GSS and ACE In-Reply-To: <63516B148FED440F980D3F71B162779C@flamdt01> References: <63516B148FED440F980D3F71B162779C@flamdt01> Message-ID: Thanks to everyone for responding. Very valuable information! Nick Griffin On Thu, Apr 23, 2009 at 9:02 AM, Tony Varriale wrote: > The GSS is definitely not that. > > If you use it with CNR, yes. Since CNR is that product, shazam. > > But as said in my previous post, GSS still isn't a DNS server...it's more > like a proxy. > > tv > ----- Original Message ----- From: "Brad Hedlund" > To: ; "Roland Dobbins" > Cc: "Cisco-nsp" ; < > cisco-nsp-bounces at puck.nether.net> > Sent: Wednesday, April 22, 2009 10:00 PM > Subject: Re: [c-nsp] GSS and ACE > > > >> On 4/22/09 10:39 AM, "robbie.jacka at regions.com" > > >> wrote: >> >> Saying that the GSS is it's own DNS server isn't quite right >>> >> >> Not true. GSS can also operate entirely as a full blown DNS server. 
>> >> >> "Using software versions 2.0 through 3.0(x), GSS product capabilities have >> been enhanced to allow the GSS to migrate to the top level of the DNS >> hierarchy" >> >> >> http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/g >> ss4400series/v3.1/configuration/cli/gslb/guide/Intro.html#wp1264301 >> >> >> >> Cheers >> >> Brad Hedlund >> bhedlund at cisco.com >> http://www.internetworkexpert.org >> >> >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From brhedlun at cisco.com Thu Apr 23 10:31:23 2009 From: brhedlun at cisco.com (Brad Hedlund) Date: Thu, 23 Apr 2009 09:31:23 -0500 Subject: [c-nsp] GSS and ACE In-Reply-To: Message-ID: On 4/23/09 9:13 AM, "robbie.jacka at regions.com" wrote: > installing CNR on a GSS does not make it GSS a DNS server, much as sticking > a feather up your rear does not make you a chicken. :D > > as tony stated, CNR is still a separate product - it's simply installed > *on* the GSS. a good product, to be sure - but with attendant licensing > needs. > -- > robbie Point taken. True, you need the appropriate licenses. However the fact remains that you can consolidate DNS and GSLB onto one appliance, the GSS 4492R. Cheers Brad Hedlund bhedlund at cisco.com http://www.internetworkexpert.org From panocisco77 at gmail.com Thu Apr 23 10:41:56 2009 From: panocisco77 at gmail.com (Renelson Panosky) Date: Thu, 23 Apr 2009 10:41:56 -0400 Subject: [c-nsp] Cisco Standard closet Message-ID: <16e2ac180904230741g3c419887s64882e6235bd9d06@mail.gmail.com> Hello List Can anybody tell me anything about a cisco Standard closet? 
They are redoing the closet at my job and I am gathering some information, anything would help for instance website, phone number etc... Renelson From billbuhlman at yahoo.com Thu Apr 23 11:13:13 2009 From: billbuhlman at yahoo.com (Bill Buhlman) Date: Thu, 23 Apr 2009 08:13:13 -0700 (PDT) Subject: [c-nsp] Cisco Standard closet Message-ID: <17803.47139.qm@web43141.mail.sp1.yahoo.com> We have always used TIA/EIA standards documents for data center, MDF, IDF. TIA-568, TIA-569, TIA-570, TIA-606, TIA-942. Available from http://global.ihs.com/ Bill --- On Thu, 4/23/09, Renelson Panosky wrote: From: Renelson Panosky Subject: [c-nsp] Cisco Standard closet To: cisco-nsp at puck.nether.net Date: Thursday, April 23, 2009, 7:41 AM Hello List Can anybody tell me anything about a cisco Standard closet? They are redoing the closet at my job and I am gathering some information, anything would help for instance website, phone number etc... Renelson _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mduksa at gmail.com Thu Apr 23 12:33:29 2009 From: mduksa at gmail.com (Marlon Duksa) Date: Thu, 23 Apr 2009 09:33:29 -0700 Subject: [c-nsp] number of VRFs on Cisco Cat/7600 Message-ID: I found this in Cisco documentation under the title "OSPF Support for Unlimited Software VRFs per Provider Edge Router" : "The OSPF Support for Unlimited Software VRFs per Provider Edge Router feature allows for an approximate range of 300 to 10,000 VRFs, depending on the particular platform and on the applications, processes, and protocols that are currently running on the platform." 10,000 VRF? 7600/Cat have a limitation of 4K internal VLANs and each L3 VPN (MPLS) takes one of those, up to 512 L3 VPNs. After 512 L3 VPNs it takes 2 internal VLANs. This would max out L3 VPNs on 7600/Cat to less than 3K. I assume that L3 VPN = VRF. 
Does anyone know how they arrived at this 10K VRFs number? It just does not make sense. Thanks, Marlon From lukasz at bromirski.net Thu Apr 23 13:18:09 2009 From: lukasz at bromirski.net (Łukasz Bromirski) Date: Thu, 23 Apr 2009 19:18:09 +0200 Subject: [c-nsp] number of VRFs on Cisco Cat/7600 In-Reply-To: References: Message-ID: <49F0A2D1.7030501@bromirski.net> On 2009-04-23 18:33, Marlon Duksa wrote: > I found this in Cisco documentation under the title "OSPF Support > for Unlimited Software VRFs per Provider Edge Router" : > > "The OSPF Support for Unlimited Software VRFs per Provider Edge > Router feature allows for an approximate range of 300 to 10,000 VRFs, > depending on the particular platform and on the applications, > processes, and protocols that are currently running on the > platform." > > 10,000 VRF? > > 7600/Cat have a limitation of 4K internal VLANs and each L3 VPN > (MPLS) takes one of those, up to 512 L3 VPNs. After 512 L3 VPNs it > takes 2 internal VLANs. > > This would max out L3 VPNs on 7600/Cat to less than 3K. I assume that > L3 VPN = VRF. > > Does anyone know how they arrived at this 10K VRFs number? It just > does not make sense. The 7600 router is not the only platform in the Cisco portfolio that supports VRFs. Also, the IOS and the quote deal more with scalability than with a real example of a production environment. 
-- "Don't expect me to cry for all the reasons you had to die" -- Kurt Cobain | Łukasz Bromirski, http://lukasz.bromirski.net From lists at memetic.org Thu Apr 23 13:20:28 2009 From: lists at memetic.org (Adam Armstrong) Date: Thu, 23 Apr 2009 18:20:28 +0100 Subject: [c-nsp] number of VRFs on Cisco Cat/7600 In-Reply-To: References: Message-ID: <49F0A35C.2090601@memetic.org> Marlon Duksa wrote: > I found this in Cisco documentation under the title "OSPF Support for > Unlimited Software VRFs per > Provider Edge Router" : > > "The OSPF Support for Unlimited Software VRFs per Provider Edge Router > feature allows for an > approximate range of 300 to 10,000 VRFs, depending on the particular > platform and on the applications, > processes, and protocols that are currently running on the platform." > > 10,000 VRF? > > 7600/Cat have a limitation of 4K internal VLANs and each L3 VPN (MPLS) takes > one of those, up to 512 L3 VPNs. After 512 L3 VPNs it takes 2 internal > VLANs. > > This would max out L3 VPNs on 7600/Cat to less than 3K. I assume that L3 VPN > = VRF. > > Does anyone know how they arrived at this 10K VRFs number? It just does not > make sense. Unlimited *software* VRFs? adam. From ler762 at gmail.com Thu Apr 23 13:21:17 2009 From: ler762 at gmail.com (Lee) Date: Thu, 23 Apr 2009 13:21:17 -0400 Subject: [c-nsp] network audit was: VTY Lines Message-ID: On 4/21/09, Justin Shore wrote: > Lee wrote: >> line vty 0 3 >> access-class 100 in >> line vty 4 >> access-class 104 in >> >> Which means every single router fails when you put the config through RAT >> :( > I went round and round with a security guy who audited our gear once > over that. He made a huge stink over how we didn't have passwords > on our VTYs, con and aux ports. He took everything RAT had to say as > gospel, as if there was no other (or better) way to address a security > issue. <.. snip ..> He just didn't get it. 
I'd love to make it a requirement that network auditors have to actually know something about networking. We've got a service support contract w/ Cisco that includes a network audit; those are useful. What our security office is doing now... well, it is forcing me to take a detailed look at all the configs, so it's not a complete waste of time. > ... I used the password stink as part of > my justification that RAT really only points out common and basic > security problems and doesn't take into account any of the numerous ways > of mitigating those problems with more advanced methods. In the end the > audit was dropped. Dropping an audit has never been an option where I've worked. Preventing an audit from turning into nothing more than a bureaucratic paper-shuffling exercise is the best I can hope for. <.. snip ..> > While my installs may not be perfect, they are far better than average. > I don't need someone second-guessing my work with a tool like RAT. s/need someone/need a clueless someone/ and I'd agree. I've been in a few meetings where the auditor wasn't able to justify their findings with anything better than claiming "it's a best practice". I just looked at http://checklists.nist.gov/ncp.cfm?repository again and the only accepted Cisco IOS benchmark that has an automated tool is CIS. That they were able to get their tool accepted by the USG is impressive. That they haven't updated it since its release is regrettable. 
Regards, Lee From ler762 at gmail.com Thu Apr 23 13:32:25 2009 From: ler762 at gmail.com (Lee) Date: Thu, 23 Apr 2009 13:32:25 -0400 Subject: [c-nsp] VTY Lines In-Reply-To: <87ab69qamy.fsf@laphroiag.quux.de> References: <2C05E949E19A9146AF7BDF9D44085B863527941244@exchange.aoihq.local> <6de481d10904190012n61ab655eo70d43b61457c6c3a@mail.gmail.com> <3329cbb40904191653r43c2c77bie0c31fb88eec92b6@mail.gmail.com> <49EC7BE2.60100@scripty.com> <49EE8E94.7060503@justinshore.com> <87ab69qamy.fsf@laphroiag.quux.de> Message-ID: On 4/22/09, Jens Link wrote: > Justin Shore writes: > >> While my installs may not be perfect, they are far better than >> average. I don't need someone second-guessing my work with a tool like >> RAT. > > Agreed. But (IIRC) you can write your own rules for RAT. Combine this > with rancid and you have a great way of finding things you may have > forgotten to configure. Yes, but an auditor isn't going to allow your own rules for RAT so you're still stuck with justifying every 'failure' RAT comes up with. I tried sending them feedback a few years ago & got a very nice rejection reply. Maybe including patches with my feedback will work better this time.. Lee From arl at nordicom.tele.dk Thu Apr 23 13:43:15 2009 From: arl at nordicom.tele.dk (Arne Larsen) Date: Thu, 23 Apr 2009 19:43:15 +0200 Subject: [c-nsp] vs isdn calling number via radius Message-ID: Hi all. Does anyone know if it's possible to append the calling number on an AS5300 via a RADIUS attribute? I'm making large scale dialout and I need to change the calling number depending on whom I'm calling. /Arne -- I am protected by the free SPAMfighter for private users. So far it has saved me from receiving 2277 spam mails. Paying users do not get this message in their e-mails. 
Get the free SPAMfighter here: http://www.spamfighter.com/lda From clane1875 at gmail.com Thu Apr 23 13:51:20 2009 From: clane1875 at gmail.com (Chris Lane) Date: Thu, 23 Apr 2009 13:51:20 -0400 Subject: [c-nsp] 3750 High Cpu IP Input Message-ID: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com> Having a high cpu with my 3750 not in stack.

sh proc cpu | exclude 0.00
CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes: 70%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 168    40336940  92166921        437 15.49% 15.76% 15.97%   0 IP Input

WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK

According to some old threads this was a bug in some older IOS which was fixed in 12.2(25)

Egress port is quiet:
5 minute input rate 11171000 bits/sec, 1353 packets/sec
5 minute output rate 2821000 bits/sec, 681 packets/sec

Sure I can upgrade IOS! Looking to know WHY this box is so hot! Thanks -- //CL From nockhi at gmail.com Thu Apr 23 14:04:04 2009 From: nockhi at gmail.com (Asif Gul Khan) Date: Fri, 24 Apr 2009 00:04:04 +0600 Subject: [c-nsp] 3750 High Cpu IP Input In-Reply-To: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com> References: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com> Message-ID: If that was hot, then mine is already burnt :)

Cisco-4006#sh proc cpu | i IP In
CPU utilization for five seconds: 40%/0%; one minute: 49%; five minutes: 48%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  27 11102394522491179868        445 38.07% 40.50% 39.38%   0 IP Input

sh version shows:
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Does an IOS upgrade really solve this cpu prob??? On Thu, Apr 23, 2009 at 11:51 PM, Chris Lane wrote: > Having a high cpu with my 3750 not in stack. 
> sh proc cpu | exclude 0.00
> CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes:
> 70%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 168 40336940 92166921 437 15.49% 15.76% 15.97% 0 IP Input
>
> WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK
>
> According to some old threads this was a bug in some older IOS which was
> fixed in 12.2(25)
>
> Egress port is quiet:
> 5 minute input rate 11171000 bits/sec, 1353 packets/sec
> 5 minute output rate 2821000 bits/sec, 681 packets/sec
>
> Sure I can upgrade IOS!
> Looking to know WHY this box is so hot!
>
> Thanks
>
> --
> //CL
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mksmith at adhost.com Thu Apr 23 15:46:28 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 23 Apr 2009 12:46:28 -0700
Subject: [c-nsp] 3750 High Cpu IP Input
In-Reply-To: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com>
References: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031605EC0F03@ad-exh01.adhost.lan>

Subject: [c-nsp] 3750 High Cpu IP Input

Having a high cpu with my 3750 not in stack.

sh proc cpu | exclude 0.00
CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes: 70%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
168 40336940 92166921 437 15.49% 15.76% 15.97% 0 IP Input

WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK

According to some old threads this was a bug in some older IOS which was fixed in 12.2(25)

----
[Michael K. Smith - Adhost] Do you have cef enabled?
Mike

From SteveMc at netservicesplc.com Thu Apr 23 15:03:13 2009
From: SteveMc at netservicesplc.com (Steve McCrory)
Date: Thu, 23 Apr 2009 20:03:13 +0100
Subject: [c-nsp] Problems with multiple VPDN hops
Message-ID: <1C15FB264A06794F8BDE2120972B51C1050E280A@netexch04.ad.netservicesplc.com>

We have ADSL tails coming into our network from several BT L2TP tunnels terminating on Cisco LNS routers (7301s).

We normally either terminate the sessions locally on our first LNS routers or forward the sessions, using Radius attributes, to other LNS routers (ours or our wholesale customers').

What we would like to achieve is to take the L2TP tunnels from BT and forward them twice across our network as such:

End User<--pppoa-->BT<--L2TP-->LNS1<--L2TP-->LNS2<--L2TP-->LNS3

As mentioned above, we normally terminate users on LNS1 and assign IP addresses, or forward the sessions to LNS2. We would like to establish an additional tunnel to LNS3 but so far have found this difficult and the sessions seem to stall, in a sort of half-authenticated state on LNS 2.
We are using Radius to apply the forwarding rules, which we have configured as follows:

# First hop from LNS1 to LNS2
DEFAULT NAS-IP-Address !~ "\^213\.130\.147\.56\$", User-Name =~ "-shapetest at work\$", Auth-Type := Accept
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Tunnel-Type := "L2TP",
        Tunnel-Medium-Type := "IP",
        Tunnel-Client-Auth-ID := "brantest",
        Tunnel-Server-Endpoint := "213.130.147.56",
        Tunnel-Password := "oNi6egXZ"

# Second hop forwards from LNS2 to LNS3
DEFAULT NAS-IP-Address =~ "\^213\.130\.147\.56\$", User-Name =~ "-shapetest at work\$", Auth-Type := Accept
        Framed-Protocol = PPP,
        Service-Type = Framed-User,
        Tunnel-Type := "L2TP",
        Tunnel-Medium-Type := "IP",
        Tunnel-Client-Auth-ID := "netservint",
        Tunnel-Server-Endpoint := "213.130.145.50",
        Tunnel-Password := "oNi6egXZ"

We also have the following vpdn groups configured on our LNS routers:

LNS2:
vpdn-group test1
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname test1
 source-ip 213.130.147.56
 lcp renegotiation on-mismatch
 l2tp tunnel password 7 XXXXXXXXXX
 l2tp tunnel receive-window 10

LNS3:
vpdn-group test2
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname test2
 source-ip 213.130.145.50
 lcp renegotiation always
 l2tp tunnel password 7 XXXXXXXXX
 l2tp tunnel receive-window 10

What I'd like to know is if it's possible to use radius to essentially switch packets from one L2TP tunnel into another when they reach LNS2. We know that the VPDN and Radius configuration are correct on LNS2 because we can successfully terminate sessions on this router and assign IP addresses.

Thanks

Steven

Steven McCrory
Senior Network Engineer
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
www.netservicesplc.com

--------
NetServices plc, Company No.
4178393, Registered Office: NetServices House, 31 Modwen Road, Waters Edge Business Park, SALFORD, M5 3EZ
--------

From peter at rathlev.dk Thu Apr 23 16:01:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 23 Apr 2009 22:01:16 +0200
Subject: [c-nsp] 3750 High Cpu IP Input
In-Reply-To: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com>
References: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com>
Message-ID: <1240516876.3396.3.camel@localhost.localdomain>

On Thu, 2009-04-23 at 13:51 -0400, Chris Lane wrote:
> Having a high cpu with my 3750 not in stack. sh proc cpu | exclude 0.00
> CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes:
> 70%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 168 40336940 92166921 437 15.49% 15.76% 15.97% 0 IP Input
>
> WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK
>
> According to some old threads this was a bug in some older IOS which was
> fixed in 12.2(25)
>
> Egress port is quiet:
> 5 minute input rate 11171000 bits/sec, 1353 packets/sec
> 5 minute output rate 2821000 bits/sec, 681 packets/sec
>
> Sure I can upgrade IOS!
> Looking to know WHY this box is so hot!

When you see the box spending processor time in "IP Input" it's because it cannot hardware switch the traffic it moves. This is (almost) always a bad thing when you're looking at a L3 switch.

There can be several reasons for this. Features not supported in hardware (= most features, e.g. GRE or NAT) is one possible thing. TCAM starvation/overflow could also make the box do software switching.

It depends on your configuration. Has it always done this?
Regards,
Peter

From clane1875 at gmail.com Thu Apr 23 16:15:39 2009
From: clane1875 at gmail.com (Chris Lane)
Date: Thu, 23 Apr 2009 16:15:39 -0400
Subject: [c-nsp] 3750 High Cpu IP Input
In-Reply-To: <1240516876.3396.3.camel@localhost.localdomain>
References: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com> <1240516876.3396.3.camel@localhost.localdomain>
Message-ID: <2e1cd850904231315k5cd2a31axe6742364b556db82@mail.gmail.com>

The 3750 doesn't support GRE from what I have read? No NAT either, strictly L3.

This box has been in production for over a year and doesn't really do too much; as you can see from my orig thread it moves about 11MB.

This just started late last night yet we didn't add any new customer nor did anybody even touch the switch as the device is remote.

I read in an older thread regarding the same thing that the person rebooted and of course it resolved the issue. I am planning to do that early tomorrow am, but I really want to know what the heck is causing this.

Yes CEF is running.

Thanks to all for input.

On Thu, Apr 23, 2009 at 4:01 PM, Peter Rathlev wrote:
> On Thu, 2009-04-23 at 13:51 -0400, Chris Lane wrote:
> > Having a high cpu with my 3750 not in stack. sh proc cpu | exclude 0.00
> > CPU utilization for five seconds: 68%/43%; one minute: 69%; five minutes:
> > 70%
> > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> > 168 40336940 92166921 437 15.49% 15.76% 15.97% 0 IP Input
> >
> > WS-C3750-48TS 12.2(35)SE2 C3750-ADVIPSERVICESK
> >
> > According to some old threads this was a bug in some older IOS which was
> > fixed in 12.2(25)
> >
> > Egress port is quiet:
> > 5 minute input rate 11171000 bits/sec, 1353 packets/sec
> > 5 minute output rate 2821000 bits/sec, 681 packets/sec
> >
> > Sure I can upgrade IOS!
> > Looking to know WHY this box is so hot!
>
> When you see the box spending processor time in "IP Input" it's because
> it cannot hardware switch the traffic it moves.
> This is (almost) always
> a bad thing when you're looking at a L3 switch.
>
> There can be several reasons for this. Features not supported in
> hardware (= most features, e.g. GRE or NAT) is one possible thing. TCAM
> starvation/overflow could also make the box do software switching.
>
> It depends on your configuration. Has it always done this?
>
> Regards,
> Peter
>
>

--
//CL

From peter at rathlev.dk Thu Apr 23 16:41:11 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 23 Apr 2009 22:41:11 +0200
Subject: [c-nsp] 3750 High Cpu IP Input
In-Reply-To: <2e1cd850904231315k5cd2a31axe6742364b556db82@mail.gmail.com>
References: <2e1cd850904231051l527cc07fo26c2ab0403a28f21@mail.gmail.com> <1240516876.3396.3.camel@localhost.localdomain> <2e1cd850904231315k5cd2a31axe6742364b556db82@mail.gmail.com>
Message-ID: <1240519271.3396.9.camel@localhost.localdomain>

On Thu, 2009-04-23 at 16:15 -0400, Chris Lane wrote:
> This box has been in production for over a year and doesn't really do
> to much as you can see from my orig thread it moves about 11MB.
>
> This just started late last night yet we didn't add any new customer
> nor did anybody even touch switch as the device is remote.
>
> I read in an older thread regarding same thing that the person
> rebooted and of course it resolved issue. I am planning to do that
> Early tomorrow am, but
> i really want to know what the heck is causing this.
>
> Yes CEF is running.

What about TCAM utilisation ("show platform tcam utilization")?

Regards,
Peter

From leigh.bogardis at aciernet.com Thu Apr 23 16:52:06 2009
From: leigh.bogardis at aciernet.com (Leigh Bogardis -Aciernet)
Date: Thu, 23 Apr 2009 22:52:06 +0200
Subject: [c-nsp] Broken pin on a backplane
Message-ID: <49F0D4F6.8050204@aciernet.com>

Hi,

has