From jckdaniels12 at gmail.com Sat Aug 1 04:03:52 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sat, 1 Aug 2009 13:33:52 +0530
Subject: [c-nsp] SFC DOWN
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com>
Message-ID: <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>

Hi All,

I'm working on a 12416 chassis. I'm getting the errors below, which I'm not able to troubleshoot. Request your help -

The IOS I'm using is c12kprp-k4p-mz.120-32.SY6

Slot 14 type = Modular SPA Interface Card
        state = IOS RUN Line Card Enabled
  subslot 14/0: SPA-2XOC48POS/RPR (0x46F), status is ok
  subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok
  subslot 14/2: Empty
  subslot 14/3: Empty

SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.600 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.180 IST: %GSRSPA-6-ERRORRECOVER: A Hardware or Software error occurred on Subslot 1. Reason : Fugu: RXHSPITSTATOOF Automatic Error recovery initiated. No further intervention required.
-Traceback= 40031128 407E7584 407D9318 407D3670 40729FB0 40737A38 40B3E4EC 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0

Thanks and Regards
J.Daniels

On 8/1/09, e ninja wrote:
>
> Jack,
>
> http://howtos.mysolvr.com/How_to_Power_Off_and_On_a_Cisco_GSR_12000_Linecard
>
> Eninja
>
> On Thu, Jul 30, 2009 at 9:23 PM, jack daniels wrote:
>
>> Hi All,
>>
>> I'm facing an issue in Cisco 12416, request your help -
>>
>> show GSR -
>> "Slot 19 type = Switch Fabric Card 16XOC192
>> state = Administratively Down, Powered" <<<<<<<<<<<<<<<<<<<<<<
>>
>> how to take it out of this Administratively down state to powered state.
>>
>> My IOS version is 12.0(32)SY6
>>
>> Regards
>> Jack
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jckdaniels12 at gmail.com Sat Aug 1 04:06:33 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sat, 1 Aug 2009 13:36:33 +0530
Subject: [c-nsp] CSC CARD info
Message-ID: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com>

Hi all,

What is the significance of the slot number of the CSC?
If we use 2 CSC and 3 SFC:

When I do OIR of the slot 17 CSC (when MASTER) we get 3 ping drops for transit traffic through the router.
When I do OIR of the slot 16 CSC (when MASTER) we get lots of ping drops for transit traffic through the router and neighbourships break.

Regards
Jack.Daniels

From awilliam1981 at gmail.com Sat Aug 1 05:06:36 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Sat, 1 Aug 2009 12:06:36 +0300
Subject: [c-nsp] ISP in US
In-Reply-To:
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com> <9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com>
Message-ID: <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>

Daryl, so you recommend getting an over-provisioned internet link, and that will do the job without extra effort?

On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala wrote:
>
> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>
> Thx all and i will think about Gulfstream Daryl :)
>
> but i start to think about P2P connections like AT&T IPL (International
> Private Line) or ATM PVC between both sites, what do you think? what is
> the estimated cost for a 2M connection?
>
>
> That is also a very expensive way to go (if not just as expensive), and a
> lot of it depends on where your office is in the Middle East (to determine
> which carrier you will need to pay AT&T to buy their last few miles of
> transit through).
>
> I'm still not convinced that you need it - a 5 MB connection at each end
> with a VPN between the two and some sane QoS at each edge device ought to be
> more than enough. I deliver thousands of simultaneous calls from the Middle
> East through 3 GB connections to 3 different ISPs at my colo in San
> Francisco. No special agreements with anyone, the other sides of the calls
> originating from internet connections owned by our customers. No real
> problems.
>
> So before signing any contracts, I would simply give it a shot right over
> the Internet. You'll likely be pleased with the results.
>

From eninja at gmail.com Sat Aug 1 06:09:50 2009
From: eninja at gmail.com (Eninja)
Date: Sat, 1 Aug 2009 11:09:50 +0100
Subject: [c-nsp] CSC CARD info
In-Reply-To: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com>
Message-ID: <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com>

OIR'ing the primary CSC (slot 17 by default) will _always_ result in traffic loss because the CSC clocks and schedules all fabric traffic. Remember to shut down the primary CSC using the hw-module shut command, and wait at least 1 min before OIR'ing and failing over from primary to secondary CSC.

Eninja

On Aug 1, 2009, at 9:06 AM, jack daniels wrote:

> Hi all,
>
> What is the significance of the slot number of the CSC?
>
> If we use 2 CSC and 3 SFC:
>
> When I do OIR of the slot 17 CSC (when MASTER) we get 3 ping drops for
> transit traffic through the router.
> When I do OIR of the slot 16 CSC (when MASTER) we get lots of ping
> drops for transit traffic through the router and neighbourships break.
>
> Regards
> Jack.Daniels

From gsgranados at comcast.net Sat Aug 1 10:22:39 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Sat, 1 Aug 2009 07:22:39 -0700
Subject: [c-nsp] ISP in US
In-Reply-To: <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com> <9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com> <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>
Message-ID:

I still like the heavy business jet solution. :)

----- Original Message -----
From: "Andy William"
To: "Daryl G. Jurbala"
Cc:
Sent: Saturday, August 01, 2009 2:06 AM
Subject: Re: [c-nsp] ISP in US

> Daryl, so you recommend getting an over-provisioned internet link, and that
> will do the job without extra effort?
>
> On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala wrote:
>
>> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>>
>> Thx all and i will think about Gulfstream Daryl :)
>>
>> but i start to think about P2P connections like AT&T IPL (International
>> Private Line) or ATM PVC between both sites, what do you think? what is
>> the estimated cost for a 2M connection?
>>
>> That is also a very expensive way to go (if not just as expensive), and a
>> lot of it depends on where your office is in the Middle East (to
>> determine which carrier you will need to pay AT&T to buy their last few
>> miles of transit through).
>>
>> I'm still not convinced that you need it - a 5 MB connection at each end
>> with a VPN between the two and some sane QoS at each edge device ought to
>> be more than enough. I deliver thousands of simultaneous calls from the
>> Middle East through 3 GB connections to 3 different ISPs at my colo in San
>> Francisco. No special agreements with anyone, the other sides of the
>> calls originating from internet connections owned by our customers. No
>> real problems.
>>
>> So before signing any contracts, I would simply give it a shot right over
>> the Internet. You'll likely be pleased with the results.
>>

From snortbsd at yahoo.com.au Sat Aug 1 17:52:32 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sat, 1 Aug 2009 14:52:32 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <546098.51753.qm@web38101.mail.mud.yahoo.com>

Hi all:

I got a Cisco AP 1200 configured and can connect to it via wireless without problems. But the system connecting to the AP can't pick up any IP address.

dot11 ssid lab vlan 20
   vlan 20
   max-associations 10
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps
!
dot11 ssid test vlan 10
   vlan 10
   max-associations 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps

What else didn't I do right?

Thanks

____________________________________________________________________________________
Access Yahoo!7 Mail on your mobile. Anytime. Anywhere.
Show me how: http://au.mobile.yahoo.com/mail

From graham at g-rock.net Sat Aug 1 20:22:13 2009
From: graham at g-rock.net (Graham Wooden)
Date: Sat, 01 Aug 2009 19:22:13 -0500
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <546098.51753.qm@web38101.mail.mud.yahoo.com>
Message-ID:

Hi there,

The switch port that the AP is connected to - is it in trunk mode? Like "switchport trunk encap dot1q"?

On 8/1/09 4:52 PM, "snort bsd" wrote:

>
> Hi all:
>
> I got a Cisco AP 1200 configured and can connect to it via wireless without
> problems. But the system connecting to the AP can't pick up any IP address.
>
> dot11 ssid lab vlan 20
>    vlan 20
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    guest-mode
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
> !
> dot11 ssid test vlan 10
>    vlan 10
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
>
> What else didn't I do right?
>
> Thanks
>

From rwest at zyedge.com Sat Aug 1 20:25:54 2009
From: rwest at zyedge.com (Ryan West)
Date: Sat, 1 Aug 2009 20:25:54 -0400
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <546098.51753.qm@web38101.mail.mud.yahoo.com>
References: <546098.51753.qm@web38101.mail.mud.yahoo.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE3@zy-ex1.zyedge.local>

Are you trunking that interface and allowing both vlan 10 and 20? Do you have a DHCP server in both subnets or an ip-helper address?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
Sent: Saturday, August 01, 2009 5:53 PM
To: cisco-nsp
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap

Hi all:

I got a Cisco AP 1200 configured and can connect to it via wireless without problems. But the system connecting to the AP can't pick up any IP address.

dot11 ssid lab vlan 20
   vlan 20
   max-associations 10
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps
!
dot11 ssid test vlan 10
   vlan 10
   max-associations 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps

What else didn't I do right?

Thanks

From snortbsd at yahoo.com.au Sat Aug 1 21:08:45 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sat, 1 Aug 2009 18:08:45 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To:
Message-ID: <979659.89285.qm@web38101.mail.mud.yahoo.com>

Thanks for the reply.

No, we have no VLAN-aware switch connected to it yet. We want to use it to replace the Linksys wireless router we are using. The idea is that some mobile users connect to VLAN 10 via wireless and some mobile users connect to VLAN 20. Users on both VLANs could get to the internet but access different resources internally (with VLAN-aware switches). One problem at a time... :)

_Dave

--- On Sun, 2/8/09, Graham Wooden wrote:

> From: Graham Wooden
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Sunday, 2 August, 2009, 10:22 AM
> Hi there,
>
> The switch port that the AP is connected to - is it in
> trunk mode?
> Like "switchport trunk encap dot1q"?
>
>
> On 8/1/09 4:52 PM, "snort bsd" wrote:
>
> >
> > Hi all:
> >
> > I got a Cisco AP 1200 configured and can connect to it via
> wireless without
> > problems. But the system connecting to the AP can't
> pick up any IP address.
> >
> > dot11 ssid lab vlan 20
> >    vlan 20
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    guest-mode
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever key"
> >    information-element ssidl wps
> > !
> > dot11 ssid test vlan 10
> >    vlan 10
> >    max-associations 10
> >    authentication open
> >    
authentication key-management wpa
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever key"
> >    information-element ssidl wps
> >
> > What else didn't I do right?
> >
> > Thanks
>

From rwest at zyedge.com Sat Aug 1 21:15:35 2009
From: rwest at zyedge.com (Ryan West)
Date: Sat, 1 Aug 2009 21:15:35 -0400
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <979659.89285.qm@web38101.mail.mud.yahoo.com>
References: <979659.89285.qm@web38101.mail.mud.yahoo.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE5@zy-ex1.zyedge.local>

Since the switch is not VLAN aware, you'll need to configure one of the two VLANs as native to remove the tagging. You'll only be able to use one of the two SSIDs for now.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
Sent: Saturday, August 01, 2009 9:09 PM
To: cisco-nsp; Graham Wooden
Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap

Thanks for the reply.

No, we have no VLAN-aware switch connected to it yet. We want to use it to replace the Linksys wireless router we are using. The idea is that some mobile users connect to VLAN 10 via wireless and some mobile users connect to VLAN 20. Users on both VLANs could get to the internet but access different resources internally (with VLAN-aware switches). One problem at a time... :)

_Dave

--- On Sun, 2/8/09, Graham Wooden wrote:

> From: Graham Wooden
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Sunday, 2 August, 2009, 10:22 AM
> Hi there,
>
> The switch port that the AP is connected to - is it in
> trunk mode?
> Like "switchport trunk encap dot1q"?
>
>
> On 8/1/09 4:52 PM, "snort bsd" wrote:
>
> >
> > Hi all:
> >
> > I got a Cisco AP 1200 configured and can connect to it via
> wireless without
> > problems. But the system connecting to the AP can't
> pick up any IP address.
> >
> > dot11 ssid lab vlan 20
> >    vlan 20
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    guest-mode
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever key"
> >    information-element ssidl wps
> > !
> > dot11 ssid test vlan 10
> >    vlan 10
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever key"
> >    information-element ssidl wps
> >
> > What else didn't I do right?
> >
> > Thanks
>

From eninja at gmail.com Sat Aug 1 23:12:05 2009
From: eninja at gmail.com (e ninja)
Date: Sat, 1 Aug 2009 20:12:05 -0700
Subject: [c-nsp] SFC DOWN
In-Reply-To: <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
Message-ID:

Jack,

Response posted to http://bugs.mysolvr.com/TBD-3.

Eninja

PS. Contributors to this list should strive to post reusable knowledge to www.mysolvr.com so that it is properly documented, organized and easily searchable for posterity.

On Sat, Aug 1, 2009 at 1:03 AM, jack daniels wrote:

> Hi All,
>
> I'm working on a 12416 chassis. I'm getting the errors below, which I'm not able
> to troubleshoot. Request your help -
>
> The IOS I'm using is c12kprp-k4p-mz.120-32.SY6
>
> Slot 14 type = Modular SPA Interface Card
>         state = IOS RUN Line Card Enabled
>   subslot 14/0: SPA-2XOC48POS/RPR (0x46F), status is ok
>   subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok
>   subslot 14/2: Empty
>   subslot 14/3: Empty
>
> SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
> -Traceback=
> 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
> -Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:06.600 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
> -Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:08.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:10.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
> -Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:12.180 IST: %GSRSPA-6-ERRORRECOVER: A Hardware or Software error occurred on Subslot 1. Reason : Fugu: RXHSPITSTATOOF Automatic Error recovery initiated. No further intervention required.
> -Traceback= 40031128 407E7584 407D9318 407D3670 40729FB0 40737A38 40B3E4EC 401131B0
> SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
> -Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
> SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
> -Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
>
> Thanks and Regards
> J.Daniels
>
> On 8/1/09, e ninja wrote:
>>
>> Jack,
>>
>> http://howtos.mysolvr.com/How_to_Power_Off_and_On_a_Cisco_GSR_12000_Linecard
>>
>> Eninja
>>
>> On Thu, Jul 30, 2009 at 9:23 PM, jack daniels wrote:
>>
>>> Hi All,
>>>
>>> I'm facing an issue in Cisco 12416, request your help -
>>>
>>> show GSR -
>>> "Slot 19 type = Switch Fabric Card 16XOC192
>>> state = Administratively Down, Powered" <<<<<<<<<<<<<<<<<<<<<<
>>>
>>> how to take it out of this Administratively down state to powered
>>> state.
>>>
>>> My IOS version is 12.0(32)SY6
>>>
>>> Regards
>>> Jack
>>>
>>
>

From gert at greenie.muc.de Sun Aug 2 04:45:24 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 2 Aug 2009 10:45:24 +0200
Subject: [c-nsp] SFC DOWN
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
Message-ID: <20090802084524.GL290@greenie.muc.de>

Hi,

On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote:
> PS. Contributors to this list should strive to post reusable knowledge to
> www.mysolvr.com so that it is properly documented, organized and easily
> searchable for posterity.

Contributors to this list should just post to this list. Archives are available in many places, google will find the answers, and it's not necessary to go to a separate web site (which is likely to profit from it in some way) to get answers to questions posted *here*.

The value of this list is not "post links to web sites".

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From BBlackford at nwresd.k12.or.us Sun Aug 2 09:18:35 2009 From: BBlackford at nwresd.k12.or.us (Bill Blackford) Date: Sun, 2 Aug 2009 06:18:35 -0700 Subject: [c-nsp] Upgrading IOS core on a 3750 Stack Message-ID: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us> The subject line says it all. I have some questions regarding how the upgrade works. 1. Do I only upgrade the master? 2. If not, how do I upgrade the other switches in the stack? 3. Should everything be running the same exact code(base vs. ipservices)? Switch Ports Model SW Version SW Image ------ ----- ----- ---------- ---------- * 1 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M 2 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M 3 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M 4 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M Thank you -b -- Bill Blackford Senior Network Engineer NWRESD my /home away from home From peter at rathlev.dk Sun Aug 2 09:47:05 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 02 Aug 2009 15:47:05 +0200 Subject: [c-nsp] Upgrading IOS core on a 3750 Stack In-Reply-To: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us> References: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us> Message-ID: <1249220826.4809.10.camel@abehat.net.rm.dk> On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote: > The subject line says it all. > > I have some questions regarding how the upgrade works. > > 1. Do I only upgrade the master? Technically no, but the master might be able to auto-upgrade the members. > 2. If not, how do I upgrade the other switches in the stack? You can upload software to flash1:, flash2: etc. and set the boot variables with "boot system switch 2 flash:/asdf.bin". Remember that each switch sees the flash as just "flash:" when booting, so set the boot variable accordingly. > 3. 
Should everything be running the same exact code(base vs. > ipservices)? > > > Switch Ports Model SW Version SW Image > ------ ----- ----- ---------- ---------- > * 1 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M > 2 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M > 3 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M > 4 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M > I actually thought potential members with another feature set than the master wouldn't become active, but if that's part of a "show version" it seems they can. I would recommend running the same feature set on all switches. I don't know how different feature sets handle a master failover, but only problems come to mind when looking at it. Regards, Peter From eninja at gmail.com Sun Aug 2 09:51:07 2009 From: eninja at gmail.com (e ninja) Date: Sun, 2 Aug 2009 06:51:07 -0700 Subject: [c-nsp] SFC DOWN In-Reply-To: <20090802084524.GL290@greenie.muc.de> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> Message-ID: Gert, So if we apply your thought process, there is no value in capturing and organizing re-usable intellectual capital? I guess you must think Wikipedia is useless and we should just trawl through the web and layers of email threads to find simple answers to questions that have already been answered? The value of any list is to share knowledge. If there are free tools out there like mysolvr (a user-generated knowledge-base), that also allows us to go the extra mile of documenting and organizing re-usable know-how for the benefit of others, it is worth the effort. We have to work smarter, not harder. Eninja On Sun, Aug 2, 2009 at 1:45 AM, Gert Doering wrote: > Hi, > > On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote: > > PS. 
> > Contributors to this list should strive to post reusable knowledge to
> > www.mysolvr.com so that it is properly documented, organized and easily
> > searchable for posterity.
>
> Contributors to this list should just post to this list. Archives are
> available in many places, google will find the answers, and it's not
> necessary to go to a separate web site (which is likely to profit from
> it in some way) to get answers to questions posted *here*.
>
> The value of this list is not "post links to web sites".
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From gert at greenie.muc.de Sun Aug 2 09:56:20 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 2 Aug 2009 15:56:20 +0200
Subject: [c-nsp] SFC DOWN
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <20090802135620.GS290@greenie.muc.de>

Hi,

On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
> We have to work smarter, not harder.

That's why "hey, please go *there* to read my answer to your question" is the wrong approach.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
From jbest at zyedge.com Sun Aug 2 10:30:59 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Sun, 2 Aug 2009 10:30:59 -0400
Subject: [c-nsp] Upgrading IOS core on a 3750 Stack
In-Reply-To: <1249220826.4809.10.camel@abehat.net.rm.dk>
References: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us>, <1249220826.4809.10.camel@abehat.net.rm.dk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DED8BB@zy-ex1.zyedge.local>

Here's the documentation from Cisco including CLI commands to do the upgrade.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00804799d7.shtml

-Jeremiah

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev [peter at rathlev.dk]
Sent: Sunday, August 02, 2009 9:47 AM
To: Bill Blackford
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] Upgrading IOS core on a 3750 Stack

On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote:
> The subject line says it all.
>
> I have some questions regarding how the upgrade works.
>
> 1. Do I only upgrade the master?

Technically no, but the master might be able to auto-upgrade the members.

> 2. If not, how do I upgrade the other switches in the stack?

You can upload software to flash1:, flash2: etc. and set the boot variables with "boot system switch 2 flash:/asdf.bin". Remember that each switch sees the flash as just "flash:" when booting, so set the boot variable accordingly.

> 3. Should everything be running the same exact code (base vs.
> ipservices)?
> > > Switch Ports Model SW Version SW Image > ------ ----- ----- ---------- ---------- > * 1 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M > 2 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M > 3 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPBASEK9-M > 4 52 WS-C3750-48P 12.2(25)SEE1 C3750-IPSERVICESK9-M > I actually thought potential members with another feature set than the master wouldn't become active, but if that's part of a "show version" it seems they can. I would recommend running the same feature set on all switches. I don't know how different feature sets handle a master failover, but only problems come to mind when looking at it. Regards, Peter _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff-kell at utc.edu Sun Aug 2 11:48:06 2009 From: jeff-kell at utc.edu (Jeff Kell) Date: Sun, 02 Aug 2009 11:48:06 -0400 Subject: [c-nsp] VSS question... In-Reply-To: <44C483CB52659549BA199961AEFAD717257FCB@b-exch-recovery.internal.scmc.org> References: <4A6FAE95.6010806@utc.edu> <20090729081252.GB11496@lboro.ac.uk><4A7005ED.7060305@rollernet.us> <20090729083813.GA11906@lboro.ac.uk> <44C483CB52659549BA199961AEFAD717257FCB@b-exch-recovery.internal.scmc.org> Message-ID: <4A75B536.4030108@utc.edu> Thanks for all the feedback on the VSS basics, very helpful. If I can push the envelope just a bit further, anyone running FWSM[s] in a VSS pair? 
Jeff From sethm at rollernet.us Sun Aug 2 12:33:08 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Sun, 02 Aug 2009 09:33:08 -0700 Subject: [c-nsp] SFC DOWN In-Reply-To: References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> Message-ID: <4A75BFC4.9030203@rollernet.us> e ninja wrote: > Gert, > > So if we apply your thought process, there is no value in capturing and > organizing re-usable intellectual capital? I guess you must think Wikipedia > is useless and we should just trawl through the web and layers of email > threads to find simple answers to questions that have already been answered? > > > The value of any list is to share knowledge. If there are free tools out > there like mysolvr (a user-generated knowledge-base), that also allows us to > go the extra mile of documenting and organizing re-usable know-how for the > benefit of others, it is worth the effort. > > We have to work smarter, not harder. You're not sharing knowledge, you're pimping a website. I am fully capable of searching this list from my own archives or the ones online. I suspect others are as well. If you're going to participate here *do not* spam the archives of this list. They are likely to last far longer than at the whim of some web 2.0 fad that may or may not allow free access to said knowledge in the future. 
~Seth From snortbsd at yahoo.com.au Sun Aug 2 11:53:09 2009 From: snortbsd at yahoo.com.au (snort bsd) Date: Sun, 2 Aug 2009 08:53:09 -0700 (PDT) Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: <979659.89285.qm@web38101.mail.mud.yahoo.com> Message-ID: <916322.54913.qm@web38107.mail.mud.yahoo.com> Ok, here is what I have for DHCP sewrvice: ip dhcp pool r-office network 192.168.12.0 255.255.255.0 subnet prefix-length 24 default-router 192.168.12.1 lease infinite what did I do wrong? --- On Sun, 2/8/09, snort bsd wrote: > From: snort bsd > Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap > To: "cisco-nsp" , "Graham Wooden" > Received: Sunday, 2 August, 2009, 11:08 AM > > Thanks for reply. > > No, we have no VLAN aware switch connecting to it yet. We > want to use it to replace the linksys wireless router we are > using. > > The idea is that some of mobile user connecting to VLAN 10 > via wireless and some? of mobile users connecting to > VLAN 20. Users on both VLANs could get to internet but > access different resources internally (with VLAN aware > switches). > > One problem a time...:) > > _Dave > > --- On Sun, 2/8/09, Graham Wooden > wrote: > > > From: Graham Wooden > > Subject: Re: [c-nsp] Can't pick up ip address--cisco > 1200 ap > > To: "snort bsd" , > "cisco-nsp" > > Received: Sunday, 2 August, 2009, 10:22 AM > > Hi there, > > > > Your switch port that the AP is connected to - is it > in > > trunk mode? > > Like "switchport trunk encap dot1q" ? > > > > > > On 8/1/09 4:52 PM, "snort bsd" > > wrote: > > > > > > > > Hi: all: > > > > > > I got ciscoAP 1200 configured and can connect it > via > > wireless without > > > problems. But the system connecting to the AP > can't > > pick up any IP address. > > > > > > dot11 ssid lab vlan 20 > > >? ? vlan 20 > > >? ? max-associations 10 > > >? ? authentication open > > >? ? authentication key-management wpa > > >? ? guest-mode > > >? ? mbssid guest-mode > > >? ? 
wpa-psk ascii 7 "whatever key" > > >? ? information-element ssidl wps > > > ! > > > dot11 ssid test vlan 10 > > >? ? vlan 10 > > >? ? max-associations 10 > > >? ? authentication open > > >? ? authentication key-management wpa > > >? ? mbssid guest-mode > > >? ? wpa-psk ascii 7 "whatever key" > > >? ? information-element ssidl wps > > > > > > what else I didn't do right? > > > > > > Thanks > > > > > > > > >? ? ??? > > > > > > ______________________________________________________________________________ > > > ______ > > > Access Yahoo!7 Mail on your mobile. Anytime. > > Anywhere. > > > Show me how: http://au.mobile.yahoo.com/mail > > > _______________________________________________ > > > cisco-nsp mailing list? cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > > > ? ? ? > ____________________________________________________________________________________ > Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. > Show me how: http://au.mobile.yahoo.com/mail > _______________________________________________ > cisco-nsp mailing list? cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ____________________________________________________________________________________ Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. 
Show me how: http://au.mobile.yahoo.com/mail From jay at west.net Sun Aug 2 13:10:10 2009 From: jay at west.net (Jay Hennigan) Date: Sun, 02 Aug 2009 10:10:10 -0700 Subject: [c-nsp] SFC DOWN In-Reply-To: <20090802084524.GL290@greenie.muc.de> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> Message-ID: <4A75C872.8060104@west.net> Gert Doering wrote: > Contributors to this list should just post to this list. Archives are > available in many places, google will find the answers, and it's not > necessary to go to a separate web site (which is likely to profit from > it in some way) to get answers to questions posted *here*. > > The value of this list is not "post links to web sites". Agreed 100%. FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses from this list and spammed them repeatedly a while back. http://www.google.com/search?q=pingsta+spam -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From lmeade at signal.ca Sun Aug 2 13:14:04 2009 From: lmeade at signal.ca (Leslie Meade) Date: Sun, 2 Aug 2009 10:14:04 -0700 Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: <916322.54913.qm@web38107.mail.mud.yahoo.com> References: <979659.89285.qm@web38101.mail.mud.yahoo.com> <916322.54913.qm@web38107.mail.mud.yahoo.com> Message-ID: You got this on the router and what is the AP connected to ? 
U need to have an interface, gateway, default router commands so that the vlan 20 can connect to the router, if you want them to connect to different vlans internally you may need to look at this type of setup Ie interface Vlan12 description Wireless Vlan no ip address no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly bridge-group 12 bridge-group 12 spanning-disabled interface BVI12 description Bridge to Internal Network ip address 192.168.12.1 255.255.255.0 ip nat inside ip virtual-reassembly bridge 12 protocol ieee bridge 12 route ip -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd Sent: Sunday, August 02, 2009 8:53 AM To: cisco-nsp; Graham Wooden Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap Ok, here is what I have for DHCP sewrvice: ip dhcp pool r-office network 192.168.12.0 255.255.255.0 subnet prefix-length 24 default-router 192.168.12.1 lease infinite what did I do wrong? --- On Sun, 2/8/09, snort bsd wrote: > From: snort bsd > Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap > To: "cisco-nsp" , "Graham Wooden" > Received: Sunday, 2 August, 2009, 11:08 AM > > Thanks for reply. > > No, we have no VLAN aware switch connecting to it yet. We > want to use it to replace the linksys wireless router we are > using. > > The idea is that some of mobile user connecting to VLAN 10 > via wireless and some? of mobile users connecting to > VLAN 20. Users on both VLANs could get to internet but > access different resources internally (with VLAN aware > switches). > > One problem a time...:) > > _Dave > > --- On Sun, 2/8/09, Graham Wooden > wrote: > > > From: Graham Wooden > > Subject: Re: [c-nsp] Can't pick up ip address--cisco > 1200 ap > > To: "snort bsd" , > "cisco-nsp" > > Received: Sunday, 2 August, 2009, 10:22 AM > > Hi there, > > > > Your switch port that the AP is connected to - is it > in > > trunk mode? 
> > Like "switchport trunk encap dot1q" ? > > > > > > On 8/1/09 4:52 PM, "snort bsd" > > wrote: > > > > > > > > Hi: all: > > > > > > I got ciscoAP 1200 configured and can connect it > via > > wireless without > > > problems. But the system connecting to the AP > can't > > pick up any IP address. > > > > > > dot11 ssid lab vlan 20 > > >? ? vlan 20 > > >? ? max-associations 10 > > >? ? authentication open > > >? ? authentication key-management wpa > > >? ? guest-mode > > >? ? mbssid guest-mode > > >? ? wpa-psk ascii 7 "whatever key" > > >? ? information-element ssidl wps > > > ! > > > dot11 ssid test vlan 10 > > >? ? vlan 10 > > >? ? max-associations 10 > > >? ? authentication open > > >? ? authentication key-management wpa > > >? ? mbssid guest-mode > > >? ? wpa-psk ascii 7 "whatever key" > > >? ? information-element ssidl wps > > > > > > what else I didn't do right? > > > > > > Thanks > > > > > > > > >? ? ??? > > > > > > ______________________________________________________________________________ > > > ______ > > > Access Yahoo!7 Mail on your mobile. Anytime. > > Anywhere. > > > Show me how: http://au.mobile.yahoo.com/mail > > > _______________________________________________ > > > cisco-nsp mailing list? cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > > > ? ? ? > ____________________________________________________________________________________ > Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. > Show me how: http://au.mobile.yahoo.com/mail > _______________________________________________ > cisco-nsp mailing list? cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ____________________________________________________________________________________ Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. 
Show me how: http://au.mobile.yahoo.com/mail _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eninja at gmail.com Sun Aug 2 13:28:31 2009 From: eninja at gmail.com (Eninja) Date: Sun, 2 Aug 2009 18:28:31 +0100 Subject: [c-nsp] SFC DOWN In-Reply-To: <4A75C872.8060104@west.net> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <4A75C872.8060104@west.net> Message-ID: <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com> That 'spam' was the result of a Pingsta mailserver bug. What exactly has that got to do with working smarter? Eninja On Aug 2, 2009, at 6:10 PM, Jay Hennigan wrote: > Gert Doering wrote: > >> Contributors to this list should just post to this list. Archives >> are >> available in many places, google will find the answers, and it's not >> necessary to go to a separate web site (which is likely to profit >> from >> it in some way) to get answers to questions posted *here*. >> The value of this list is not "post links to web sites". > > Agreed 100%. > > FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses > from this list and spammed them repeatedly a while back. 
> > http://www.google.com/search?q=pingsta+spam > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jckdaniels12 at gmail.com Sun Aug 2 13:34:57 2009 From: jckdaniels12 at gmail.com (jack daniels) Date: Sun, 2 Aug 2009 23:04:57 +0530 Subject: [c-nsp] CSC CARD info In-Reply-To: <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com> References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com> <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com> Message-ID: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com> Hi, Thanks , but my querry still remains unanswered - If we use 2 CSC and 3 SFC " When I do OIR of slot 17 CSC ( when MASTER - defaul ) we get 3 ping drops for transit traffic through the router. When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping drops for transit traffic through the router and neighbourships break." Regards J.Daniels On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote: > OIR'ing the primary CSC (slot 17 by default) will _always_ result in > traffic loss because the CSC clocks and schedules all fabric traffic. > > Remember to shutdown the primary CSC using hw-module shut command, wait at > least 1 min before OIR'ing and failing over from primary to secondary CSC. > > Eninja > > > > On Aug 1, 2009, at 9:06 AM, jack daniels wrote: > > Hi all, >> >> what is significance of slot no of CSC. >> >> If we use 2 CSC and 3 SFC >> >> When I do OIR of slot 17 CSC ( when MASTER ) we get 3 ping drops for >> transit >> traffic through the router. >> When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping drops for >> transit traffic through the router and neighbourships break. 
>>
>>
>> Regards
>> Jack.Daniels
>

From sethm at rollernet.us Sun Aug 2 13:59:47 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 02 Aug 2009 10:59:47 -0700
Subject: [c-nsp] SFC DOWN
In-Reply-To: <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <4A75C872.8060104@west.net> <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com>
Message-ID: <4A75D413.6050609@rollernet.us>

Eninja wrote:
> That 'spam' was the result of a Pingsta mailserver bug. What exactly has
> that got to do with working smarter?
>

It means that many of us will not find any credibility in Pingsta or anything related to it. We are not a short-sighted "oooo shiny" web 2.0 audience that forgets quickly.

~Seth

From josmon at rigozsaurus.com Sun Aug 2 13:32:16 2009
From: josmon at rigozsaurus.com (John Osmon)
Date: Sun, 2 Aug 2009 11:32:16 -0600
Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN)
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <20090802173216.GA18289@jeeves.rigozsaurus.com>

Let me preface my words with the thought that I find most of the new wikis, forums, and whatnots are poor substitutes for searchable text archives. However, I learned most of my foundation material from Usenet in the late 80s and early 90s, so I might be biased...
On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
> Gert,
>
> So if we apply your thought process, there is no value in capturing and
> organizing re-usable intellectual capital? I guess you must think Wikipedia
> is useless and we should just trawl through the web and layers of email
> threads to find simple answers to questions that have already been answered?

You're putting words in Gert's mouth suggesting he derides the valuable (free) services available. I've never met Gert, but would buy him a beer if I found we were in the same room. Gert and others have helped me (and others) countless times without need of any of the tools you espouse -- so there is already value present without need for more work...

Back to the main point:
There is value -- but who has to exert energy, and who reaps the benefits?

> The value of any list is to share knowledge. If there are free tools out
> there like mysolvr (a user-generated knowledge-base), that also allows us to
> go the extra mile of documenting and organizing re-usable know-how for the
> benefit of others, it is worth the effort.

Yes, there is likely value in organizing the info. However, is the marginal value greater than the marginal cost? I'm of the opinion that most of the people reading this list and the archives believe that it works well as it is.

> We have to work smarter, not harder.

Absolutely! However, I think that you've got a hard hill in front of you trying to change the behavior of people using this list.

A smarter approach might be to start moving the data to your preferred site on your own. Perhaps even building automated tools to do so. If your idea catches on, you could very well end up with a reputation and following like Jared and/or Gert. Until that occurs, I have doubts that the wealth of info on cisco-nsp will be transferred to another medium...

(With that said, I'd be happy to be proven wrong -- more knowledge is better!
I don't, however, think that I'd get enough out of the process to spend my time doing any of the prep work...) From graham at g-rock.net Sun Aug 2 16:17:21 2009 From: graham at g-rock.net (Graham Wooden) Date: Sun, 02 Aug 2009 15:17:21 -0500 Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: <916322.54913.qm@web38107.mail.mud.yahoo.com> Message-ID: Well, without a VLAN aware switch you are dumping tagged VLAN traffic into an interface that won't do anything with it, and in turn won't pass you traffic to your "sub interfaces" on your AP. So to move forward, you really need to have the AP plugged into a VLAN aware switch, with the port setup for dot1q and allowing these two vlans. Then set up some other ports on the switch to handle the untagged traffic for these two vlans and put your DHCP server(s) on it. Or if you running your DHCP server on a router, you can sub interface out the router and make that switchport dot1q as well. Make sense? Again, without the proper handling of the traffic leaving the AP, traffic won't go in properlly as well. HTH, -graham >> From: snort bsd >> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap >> To: "cisco-nsp" , "Graham Wooden" >> >> Received: Sunday, 2 August, 2009, 11:08 AM >> >> Thanks for reply. >> >> No, we have no VLAN aware switch connecting to it yet. We >> want to use it to replace the linksys wireless router we are >> using. >> >> The idea is that some of mobile user connecting to VLAN 10 >> via wireless and some? of mobile users connecting to >> VLAN 20. Users on both VLANs could get to internet but >> access different resources internally (with VLAN aware >> switches). 
>> >> One problem a time...:) >> >> _Dave >> >> --- On Sun, 2/8/09, Graham Wooden >> wrote: >> >>> From: Graham Wooden >>> Subject: Re: [c-nsp] Can't pick up ip address--cisco >> 1200 ap >>> To: "snort bsd" , >> "cisco-nsp" >>> Received: Sunday, 2 August, 2009, 10:22 AM >>> Hi there, >>> >>> Your switch port that the AP is connected to - is it >> in >>> trunk mode? >>> Like "switchport trunk encap dot1q" ? >>> >>> >>> On 8/1/09 4:52 PM, "snort bsd" >>> wrote: >>> >>>> >>>> Hi: all: >>>> >>>> I got ciscoAP 1200 configured and can connect it >> via >>> wireless without >>>> problems. But the system connecting to the AP >> can't >>> pick up any IP address. >>>> >>>> dot11 ssid lab vlan 20 >>>> ? ? vlan 20 >>>> ? ? max-associations 10 >>>> ? ? authentication open >>>> ? ? authentication key-management wpa >>>> ? ? guest-mode >>>> ? ? mbssid guest-mode >>>> ? ? wpa-psk ascii 7 "whatever key" >>>> ? ? information-element ssidl wps >>>> ! >>>> dot11 ssid test vlan 10 >>>> ? ? vlan 10 >>>> ? ? max-associations 10 >>>> ? ? authentication open >>>> ? ? authentication key-management wpa >>>> ? ? mbssid guest-mode >>>> ? ? wpa-psk ascii 7 "whatever key" >>>> ? ? information-element ssidl wps >>>> >>>> what else I didn't do right? >>>> >>>> Thanks >>>> >>>> >>>> ? ? ??? >>>> >>> >> _____________________________________________________________________________>> _ >>>> ______ >>>> Access Yahoo!7 Mail on your mobile. Anytime. >>> Anywhere. >>>> Show me how: http://au.mobile.yahoo.com/mail >>>> _______________________________________________ >>>> cisco-nsp mailing list? cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >>> >> >> >> ? ? ? >> _____________________________________________________________________________ >> _______ >> Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. 
>> Show me how: http://au.mobile.yahoo.com/mail >> _______________________________________________ >> cisco-nsp mailing list? cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > > ______________________________________________________________________________ > ______ > Access Yahoo!7 Mail on your mobile. Anytime. Anywhere. > Show me how: http://au.mobile.yahoo.com/mail From jay at west.net Sun Aug 2 17:23:20 2009 From: jay at west.net (Jay Hennigan) Date: Sun, 02 Aug 2009 14:23:20 -0700 Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN) In-Reply-To: <20090802173216.GA18289@jeeves.rigozsaurus.com> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <20090802173216.GA18289@jeeves.rigozsaurus.com> Message-ID: <4A7603C8.2090603@west.net> John Osmon wrote: > Let me preafce my words with the thought that I find the most of the new > wikis, forums, and whatnots are poor substitutes for searchable text > archives. Agreed. > However, I learned most of my foundation material from Usenet > in the late 80s and early 90s, so I might be biased... Ditto. > On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote: >> Gert, >> >> So if we apply your thought process, there is no value in capturing and >> organizing re-usable intellectual capital? I guess you must think Wikipedia >> is useless and we should just trawl through the web and layers of email >> threads to find simple answers to questions that have already been answered? > > You're putting words in Gert's mouth suggesting he derides the valuable > (free) services available. I've never met Gert, but would buy him a > beer if I found we were in the same room. 
Gert and others have helped > me (and others) countless times without need of any of the tools you > espouse -- so there is already value present without need for more > work... Agreed, and I'd buy him two. Issues brought to this list should be discussed on this list and hopefully resolved on this list. A "Go over there for the answer" response fragments discussion and actually tends to make future searches for the same information less likely to succeed as information on the web changes, links break, etc. A response of "Go over there for the answer" from someone with a vested interest in "Over there" is nothing more than an advertisement for "Over there". > Back to the main point: > There is value -- but who has to exert energy, and who reaps the > benefits? Those looking for the information have to exert the energy, those trying to commercialize it reap the benefits. >> The value of any list is to share knowledge. If there are free tools out >> there like mysolvr (a user-generated knowledge-base), that also allows us to >> go the extra mile of documenting and organizing re-usable know-how for the >> benefit of others, it is worth the effort. > > Yes, there is likely value in organizing the info. However, is the > marginal value greater than the marginal cost? I'm of the opinion > that most of the people reading this list and the archives believe > that it works well as it is. Agreed. >> We have to work smarter, not harder. > > Absolutely! However, I think that you've got a hard hill in front of > you trying to change the behavior of people using this list. And the smart way to work is to avoid fragmenting the information. The hard way is to fragment it among diffuse sites. The ethical way is to resist hijacking threads to promote one's own website. > A smarter approach might be to start moving the data to your preferred > site on your own. Perhaps even building automated tools to do so. 
> If your idea catches on, you could very well end up with a reputation and
> following like Jared and/or Gert. Until that occurs, I have doubts
> that the wealth of info on cisco-nsp will be transferred to
> another medium...

He doesn't want to move the information to his site on his own. He wants us to do it for him. This began over a year ago with scraping cisco-nsp for email addresses and spamming them with "invitations". It went mostly under-the-radar until his spambot went nuts and flooded its victims with multiple invitations at once. Faded under the radar again and now he's back hawking the sister site.

> (With that said, I'd be happy to be proven wrong -- more knowledge is
> better! I don't, however, think that I'd get enough out of the
> process to spend my time doing any of the prep work...)

Agreed. And it fragments the information.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From eninja at gmail.com Sun Aug 2 19:43:45 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 2 Aug 2009 16:43:45 -0700
Subject: [c-nsp] CSC CARD info
In-Reply-To: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com> <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com> <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
Message-ID:

Jack,

Assuming the right procedures were followed for OIR, send the following captures when 17 & 16 are primary CSC to aid further assessment;

1. sh controller fia (from the RP and from an "attach" session to each of the LCs)
2. show controllers psar
3. sh fabric
4.
sh log Eninja On Sun, Aug 2, 2009 at 10:34 AM, jack daniels wrote: > Hi, > > Thanks , but my querry still remains unanswered - > > > If we use 2 CSC and 3 SFC > > " When I do OIR of slot 17 CSC ( when MASTER - defaul ) we get 3 ping drops > for transit traffic through the router. > When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping drops for > transit traffic through the router and neighbourships break." > > Regards > J.Daniels > > On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote: > >> OIR'ing the primary CSC (slot 17 by default) will _always_ result in >> traffic loss because the CSC clocks and schedules all fabric traffic. >> >> Remember to shutdown the primary CSC using hw-module shut command, wait at >> least 1 min before OIR'ing and failing over from primary to secondary CSC. >> >> Eninja >> >> >> >> On Aug 1, 2009, at 9:06 AM, jack daniels wrote: >> >> Hi all, >>> >>> what is significance of slot no of CSC. >>> >>> If we use 2 CSC and 3 SFC >>> >>> When I do OIR of slot 17 CSC ( when MASTER ) we get 3 ping drops for >>> transit >>> traffic through the router. >>> When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping drops >>> for >>> transit traffic through the router and neighbourships break. >>> >>> >>> Regards >>> Jack.Daniels >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> > From snortbsd at yahoo.com.au Sun Aug 2 19:44:54 2009 From: snortbsd at yahoo.com.au (snort bsd) Date: Sun, 2 Aug 2009 16:44:54 -0700 (PDT) Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: Message-ID: <563713.60520.qm@web38107.mail.mud.yahoo.com> Thanks for help! 
Here is what I have:

internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
              |
              |
              |
     wireless PCs (VLAN 10 or VLAN 20)

I have DHCP service configured on the AP, which means those wireless PCs should get their IP addresses from the DHCP server on the AP (I don't have a separate DHCP server on the internal network). What I am trying to figure out is how I can tie the right pool of DHCP IP addresses to the right interface. Right now the authenticated PCs cannot get an IP address at all.

here is my config relating to the diagram:

ip dhcp pool vlan20
   network 192.168.12.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.168.12.1
   lease infinite
!
ip dhcp pool vlan10
   network 192.168.13.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.16.13.1
   lease infinite
....
...
dot11 vlan-name ming vlan 20
dot11 vlan-name rest vlan 10
!
dot11 ssid lab vlan 20
   vlan 20
   max-associations 10
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "whatever"
   !
   information-element ssidl wps
!
dot11 ssid test vlan 10
   vlan 10
   max-associations 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 "whatever"
   !
   information-element ssidl wps
....
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 ssid lab vlan 20
 !
 ssid test vlan 10
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip redirects
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip redirects
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 port-protected
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.13.10 255.255.255.0
 no ip redirects
 no ip route-cache
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.12.10 255.255.255.0
 no ip redirects
 no ip route-cache
!

--- On Mon, 3/8/09, Graham Wooden wrote:
> From: Graham Wooden
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Monday, 3 August, 2009, 6:17 AM
> Well, without a VLAN aware switch you are dumping tagged VLAN traffic into an interface that won't do anything with it, and in turn won't pass you traffic to your "sub interfaces" on your AP.
>
> So to move forward, you really need to have the AP plugged into a VLAN aware switch, with the port set up for dot1q and allowing these two vlans. Then set up some other ports on the switch to handle the untagged traffic for these two vlans and put your DHCP server(s) on it. Or if you are running your DHCP server on a router, you can sub interface out the router and make that switchport dot1q as well.
>
> Make sense? Again, without the proper handling of the traffic leaving the AP, traffic won't go in properly as well.
>
> HTH,
>
> -graham
>
>> From: snort bsd
>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
>> To: "cisco-nsp" , "Graham Wooden"
>>
>> Received: Sunday, 2 August, 2009, 11:08 AM
>>
>> Thanks for the reply.
>>
>> No, we have no VLAN aware switch connecting to it yet.
>> We want to use it to replace the linksys wireless router we are using.
>>
>> The idea is that some of the mobile users connect to VLAN 10 via wireless and some of the mobile users connect to VLAN 20. Users on both VLANs could get to the internet but access different resources internally (with VLAN aware switches).
>>
>> One problem at a time...:)
>>
>> _Dave
>>
>> --- On Sun, 2/8/09, Graham Wooden wrote:
>>
>>> From: Graham Wooden
>>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
>>> To: "snort bsd" , "cisco-nsp"
>>> Received: Sunday, 2 August, 2009, 10:22 AM
>>> Hi there,
>>>
>>> Your switch port that the AP is connected to - is it in trunk mode?
>>> Like "switchport trunk encap dot1q" ?
>>>
>>> On 8/1/09 4:52 PM, "snort bsd" wrote:
>>>
>>>> Hi: all:
>>>>
>>>> I got ciscoAP 1200 configured and can connect it via wireless without problems. But the system connecting to the AP can't pick up any IP address.
>>>>
>>>> dot11 ssid lab vlan 20
>>>>    vlan 20
>>>>    max-associations 10
>>>>    authentication open
>>>>    authentication key-management wpa
>>>>    guest-mode
>>>>    mbssid guest-mode
>>>>    wpa-psk ascii 7 "whatever key"
>>>>    information-element ssidl wps
>>>> !
>>>> dot11 ssid test vlan 10
>>>>    vlan 10
>>>>    max-associations 10
>>>>    authentication open
>>>>    authentication key-management wpa
>>>>    mbssid guest-mode
>>>>    wpa-psk ascii 7 "whatever key"
>>>>    information-element ssidl wps
>>>>
>>>> what else I didn't do right?
>>>>
>>>> Thanks
>>>>
>>>> ____________________________________________________________________________________
>>>> Access Yahoo!7 Mail on your mobile. Anytime. Anywhere.
>>>> Show me how: http://au.mobile.yahoo.com/mail

From jbest at zyedge.com Sun Aug 2 20:01:53 2009 From: jbest at zyedge.com (Jeremiah Best) Date: Sun, 2 Aug 2009 20:01:53 -0400 Subject: [c-nsp] SFC DOWN In-Reply-To: <4A75C872.8060104@west.net> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <4A75C872.8060104@west.net> Message-ID: <218DA613-7747-469B-9AB2-51A53140A7DB@zyedge.com>

Has the original question of this thread been answered?

Sent from my handheld

On Aug 2, 2009, at 1:12 PM, "Jay Hennigan" wrote:
> Gert Doering wrote:
>
>> Contributors to this list should just post to this list.
Archives >> are >> available in many places, google will find the answers, and it's not >> necessary to go to a separate web site (which is likely to profit >> from >> it in some way) to get answers to questions posted *here*. >> >> The value of this list is not "post links to web sites". > > Agreed 100%. > > FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses > from > this list and spammed them repeatedly a while back. > > http://www.google.com/search?q=pingsta+spam > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jared at puck.nether.net Sun Aug 2 19:12:26 2009 From: jared at puck.nether.net (Jared Mauch) Date: Sun, 2 Aug 2009 19:12:26 -0400 Subject: [c-nsp] Humor: Cisco announces end of BGP In-Reply-To: <014c01ca1122$6dad3ab0$4907b010$@com> References: <020201ca106b$e8b6a730$ba23f590$@com> <4A708339.5020700@uk.clara.net> <025401ca1076$74a53590$5defa0b0$@com> <20090729.205456.74738911.sthaug@nethelp.no> <014c01ca1122$6dad3ab0$4907b010$@com> Message-ID: <460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net> Anyone can write an informational rfc. See apr 1 as an example. One can easily write up what they do, or survey responses. You can then follow the feedback from your request. Jared Mauch On Jul 30, 2009, at 10:31 AM, "TJ" wrote: >> -----Original Message----- >> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no] >> Subject: Re: [c-nsp] Humor: Cisco announces end of BGP >> >>> My feeling is based on two things: >>> I don't like the idea of vendors/providers ignoring an RFC just >>> because. >>> And note the RFC in question leaves no wiggle room here. 
>> >> Please cite chapter and verse. As long as you use static IPv6 >> addresses, > /126 >> is fine. No, a /126 address does *not* have to be based on a 64 bit > interface >> ID. > > > Sure ... > > RFC4291 > 2.5.1 > " For all unicast addresses, except those that start with the binary > value 000, Interface IDs are required to be 64 bits long and to be > constructed in Modified EUI-64 format. " > > 2.5.4 > " All Global Unicast addresses other than those that start with > binary > 000 have a 64-bit interface ID field (i.e., n + m = 64), formatted > as > described in Section 2.5.1. Global Unicast addresses that start > with > binary 000 have no such constraint on the size or structure of the > interface ID field. " > > That would seem pretty clear cut to me, rather explicitly calling > for 64bit > IIDs in all unicast cases (excluding the "starts with 000 block"). > Additionally, 3177 implies the same: > 3. > " - /64 when it is known that one and only one subnet is > needed by > design. " > > > Again - I am not saying /126s (or others!) don't work. And most > implementations let you assign arbitrary values for prefix length. > I am not saying /126s or similar options are (evil|bad), or even > functionally problematic. > In fact, RFC3627 explicitly mentions /126s as "less bad than /127s" > ... but prefers /112s over /126s, and prefers /64s over all of the > above. > > All I am saying that I prefer the spec(s) be updated based on real > world > preferences/implementations, and that this proposed change get > reviewed as > thoroughly as the original spec(s) did to ensure nothing breaks. I > fully > realize that the real world doesn't always agree with the IETF, but in > something this "low down" and yet relatively easy to codify I fail > to see > why it hasn't been done, unless there is a reason not to? (If you > don't > mind wiggle room in specs, or implementers "reinterpreting" the > specs, that > is (cough) fine.) 
> > In closing, I would turn the question around - can you cite chapter and verse where it says you are allowed to do this? Hopefully including an assessment of the potential "unintended consequences" (Note: If it exists, Great! ... sorry I missed it!)
> >
> > /TJ

From snortbsd at yahoo.com.au Sun Aug 2 19:54:04 2009 From: snortbsd at yahoo.com.au (snort bsd) Date: Sun, 2 Aug 2009 16:54:04 -0700 (PDT) Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE3@zy-ex1.zyedge.local> Message-ID: <784731.72896.qm@web38105.mail.mud.yahoo.com>

Yes, that sole fastethernet interface is in trunk mode and allowing both tags 10 and 20. But I don't use a separate DHCP server for those wireless users. They will get IP addresses from the DHCP service activated on the AP. So I don't need the command "ip helper address" in this configuration.

--- On Sun, 2/8/09, Ryan West wrote:
> From: Ryan West
> Subject: RE: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Sunday, 2 August, 2009, 10:25 AM
> Are you trunking that interface and allowing both vlan 10 and 20? Do you have a DHCP server in both subnets or an ip-helper address?
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
> Sent: Saturday, August 01, 2009 5:53 PM
> To: cisco-nsp
> Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
>
> Hi: all:
>
> I got ciscoAP 1200 configured and can connect it via wireless without problems. But the system connecting to the AP can't pick up any IP address.
>
> dot11 ssid lab vlan 20
>    vlan 20
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    guest-mode
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
> !
> dot11 ssid test vlan 10
>    vlan 10
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
>
> what else I didn't do right?
>
> Thanks

From eninja at gmail.com Sun Aug 2 20:55:38 2009 From: eninja at gmail.com (e ninja) Date: Sun, 2 Aug 2009 17:55:38 -0700 Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN) In-Reply-To: <4A7603C8.2090603@west.net> References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <20090802173216.GA18289@jeeves.rigozsaurus.com> <4A7603C8.2090603@west.net> Message-ID:

Jay,

Not sure what you continue to refer to here about "scraping cisco-nsp for email addresses", but to minimize your exposure, you may want to refrain from making unsubstantiated allegations against corporate entities without facts.
All that was suggested is simple: if folks have extra bandwidth, they should clearly and concisely document best practices in a format that is easily searchable and reusable for posterity. Whether that is mysolvr.com, CCO, juniper.net, private blogs or impulse.net, it really doesn't matter. Suggesting that someone taking the time to research and respond to a complex 2-day-old GSR 12000 ASIC problem that no one else on the list had responded to is doing so for an ulterior motive is highly unprofessional. You need to remove emotions from your list conversations and focus on the only reason why everybody is here - to *voluntarily* help others solve their technical problems. Remember, a list is only as good as the quality of the answers people get from it.

eom on this matter.

eninja

On Sun, Aug 2, 2009 at 2:23 PM, Jay Hennigan wrote:
> John Osmon wrote:
>
>> Let me preface my words with the thought that I find that most of the new wikis, forums, and whatnots are poor substitutes for searchable text archives.
>
> Agreed.
>
>> However, I learned most of my foundation material from Usenet in the late 80s and early 90s, so I might be biased...
>
> Ditto.
>
>> On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
>>
>>> Gert,
>>>
>>> So if we apply your thought process, there is no value in capturing and organizing re-usable intellectual capital? I guess you must think Wikipedia is useless and we should just trawl through the web and layers of email threads to find simple answers to questions that have already been answered?
>>
>> You're putting words in Gert's mouth suggesting he derides the valuable (free) services available. I've never met Gert, but would buy him a beer if I found we were in the same room. Gert and others have helped me (and others) countless times without need of any of the tools you espouse -- so there is already value present without need for more work...
>
> Agreed, and I'd buy him two.
Issues brought to this list should be > discussed on this list and hopefully resolved on this list. A "Go over > there for the answer" response fragments discussion and actually tends to > make future searches for the same information less likely to succeed as > information on the web changes, links break, etc. > > A response of "Go over there for the answer" from someone with a vested > interest in "Over there" is nothing more than an advertisement for "Over > there". > > Back to the main point: >> There is value -- but who has to exert energy, and who reaps the >> benefits? >> > > Those looking for the information have to exert the energy, those trying to > commercialize it reap the benefits. > > The value of any list is to share knowledge. If there are free tools out >>> there like mysolvr (a user-generated knowledge-base), that also allows us >>> to >>> go the extra mile of documenting and organizing re-usable know-how for >>> the >>> benefit of others, it is worth the effort. >>> >> >> Yes, there is likely value in organizing the info. However, is the >> marginal value greater than the marginal cost? I'm of the opinion >> that most of the people reading this list and the archives believe >> that it works well as it is. >> > > Agreed. > > We have to work smarter, not harder. >>> >> >> Absolutely! However, I think that you've got a hard hill in front of >> you trying to change the behavior of people using this list. >> > > And the smart way to work is to avoid fragmenting the information. The > hard way is to fragment it among diffuse sites. The ethical way is to > resist hijacking threads to promote one's own website. > > A smarter approach might be to start moving the data to your preferred >> site on your own. Perhaps even building automated tools to do so. If >> your idea catches on, you could very well end up with a reputation and >> following like Jared and/or Gert. 
Until that occurs, I have doubts that >> the wealth of info on cisco-nsp will be transferred to >> another medium... >> > > He doesn't want to move the information to his site on his own. He wants > us to do it for him. This began over a year ago with scraping cisco-nsp for > email addresses and spamming them with "invitations". It went mostly > under-the-radar until his spambot went nuts and flooded its victims with > multiple invitations at once. Faded under the radar again and now he's back > hawking the sister site. > > (With that said, I'd be happy to be proven wrong -- more knowledge is >> better! I don't, however, think that I'd get enough out of the >> process to spend my time doing any of the prep work...) >> > > Agreed. And it fragments the information. > > -- > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From David at Hughes.com.au Sun Aug 2 21:23:40 2009 From: David at Hughes.com.au (David Hughes) Date: Mon, 3 Aug 2009 11:23:40 +1000 Subject: [c-nsp] BGP Multipath and unequal IGP metrics In-Reply-To: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au> References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au> Message-ID: Hi Hate to bump my own post but does anyone have any thoughts on the below? Thanks David ... On 28/07/2009, at 10:11 AM, David Hughes wrote: > Hi > > I have a situation that looks like a problem in the making. In a > subset of our network there's a pair of well connected datacentres > (eg dual 10GE paths etc). One of our upstreams will shortly be > presenting a transit path at both of these 2 locations. 
No problems > I think to myself - we'll just multi-path from our core and load > share over both paths. > > Problem. Seeing as the 2 border routers in question are at > different locations, the core routers see different IGP metrics to > the nexthop of the BGP table entry. As a result they are excluded > from use with BGP multipath and I'm left with the core routers at > each DC only using the paths to the border router at the local site. > > I don't want to mess around with tweaking the OSPF metrics as I'm > sure that's just a disaster waiting to happen for some poor network > engineer in a year or two. I thought I'd found a nice clean > solution with Cisco's "multipath unequal-cost" feature but for some > reason I can't even start to understand you can only use it in a > VRF, not in the default table. > > So the only solution I can see is to reconfigure the core devices > and move all interfaces and routing processes into a VRF so that I > can effectively get this feature on our entire table. > > What am I missing here? Surely I'm not Robinson Crusoe - someone > must have done this before. Platform is Cat6k / Sup720. > > > Thanks > > David > ... > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rubensk at gmail.com Sun Aug 2 22:14:24 2009 From: rubensk at gmail.com (Rubens Kuhl) Date: Sun, 2 Aug 2009 23:14:24 -0300 Subject: [c-nsp] BGP Multipath and unequal IGP metrics In-Reply-To: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au> References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au> Message-ID: <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com> I would consider using a layered-session approach. 
The first layer would be used only to provide the path to the BGP loopback, both to your core routers and to your transit providers, and would be used to equalize the metric of the alternate paths. A likely scenario would consist of 4 BGP sessions among your own routers and 2 or 4 sessions to your transit provider, but might be more; it would require BGP support, but no 1 million routes support.

The second layer would use the first one to exchange provider announcements, both yours to transit and full routes from the transit providers.

Disclaimer: haven't tested this exact scenario, ended up having full-route capable routers on all hops.

Rubens

On Mon, Jul 27, 2009 at 9:11 PM, David Hughes wrote:
> Hi
>
> I have a situation that looks like a problem in the making. In a subset of our network there's a pair of well connected datacentres (eg dual 10GE paths etc). One of our upstreams will shortly be presenting a transit path at both of these 2 locations. No problems I think to myself - we'll just multi-path from our core and load share over both paths.
>
> Problem. Seeing as the 2 border routers in question are at different locations, the core routers see different IGP metrics to the nexthop of the BGP table entry. As a result they are excluded from use with BGP multipath and I'm left with the core routers at each DC only using the paths to the border router at the local site.
>
> I don't want to mess around with tweaking the OSPF metrics as I'm sure that's just a disaster waiting to happen for some poor network engineer in a year or two. I thought I'd found a nice clean solution with Cisco's "multipath unequal-cost" feature but for some reason I can't even start to understand you can only use it in a VRF, not in the default table.
>
> So the only solution I can see is to reconfigure the core devices and move all interfaces and routing processes into a VRF so that I can effectively get this feature on our entire table.
>
> What am I missing here? Surely I'm not Robinson Crusoe - someone must have done this before. Platform is Cat6k / Sup720.
>
> Thanks
>
> David
> ...

From peter at rathlev.dk Mon Aug 3 03:47:14 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 03 Aug 2009 09:47:14 +0200 Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap In-Reply-To: <563713.60520.qm@web38107.mail.mud.yahoo.com> References: <563713.60520.qm@web38107.mail.mud.yahoo.com> Message-ID: <1249285635.3071.4.camel@abehat.net.rm.dk>

AFAIK without BVI interfaces this will not work. You need to reconfigure the subinterfaces of Fa0 to match what Leslie pointed out:

interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface BVI10
 ip address 192.168.13.10 255.255.255.0
!
interface BVI20
 ip address 192.168.12.10 255.255.255.0
!
bridge 10 protocol ieee
bridge 20 protocol ieee
!
bridge 10 route ip
bridge 20 route ip
!

Regards,
Peter

On Sun, 2009-08-02 at 16:44 -0700, snort bsd wrote:
> Thanks for the help!
>
> Here is what I have:
>
> internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
>               |
>               |
>               |
>      wireless PCs (VLAN 10 or VLAN 20)
>
> I have DHCP service configured on the AP, which means those wireless PCs should get their IP addresses from the DHCP server on the AP (I don't have a separate DHCP server on the internal network). What I am trying to figure out is how I can tie the right pool of DHCP IP addresses to the right interface. Right now the authenticated PCs cannot get an IP address at all.
> > here is my config relating to the diagram: > > ip dhcp pool vlan20 > network 192.168.12.0 255.255.255.0 > subnet prefix-length 24 > default-router 192.168.12.1 > lease infinite > ! > ip dhcp pool vlan10 > network 192.168.13.0 255.255.255.0 > subnet prefix-length 24 > default-router 192.16.13.1 > lease infinite > .... > ... > dot11 vlan-name ming vlan 20 > dot11 vlan-name rest vlan 10 > ! > dot11 ssid lab vlan 20 > vlan 20 > max-associations 10 > authentication open > authentication key-management wpa > guest-mode > mbssid guest-mode > wpa-psk ascii 7 "whatever" > ! > information-element ssidl wps > ! > dot11 ssid test vlan 10 > vlan 10 > max-associations 10 > authentication open > authentication key-management wpa > mbssid guest-mode > wpa-psk ascii 7 "whatever" > ! > information-element ssidl wps > .... > ... > interface Dot11Radio0 > no ip address > no ip route-cache > ! > encryption vlan 10 mode ciphers aes-ccm tkip > ! > encryption vlan 20 mode ciphers aes-ccm tkip > ! > ssid lab vlan 20 > ! > ssid test vlan 10 > ! > mbssid > speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 > 36.0 48.0 54.0 > station-role root > ! > interface Dot11Radio0.10 > encapsulation dot1Q 10 native > no ip redirects > no ip route-cache > bridge-group 10 > bridge-group 10 subscriber-loop-control > bridge-group 10 block-unknown-source > no bridge-group 10 source-learning > no bridge-group 10 unicast-flooding > bridge-group 10 spanning-disabled > ! > interface Dot11Radio0.20 > encapsulation dot1Q 20 > no ip redirects > no ip route-cache > bridge-group 20 > bridge-group 20 subscriber-loop-control > bridge-group 20 port-protected > bridge-group 20 block-unknown-source > no bridge-group 20 source-learning > no bridge-group 20 unicast-flooding > bridge-group 20 spanning-disabled > ! > interface FastEthernet0 > no ip address > no ip route-cache > duplex auto > speed auto > bridge-group 1 > no bridge-group 1 source-learning > bridge-group 1 spanning-disabled > ! 
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  ip address 192.168.13.10 255.255.255.0
>  no ip redirects
>  no ip route-cache
> !
> interface FastEthernet0.20
>  encapsulation dot1Q 20
>  ip address 192.168.12.10 255.255.255.0
>  no ip redirects
>  no ip route-cache
> !

From frosya84 at mail.ru Mon Aug 3 05:05:03 2009 From: frosya84 at mail.ru (Olga Ruzhanskaya) Date: Mon, 03 Aug 2009 13:05:03 +0400 Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga) Message-ID:

Hello List!

Questions about "platformX vs platformY" or "what platform to choose" are not new for discussion here, but I didn't find mails in the archives that directly fit my needs. So, I would really appreciate any suggestions (or useful references or links :-)).

We are using the 7206VXR-G1/G2 platform as edge router (PE) in our MPLS network. When traffic volume grows, we replace the NPE-G1 processor with NPE-G2. But in future we'll need something more powerful.

General requirements:
- OSPF, BGP (full table for our own needs and for customers);
- MPLS VPN (L3 and L2);
- CBWFQ (better LLQ) QoS, uRPF, GRE..

As core routers (P) we use 7600 (RSP-720). But it is more expensive and not as flexible as a software platform (NetFlow issues, specific QoS, etc.). So, we need something "between 7206VXR-G2 and 7600 (RSP-720)". Any suggestions?

I was looking at the ASR 10xx series and want to know the opinion of people who use it as a PE router.

Best regards,
Olga

From alex at digriz.org.uk Mon Aug 3 03:45:34 2009 From: alex at digriz.org.uk (Alexander Clouter) Date: Mon, 3 Aug 2009 08:45:34 +0100 Subject: [c-nsp] Upgrading IOS core on a 3750 Stack References: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us> <1249220826.4809.10.camel@abehat.net.rm.dk> Message-ID:

Peter Rathlev wrote:
> On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote:
>> The subject line says it all.
>>
>> I have some questions regarding how the upgrade works.
>>
>> 1. Do I only upgrade the master?
>
> Technically no, but the master might be able to auto-upgrade the members.
>
There is a whole 'licencing' question issue. You can get ipservices into your network slightly cheaper if you put ipservices on the master and ipbase on the other stack members. Then you just hope the master does not die as everything will then drop to ipbase...apparently.

All of our 3750's run the same IOS and you have to copy it to each flash area separately. One hint is you can copy from flash<->flash which saves some finger wear and tear.

>> 2. If not, how do I upgrade the other switches in the stack?
>
> You can upload software to flash1:, flash2: etc. and set the boot variables with "boot system switch 2 flash:/asdf.bin". Remember that each switch sees the flash as just "flash:" when booting, so set the boot variable accordingly.
>
Hmmm, we run ours with 'no boot system switch all' and the switches pick up the IOS on the flash automatically. As you can only fit one IOS on the flash anyway.....

Cheers

--
Alexander Clouter
.sigmonster says: The man who runs may fight again. -- Menander

From trejrco at gmail.com Mon Aug 3 07:51:07 2009 From: trejrco at gmail.com (TJ) Date: Mon, 3 Aug 2009 07:51:07 -0400 Subject: [c-nsp] Humor: Cisco announces end of BGP In-Reply-To: <460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net> References: <020201ca106b$e8b6a730$ba23f590$@com> <4A708339.5020700@uk.clara.net> <025401ca1076$74a53590$5defa0b0$@com> <20090729.205456.74738911.sthaug@nethelp.no> <014c01ca1122$6dad3ab0$4907b010$@com> <460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net> Message-ID: <005a01ca1430$b08d81d0$11a88570$@com>

>-----Original Message-----
>From: Jared Mauch [mailto:jared at puck.nether.net]
>Anyone can write an informational rfc. See apr 1 as an example. One can easily write up what they do, or survey responses. You can then follow the feedback from your request.
That is exactly my point - if /126s are the "industry preferred" approach, I fail to see why it hasn't been codified in an (at least) informational RFC. Once submitted in this fashion, it could be further reviewed and perhaps even be updated later on to be a proposed standard.
( any "directive" documentation would need to be PS as it is changing a PS. )

>Jared Mauch

Thanks!
/TJ

From gsgranados at comcast.net  Mon Aug  3 10:15:03 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 3 Aug 2009 07:15:03 -0700
Subject: [c-nsp] ASA5500 authentication with Kerberos/NT Domain Controller
Message-ID: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>

Hi, I have a pair of ASA5500 devices that I wish to use to provide VPN services. I've been googling but all the examples I've found on Cisco.com and other sites are designed for configuration using the ASDM. The ASDM is absolutely awful to use and also almost entirely inaccessible with a screen reader. Does anyone have some configuration examples using the command line that allow for users with Cisco VPN clients to authenticate against a Domain controller using Kerberos/NT and authenticate to a specific VPN group with a preshared key? I have a very basic network with a 10.x.0.0/16 network that I wish to share to users via VPN clients. Any basic pointers or any pointers to a site that's more command line specific either on or off Cisco.com would be appreciated.

Thank you
Scott

From jbest at zyedge.com  Mon Aug  3 10:27:55 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Mon, 3 Aug 2009 10:27:55 -0400
Subject: [c-nsp] ASA5500 authentication with Kerberos/NT Domain Controller
In-Reply-To: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>
References: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2B08@zy-ex1.zyedge.local>

Scott,

I hope this helps: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#cli .
aaa-server WINDOWS protocol nt
aaa-server WINDOWS (inside) host x.x.x.x
 nt-auth-domain-controller servername

group-policy name-vpn-policy internal
group-policy name-vpn-policy attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_namevpn
 address-pools value dhcp-name-pool

tunnel-group name-vpn type ipsec-ra
tunnel-group name-vpn general-attributes
 authentication-server-group WINDOWS LOCAL
 default-group-policy name-vpn-policy

Thanks,
Jeremiah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Monday, August 03, 2009 10:15 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5500 authentication with Kerberos/NT Domain Controller

Hi, I have a pair of ASA5500 devices that I wish to use to provide VPN services. I've been googling but all the examples I've found on Cisco.com and other sites are designed for configuration using the ASDM. The ASDM is absolutely awful to use and also almost entirely inaccessible with a screen reader. Does anyone have some configuration examples using the command line that allow for users with Cisco VPN clients to authenticate against a Domain controller using Kerberos/NT and authenticate to a specific VPN group with a preshared key? I have a very basic network with a 10.x.0.0/16 network that I wish to share to users via VPN clients. Any basic pointers or any pointers to a site that's more command line specific either on or off Cisco.com would be appreciated.
Thank you
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mulitskiy at acedsl.com  Mon Aug  3 11:09:42 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 3 Aug 2009 11:09:42 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
Message-ID: <200908031109.42285.mulitskiy@acedsl.com>

Hello,

Guys, are there any drawbacks of doing the following:

interface Lo0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip unnumbered Lo0
!
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
!

as opposed to having ip address configured directly on the interface as usual?
I need that ip address to stay always up regardless of Fa0/0 state, 'cause it's used for other services that should stay up and I'd prefer to avoid assigning another ip address exclusively for loopback use.
It seems to work in my lab, but I thought I'd better ask...

Thanks,
Michael

From dudepron at gmail.com  Mon Aug  3 11:29:52 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 3 Aug 2009 11:29:52 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>

Loopback interfaces do not go down, so I'm not sure what benefit you are getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet goes down.

On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:

> Hello,
>
> Guys, are there any drawbacks of doing the following:
>
> interface Lo0
>  ip address 10.10.10.1 255.255.255.0
> !
> interface FastEthernet0/0.1
>  encapsulation dot1q 1 native
>  ip unnumbered Lo0
> !
> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> !
>
> as opposed to having ip address configured directly on the interface as
> usual?
> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
> it's used for other services that should stay up
> and I'd prefer to avoid assigning another ip address exclusively for
> loopback use.
> It seems to work in my lab, but I thought I'd better ask...
>
> Thanks,
> Michael
>

From dudepron at gmail.com  Mon Aug  3 11:31:09 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 3 Aug 2009 11:31:09 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
	<480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
Message-ID: <480dad640908030831o446225cybf2d4105c18ce30b@mail.gmail.com>

So you don't want to use another IP for loopback. Sorry, misunderstood.

On Mon, Aug 3, 2009 at 11:29, Aaron wrote:

> Loopback interfaces do not go down, so I'm not sure what benefit you are
> getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> goes down.
>
>
> On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
>
>> Hello,
>>
>> Guys, are there any drawbacks of doing the following:
>>
>> interface Lo0
>>  ip address 10.10.10.1 255.255.255.0
>> !
>> interface FastEthernet0/0.1
>>  encapsulation dot1q 1 native
>>  ip unnumbered Lo0
>> !
>> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
>> !
>>
>> as opposed to having ip address configured directly on the interface as
>> usual?
>> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
>> it's used for other services that should stay up
>> and I'd prefer to avoid assigning another ip address exclusively for
>> loopback use.
>> It seems to work in my lab, but I thought I'd better ask...
>>
>> Thanks,
>> Michael
>>
>

From rodunn at cisco.com  Mon Aug  3 11:42:09 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 03 Aug 2009 11:42:09 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
	<480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
Message-ID: <4A770551.4060901@cisco.com>

Don't do it. It's a hack and there are other forwarding plane things that don't like it. Read as..it may or may not always work.

Burn another /32 for your loopback.

Rodney

Aaron wrote:
> Loopback interfaces do not go down, so I'm not sure what benefit you are
> getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> goes down.
>
> On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
>
>> Hello,
>>
>> Guys, are there any drawbacks of doing the following:
>>
>> interface Lo0
>>  ip address 10.10.10.1 255.255.255.0
>> !
>> interface FastEthernet0/0.1
>>  encapsulation dot1q 1 native
>>  ip unnumbered Lo0
>> !
>> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
>> !
>>
>> as opposed to having ip address configured directly on the interface as
>> usual?
>> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
>> it's used for other services that should stay up
>> and I'd prefer to avoid assigning another ip address exclusively for
>> loopback use.
>> It seems to work in my lab, but I thought I'd better ask...
>>
>> Thanks,
>> Michael
>>
>

From oboehmer at cisco.com  Mon Aug  3 12:01:37 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 3 Aug 2009 18:01:37 +0200
Subject: [c-nsp] CSC CARD info
In-Reply-To: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com>
	<132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com>
	<8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78407BC8BB7@xmb-ams-333.emea.cisco.com>

Jack,

can you define "lots of ping drops"? primary CSC OIR (or CSC switchover) is expected to cause traffic loss for a few seconds.. What type of fabric is this (2.5, 10 or 40Gbps) and which chassis? Do you see the same traffic loss on all linecard types? If you see more than 10 seconds or so loss, I would contact TAC..

	oli

jack daniels <> wrote on Sunday, August 02, 2009 19:35:

> Hi,
>
> Thanks, but my query still remains unanswered -
>
>
> If we use 2 CSC and 3 SFC
>
> " When I do OIR of slot 17 CSC ( when MASTER - default ) we get 3 ping
> drops for transit traffic through the router.
> When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping
> drops for transit traffic through the router and neighbourships
> break."
>
> Regards
> J.Daniels
>
> On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote:
>
>> OIR'ing the primary CSC (slot 17 by default) will _always_ result in
>> traffic loss because the CSC clocks and schedules all fabric traffic.
>>
>> Remember to shutdown the primary CSC using hw-module shut command,
>> wait at least 1 min before OIR'ing and failing over from primary to
>> secondary CSC.
>>
>> Eninja
>>
>>
>>
>> On Aug 1, 2009, at 9:06 AM, jack daniels
>> wrote:
>>
>> Hi all,
>>>
>>> what is significance of slot no of CSC.
>>>
>>> If we use 2 CSC and 3 SFC
>>>
>>> When I do OIR of slot 17 CSC ( when MASTER ) we get 3 ping drops
>>> for transit traffic through the router.
>>> When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping
>>> drops for transit traffic through the router and neighbourships
>>> break.
>>>
>>>
>>> Regards
>>> Jack.Daniels
>>>
>>
>

From zeusdadog at gmail.com  Mon Aug  3 12:07:35 2009
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 3 Aug 2009 12:07:35 -0400
Subject: [c-nsp] DMVPN and OSPF
In-Reply-To: <9418aca70907301232v1e0ab042o41b272c365734753@mail.gmail.com>
References: <9418aca70907291342u477505b0vf9c937dfb7d767ed@mail.gmail.com>
	<4A710119.50503@cisco.com>
	<9418aca70907291928k2c152e81xceb3eb6fc8f72ce4@mail.gmail.com>
	<4A718893.1050307@cisco.com>
	<9418aca70907301053l3614852cq76ca441447ec9903@mail.gmail.com>
	<9418aca70907301054h51d73effq72a4a9b672066862@mail.gmail.com>
	<019f01ca1141$00f875f0$02e961d0$@net>
	<4A71E4C8.50505@rollernet.us>
	<9418aca70907301232v1e0ab042o41b272c365734753@mail.gmail.com>
Message-ID: <9418aca70908030907k16a88e4ex3204ba81c454bef4@mail.gmail.com>

To follow up, I have tried 12.4(20)T3, 12.4(24)T, 12.4(24)T1, all of them have the same symptom.
I have downgraded back to 12.4(15)T9 and the network is stable again. I need at least 12.4(20)T because we want to implement IOS content filtering. TAC case is pending. I will post again when the situation is resolved.

From ip at ioshints.info  Mon Aug  3 12:12:50 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 3 Aug 2009 18:12:50 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID: <001301ca1455$40a08dc0$0a00000a@nil.si>

OSPF does not work across unnumbered VLAN subinterfaces.

http://wiki.nil.com/Unnumbered_Ethernet_VLAN_interfaces#Limitations

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Michael Ulitskiy [mailto:mulitskiy at acedsl.com]
> Sent: Monday, August 03, 2009 5:10 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IP unnumbered vlan subinterfaces question
>
> Hello,
>
> Guys, are there any drawbacks of doing the following:
>
> interface Lo0
>  ip address 10.10.10.1 255.255.255.0
> !
> interface FastEthernet0/0.1
>  encapsulation dot1q 1 native
>  ip unnumbered Lo0
> !
> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> !
>
> as opposed to having ip address configured directly on the
> interface as usual?
> I need that ip address to stay always up regardless of Fa0/0
> state, 'cause it's used for other services that should stay
> up and I'd prefer to avoid assigning another ip address
> exclusively for loopback use.
> It seems to work in my lab, but I thought I'd better ask...
>
> Thanks,
> Michael
>
>

From asnoka at gmail.com  Mon Aug  3 12:20:01 2009
From: asnoka at gmail.com (asnoka zhung)
Date: Tue, 4 Aug 2009 00:20:01 +0800
Subject: [c-nsp] Help:Anyone Familiar with Cisco L3VPN Inter-AS Option C MPLS Forwarding Model?
Message-ID:

Recently I had to configure L3VPN Inter-AS Option C on our network, while I noticed these issues on the ASBR:

1. Cisco (7609 router) will allocate Implicit Null (3) label for routes locally generated on the ASBR.
2. For routes learned from the PE in the same AS (suppose using LDP in the local AS), when redistributing the routes to BGP from IGP (e.g. ISIS/OSPF), the ASBR will just pick the label which was allocated for IGP routes by LDP.

So I am a little confused, I am not sure whether this scheme can work properly when forwarding MPLS packets for L3VPN?

-- 
Learning Linux:)
---------------------------------------------------
Make Everyday Counts!

From mulitskiy at acedsl.com  Mon Aug  3 12:22:40 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 3 Aug 2009 12:22:40 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <4A770551.4060901@cisco.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
	<480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
	<4A770551.4060901@cisco.com>
Message-ID: <200908031222.40296.mulitskiy@acedsl.com>

It's not about saving a /32.
This is a CPE device and I was just trying to save myself the administrative burden of maintaining another per-customer static ip assignment.
I don't need a dynamic routing protocol to run on those interfaces, but thanks for pointing it out anyway.
Ok, if I have to do it then I have to do it.
Thanks everybody,

Michael

On Monday 03 August 2009 11:42:09 am Rodney Dunn wrote:
> Don't do it. It's a hack and there are other forwarding plane things
> that don't like it. Read as..it may or may not always work.
>
> Burn another /32 for your loopback.
>
> Rodney
>
>
>
> Aaron wrote:
> > Loopback interfaces do not go down, so I'm not sure what benefit you are
> > getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> > goes down.
> >
> > On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
> >
> >> Hello,
> >>
> >> Guys, are there any drawbacks of doing the following:
> >>
> >> interface Lo0
> >>  ip address 10.10.10.1 255.255.255.0
> >> !
> >> interface FastEthernet0/0.1
> >>  encapsulation dot1q 1 native
> >>  ip unnumbered Lo0
> >> !
> >> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> >> !
> >>
> >> as opposed to having ip address configured directly on the interface as
> >> usual?
> >> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
> >> it's used for other services that should stay up
> >> and I'd prefer to avoid assigning another ip address exclusively for
> >> loopback use.
> >> It seems to work in my lab, but I thought I'd better ask...
> >>
> >> Thanks,
> >> Michael
> >>
> >
>

From b.turnbow at twt.it  Mon Aug  3 12:18:38 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 3 Aug 2009 18:18:38 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID:

Not sure what's attached to the IP, or what you want to achieve, but a different approach would be to add no keepalive to the ethernet so it is always up.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Ulitskiy
Sent: Monday 3 August 2009 17.10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP unnumbered vlan subinterfaces question

Hello,

Guys, are there any drawbacks of doing the following:

interface Lo0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip unnumbered Lo0
!
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
!

as opposed to having ip address configured directly on the interface as usual?
I need that ip address to stay always up regardless of Fa0/0 state, 'cause it's used for other services that should stay up and I'd prefer to avoid assigning another ip address exclusively for loopback use.
It seems to work in my lab, but I thought I'd better ask...

Thanks,
Michael

From gert at greenie.muc.de  Mon Aug  3 13:50:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 3 Aug 2009 19:50:27 +0200
Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga)
In-Reply-To:
References:
Message-ID: <20090803175027.GZ290@greenie.muc.de>

Hi,

On Mon, Aug 03, 2009 at 01:05:03PM +0400, Ольга Ружанская wrote:
> We are using 7206VXR-G1/G2 platform as edge router (PE) in our MPLS network.
> When traffic volume grows, we replace NPE-G1 processor with NPE-G2.
> But in future we'll need something more powerful.

As far as I understand the Cisco product strategy, ASR1k is the current recommendation. The platform is powerful, but a bit "young" and lacking some features, though - so make sure that whatever you need is there.

> General requirements:
> - OSPF, BGP (full table for our own needs and for customers);
> - MPLS VPN (L3 and L2);
> - CBWFQ (better LLQ) QoS, uRPF, GRE..

As far as I understand, this should all be there today.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mvanton at gmail.com  Mon Aug  3 13:51:03 2009
From: mvanton at gmail.com (vince anton)
Date: Mon, 3 Aug 2009 19:51:03 +0200
Subject: [c-nsp] vlans to customer - good practice / myth to bust !
Message-ID: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>

Hi,

I currently have a setup below that works ok, but I'd like some opinions about some unanswered questions I've got.

Basically I currently offer IP based services to customers. What I do is run a fibre to a customer site, which on my end terminates in a switch as a vlan or as a trunk allowing that customer's specific vlans. Then a router linked to the same switch with an allow-all trunk handles all the L3 interfaces as subinterfaces using dot1q.

So for example customer A has vlans 10,11,12 and say customer B has vlans 20,21,22 which are L3 subinterfaces on the router. Some of these subinterfaces are used for plain internet access, some may be a member of a vrf for private (non internet) connections between customer sites.

My concern here is whether this is best practice for delivering such services, or if other ways of doing this are out there and proven better.

Also scalability and stability is a concern. There is a limit to how large you want a Layer2 network to be.

Last but not least, security. What if a customer plugs the fibre link into his switch with a bunch of other vlans running? The only form of 'protection' that I currently have is restriction of vlans on the trunk from the customer, but some traffic (like spanning tree) travels on vlan1 as far as I recall and this cannot be blocked. Another item would be vlan hopping.
I'm just after some pointers from what you all do out there to offer similar services, what the best practices for this are, lessons learnt, etc... so I can then delve into the details given the pointers, to ensure I'm running in line with tried and tested ways of doing things.

thanks

anton

From swmike at swm.pp.se  Mon Aug  3 14:20:45 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 3 Aug 2009 20:20:45 +0200 (CEST)
Subject: [c-nsp] vlans to customer - good practice / myth to bust !
In-Reply-To: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
Message-ID:

On Mon, 3 Aug 2009, vince anton wrote:

> My concern here is whether this is best practice for delivering such
> services, or if other ways of doing this are out there and proven better.

No, that's a common model.

> Last but not least, security. What if a customer plugs the fibre link
> into his switch with a bunch of other vlans running? The only form of
> 'protection' that I currently have is restriction of vlans on the trunk
> from the customer, but some traffic (like spanning tree) travels on
> vlan1 as far as I recall and this cannot be blocked. Another item would
> be vlan hopping.

Well, you probably want to enable stp filters if you don't expect stp packets to come in on the link. Disabling the use of vlan 1 onto the customer link might be good as well (ie only use tagged vlans, do not run native vlan 1 onto customer link).

> I'm just after some pointers from what you all do out there to offer similar
> services, what the best practices for this are, lessons learnt, etc... so I
> can then delve into the details given the pointers, to ensure I'm running
> in line with tried and tested ways of doing things.

Vlan hopping shouldn't be a problem with modern equipment, but it might be good to verify that the one you're using doesn't have this problem.
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From awilliam1981 at gmail.com  Mon Aug  3 14:31:16 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Mon, 3 Aug 2009 21:31:16 +0300
Subject: [c-nsp] ISP in US
In-Reply-To:
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com>
	<9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com>
	<9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>
Message-ID: <9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>

I decided to go with the Internet connection solution but based on your experience as a customer what ISP should I select?

Level3, Globalcrossing, Verizon, Sparkle, TATA or FLAG?

thanks
Andy

On Sat, Aug 1, 2009 at 5:22 PM, Scott Granados wrote:

> I still like the heavy business jet solution.
>
> :)
>
> ----- Original Message ----- From: "Andy William"
> To: "Daryl G. Jurbala"
> Cc:
> Sent: Saturday, August 01, 2009 2:06 AM
> Subject: Re: [c-nsp] ISP in US
>
>
> Daryl, so you recommend to get an over-provisioned internet link and that
>> will
>> do the job without extra effort?
>>
>>
>>
>>
>> On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala
>> wrote:
>>
>>
>>> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>>>
>>> Thx all and I will think about Gulfstream Daryl :)
>>>
>>> but I start to think about P2P connections like AT&T IPL (International
>>> Private Line) or ATM PVC between both sites, what do you think? what is
>>> the estimated cost for 2M connection?
>>>
>>>
>>>
>>> That is also a very expensive way to go (if not just as expensive), and a
>>> lot of it depends on where your office is in the Middle East (to
>>> determine
>>> which carrier you will need to pay AT&T to buy their last few miles of
>>> transit through).
>>>
>>> I'm still not convinced that you need it - a 5 MB connection at each end
>>> with a VPN between the two and some sane QoS at each edge device ought to
>>> be
>>> more than enough.
>>> I deliver thousands of simultaneous calls from the
>>> Middle
>>> East through 3 GB connections to 3 different ISPs at my colo in San
>>> Francisco. No special agreements with anyone, the other sides of the
>>> calls
>>> originating from internet connections owned by our customers. No real
>>> problems.
>>>
>>> So before signing any contracts, I would simply give it a shot right over
>>> the Internet. You'll likely be pleased with the results.
>>>
>>
>> __________ Information from ESET NOD32 Antivirus, version of virus
>> signature database 4296 (20090801) __________
>>
>> The message was checked by ESET NOD32 Antivirus.
>>
>> http://www.eset.com
>>
>>
>>
>>
>

From awilliam1981 at gmail.com  Mon Aug  3 14:32:39 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Mon, 3 Aug 2009 21:32:39 +0300
Subject: [c-nsp] ISP in US
In-Reply-To: <9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com>
	<9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com>
	<9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>
	<9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>
Message-ID: <9569de140908031132j3a264551p29997b8e166c6f1e@mail.gmail.com>

selection will depend on service reliability, network stability and support

On Mon, Aug 3, 2009 at 9:31 PM, Andy William wrote:

> I decided to go with the Internet connection solution but based on your
> experience as a customer what ISP should I select?
>
> Level3, Globalcrossing, Verizon, Sparkle, TATA or FLAG?
>
> thanks
> Andy
>
> On Sat, Aug 1, 2009 at 5:22 PM, Scott Granados wrote:
>
>> I still like the heavy business jet solution.
>>
>> :)
>>
>> ----- Original Message ----- From: "Andy William"
>> To: "Daryl G. Jurbala"
>> Cc:
>> Sent: Saturday, August 01, 2009 2:06 AM
>> Subject: Re: [c-nsp] ISP in US
>>
>>
>> Daryl, so you recommend to get an over-provisioned internet link and that
>>> will
>>> do the job without extra effort?
>>>
>>>
>>>
>>>
>>> On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala
>>> wrote:
>>>
>>>
>>>> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>>>>
>>>> Thx all and I will think about Gulfstream Daryl :)
>>>>
>>>> but I start to think about P2P connections like AT&T IPL (International
>>>> Private Line) or ATM PVC between both sites, what do you think? what
>>>> is
>>>> the estimated cost for 2M connection?
>>>>
>>>>
>>>>
>>>> That is also a very expensive way to go (if not just as expensive), and
>>>> a
>>>> lot of it depends on where your office is in the Middle East (to
>>>> determine
>>>> which carrier you will need to pay AT&T to buy their last few miles of
>>>> transit through).
>>>>
>>>> I'm still not convinced that you need it - a 5 MB connection at each end
>>>> with a VPN between the two and some sane QoS at each edge device ought
>>>> to be
>>>> more than enough. I deliver thousands of simultaneous calls from the
>>>> Middle
>>>> East through 3 GB connections to 3 different ISPs at my colo in San
>>>> Francisco. No special agreements with anyone, the other sides of the
>>>> calls
>>>> originating from internet connections owned by our customers. No real
>>>> problems.
>>>>
>>>> So before signing any contracts, I would simply give it a shot right
>>>> over
>>>> the Internet. You'll likely be pleased with the results.
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>

From tomas at soitron.com  Mon Aug  3 17:13:20 2009
From: tomas at soitron.com (Tomas Daniska)
Date: Mon, 3 Aug 2009 23:13:20 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031222.40296.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
	<480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
	<4A770551.4060901@cisco.com>
	<200908031222.40296.mulitskiy@acedsl.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>

Michael,

you can use a different 10.10.10.x IP for f0/0.1 and have 10.10.10.1/32 on the loopback if this helps you. Proxy-ARP might be needed as well.

-- 
deejay

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Michael Ulitskiy
> Sent: Monday, August 03, 2009 6:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IP unnumbered vlan subinterfaces question
>
> It's not about saving a /32.
> This is a CPE device and I was just trying to save myself the
> administrative burden of maintaining another per-customer static ip
> assignment.
> I don't need a dynamic routing protocol to run on those interfaces, but
> thanks for pointing it out anyway.
> Ok, if I have to do it then I have to do it.
> Thanks everybody,
>
> Michael
>
> On Monday 03 August 2009 11:42:09 am Rodney Dunn wrote:
> > Don't do it. It's a hack and there are other forwarding plane things
> > that don't like it. Read as..it may or may not always work.
> >
> > Burn another /32 for your loopback.
> >
> > Rodney
> >
> >
> >
> > Aaron wrote:
> > > Loopback interfaces do not go down, so I'm not sure what benefit you are
> > > getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> > > goes down.
> > >
> > > On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
> > >
> > >> Hello,
> > >>
> > >> Guys, are there any drawbacks of doing the following:
> > >>
> > >> interface Lo0
> > >>  ip address 10.10.10.1 255.255.255.0
> > >> !
> > >> interface FastEthernet0/0.1
> > >>  encapsulation dot1q 1 native
> > >>  ip unnumbered Lo0
> > >> !
> > >> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> > >> !
> > >>
> > >> as opposed to having ip address configured directly on the interface as
> > >> usual?
> > >> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
> > >> it's used for other services that should stay up
> > >> and I'd prefer to avoid assigning another ip address exclusively for
> > >> loopback use.
> > >> It seems to work in my lab, but I thought I'd better ask...
> > >>
> > >> Thanks,
> > >> Michael
> > >> _______________________________________________
> > >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> > >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >>
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
From david at hughes.com.au Mon Aug 3 17:44:18 2009
From: david at hughes.com.au (David Hughes)
Date: Tue, 4 Aug 2009 07:44:18 +1000
Subject: [c-nsp] BGP Multipath and unequal IGP metrics
In-Reply-To: <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com>
References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au> <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com>
Message-ID:

Hi

By "layers" are you suggesting building tunnels to match the iBGP topology so the peers all think they are directly connected? Interesting thought but not sure how it'd scale with gre etc. There is mpls configured on the core (just for inter-DC EoMPLS at present) so perhaps mpls-te could provide an answer. I've no experience with mpls-te but I'll go off and have a read.

Thanks for your thoughts.

David
...

On 03/08/2009, at 12:14 PM, Rubens Kuhl wrote:

> I would consider using a layered-session approach.
> The first layer would be used only to provide the path to the BGP
> loopback, both to your core routers and to your transit providers, and
> would be used to equalize the metric of the alternate paths. A likely
> scenario would consist of 4 BGP sessions among your own routers and 2
> or 4 sessions to your transit provider, but might be more; it would
> require BGP support, but no 1 million routes support.
>
> The second layer would use the first one to exchange provider
> announcements, both yours to transit and full routes from the transit
> providers.
>
> Disclaimer: haven't tested this exact scenario, ended up having
> full-route capable routers on all hops.
>
> Rubens
>
> On Mon, Jul 27, 2009 at 9:11 PM, David Hughes wrote:
>> Hi
>>
>> I have a situation that looks like a problem in the making. In a subset of
>> our network there's a pair of well connected datacentres (eg dual 10GE paths
>> etc). One of our upstreams will shortly be presenting a transit path at
>> both of these 2 locations.
>> No problems I think to myself - we'll just
>> multi-path from our core and load share over both paths.
>>
>> Problem. Seeing as the 2 border routers in question are at different
>> locations, the core routers see different IGP metrics to the nexthop of the
>> BGP table entry. As a result they are excluded from use with BGP multipath
>> and I'm left with the core routers at each DC only using the paths to the
>> border router at the local site.
>>
>> I don't want to mess around with tweaking the OSPF metrics as I'm sure
>> that's just a disaster waiting to happen for some poor network engineer in a
>> year or two. I thought I'd found a nice clean solution with Cisco's
>> "multipath unequal-cost" feature but for some reason I can't even start to
>> understand you can only use it in a VRF, not in the default table.
>>
>> So the only solution I can see is to reconfigure the core devices and move
>> all interfaces and routing processes into a VRF so that I can effectively
>> get this feature on our entire table.
>>
>> What am I missing here? Surely I'm not Robinson Crusoe - someone must have
>> done this before. Platform is Cat6k / Sup720.
>>
>> Thanks
>>
>> David
>> ...
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From David at hughes.com.au Mon Aug 3 18:11:31 2009
From: David at hughes.com.au (David Hughes)
Date: Tue, 4 Aug 2009 08:11:31 +1000
Subject: [c-nsp] SFC DOWN
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <9F7B627D-9AFD-4A56-9624-B32663E67D27@Hughes.com.au>

Looking for a well structured web site of info from this list? Just use markmail.
David
...

On 02/08/2009, at 11:51 PM, e ninja wrote:

> Gert,
>
> So if we apply your thought process, there is no value in capturing and
> organizing re-usable intellectual capital? I guess you must think Wikipedia
> is useless and we should just trawl through the web and layers of email
> threads to find simple answers to questions that have already been answered?
>
> The value of any list is to share knowledge. If there are free tools out
> there like mysolvr (a user-generated knowledge-base), that also allows us to
> go the extra mile of documenting and organizing re-usable know-how for the
> benefit of others, it is worth the effort.
>
> We have to work smarter, not harder.
>
> Eninja
>
> On Sun, Aug 2, 2009 at 1:45 AM, Gert Doering wrote:
>
>> Hi,
>>
>> On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote:
>>> PS. Contributors to this list should strive to post reusable knowledge to
>>> www.mysolvr.com so that it is properly documented, organized and easily
>>> searchable for posterity.
>>
>> Contributors to this list should just post to this list. Archives are
>> available in many places, google will find the answers, and it's not
>> necessary to go to a separate web site (which is likely to profit from
>> it in some way) to get answers to questions posted *here*.
>>
>> The value of this list is not "post links to web sites".
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>> gert at net.informatik.tu-muenchen.de
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From clayton at MNSi.Net Mon Aug 3 20:51:32 2009
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Mon, 03 Aug 2009 20:51:32 -0400
Subject: [c-nsp] Retired IOS Releases
Message-ID: <1249347021_59693@surgemail.win>

Looks like Cisco went and removed a bunch of IOS releases from the website in May. Not sure if this has already been discussed here.

http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html

Anyone with older production equipment should probably archive their images from their equipment just in case something happens, because apparently you can't get it from Cisco anymore.

---
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8
tel. 519-985-8410
fax. 519-985-8409

From snortbsd at yahoo.com.au Tue Aug 4 00:06:49 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Mon, 3 Aug 2009 21:06:49 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <1249285635.3071.4.camel@abehat.net.rm.dk>
Message-ID: <666686.33750.qm@web38105.mail.mud.yahoo.com>

Thanks. But I did almost exactly what you suggested and it's still not working. BTW, the command "bridge 10 route ip" doesn't work since only command "bridge 1 route ip" works.

--- On Mon, 3/8/09, Peter Rathlev wrote:

> From: Peter Rathlev
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd"
> Cc: "cisco-nsp"
> Received: Monday, 3 August, 2009, 5:47 PM
> AFAIK without BVI interfaces this will not work.
> You need to reconfigure the subinterfaces of Fa0 to match what Leslie pointed out:
>
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  bridge-group 10
>  bridge-group 10 spanning-disabled
> !
> interface FastEthernet0.20
>  encapsulation dot1Q 20
>  bridge-group 20
>  bridge-group 20 spanning-disabled
> !
> interface BVI10
>  ip address 192.168.13.10 255.255.255.0
> !
> interface BVI20
>  ip address 192.168.12.10 255.255.255.0
> !
> bridge 10 protocol ieee
> bridge 20 protocol ieee
> !
> bridge 10 route ip
> bridge 20 route ip
> !
>
> Regards,
> Peter
>
> On Sun, 2009-08-02 at 16:44 -0700, snort bsd wrote:
> > Thanks for help!
> >
> > Here is what I have:
> >
> > internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
> >              |
> >              |
> >              |
> >        wireless PCs (VLAN 10 or VLAN 20)
> >
> > I have DHCP service configured on the AP, which means those wireless
> > PCs should get their IP addresses from the DHCP server on the AP (I
> > don't have separated DHCP server on the internal network). what I am
> > trying to figure out how I can tie the right pool of DHCP IP addresses
> > to the right interface. Right now the authenticated PCs could not get
> > IP address at all.
> >
> > here is my config relating to the diagram:
> >
> > ip dhcp pool vlan20
> >    network 192.168.12.0 255.255.255.0
> >    subnet prefix-length 24
> >    default-router 192.168.12.1
> >    lease infinite
> > !
> > ip dhcp pool vlan10
> >    network 192.168.13.0 255.255.255.0
> >    subnet prefix-length 24
> >    default-router 192.16.13.1
> >    lease infinite
> > ....
> > ...
> > dot11 vlan-name ming vlan 20
> > dot11 vlan-name rest vlan 10
> > !
> > dot11 ssid lab vlan 20
> >    vlan 20
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    guest-mode
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever"
> > !
> >    information-element ssidl wps
> > !
> > dot11 ssid test vlan 10
> >    vlan 10
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever"
> > !
> >    information-element ssidl wps
> > ....
> > ...
> > interface Dot11Radio0
> >  no ip address
> >  no ip route-cache
> >  !
> >  encryption vlan 10 mode ciphers aes-ccm tkip
> >  !
> >  encryption vlan 20 mode ciphers aes-ccm tkip
> >  !
> >  ssid lab vlan 20
> >  !
> >  ssid test vlan 10
> >  !
> >  mbssid
> >  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
> >  station-role root
> > !
> > interface Dot11Radio0.10
> >  encapsulation dot1Q 10 native
> >  no ip redirects
> >  no ip route-cache
> >  bridge-group 10
> >  bridge-group 10 subscriber-loop-control
> >  bridge-group 10 block-unknown-source
> >  no bridge-group 10 source-learning
> >  no bridge-group 10 unicast-flooding
> >  bridge-group 10 spanning-disabled
> > !
> > interface Dot11Radio0.20
> >  encapsulation dot1Q 20
> >  no ip redirects
> >  no ip route-cache
> >  bridge-group 20
> >  bridge-group 20 subscriber-loop-control
> >  bridge-group 20 port-protected
> >  bridge-group 20 block-unknown-source
> >  no bridge-group 20 source-learning
> >  no bridge-group 20 unicast-flooding
> >  bridge-group 20 spanning-disabled
> > !
> > interface FastEthernet0
> >  no ip address
> >  no ip route-cache
> >  duplex auto
> >  speed auto
> >  bridge-group 1
> >  no bridge-group 1 source-learning
> >  bridge-group 1 spanning-disabled
> > !
> > interface FastEthernet0.10
> >  encapsulation dot1Q 10
> >  ip address 192.168.13.10 255.255.255.0
> >  no ip redirects
> >  no ip route-cache
> > !
> > interface FastEthernet0.20
> >  encapsulation dot1Q 20
> >  ip address 192.168.12.10 255.255.255.0
> >  no ip redirects
> >  no ip route-cache
> > !
> >
From eng_mssk at hotmail.com Tue Aug 4 05:31:14 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 4 Aug 2009 12:31:14 +0300
Subject: [c-nsp] VPN over WiMAX
Message-ID:

hey all
i have 2 CPEs and 2 trendnet routers
im trying to establish ipsec vpn but i cannot
the setup is like below:

PC (172.16.5.2) connected to router (172.16.5.1) (172.16.0.101) connected to CPE (172.16.0.138) connected to internet (x.x.x.x)
PC (192.168.10.2) connected to router (192.168.10.1) (10.0.0.100) connected to CPE (10.0.0.138) connected to internet (y.y.y.y)

we connected the 2 routers to our LAN with different subnets and it worked fine
can anyone help??

From nick at inex.ie Tue Aug 4 05:38:26 2009
From: nick at inex.ie (Nick Hilliard)
Date: Tue, 04 Aug 2009 10:38:26 +0100
Subject: [c-nsp] Retired IOS Releases
In-Reply-To: <1249347021_59693@surgemail.win>
References: <1249347021_59693@surgemail.win>
Message-ID: <4A780192.1000205@inex.ie>

On 04/08/2009 01:51, Clayton Zekelman wrote:
> Looks like Cisco went and removed a bunch of IOS releases from the
> website in May. Not sure if this has already been discussed here.
>
> http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html
>
> Anyone with older production equipment should probably archive their
> images from their equipment just in case something happens, because
> apparently you can't get it from Cisco anymore.

Clayton,

Although these images have been retired from the CCO web site, they are still available along with a whole pile more from the Cisco FTP site:

ftp://ftp.cisco.com/cisco/ios/

You will need to log in using your web username and password. The ftp archive is great.
There are still images there going back to 11.3, if you have really old equipment lying around (e.g. memory limited 2500s and that sort of thing).

Unfortunately, the cisco ftp site does not contain 3des images, so if you depend on encryption, you will need to maintain a local archive.

Nick

From walter.keen at RainierConnect.net Tue Aug 4 05:51:07 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 02:51:07 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
Message-ID: <4A78048B.60803@rainierconnect.net>

I've got a 7507 with dual RSP8's attempting to use rsp-jsv-mz.124-8.bin configured for rpr-plus, but keep getting this around every 10 minutes or so. It results in a loss of connectivity for end-users of course, until the system recovers. My initial guess is something is wrong with the standby processor (slot 3) or perhaps the memory in it. I've had the tech pull it out to see if the system stabilizes and will bring it back to the lab if it does. Anyone else run into this in the past?

sea-agg-1#
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %RSP-3-ERROR: MD error 0080000000010000 -Traceback= 0x40588B14 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04 -Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: bus command write 8bytes (0x7) -Traceback= 0x40588930 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: physical address (bits 20:12) 0E2000 -Traceback= 0x40588A50 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 6E0000 -Traceback= 0x40588A74 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured.
2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Error Interrupt register 0xB 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Other Interrupt register 0x100 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE RX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYBUS Error Cmd/Addr 0x8001A80, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address Low 0xC 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SVIP_RELOAD: SVIP Reload is called. 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8 2w5d: %RSP-3-ERROR: End of MEMD error interrupt processing -Traceback= 0x40589298 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-CXBUSERR: Slot 5, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 5, Internal Error due to VIP crash 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from FULL to DOWN, Neighbor Down: Interface down or detached 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command read 8bytes (0x1) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 8 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 
0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Error Interrupt register 0xF 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error in data from CyBus 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Other Interrupt register 0x80 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Unknown CYA oisr bit 0x00000080 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE TX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYBUS Error Cmd/Addr 0x1000198, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Interrupt Status register 0x0 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus. 
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command write 1byte (0xB) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 12 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 5 after HARD_RESET, elapsed 15048, status 0x0 -Traceback= 0x40388848 0x405BA000 0x405BD2C0 0x405C3720 2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518 2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode 2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5 2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518 2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode 2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down 2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C 2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: 
Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SVIP_RELOAD: SVIP Reload is called. 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8 2w5d: %DBUS-3-CXBUSERR: Slot 4, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 4, Internal Error due to VIP crash 2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to down 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to down 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down 2w5d: %CBUS-3-CCBPTIMEOUT: CCB handover timed out, CCB 0xF800FF50, slot 4 -Traceback= 0x40388848 0x405D6054 0x405D2830 0x405D2EE0 0x405C393C 2w5d: %LINK-3-UPDOWN: Interface FastEthernet5/1/0, changed state to down 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to down 2w5d: %LINK-3-UPDOWN: Interface FastEthernet5/1/0, changed state to up 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from LOADING to FULL, Loading Done 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware 
queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found -------------------- sea-agg-1# 2w5d: %RSP-3-ERROR: MD error 0080000000010000 -Traceback= 0x40588B14 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04 -Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command write 8bytes (0x7) -Traceback= 0x40588930 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: physical address (bits 20:12) 0F8000 -Traceback= 0x40588A50 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 6E0000 -Traceback= 0x40588A74 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Error Interrupt register 0xB 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Other Interrupt register 0x100 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE RX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYBUS Error Cmd/Addr 0x76F8548, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address Low 0xC 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SVIP_RELOAD: SVIP Reload is called. 
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199B028 2w5d: %RSP-3-ERROR: End of MEMD error interrupt processing -Traceback= 0x40589298 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-CXBUSERR: Slot 5, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 5, Internal Error due to VIP crash 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from FULL to DOWN, Neighbor Down: Interface down or detached 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command read 8bytes (0x1) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 0 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 
2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Error Interrupt register 0x4000F 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CBus read during CBus stall 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error in data from CyBus 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Other Interrupt register 0x80 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Unknown CYA oisr bit 0x00000080 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE TX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYBUS Error Cmd/Addr 0x10001A0, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 MPUIntfc/PacketBus Error register 0x110000A1 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Address Low 0xC 2w5d: %RSP-2-QAERROR: reused or zero link error, write at addr 0138 (QA) log 22013800, data A0F00000 00000000 2w5d: %QA-3-DIAG: Failed to enqueue buffer header 0xA0F0 2w5d: %QA-3-DIAG: Approximate stack backtrace prior to interrupt: 2w5d: %QA-3-DIAG: -Traceback= 0x404CD814 0x406B3684 0x406BA5F0 0x406C3770 0x406B6518 0x406AE188 0x406A5EE0 0x406B1FC4 0x4051C730 0x40642F1C 0x40643104 0x406432F8 2w5d: %QA-3-DIAG: Buffer 0xA0F0 is element 1 on queue 0x20 2w5d: %QA-3-DIAG: Queue 0x20 (E8000100) has 1 elements 2w5d: %QA-3-DIAG: Buffer 0xA0F0 is element 1154 on queue 0x27 2w5d: %QA-3-DIAG: Queue 0x27 (E8000138) has 1154 elements 2w5d: %QA-3-DIAG: No NULL terminator for queue 0x28 2w5d: %QA-3-DIAG: Queue 0x28 (E8000140) has 90 elements 2w5d: %QA-3-DIAG: No NULL terminator for queue 0x2C 2w5d: %QA-3-DIAG: Queue 0x2C (E8000160) has 5 elements 2w5d: %QA-3-DIAG: At least one QA queue is broken 
2w5d: %QA-3-DIAG: Buffer header at 0xE000A0F0: 12 1A0 3FEFEFEF 8A800
2w5d: %QA-3-DIAG: Buffer contents:
2w5d: %RSP-3-IDBOFFSET: hwidb = 0x444B8760, Name = AT4/1/0, hwidb->rx_offset = 96 Possible datagram start = 0xF808A980 -Traceback= 0x40388848 0x4059E3A0 0x405A9930 0x405AA064 0x40589324 0x4058A978 0x404CFA54
2w5d: %SYS-3-DMPMEM: F808A800: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %SYS-3-DMPMEM: F808A818: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %SYS-3-DMPMEM: F808A830: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %SYS-3-DMPMEM: F808A848: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %SYS-3-DMPMEM: F808A860: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %SYS-3-DMPMEM: F808A878: 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF 3FEFEFEF
2w5d: %QA-3-DIAG: Global queues:
2w5d: %QA-3-DIAG: 3313 buffer headers
2w5d: %QA-3-DIAG: RawQ 0xE8000100 (1), ReturnQ 0xE8000108 (0), EventQ 0xE8000110 (0)
2w5d: %QA-3-DIAG: IpcackQ 0xE8000118 (0)
2w5d: %QA-3-DIAG: VIP_CrashinfoQ 0xE8000128 (0)
2w5d: %QA-3-DIAG: IpcSlaveackQ 0xE8000120 (0)
2w5d: %QA-3-DIAG: BufhdrQ 0xE8000158 (0)
2w5d: %QA-3-DIAG: LovltrQ 0xE8000170 (0)
2w5d: %QA-3-DIAG: IpcbufQ 0xE8000180 (0)
2w5d: %QA-3-DIAG: IpcbufQ_classic 0xE8000178 (0)
2w5d: %QA-3-DIAG: Pool0: 10 buffers, 256 bytes, queue 0xE8000160 (5)
2w5d: %QA-3-DIAG: Pool1: 932 buffers, 1536 bytes, queue 0xE8000168 (0)
2w5d: %QA-3-DIAG: Pool2: 1357 buffers, 4544 bytes, queue 0xE8000188 (0)
2w5d: %QA-3-DIAG: Pool3: 4 buffers, 4576 bytes, queue 0xE8000190 (0)
2w5d: %QA-3-DIAG: Slot3:
2w5d: %QA-3-DIAG: Slot4:
2w5d: %QA-3-DIAG: ATM4/0/0: gfreeq 0xE8000188 (0), lfreeq 0xE8000198 (0) (4544 bytes)
2w5d: %QA-3-DIAG: txq 0xE8001A00 (0)
2w5d: %QA-3-DIAG: ATM4/1/0: gfreeq 0xE8000188 (0), lfreeq 0xE80001A0 (0) (4544 bytes)
2w5d: %QA-3-DIAG: txq 0xE8001A08 (0)
2w5d: %QA-3-DIAG: Slot5:
2w5d: %QA-3-DIAG: FastEthernet5/1/0: gfreeq 0xE8000168 (0), lfreeq 0xE80001A8 (0) (1536 bytes)
2w5d: %QA-3-DIAG: txq 0xE8001A80 (0)
2w5d: %QA-3-DIAG: Slot6:
2w5d: %QA-3-DIAG: ATM6/0/0: gfreeq 0xE8000188 (0), lfreeq 0xE80001B0 (0) (4544 bytes)
2w5d: %QA-3-DIAG: txq 0xE8001B00 (0)
2w5d: %QA-3-DIAG: FastEthernet6/1/0: gfreeq 0xE8000168 (0), lfreeq 0xE80001B8 (0) (1536 bytes)
2w5d: %QA-3-DIAG: txq 0xE8001B08 (0)
2w5d: %QA-3-DIAG: Trying to recover from QA ERROR.
2w5d: %QA-3-DIAG: Removing buffer header 0xA0F0 from all queues
2w5d: %QA-3-DIAG: Buffer 0xA0F0 is on queue 0x20
2w5d: %QA-3-DIAG: At least one QA queue is broken
2w5d: %QA-3-DIAG: Recovered from QA ERROR.
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus.
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: bus command write 1byte (0xB) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: address offset (bits 3:1) 12 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54
2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 5 after HARD_RESET, elapsed 15480, status 0x0 -Traceback= 0x40388848 0x405BA000 0x405BD2C0 0x405C3720
2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518
2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode
2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5
2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518
2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode
2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down
2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5
2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C
2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %TIGER-3-BADADDR_MBE: Invalid MBE dram address: 0xFFFFFFFF latched by Tiger
2w5d: %RSP-3-ERROR: dbus read at 3E8410C0 -Traceback= 0x405BBE30 0x405BCDA0 0x405C3720 -Traceback= 0x405887C4 0x4058AFA8 0x404E6EA8 0x404CDC04
2w5d: %DBUS-3-SLOTCOMP: Slot 3, dbus error, slot (0xF) and complement (0x0) do not match
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SVIP_RELOAD: SVIP Reload is called.
2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8
2w5d: %DBUS-3-CXBUSERR: Slot 4, CBus Error
2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 4, Internal Error due to VIP crash
2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to down
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to down
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down
2w5d: %CBUS-3-CCBPTIMEOUT: CCB handover timed out, CCB 0xF800FF50, slot 4 -Traceback= 0x40388848 0x405D6054 0x405D2830 0x405D2EE0 0x405C393C
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to down
2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from LOADING to FULL, Loading Done
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.208.10:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.208.10:1645,1646 has returned.
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
sea-agg-1#
sea-agg-1#
sea-agg-1#
sea-agg-1#
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
sea-agg-1#
sea-agg-1#
sea-agg-1#
sea-agg-1#
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C
2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %LINK-3-UPDOWN: Interface ATM4/1/0, changed state to up
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to up
2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to up
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to up
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %HA-5-NOTICE: Standby (slave) configured to run HA image "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %HA-5-NOTICE: Loading standby (slave) image: "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync started.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync completed.
2w5d: %HA-5-SYNC_NOTICE: Config sync started.
sea-agg-1#

From clayton at MNSi.Net Tue Aug 4 10:15:24 2009
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Tue, 04 Aug 2009 10:15:24 -0400
Subject: [c-nsp] Retired IOS Releases
In-Reply-To: <4A780192.1000205@inex.ie>
References: <1249347021_59693@surgemail.win> <4A780192.1000205@inex.ie>
Message-ID: <1249395253_64723@surgemail.win>

Yeah, tried that... empty directory.

ftp> pwd
257 "/cisco/ios/12.3/12.3.9e/6400" is current directory
ftp> ls
200 PORT: Command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp>

That was the most recent release for the 6400.

At 05:38 AM 8/4/2009, Nick Hilliard wrote:
>On 04/08/2009 01:51, Clayton Zekelman wrote:
>>Looks like Cisco went and removed a bunch of IOS releases from the
>>website in May. Not sure if this has already been discussed here.
>>
>>http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html
>>
>>Anyone with older production equipment should probably archive their
>>images from their equipment just in case something happens, because
>>apparently you can't get it from Cisco anymore.
>
>Clayton,
>
>Although these images have been retired from the CCO web site, they
>are still available along with a whole pile more from the Cisco FTP site:
>
>ftp://ftp.cisco.com/cisco/ios/
>
>You will need to log in using your web username and password. The
>ftp archive is great. There are still images there going back to
>11.3, if you have really old equipment lying around (e.g. memory
>limited 2500s and that sort of thing).
>
>Unfortunately, the cisco ftp site does not contain 3des images, so
>if you depend on encryption, you will need to maintain a local archive.
>
>Nick

---
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8
tel. 519-985-8410
fax. 519-985-8409

From mulitskiy at acedsl.com Tue Aug 4 10:48:30 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Tue, 4 Aug 2009 10:48:30 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>
References: <200908031109.42285.mulitskiy@acedsl.com> <200908031222.40296.mulitskiy@acedsl.com> <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>
Message-ID: <200908041048.30424.mulitskiy@acedsl.com>

It wouldn't let me do that. It would say "overlapping subnet".

Michael

On Monday 03 August 2009 05:13:20 pm Tomas Daniska wrote:
> Michail,
>
> you can use a different 10.10.10.x IP for f0/0.1 and have 10.10.10.1/32
> on the loopback if this helps you. Proxy-ARP might be needed as well.
>
> --
>
> deejay
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Ulitskiy
> > Sent: Monday, August 03, 2009 6:23 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] IP unnumbered vlan subinterfaces question
> >
> > It's not about saving a /32.
> > This is a CPE device and I was just trying to save myself the
> > administrative burden of maintaining another per-customer static ip
> > assignment.
> > I don't need a dynamic routing protocol to run on those interfaces, but
> > thanks for pointing it out anyway.
> > Ok, if I have to do it then I have to do it.
> > Thanks everybody,
> >
> > Michael
> >
> > On Monday 03 August 2009 11:42:09 am Rodney Dunn wrote:
> > > Don't do it. It's a hack and there are other forwarding plane things
> > > that don't like it. Read as: it may or may not always work.
> > >
> > > Burn another /32 for your loopback.
> > >
> > > Rodney
> > >
> > >
> > > Aaron wrote:
> > > > Loopback interfaces do not go down, so I'm not sure what benefit
> > > > you are getting besides the ability to blackhole the 10.10.10.0/24
> > > > if the ethernet goes down.
> > > >
> > > > On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
> > > >
> > > >> Hello,
> > > >>
> > > >> Guys, are there any drawbacks of doing the following:
> > > >>
> > > >> interface Lo0
> > > >>  ip address 10.10.10.1 255.255.255.0
> > > >> !
> > > >> interface FastEthernet0/0.1
> > > >>  encapsulation dot1q 1 native
> > > >>  ip unnumbered Lo0
> > > >> !
> > > >> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> > > >> !
> > > >>
> > > >> as opposed to having the ip address configured directly on the
> > > >> interface as usual?
> > > >> I need that ip address to stay always up regardless of Fa0/0
> > > >> state, 'cause it's used for other services that should stay up,
> > > >> and I'd prefer to avoid assigning another ip address exclusively
> > > >> for loopback use.
> > > >> It seems to work in my lab, but I thought I'd better ask...
> > > >>
> > > >> Thanks,
> > > >> Michael
> > > >> _______________________________________________
> > > >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >>

From kilobit at gmail.com Tue Aug 4 11:04:21 2009
From: kilobit at gmail.com (bas)
Date: Tue, 4 Aug 2009 17:04:21 +0200
Subject: [c-nsp] multipath BGP not balancing equally.
Message-ID:

Hi,

I have an issue with unequal multipath BGP load balancing.
It is a 6500 / SUP720-3BXL running 12.2.18SXF16.
There are four eBGP sessions to a transit carrier's ASN, all with full table.
However one out of four interfaces sends about 2Gbps less than the other three.
RTR-HV7#sh int ten 2/2 | i output rate
  1 minute output rate 6357052000 bits/sec, 546295 packets/sec
RTR-HV7#sh int ten 3/1 | i output rate
  1 minute output rate 8509719000 bits/sec, 729490 packets/sec
RTR-HV7#sh int ten 3/3 | i output rate
  1 minute output rate 8721235000 bits/sec, 746980 packets/sec
RTR-HV7#sh int ten 4/4 | i output rate
  1 minute output rate 8592400000 bits/sec, 734864 packets/sec

All four sessions have the same settings (in the same peer-group).

Through netflow I've tried to deduce if there are specific ASNs not chosen through the nexthop that has less traffic, but that does not seem to be the case.

I've looked at "ip cef load-sharing algorithm universal"; however, that seems to already be the default algorithm in current IOS versions.

With any prefix I test through "sh ip cef x.x.x.x detail" it seems all four paths are used.

Thanks in advance,

Bas

From nsp at myzionetworks.com Tue Aug 4 11:22:24 2009
From: nsp at myzionetworks.com (Todd Shipway)
Date: Tue, 4 Aug 2009 11:22:24 -0400
Subject: [c-nsp] 7513 multilink interface issue
Message-ID: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>

We have several customers set up with T1s multilinked. We are running into a problem with a single multilink member bouncing causing routing issues. When a single T1 member of a multilink group bounces, traffic to the overall multilink interface stops and we have to manually shut and no shut the multilink interface to get traffic flowing again. Has anyone seen this before and if so, know what the issue may be?

From b.turnbow at twt.it Tue Aug 4 11:55:58 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 4 Aug 2009 17:55:58 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A78048B.60803@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net>
Message-ID:

It's been a while since I've had one, but the MD error is a memory parity error.
2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04 -Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54

Means that it was received on cybus1 (slots 5-7).
This comes from the VIP, so I don't think your standby processor is causing it.
You need to check on your vip.

I've never been brave enough to try a 7500 for dsl aggregation :)
I'd pick up a 7200 instead.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, 4 August 2009 11.51
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?

I've got a 7507 with dual RSP8's attempting to use rsp-jsv-mz.124-8.bin configured for rpr-plus, but keep getting this around every 10 minutes or so. It results in a loss of connectivity for end-users of course, until the system recovers.

My initial guess is something is wrong with the standby processor (slot 3) or perhaps the memory in it. I've had the tech pull it out to see if the system stabilizes and will bring it back to the lab if it does.

Anyone else run into this in the past?

sea-agg-1#
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C 2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %LINK-3-UPDOWN: Interface ATM4/1/0, changed state to up 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to up 2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to up 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to up 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's 
configured for bridging on ATM4/1/0.669
2w5d: %HA-5-NOTICE: Standby (slave) configured to run HA image "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %HA-5-NOTICE: Loading standby (slave) image: "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync started.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync completed.
2w5d: %HA-5-SYNC_NOTICE: Config sync started.
sea-agg-1#

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gtb at slac.stanford.edu Tue Aug 4 12:07:48 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Tue, 4 Aug 2009 09:07:48 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To:
References: <4A78048B.60803@rainierconnect.net>
Message-ID:

> I've never been brave enough to try a 7500 for dsl aggregation:)

And while a memory parity error is probably hardware, I have this vague recollection that someone from Cisco (Rodney Dunn?) has on a couple of occasions recommended against using a 7500 for broadband aggregation, since the platform was simply not targeted or tested to that role. One *would* encounter things that do not work, and they would end up being "won't fix" on that platform.
From rodunn at cisco.com Tue Aug 4 13:24:24 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:24:24 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>
Message-ID: <4A786EC8.2070606@cisco.com>

That should never happen and is possibly a bug.

Can you ping directly over the bundle to the ip address on the other side when it's broke? If not, go to the latest code and see if it's fixed...or do some debugging: 'sh ip cef for other side of bundle, debug ip packet, etc...

Rodney

Todd Shipway wrote:
> We have several customers setup with T1's multilinked. We are running into
> a problem with a single multilink member bouncing causing routing issues.
> When a single T1 member of a multilink group bounces, traffic to the overall
> multilink interface stops and we have to manually shut and no shut the
> multilink interface to get traffic flowing again.
>
> Has anyone seen this before and if so, know what the issue may be?

From rodunn at cisco.com Tue Aug 4 13:25:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:25:54 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To:
References: <4A78048B.60803@rainierconnect.net>
Message-ID: <4A786F22.3060309@cisco.com>

Probably me. ;)

There were some issues around DSL termination in to a VRF that would not work.

The platform was never targeted for that market space so I wouldn't use it.

72xx, 10k, or ASR would be the pick.

The ISR's on really really low end side.
Rodney

Buhrmaster, Gary wrote:
>> I've never been brave enough to try a 7500 for dsl aggregation:)
>
> And while a memory parity error is probably hardware,
> I have this vague recollection that someone from
> Cisco (Rodney Dunn?) has on a couple of occasions
> recommended against using a 7500 for broadband
> aggregation, since the platform was simply not
> targeted or tested to that role. One *would*
> encounter things that do not work, and they would
> end up being "won't fix" on that platform.

From rodunn at cisco.com Tue Aug 4 13:29:58 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:29:58 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References:
Message-ID: <4A787016.7040006@cisco.com>

That's usually caused by routes not being the same on the paths.

This is a hard problem to solve. Is there any way we could prove the prefix distribution is the exact same over the paths? I don't know of a way other than dumping the output for every route in the RIB looking for the next hop.

Rodney

bas wrote:
> Hi,
>
> I have an issue with unequal multipath BGP loadbalancing
> It is a 6500 / SUP720-3BXL running 12.2.18SXF16
>
> There are four eBGP sessions to a transit carriers ASN, all with full table
>
> However one out of four interfaces sends about 2Gbps less than the other three.
>
> RTR-HV7#sh int ten 2/2 | i output rate
> 1 minute output rate 6357052000 bits/sec, 546295 packets/sec
> RTR-HV7#sh int ten 3/1 | i output rate
> 1 minute output rate 8509719000 bits/sec, 729490 packets/sec
> RTR-HV7#sh int ten 3/3 | i output rate
> 1 minute output rate 8721235000 bits/sec, 746980 packets/sec
> RTR-HV7#sh int ten 4/4 | i output rate
> 1 minute output rate 8592400000 bits/sec, 734864 packets/sec
>
> All four sessions have the same settings (in the same peer-group)
> Through netflow I've tried to deduct if there are specific ASN's not
> chosen through the nexthop that has less traffic, but that does not
> seem to be the case.
>
> I've looked at "ip cef load-sharing algorithm universal" however that
> seems to already be the default algorithm in current IOS versions.
>
> With any prefix I test through "sh ip cef x.x.x.x detail" it seems all
> four paths are used.
>
> Thanks in advance,
>
> Bas

From nsp at myzionetworks.com Tue Aug 4 13:36:26 2009
From: nsp at myzionetworks.com (Todd)
Date: Tue, 4 Aug 2009 13:36:26 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A786EC8.2070606@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com>
Message-ID: <000001ca152a$18a8b600$49fa2200$@com>

When it happens, I can ping the remote end from the 7513, but nothing outside of the 7513.

For Example....

SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER

1 multilink T1 bounces.

After the T1 comes up, the multilink interface and both T1's show as up/up and 7513 can ping END USER, but END USER can't ping 7513 and no connection to/from SERVER to END USER.

Hope that makes sense.
-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Tuesday, August 04, 2009 1:24 PM
To: Todd Shipway
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7513 multilink interface issue

That should never happen and is possibly a bug.

Can you ping directly over the bundle to the ip address on the other side when it's broke? If not, go to the latest code and see if it's fixed...or do some debugging: 'sh ip cef for other side of bundle, debug ip packet, etc...

Rodney

Todd Shipway wrote:
> We have several customers setup with T1's multilinked. We are running into
> a problem with a single multilink member bouncing causing routing issues.
> When a single T1 member of a multilink group bounces, traffic to the overall
> multilink interface stops and we have to manually shut and no shut the
> multilink interface to get traffic flowing again.
>
> Has anyone seen this before and if so, know what the issue may be?

From rodunn at cisco.com Tue Aug 4 13:42:52 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:42:52 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <000001ca152a$18a8b600$49fa2200$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com>
Message-ID: <4A78731C.7070004@cisco.com>

It does. I've seen it before years ago.

get 'sh ppp multilink' from the RSP and VIP console (if-con slot) and sh contr cbus.

Make sure you are in dCEF mode, all links are on the same PA, and on later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com. We had bugs in how we manage the member links of the bundle.
Rodney

Todd wrote:
> When it happens, I can ping the remote end from the 7513, but nothing
> outside of the 7513.
>
> For Example....
>
> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>
> 1 multilink T1 bounces.
>
> After the T1 comes up, the multilink interface and both T1's show as up/up
> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
> to/from SERVER to END USER.
>
> Hope that makes sense.
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:24 PM
> To: Todd Shipway
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> That should never happen and is possibly a bug.
>
> Can you ping directly over the bundle to the ip address on the other
> side when it's broke? If not, go to the latest code and see if it's
> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
> ip packet, etc...
>
> Rodney
>
>
>
> Todd Shipway wrote:
>> We have several customers setup with T1's multilinked. We are running into
>> a problem with a single multilink member bouncing causing routing issues.
>> When a single T1 member of a multilink group bounces, traffic to the overall
>> multilink interface stops and we have to manually shut and no shut the
>> multilink interface to get traffic flowing again.
>>
>> Has anyone seen this before and if so, know what the issue may be?
From jlewis at lewis.org Tue Aug 4 13:45:02 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 4 Aug 2009 13:45:02 -0400 (EDT)
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A786EC8.2070606@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com>
Message-ID:

On Tue, 4 Aug 2009, Rodney Dunn wrote:

> That should never happen and is possibly a bug.

On the 7500 platform, lots of things that should never happen do. Another thing that may be worth trying is to flip dCEF off and back on (I'm assuming Todd normally has it on)...or depending on traffic levels and RSP, just leave it off if it fixes some of your problems.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From walter.keen at RainierConnect.net Tue Aug 4 13:56:56 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 10:56:56 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A786F22.3060309@cisco.com>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com>
Message-ID: <4A787668.8050909@rainierconnect.net>

Yes, I believe it was you. We are trying to migrate from a 7200 to a 7500 to gain route processor redundancy. Our traffic is typically 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa, and some dsl subs are behind NAT, but we're slowly weeding them out into having a typical dsl connection with a public ip. Probably about 1k subscribers, and in the next year or two we'll probably be moving them to an ethernet-based handoff from the carriers to us.
Rodney Dunn wrote:
> Probably me. ;)
>
> There were some issues around DSL termination in to a VRF that would
> not work.
>
> The platform was never targeted for that market space so I wouldn't
> use it.
>
> 72xx, 10k, or ASR would be the pick.
>
> The ISR's on really really low end side.
>
> Rodney
>
>
>
> Buhrmaster, Gary wrote:
>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>
>> And while a memory parity error is probably hardware,
>> I have this vague recollection that someone from
>> Cisco (Rodney Dunn?) has on a couple of occasions
>> recommended against using a 7500 for broadband
>> aggregation, since the platform was simply not
>> targeted or tested to that role. One *would*
>> encounter things that do not work, and they would
>> end up being "won't fix" on that platform.

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From jim.brunetti at usa.net Tue Aug 4 13:57:57 2009
From: jim.brunetti at usa.net (Jim Brunetti)
Date: Tue, 04 Aug 2009 13:57:57 -0400
Subject: [c-nsp] NBAR and Netflow integration code version question
Message-ID: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html#wp1059924 describes Application-aware Netflow.

Being able to correlate NBAR and Netflow information is something I am very interested in. The article implies that this feature is only available on the Catalyst 6500 with a PISA module and only using IOS version 12.2(18)ZYA2.

Is this still the case? Has this feature been ported to other platforms that can run Netflow and NBAR?
jim.brunetti at usa.net

From swmike at swm.pp.se Tue Aug 4 13:58:56 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 4 Aug 2009 19:58:56 +0200 (CEST)
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A787016.7040006@cisco.com>
References: <4A787016.7040006@cisco.com>
Message-ID:

On Tue, 4 Aug 2009, Rodney Dunn wrote:

> That's usually caused by routes not being the same on the paths.

It was my understanding that this usually was caused by not having enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and 4 paths, then it's not enough flows to get good load share on, but if you instead have 10k flows and all of them are low-speed, then the odds of them being equally load shared is much better?

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From andy-lists at bourges.de Tue Aug 4 14:20:56 2009
From: andy-lists at bourges.de (Andreas Bourges)
Date: Tue, 4 Aug 2009 20:20:56 +0200
Subject: [c-nsp] NBAR and Netflow integration code version question
In-Reply-To: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>
References: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>
Message-ID: <200908042020.56570.andy-lists@bourges.de>

Hi,

On Tuesday 04 August 2009 19:57:57 Jim Brunetti wrote:
> http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html#wp1059924
> describes Application-aware Netflow.
>
> Being able to correlate NBAR and Netflow information is something I am
> very interested in. The article implies that this feature is only
> available on the Catalyst 6500 with a PISA module and only using IOS
> version 12.2(18)ZYA2.
>
> Is this still the case? Has this feature been ported to other
> platforms that can run Netflow and NBAR?

In a Networkers slide I found target release 12.4(Pi11)T for this feature. I know there are already BETA images for Netflow application developers available and IIRC it was targeted for the end of this year...
regards,

Andy

From nsp at myzionetworks.com Tue Aug 4 14:47:02 2009
From: nsp at myzionetworks.com (Todd)
Date: Tue, 4 Aug 2009 14:47:02 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A78731C.7070004@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com>
Message-ID: <012a01ca1533$f5b55ea0$e1201be0$@com>

Currently running Version 12.4(23). I may upgrade to (25) to see if that helps at all.

VIP Console:

VIP-Slot5>sh ppp multilink
dmlp_ipc_config_count 210
dmlp_bundle_count 4
Bundle Multilink75, 2 members
  bundle 0x61B1C3A0, frag_mode 0
  tag vectors 0x6053A4A0 0x60514CBC
  Bundle hwidb vector 0x605AA624
  idb Multilink75, vc 14, RSP vc 15
  QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
  board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
  max_particles 400, mrru 1500, seq_window_size 0x8000
  working_pak 0x0, working_pak_cache 0x0
  una_frag_list 0x0, una_frag_end 0x0, null_link 0
  rcved_end_bit 1, is_lost_frag 0, resync_count 0
  timeout 0, timer_start 0, timer_running 0, timer_count 0
  next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
  dmlp_orig_pak_to_host 0x60425D00
  dmlp_orig_fastsend 0x60397B18
  bundle_idb->lc_ip_turbo_fs 0x60503E70
  bundle_idb->lc_ip_mdfs 0x604251B4
  0 lost fragments, 0 reordered, 0 unassigned
  0 discarded, 0 lost received
  0x2AE received sequence, 0x319 sent sequence
  Member Link: 2 active
  Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
  Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
    Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
  Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
    Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8

RSP:

Multilink75, bundle name is group75
  Endpoint discriminator is group75
  Bundle up for 00:19:29, total bandwidth 3080, load 1/255
  Receive buffer limit 24000 bytes, frag timeout 1000 ms
  Bundle is Distributed
    0/0 fragments/bytes in reassembly list
    0 lost fragments, 0 reordered
    0/0 discarded fragments/bytes, 0 lost received
    0x2B3 received sequence, 0x319 sent sequence
  Member links: 2 active, 0 inactive (max not set, min not set)
    Se5/1/0/15:0, since 00:12:53
    Se5/1/0/16:0, since 00:02:15

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Tuesday, August 04, 2009 1:43 PM
To: Todd
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7513 multilink interface issue

It does. I've seen it before years ago.

get 'sh ppp multilink' from the RSP and VIP console (if-con slot) and sh contr cbus.

Make sure you are in dCEF mode, all links are on the same PA, and on later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com. We had bugs in how we manage the member links of the bundle.

Rodney

Todd wrote:
> When it happens, I can ping the remote end from the 7513, but nothing
> outside of the 7513.
>
> For Example....
>
> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>
> 1 multilink T1 bounces.
>
> After the T1 comes up, the multilink interface and both T1's show as up/up
> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
> to/from SERVER to END USER.
>
> Hope that makes sense.
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:24 PM
> To: Todd Shipway
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> That should never happen and is possibly a bug.
>
> Can you ping directly over the bundle to the ip address on the other
> side when it's broke? If not, go to the latest code and see if it's
> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
> ip packet, etc...
>
> Rodney
>
>
>
> Todd Shipway wrote:
>> We have several customers setup with T1's multilinked. We are running into
>> a problem with a single multilink member bouncing causing routing issues.
>> When a single T1 member of a multilink group bounces, traffic to the overall
>> multilink interface stops and we have to manually shut and no shut the
>> multilink interface to get traffic flowing again.
>>
>> Has anyone seen this before and if so, know what the issue may be?

From mvanton at gmail.com Tue Aug 4 14:59:23 2009
From: mvanton at gmail.com (vince anton)
Date: Tue, 4 Aug 2009 20:59:23 +0200
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
In-Reply-To:
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
Message-ID: <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>

thanks - glad to know that this model is in use

what keeps on buzzing at the back of my mind is that I have a layer2 connection (actually a number of them) from my switch to many switches (of customers) that i have no control over.

so not only is this a large L2 network (and best practise says to reduce the size of your L2 domain) but most of it is not within my control !

so do you typically use bpdufilter, only allow tagged vlans, not use vtp - and this keeps things under control ?
thanks for your feedback

anton

2009/8/3 Mikael Abrahamsson

> On Mon, 3 Aug 2009, vince anton wrote:
>
>> My concern here is whether this is best practise for delivering such
>> services, or if other ways of doing this are out there and proven better.
>
> No, that's a common model.
>
>> Last but not least, security. what if a customer plugs the fibre link
>> into his switch with a bunch of other vlans running. the only form of
>> 'protection' that I currently have is restriction of vlans on the trunk from
>> the customer, but some traffic (like spanning tree) travels on vlan1 as far
>> as i recall and this cannot be blocked. another item would be vlan hopping.
>
> Well, you probably want to enable stp filters if you dont expect stp
> packets to come in on the link. Disabling the use of vlan 1 onto the
> customer link might be good as well (ie only use tagged vlans, do not run
> native vlan 1 onto customer link).
>
>> Im just after some pointers from what you all do out there to offer
>> similar services, what the best practises for this are, lessons learnt,
>> etc... so I can then delve into the details given the pointers, to ensure
>> im running inline with tried and testing ways of doing things.
>
> Vlan hopping shouldn't be a problem with modern equipment, but it might be
> good to verify that the one you're using doesn't have this problem.
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

--
Thanks,

anton

From swmike at swm.pp.se Tue Aug 4 15:56:16 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 4 Aug 2009 21:56:16 +0200 (CEST)
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
In-Reply-To: <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com> <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>
Message-ID:

On Tue, 4 Aug 2009, vince anton wrote:

> what keeps on buzzing at the back of my mind is that I have a layer2
> connection (actually a number of them) from my switch to many switches (of
> customers) that i have no control over.

If each vlan only goes -> and not -> then I'd say you have control.

> so do you typically use bpdufilter, only allow tagged vlans, not use vtp
> - and this keeps things under control ?

Yes, I'd say so.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From jmaimon at ttec.com Tue Aug 4 15:59:37 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Tue, 04 Aug 2009 15:59:37 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A787668.8050909@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net>
Message-ID: <4A789329.8090804@ttec.com>

I view the rpr feature as completely useless in the real world. Cold spare are way more effective. The last time I had a rp failure, it was fixed by yanking one and leaving the other.

In other words, odds are it causes more issues than it resolves. Just added complexity for a box where its already a support problem.

Terminate your atm into an atm switch and run a bank of agg routers, 7200 or 7500. Then you can bridge group them into both, or just manual throw pvc's from one router to the other.

The 7500 are not worth the watts they consume.

Walter Keen wrote:
> Yes, I believe it was you. We are trying to migrate from a 7200 to a
> 7500 to gain route processor redundancy. Our traffic is typically
> 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa,
> and some dsl subs are behind NAT, but we're slowly weeding them out into
> having a typical dsl connection with a public ip.
> Probably about 1k
> subscribers, and in the next year or two we'll probably be moving them
> to an ethernet-based handoff from the carriers to us.
>
> Rodney Dunn wrote:
>> Probably me. ;)
>>
>> There were some issues around DSL termination in to a VRF that would
>> not work.
>>
>> The platform was never targeted for that market space so I wouldn't
>> use it.
>>
>> 72xx, 10k, or ASR would be the pick.
>>
>> The ISR's on really really low end side.
>>
>> Rodney
>>
>>
>>
>> Buhrmaster, Gary wrote:
>>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>>
>>> And while a memory parity error is probably hardware,
>>> I have this vague recollection that someone from
>>> Cisco (Rodney Dunn?) has on a couple of occasions
>>> recommended against using a 7500 for broadband
>>> aggregation, since the platform was simply not
>>> targeted or tested to that role. One *would*
>>> encounter things that do not work, and they would
>>> end up being "won't fix" on that platform.
>

From justin at justinshore.com Tue Aug 4 16:30:21 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 04 Aug 2009 15:30:21 -0500
Subject: [c-nsp] Policing on a 3560
Message-ID: <4A789A5D.4040705@justinshore.com>

I'm having a little trouble doing something that should be simple. I'm using a 3560 as a CPE to break up multiple services and bind them to unique switchports. I don't normally use 3560s for this. The port in question is for a 10Mbp PtP with no SLA across our backbone.

What I currently have is apparently not doing anything and I fail to see the flaw in my logic:

class-map match-all ALL
!
!
policy-map Re-color-BE
 description Police to 10Mbps CIR - Re-color ALL to BE
 class ALL
  police 10000000 8000 exceed-action drop
  set ip dscp default

This is my QoS trust boundary so I'm re-coloring to 0 and setting my CIR to 10Mbps. The switch wouldn't let me define 'match any' in the class-map. I suspect that I'm not matching anything because of that. I want to match anything coming in that interface and police it to the CIR and drop everything else. I must be missing something but I'm not sure what it is. Is there something unique about this platform? The IOS is 12.2(50)SE1.

Thanks
Justin

From walter.keen at RainierConnect.net Tue Aug 4 16:36:11 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 13:36:11 -0700
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789A5D.4040705@justinshore.com>
References: <4A789A5D.4040705@justinshore.com>
Message-ID: <4A789BBB.30607@rainierconnect.net>

While it may not be ideal, I've run into some cases where match any was not available and matching an access list (that matched anything) was my only viable option.

Justin Shore wrote:
> I'm having a little trouble doing something that should be simple.
> I'm using a 3560 as a CPE to break up multiple services and bind them
> to unique switchports. I don't normally use 3560s for this. The port
> in question is for a 10Mbps PtP with no SLA across our backbone.
>
> What I currently have is apparently not doing anything and I fail to
> see the flaw in my logic:
>
>
> class-map match-all ALL
> !
> !
> policy-map Re-color-BE
>  description Police to 10Mbps CIR - Re-color ALL to BE
>  class ALL
>   police 10000000 8000 exceed-action drop
>   set ip dscp default
>
>
> This is my QoS trust boundary so I'm re-coloring to 0 and setting my
> CIR to 10Mbps. The switch wouldn't let me define 'match any' in the
> class-map. I suspect that I'm not matching anything because of that.
> I want to match anything coming in that interface and police it to the
> CIR and drop everything else. I must be missing something but I'm not
> sure what it is. Is there something unique about this platform? The
> IOS is 12.2(50)SE1.
>
> Thanks
> Justin

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From peter at rathlev.dk Tue Aug 4 16:59:00 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 22:59:00 +0200
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <666686.33750.qm@web38105.mail.mud.yahoo.com>
References: <666686.33750.qm@web38105.mail.mud.yahoo.com>
Message-ID: <1249419540.4165.4.camel@abehat.net.rm.dk>

On Mon, 2009-08-03 at 21:06 -0700, snort bsd wrote:
> But I did almost exactly what you suggested and still not working. BTW, the
> command "bridge 10 route ip" doesn't work since only command "bridge 1
> route ip" works.

That "almost" might be critical. ;-)

What does it say if you type "bridge ?" when configuring? How many bridge groups does it support? What error do you get?

I'm not familiar with the 1200 AP (vaguely remember working with a 350 AP but haven't touched it since) but unless you absolutely need to bridge the VLAN you might also be able to just configure the Dot11Radio0 subinterface with an IP address.

Regards,
Peter

From SPfister at dps.k12.oh.us Tue Aug 4 16:32:52 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 04 Aug 2009 16:32:52 -0400
Subject: [c-nsp] Question on 6500 series switches
Message-ID: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>

We're looking at replacing a 4507R at the core of our network with a 6500 series. Currently, the 4507R has a supervisor engine IV, 3 48-port copper blades, and 2 6-port fiber blades.
We're hoping to include in the 6500 series replacement the firewall module (to replace a PIX 525), vpn (to replace a 3005 concentrator), and IDS/IPS.

I'm a little confused as to what I need from looking at the Cisco product pages. Is there a guide somewhere as to what to get? The firewall that we would be replacing is actually a pair of PIX 525s in an active/standby pair. We'd like to have some redundancy in the 6500 as well. We'd also like some sort of failover for the IDS/IPS if possible.

A couple of questions:
- if I have two FWSMs installed, they would load balance, and if one failed, the other would take over all traffic, correct?
- I see a "VPN services port adapter" and a "VPN shared port adapter"... I'm not sure how they differ
- The supervisor engine 720 and the supervisor engine 32... we'd need one or the other, correct?
- Would we need the Policy Feature Card and the Distributed Forwarding Card?

Thanks!

--Steve

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From peter at rathlev.dk Tue Aug 4 17:39:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 23:39:41 +0200
Subject: [c-nsp] Question on 6500 series switches
In-Reply-To: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
References: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <1249421981.4165.16.camel@abehat.net.rm.dk>

On Tue, 2009-08-04 at 16:32 -0400, Steven Pfister wrote:
> A couple of questions:
> - if I have two FWSMs installed, they would load balance, and if one
> failed, the other would take over all traffic, correct?

AFAIK they can only load balance in active/active mode if you create two contexts and place them each in their own primary FWSM. Put another way: Load balancing won't be there by default and it's a little tricky to implement if you're running a single context.
It doesn't matter whether they're in the same chassis or not.

> - The supervisor engine 720 and the supervisor engine 32... we'd need
> one or the other, correct?

You very probably need one of them, unless you want to go the Sup2 or Sup1A way, which you don't. :-)

The "Sup720 vs. Sup32" subject is a lengthy one (search the archives) but the main differences (IMHO) are:

- The 256k TCAM entry limitation in the non XL-versions of the PFCs, and Sup32 can only use a PFC3B, non-XL. This means no full BGP table.
- Performance: 32 Gb/s bus (Sup32) vs. 2x20 Gb/s full mesh fabric (Sup720).
- Sup32 can't use 6700-series interface modules (e.g. WS-X6748-GE-TX).

> - Would we need the Policy Feature Card and the Distributed Forwarding
> Card?

Both are included in Sup32 and Sup720. For Sup720 you have to decide between a "regular" PFC or an XL-version. (There's also both a PFC3B and a PFC3C version of the Sup720, the latter having 10GE uplinks as the most visible difference.)

Regards,
Peter

From sigurbjornl at vodafone.is Tue Aug 4 17:45:16 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 04 Aug 2009 21:45:16 +0000
Subject: [c-nsp] Question on 6500 series switches
In-Reply-To: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

Never used the VPN services so I can't answer for that.

The FWSMs behave just like an ASA/PIX. There is no load-balancing, it's active/standby failover. You can achieve active/active by having multiple contexts and spreading the active/standby pairs, for example

Context   FWSM 1    FWSM 2
A         Active    Standby
B         Standby   Active
C         Active    Standby
D         Standby   Active

Therefore having 2 contexts active on each FWSM and failover for the other 2.

The SUP32 does not support distributed forwarding at all. The maximum throughput through the SUP32 is 32Gbps on the shared bus. The SUP32 also does not support the 6700 or 6800 series linecards, and features a maximum throughput of 15 Mpps for IPV4 traffic.
The SUP720 does support distributed forwarding and can, with suitable line-cards and DFCs, push 720Gbps.

Different beasts for different tasks, it mostly depends on how much traffic you are looking into pushing through the box.

Kind regards,
Sibbi

On 4.8.2009 20:32, "Steven Pfister" wrote:

> We're looking at replacing a 4507R at the core of our network with a 6500
> series. Currently, the 4507R has a supervisor engine IV, 3 48-port copper
> blades, and 2 6-port fiber blades. We're hoping to include in the 6500 series
> replacement the firewall module (to replace a PIX 525), vpn (to replace a 3005
> concentrator), and IDS/IPS.
>
> I'm a little confused as to what I need from looking at the Cisco product
> pages. Is there a guide somewhere as to what to get? The firewall that we
> would be replacing is actually a pair of PIX 525s in an active/standby pair.
> We'd like to have some redundancy in the 6500 as well. We'd also like some
> sort of failover for the IDS/IPS if possible.
>
> A couple of questions:
> - if I have two FWSMs installed, they would load balance, and if one failed,
> the other would take over all traffic, correct?
> - I see a "VPN services port adapter" and a "VPN shared port adapter"... I'm
> not sure how they differ
> - The supervisor engine 720 and the supervisor engine 32... we'd need one or
> the other, correct?
> - Would we need the Policy Feature Card and the Distributed Forwarding Card?
>
> Thanks!
>
> --Steve
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From peter at rathlev.dk Tue Aug 4 17:56:00 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 23:56:00 +0200
Subject: [c-nsp] OT: Sniffing TCP connection quality
Message-ID: <1249422960.4165.33.camel@abehat.net.rm.dk>

Hi,

Since TCP works the way it does a passive observer is able to see packet loss by looking for e.g. duplicate ACKs. For some time I've had a dumpcap process picking out traffic to/from specific destinations and running it through tshark to get the wireshark "Expert Info" output. This turns out to be very interesting data.

The problem is that I'd like to do some further data mining to see if certain sources/destinations are more troubled than others. For this I'd have to isolate each flow and analyse them one by one. Even though this would be possible (and not too hard) with a few scripts, I'd like to know if there might exist some tool/appliance that does this: Looks at traffic (e.g. from a SPAN port) and collects statistics about the flows including analysis of packet loss et cetera. The important part is that it looks at the separate flows.

I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and this looks very promising, but it doesn't seem to be able to analyze the different flows separately.

Anybody know of such tool/appliance? Preferably either appliance or something that runs on Linux, but commercial solutions as well as open source.
Regards,
Peter

From sigurbjornl at vodafone.is Tue Aug 4 17:00:19 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 4 Aug 2009 21:00:19 -0000
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789BBB.30607@rainierconnect.net>
Message-ID:

Why not use class-default?

Kind regards,
Sibbi

On 4.8.2009 20:36, "Walter Keen" wrote:

> While it may not be ideal, I've run into some cases where match any was
> not available and matching an access list (that matched anything) was my
> only viable option.
>
> Justin Shore wrote:
>> I'm having a little trouble doing something that should be simple.
>> I'm using a 3560 as a CPE to break up multiple services and bind them
>> to unique switchports. I don't normally use 3560s for this. The port
>> in question is for a 10Mbps PtP with no SLA across our backbone.
>>
>> What I currently have is apparently not doing anything and I fail to
>> see the flaw in my logic:
>>
>>
>> class-map match-all ALL
>> !
>> !
>> policy-map Re-color-BE
>>  description Police to 10Mbps CIR - Re-color ALL to BE
>>  class ALL
>>   police 10000000 8000 exceed-action drop
>>   set ip dscp default
>>
>>
>> This is my QoS trust boundary so I'm re-coloring to 0 and setting my
>> CIR to 10Mbps. The switch wouldn't let me define 'match any' in the
>> class-map. I suspect that I'm not matching anything because of that.
>> I want to match anything coming in that interface and police it to the
>> CIR and drop everything else. I must be missing something but I'm not
>> sure what it is. Is there something unique about this platform? The
>> IOS is 12.2(50)SE1.
>>
>> Thanks
>> Justin

From guru6111 at gmail.com Tue Aug 4 18:58:32 2009
From: guru6111 at gmail.com (Atif Sid)
Date: Tue, 4 Aug 2009 18:58:32 -0400
Subject: [c-nsp] Cisco 7600 - ES card VLAN Shaping
Message-ID: <766b203d0908041558g5c83e9bdj11aacb8d3b21b581@mail.gmail.com>

I am trying to apply a hierarchical policy-map under an int vlan and it gives an error. It is a 7606 with RSP 720 and ES 40 cards.

PE4(config)#int vlan 299
PE4(config-if)#service-policy output testce
Hierarchical policymap is not supported for this interface.
Configuration failed!

here is the policy-map:

policy-map testce
 class class-default
  police 450000000
  service-policy pe-ce-450m

Nested policy map:

policy-map pe-ce-450m
 class pe-ce-450m-s
  bandwidth percent 4
  random-detect
  random-detect precedence 0 300 1000 1
  random-detect precedence 1 300 1000 1
 class pe-ce-450m-p
  bandwidth percent 30
  random-detect
  random-detect precedence 2 100 150 1
  random-detect precedence 3 750 1000 1
  random-detect precedence 6 750 1000 1
  random-detect precedence 7 750 1000 1
 class pe-ce-450m-nrt
  police cir 292496000 bc 146248 be 4470 conform-action transmit exceed-action drop violate-action drop

*********************

If I use shaping then it says it is not supported.

policy-map testce
 class class-default
  shape average 450000000
  service-policy pe-ce-450m -> same as above...

PE4(config)#int vlan 299
PE4(config-if)#service-policy output testce
shape average command is not supported in output direction for this interface
Configuration failed!

how can we apply shaping on VLAN interface... subinterface configuration it works but not on VLAN interface.
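An added example (not from Peter Rathlev's "Sniffing TCP connection quality" post above, nor from tstat or any tool named in the thread) of the per-flow data mining he asks for: it parses IPv4/TCP packets, groups both directions of a connection into one flow, and counts duplicate ACKs and retransmissions per flow so troubled sources/destinations stand out. The packet builder, the flow key and the sample capture are constructed for this example; a production version would read pcap output from dumpcap and would also compare window and SACK fields before calling an ACK a duplicate.

```python
"""Per-flow passive TCP loss indicators from captured IPv4/TCP packets."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


@dataclass
class FlowStats:
    packets: int = 0
    dup_acks: int = 0
    retransmissions: int = 0
    last_ack: dict = field(default_factory=dict)  # per sender: last ACK number it sent
    next_seq: dict = field(default_factory=dict)  # per sender: highest seq it has sent


def seq_lt(a, b):
    """True if 32-bit sequence number a is 'before' b, tolerating wraparound."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed test input: minimal IPv4 + TCP headers, no options, zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_ipv4_tcp(buf):
    """Return (src, dst, sport, dport, seq, ack, flags, payload_len), or None if not IPv4/TCP."""
    if len(buf) < 20 or buf[0] >> 4 != 4 or buf[9] != 6:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", buf, 2)[0]
    src, dst = (".".join(map(str, buf[i:i + 4])) for i in (12, 16))
    tcp = buf[ihl:total_len]
    sport, dport, seq, ack, off, flags = struct.unpack_from("!HHIIBB", tcp)
    return src, dst, sport, dport, seq, ack, flags, len(tcp) - (off >> 4) * 4


def flow_key(src, dst, sport, dport):
    """Direction-independent key so both halves of a connection land in one record."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def analyze(packets):
    """Group packets into flows and count duplicate ACKs and retransmissions per flow."""
    flows = defaultdict(FlowStats)
    for buf in packets:
        p = parse_ipv4_tcp(buf)
        if p is None:
            continue
        src, dst, sport, dport, seq, ack, flags, plen = p
        st = flows[flow_key(src, dst, sport, dport)]
        st.packets += 1
        sender = (src, sport)
        # Duplicate ACK (simplified): a pure ACK repeating the last ACK number this
        # side sent, i.e. the receiver is still waiting for the same byte.
        if flags & TCP_ACK and plen == 0 and not flags & (TCP_SYN | TCP_FIN):
            if st.last_ack.get(sender) == ack:
                st.dup_acks += 1
        if flags & TCP_ACK:
            st.last_ack[sender] = ack
        # Retransmission: a data (or SYN/FIN) segment that starts below the highest
        # sequence number this side has already sent.
        if plen > 0 or flags & (TCP_SYN | TCP_FIN):
            end = seq + plen + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
            highest = st.next_seq.get(sender)
            if highest is not None and seq_lt(seq, highest):
                st.retransmissions += 1
            if highest is None or seq_lt(highest, end):
                st.next_seq[sender] = end & 0xFFFFFFFF
    return flows


def report(packets):
    """Map 'a:port <-> b:port' to (packets, dup_acks, retransmissions)."""
    return {f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}": (s.packets, s.dup_acks, s.retransmissions)
            for (a, b), s in analyze(packets).items()}


# Constructed sample capture (not real traffic): client C loses the server's second
# data segment, sends two dup ACKs and gets a retransmission; client D is clean.
C, D, S, HTTP = "10.0.0.5", "10.0.0.6", "192.0.2.10", 80
DATA = b"x" * 1000
SAMPLE_PACKETS = [
    build_ipv4_tcp(C, S, 40000, HTTP, 100, 0, TCP_SYN),
    build_ipv4_tcp(S, C, HTTP, 40000, 500, 101, TCP_SYN | TCP_ACK),
    build_ipv4_tcp(C, S, 40000, HTTP, 101, 501, TCP_ACK),
    build_ipv4_tcp(S, C, HTTP, 40000, 501, 101, TCP_ACK, DATA),
    build_ipv4_tcp(C, S, 40000, HTTP, 101, 1501, TCP_ACK),
    build_ipv4_tcp(S, C, HTTP, 40000, 2501, 101, TCP_ACK, DATA),  # 1501..2500 was lost
    build_ipv4_tcp(C, S, 40000, HTTP, 101, 1501, TCP_ACK),         # dup ACK 1
    build_ipv4_tcp(S, C, HTTP, 40000, 3501, 101, TCP_ACK, DATA),
    build_ipv4_tcp(C, S, 40000, HTTP, 101, 1501, TCP_ACK),         # dup ACK 2
    build_ipv4_tcp(S, C, HTTP, 40000, 1501, 101, TCP_ACK, DATA),  # retransmission
    build_ipv4_tcp(C, S, 40000, HTTP, 101, 4501, TCP_ACK),
    build_ipv4_tcp(D, S, 40001, HTTP, 2, 9001, TCP_ACK),
    build_ipv4_tcp(S, D, HTTP, 40001, 9001, 2, TCP_ACK, DATA[:500]),
    build_ipv4_tcp(D, S, 40001, HTTP, 2, 9501, TCP_ACK),
]

if __name__ == "__main__":
    for flow, (n, dups, rexmit) in sorted(report(SAMPLE_PACKETS).items()):
        print(f"{flow}: {n} pkts, {dups} dup ACKs, {rexmit} retransmissions")
```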
From scott at labyrinth.org Tue Aug 4 19:02:35 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Tue, 4 Aug 2009 19:02:35 -0400
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249422960.4165.33.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID:

Both Netscout and Fluke make products that do this. Plus, you can buy probes to insert into your links directly (as opposed to span-port) if you want to do some sniffing on something other than an Ethernet switch. Be ready to fork out some money though.

On Aug 4, 2009, at 5:56 PM, Peter Rathlev wrote:

> Hi,
>
> Since TCP works the way it does a passive observer is able to see packet
> loss by looking for e.g. duplicate ACKs. For some time I've had a
> dumpcap process picking out traffic to/from specific destinations and
> running it through tshark to get the wireshark "Expert Info" output.
> This turns out to be very interesting data.
>
> The problem is that I'd like to do some further data mining to see if
> certain sources/destinations are more troubled than others. For this I'd
> have to isolate each flow and analyse them one by one. Even though this
> would be possible (and not too hard) with a few scripts, I'd like to
> know if there might exist some tool/appliance that does this: Looks at
> traffic (e.g. from a SPAN port) and collects statistics about the flows
> including analysis of packet loss et cetera. The important part is that
> it looks at the separate flows.
>
> I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> this looks very promising, but it doesn't seem to be able to analyze the
> different flows separately.
>
> Anybody know of such tool/appliance? Preferably either appliance or
> something that runs on Linux, but commercial solutions as well as open
> source.
>
> Regards,
> Peter

--
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

From mtinka at globaltransit.net Tue Aug 4 05:44:52 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 4 Aug 2009 17:44:52 +0800
Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga)
In-Reply-To:
References:
Message-ID: <200908041744.58177.mtinka@globaltransit.net>

On Monday 03 August 2009 05:05:03 pm Ruzhanskaya Olga wrote:

> We are using 7206VXR-G1/G2 platform as edge router (PE)
> in our MPLS network. When traffic volume grows, we
> replace NPE-G1 processor with NPE-G2. But in future we'll
> need something more powerful. General requirements:
> - OSPF, BGP (full table for our own needs and for
> customers);
> - MPLS VPN (L3 and L2);
> - CBWFQ (better LLQ) QoS, uRPF, GRE..

What Gert mentions in his response is essentially what you're getting from Cisco re: the natural migration from the NPE-G2 or 7201 platforms, i.e., the ASR1000 series routers.

However, if you're willing to "check out the neighbor's garage", have a look at Juniper's J6350. It's a software-based platform too, their top-end model, but you might want to test it out for performance and feature parity, to see if you're really gaining much by switching platforms, if you so choose.
I'd say that by the time you're pushing a software-based platform like the NPE-G2 or J6350 to its limits, you're pretty much justified breaking into the hardware-based router realm, particularly when it's "relatively" affordable platforms like the Cisco ASR1002 or Juniper M7i (at those traffic levels, of course).

Cheers,

Mark.

From gert at greenie.muc.de Wed Aug 5 03:11:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 09:11:09 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A787668.8050909@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net>
Message-ID: <20090805071109.GG290@greenie.muc.de>

Hi,

On Tue, Aug 04, 2009 at 10:56:56AM -0700, Walter Keen wrote:
> Yes, I believe it was you. We are trying to migrate from a 7200 to a
> 7500 to gain route processor redundancy.

"Don't".

The 7200 is a much better maintained platform, and the 7500 will give you headaches just *because* you have redundant processors, distributed things and too-complex packet paths in it.

> Our traffic is typically
> 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa,
> and some dsl subs are behind NAT, but we're slowly weeding them out into
> having a typical dsl connection with a public ip. Probably about 1k
> subscribers, and in the next year or two we'll probably be moving them
> to an ethernet-based handoff from the carriers to us.

All this stuff is something that happens to be in the 7500 code base, but Cisco didn't really test it on that platform, and won't fix any bugs that you find - and there are lots :-(

I'd really really go for a 7200 - and for redundancy, put a second 7200 on top of it.
Yes, in theory this is much less fail-safe, but in practice, 7200s just don't die... - in the last 10 years, we had a single NPE die on us (from a pool of about 12 7200s, NPE-150 to NPE-G1), but *much* more fun with CyBUS stall/resets and such on our single 7500.

If you *insist* on having route-processor redundancy (what about interface and physical path redundancy?), I think you can do that with ASR1k, but I admit to not having any hands-on experience with that platform yet.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From erik at infopact.nl Wed Aug 5 04:02:24 2009
From: erik at infopact.nl (E. Versaevel)
Date: Wed, 05 Aug 2009 10:02:24 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <20090805071109.GG290@greenie.muc.de>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <20090805071109.GG290@greenie.muc.de>
Message-ID: <4A793C90.9070004@infopact.nl>

Only drawback on the ASR1k platform is the lack of PPPoA support, otherwise we would have happily migrated away from our 7200/1G's.

We got 2 ASR1004's for ethernet aggregation and they're doing just fine for that :)

>
> If you *insist* on having route-processor redundancy (what about interface
> and physical path redundancy?), I think you can do that with ASR1k, but
> I admit to not having any hands-on experience with that platform yet.
>

Erik Versaevel

From carl at outerloop.net Wed Aug 5 04:08:44 2009
From: carl at outerloop.net (Carl Jones)
Date: Wed, 5 Aug 2009 20:08:44 +1200
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
Message-ID:

Hi all,

I'm running 3x 3750G-24 in a stack.
I'm seeing high CPU usage e.g.:

CPU utilization for five seconds: 69%/24%; one minute: 63%; five minutes: 74%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 201    50885085   5144152       9891 17.41% 17.60% 16.68%   0 Spanning Tree
  73     9841381   3782242       2601  9.26%  7.11%  6.23%   0 HLFM address lea
 134     6355962    267005      23804  1.75%  0.93%  0.95%   0 HL3U bkgrd proce
 301     3115451    273365      11396  1.43%  1.13%  0.96%   0 CEF: IPv4 proces
  60     5452829     80160      68024  1.27%  1.78%  1.81%   0 Adjust Regions
 192     2715297   3543754        766  1.27%  0.95%  1.15%   0 IP Input
 133     3143317   3476055        904  0.95%  0.84%  1.08%   0 Hulc LED Process
   9     2401841   2057237       1167  0.95%  0.71%  0.74%   0 ARP Input
 153     1479640    198328       7460  0.63%  0.58%  0.55%   0 PI MATM Aging Pr
  96      785363    313609       2504  0.63%  0.32%  0.31%   0 hpm counter proc
 197     2776025   4243834        654  0.47%  0.63%  0.75%   0 ADJ resolve proc
 142      378847    243608       1555  0.15%  0.13%  0.13%   0 HRPC qos request
  92      348283   1281519        271  0.15%  0.12%  0.14%   0 hpm main process
 141      353779     41162       8594  0.15%  0.10%  0.14%   0 HQM Stack Proces

23 ports are configured as trunks (to 2950/3550/2960s). They show normal CPU utilization. Enabling spanning tree debugging shows nothing out of the ordinary (just regular BPDUs). They are all attached to the first switch (nothing in use on the other two).

There are ~80 VLANs that terminate on the stack and two routed interfaces.

Currently I see:

core-dal#sh platform tcam utilization
 CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                         400/3200        373/2911
 IPv4 IGMP groups + multicast routes:           144/1152          6/26
 IPv4 unicast directly-connected routes:        400/3200        373/2911
 IPv4 unicast indirectly-connected routes:     1040/8320        114/848
 IPv4 policy based routing aces:                384/512           1/2
 IPv4 qos aces:                                 768/768         324/324
 IPv4 security aces:                           1024/1024         31/31

core-dal#sh ip arp sum
7222 IP ARP entries, with 1011 of them incomplete

Currently using the routing template. Unfortunately that did not seem to help with the CPU usage (nor did 'no ip unreachables' on our VLANs).
core-dal#sh sdm prefer
The current template is "desktop routing" template.

Using a fairly recent IOS on them:
* 1 28 WS-C3750G-24TS 12.2(50)SE2 C3750-IPSERVICESK9-M

I suspect I may be seeing TCAM exhaustion. Any suggestions on how I can confirm or avoid that?

Regards,
Carl

From mschedrin at gmail.com Wed Aug 5 04:24:12 2009
From: mschedrin at gmail.com (Michael Schedrin)
Date: Wed, 5 Aug 2009 12:24:12 +0400
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
In-Reply-To:
References:
Message-ID: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>

2009/8/5 Carl Jones

> Hi all,
>
> I'm running 3x 3750G-24 in a stack. I'm seeing high CPU usage e.g.:
>
> CPU utilization for five seconds: 69%/24%; one minute: 63%; five minutes: 74%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>  201    50885085   5144152       9891 17.41% 17.60% 16.68%   0 Spanning Tree
>   73     9841381   3782242       2601  9.26%  7.11%  6.23%   0 HLFM address lea
>  134     6355962    267005      23804  1.75%  0.93%  0.95%   0 HL3U bkgrd proce
>  301     3115451    273365      11396  1.43%  1.13%  0.96%   0 CEF: IPv4 proces
>   60     5452829     80160      68024  1.27%  1.78%  1.81%   0 Adjust Regions
>  192     2715297   3543754        766  1.27%  0.95%  1.15%   0 IP Input
>  133     3143317   3476055        904  0.95%  0.84%  1.08%   0 Hulc LED Process
>    9     2401841   2057237       1167  0.95%  0.71%  0.74%   0 ARP Input
>  153     1479640    198328       7460  0.63%  0.58%  0.55%   0 PI MATM Aging Pr
>   96      785363    313609       2504  0.63%  0.32%  0.31%   0 hpm counter proc
>  197     2776025   4243834        654  0.47%  0.63%  0.75%   0 ADJ resolve proc
>  142      378847    243608       1555  0.15%  0.13%  0.13%   0 HRPC qos request
>   92      348283   1281519        271  0.15%  0.12%  0.14%   0 hpm main process
>  141      353779     41162       8594  0.15%  0.10%  0.14%   0 HQM Stack Proces
>
> 23 ports are configured as trunks (to 2950/3550/2960s). They show
> normal CPU utilization. Enabling spanning tree debugging shows nothing
> out of the ordinary (just regular BPDUs). They are all attached to the
> first switch (nothing in use on the other two).
>
> There are ~80 VLANs that terminate on the stack and two routed interfaces.
>
> Currently I see:
>
> core-dal#sh platform tcam utilization
>
>  CAM Utilization for ASIC# 0                      Max            Used
>                                              Masks/Values    Masks/values
>
>  Unicast mac addresses:                         400/3200        373/2911

Look at "sh mac address-table count"
Check "Total Mac Address Space Available:"
3750 has a table for 6000 mac addresses. If you stack 3*3750, this bundle will also have a table of 6000.

>
>  IPv4 IGMP groups + multicast routes:           144/1152          6/26
>  IPv4 unicast directly-connected routes:        400/3200        373/2911
>  IPv4 unicast indirectly-connected routes:     1040/8320        114/848
>  IPv4 policy based routing aces:                384/512           1/2
>  IPv4 qos aces:                                 768/768         324/324
>  IPv4 security aces:                           1024/1024         31/31
>
> core-dal#sh ip arp sum
> 7222 IP ARP entries, with 1011 of them incomplete

Yes, this proves the information about the lack of size of the mac-address-table.

>
>
> Currently using the routing template. Unfortunately that did not seem
> to help with the CPU usage (nor did 'no ip unreachables' on our
> VLANs).
>
> core-dal#sh sdm prefer
> The current template is "desktop routing" template.
>
> Using a fairly recent IOS on them:
> * 1 28 WS-C3750G-24TS 12.2(50)SE2 C3750-IPSERVICESK9-M
>
> I suspect I may be seeing TCAM exhaustion. Any suggestions on how I
> can confirm or avoid that?

You have two ways to avoid the problem. First - change sdm to "vlan". Second - disassemble the stack and make every switch use its own mac-address-table and tcam. In summary you will have a 6000*3 mac-address table.
>
>
> Regards,
> Carl

From ayourtch at cisco.com Wed Aug 5 04:48:55 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 5 Aug 2009 10:48:55 +0200 (CEST)
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249422960.4165.33.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID:

Hi Peter,

On Tue, 4 Aug 2009, Peter Rathlev wrote:

> I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> this looks very promising, but it doesn't seem to be able to analyze the
> different flows separately.

Have you taken a look at http://jarok.cs.ohiou.edu/software/tcptrace/ ? It can handle multiple flows and outputs quite a lot of interesting aggregate data. Though, AFAIK it needs the pcap file (as opposed to reporting about the traffic realtime).

cheers,
andrew

From dale.shaw+cisco-nsp at gmail.com Wed Aug 5 05:57:52 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 5 Aug 2009 19:57:52 +1000
Subject: [c-nsp] OT: Using wireshark to decode IPSec/ESP
Message-ID: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com>

Hi all,

Has anyone used wireshark successfully to decode ESP traffic? The only material I can find online is people having the same problem as me, or people using null encryption. I need to peek inside esp-3des/esp-sha-hmac SAs.

The wireshark wiki entry is: http://wiki.wireshark.org/ESP_Preferences

It's been years since I was armpit deep in IPSec but I am assuming the encryption key it wants is NOT the ISAKMP pre-shared key. If that's right, is there a way I can get the key(s)? I have access to the peers.

If that's wrong, well, why isn't it working for me? :-) (no errors, just no meaningful decode.)
In case you're wondering, I just want to see with my own eyes what DMVPN looks like on the wire (eth:ip:esp:gre:ip:payload)

There are some screen caps here that show it's possible: http://www.carbonwind.net/VyattaOFR/AdvVPN/AdvVPN2.htm#toJj

cheers,
Dale

From asturluismi at gmail.com Wed Aug 5 06:33:28 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 12:33:28 +0200
Subject: [c-nsp] Counters for null0?
Message-ID: <1249468408.11065.7.camel@dsba-ipso>

Hi, is there any way to see how much traffic is going to null0 interface?
I configured several routes to be forwarded to null0 and I would like to have some info about how much traffic is going there.
If the IOS doesn't provide any information about it... is it possible to obtain that information using netflow?

From avayner at cisco.com Wed Aug 5 06:47:34 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 5 Aug 2009 12:47:34 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249468408.11065.7.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>

Did you try looking at "show interface null0"?
I am not sure it works, but give it a try as I do not have quick access to a lab where I can test this.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Wednesday, August 05, 2009 13:33
To: cisco-nsp
Subject: [c-nsp] Counters for null0?

Hi, is there any way to see how much traffic is going to null0 interface?
I configured several routes to be forwarded to null0 and I would like to have some info about how much traffic is going there.
If the IOS doesn't provide any information about it... is it possible to obtain that information using netflow?
From masood at nexlinx.net.pk Wed Aug 5 08:19:00 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 5 Aug 2009 17:19:00 +0500 (PKT)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
Message-ID: <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>

show interface null0 always works on Cisco boxes. You can see in/out packets as well.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

> Did you try looking at "show interface null0"?
> I am not sure it works, but give it a try as I do not have quick access
> to a lab where I can test this.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Wednesday, August 05, 2009 13:33
> To: cisco-nsp
> Subject: [c-nsp] Counters for null0?
>
> Hi, is there any way to see how much traffic is going to null0
> interface?
> I configured several routes to be forwarded to null0 and I would like to
> have some info about how much traffic is going there.
> If the IOS doesn't provide any information about it... is it possible to
> obtain that information using netflow?
From hank at efes.iucc.ac.il Wed Aug 5 07:38:58 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Wed, 5 Aug 2009 14:38:58 +0300 (IDT)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

On Wed, 5 Aug 2009, masood at nexlinx.net.pk wrote:

Not always. Just do:

sho ip cache flow | incl Null

to see pkts that are null routed and that are not counted via the null0 interface.

-Hank

> show interface null0 always works on Cisco boxes. You can see in/out
> packets as well.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
>
>> Did you try looking at "show interface null0"?
>> I am not sure it works, but give it a try as I do not have quick access
>> to a lab where I can test this.
>>
>> Arie
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
>> Sent: Wednesday, August 05, 2009 13:33
>> To: cisco-nsp
>> Subject: [c-nsp] Counters for null0?
>>
>> Hi, is there any way to see how much traffic is going to the null0
>> interface?
>> I configured several routes to be forwarded to null0 and I would like to
>> have some info about how much traffic is going there.
>> If the IOS doesn't provide any information about it... is it possible to
>> obtain that information using netflow?
From asturluismi at gmail.com Wed Aug 5 08:04:03 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 14:04:03 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
Message-ID: <1249473843.11065.16.camel@dsba-ipso>

Yes, but I can only see the "output" counters growing. Quite strange, since null0 is not generating traffic and it has "no ip unreachables" configured.

On Wed, 05-08-2009 at 12:47 +0200, Arie Vayner (avayner) wrote:
> Did you try looking at "show interface null0"?
> I am not sure it works, but give it a try as I do not have quick access
> to a lab where I can test this.
>
> Arie

From domintefamily at yahoo.co.uk Wed Aug 5 07:29:36 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Wed, 5 Aug 2009 11:29:36 +0000 (GMT)
Subject: [c-nsp] VSS 1440 issues
Message-ID: <745803.32277.qm@web27904.mail.ukl.yahoo.com>

Hi,

I recently clustered 2 Catalyst 6509s into a VSS 1440 Virtual Switch.

Details about the cluster:

- Software version: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
- Supervisor: VS-S720-10G
with one 10G port used as VSL link
- Linecards, Active chassis:
    1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
    4 x WS-X6748-GE-TX
- Linecards, Standby chassis:
    1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
    2 x WS-X6748-GE-TX

The 6748 line cards are used and configured for MEC EtherChannels.

At the other end of the MEC channels there are non-Cisco edge switches. The multi-chassis EtherChannels are configured as 2 x 1G links, and single switchport trunks are configured as 1 x 1G links. All VLANs are allowed on the single switchport trunks and port channels from the VSS cluster to the edge switches.

The issue is that unicast traffic is flooded by the VSS cluster across all trunks. The flooded traffic generated by the VSS cluster is between 600 Mbps and 1 Gbps, and almost all of the flooded traffic is unicast and has the source MAC address of the VSS cluster. However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport. All of the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in switch 1 are the ones that have a single trunk instead of a MEC.

We tried to investigate this on a low-importance link. The VSS cluster learned only 10 MAC addresses on one edge trunk configured as a 1 x 1G link. This edge trunk received the flood of unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually on the VSS cluster to allow only 4 VLANs instead of all. Allowing only 4 VLANs on this trunk stopped the flood on the edge trunk and stopped the flood on all other trunks as well.

Does anyone have any idea about what can cause this?

Thanks

Catalin

From asturluismi at gmail.com Wed Aug 5 08:30:23 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 14:30:23 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To:
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <1249475423.11065.31.camel@dsba-ipso>

I just configured a router here to use it, but it is quite strange because I can see correct traffic routed to "null", and I didn't expect to see that; I don't think it is correct.

#sho ip cache flow | incl Null
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5

208.67.222.222 is the OpenDNS server, but the destination interface is "null".

Any idea why I see that? Is that correct (I don't think so)?

From jarruda-cnsp at jarruda.com Wed Aug 5 08:49:50 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 08:49:50 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <4A797FEE.5090102@jarruda.com>

luismi wrote:
> I just configured a router here to use it, but it is quite strange because
> I can see correct traffic routed to "null", and I didn't expect to see
> that; I don't think it is correct.
>
> #sho ip cache flow | incl Null
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5
>
> 208.67.222.222 is the OpenDNS server, but the destination interface is
> "null".
>
> Any idea why I see that? Is that correct (I don't think so)?

Isn't all process-switched/punted traffic reported as ifout == Null in NetFlow?

Is this traffic going via NAT? (Likely, from what I see.)
From p.caci at seabone.net Wed Aug 5 08:46:33 2009
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 05 Aug 2009 14:46:33 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso> (asturluismi@gmail.com's message of "Wed, 05 Aug 2009 14:30:23 +0200")
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <874osmo2c6.fsf@clarabella.noc.seabone.net>

:-> "luismi" == luismi writes:

> I just configured a router here to use it, but it is quite strange because
> I can see correct traffic routed to "null", and I didn't expect to see
> that; I don't think it is correct.

> #sho ip cache flow | incl Null
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5

Null0 appears as "Nu0" in that output. "Null" means something else which I don't remember; looking at my router, it is probably traffic for which you'd get "Network not in table". Can someone confirm?

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From rodunn at cisco.com Wed Aug 5 09:19:51 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 09:19:51 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References: <4A787016.7040006@cisco.com>
Message-ID: <4A7986F7.4070905@cisco.com>

For small flow combinations you are right. BTW, it would be just L3 src/dst flows by default unless the L4 port option is enabled.

I thought about there being a single flow causing the difference that would be hashing down one of the paths. But 2G, while not impossible, typically isn't used between two IP addresses.
It's something to check though, for sure.

Rodney

Mikael Abrahamsson wrote:
> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>
>> That's usually caused by routes not being the same on the paths.
>
> It was my understanding that this usually was caused by not having
> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and 4
> paths, then it's not enough flows to get good load share on, but if you
> instead have 10k flows and all of them are low-speed, then the odds of
> them being equally load shared is much better?
>

From rodunn at cisco.com Wed Aug 5 09:23:20 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 09:23:20 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <4A7987C8.3070407@cisco.com>

There are scenarios (NAT, ACL drops, etc.) where the dst in the NetFlow will show Null.

A transit packet that is forwarded out will not (should not) show Null.

Rodney

luismi wrote:
> I just configured a router here to use it, but it is quite strange because
> I can see correct traffic routed to "null", and I didn't expect to see
> that; I don't think it is correct.
>
> #sho ip cache flow | incl Null
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5
>
> 208.67.222.222 is the OpenDNS server, but the destination interface is
> "null".
>
> Any idea why I see that? Is that correct (I don't think so)?
From p.caci at seabone.net Wed Aug 5 08:32:36 2009
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 05 Aug 2009 14:32:36 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249473843.11065.16.camel@dsba-ipso> (asturluismi@gmail.com's message of "Wed, 05 Aug 2009 14:04:03 +0200")
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <1249473843.11065.16.camel@dsba-ipso>
Message-ID: <878whyo2zf.fsf@clarabella.noc.seabone.net>

:-> "luismi" == luismi writes:

> Yes, but I can only see the "output" counters growing. Quite strange,
> since null0 is not generating traffic and it has "no ip unreachables"
> configured.

Yes, the output counters are the ones that have a meaning. It's traffic that's actually dropped. I have a vague memory of some platform using inbound counters for something else, but I may be wrong. I just looked at a GSR and inbound is all 0.

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From mhuff at ox.com Wed Aug 5 09:32:05 2009
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 5 Aug 2009 09:32:05 -0400
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <745803.32277.qm@web27904.mail.ukl.yahoo.com>
References: <745803.32277.qm@web27904.mail.ukl.yahoo.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>

I would suspect it's a timeout issue caused by it aging out of the ARP cache and not the TCAM table. Try adding "mac-address-table aging-time 14400" to the config.
This usually happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the return path may be asymmetrical.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte
> Sent: Wednesday, August 05, 2009 7:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VSS 1440 issues
>
> Hi,
>
> I recently clustered 2 Catalyst 6509s into a VSS 1440 Virtual Switch.
>
> Details about the cluster:
>
> - Software version: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
> - Supervisor: VS-S720-10G with one 10G port used as VSL link
> - Linecards, Active chassis:
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     4 x WS-X6748-GE-TX
> - Linecards, Standby chassis:
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     2 x WS-X6748-GE-TX
>
> The 6748 line cards are used and configured for MEC EtherChannels.
>
> At the other end of the MEC channels there are non-Cisco edge switches. The multi-chassis
> EtherChannels are configured as 2 x 1G links, and single switchport trunks are configured as
> 1 x 1G links. All VLANs are allowed on the single switchport trunks and port channels from the
> VSS cluster to the edge switches.
>
> The issue is that unicast traffic is flooded by the VSS cluster across all trunks. The flooded
> traffic generated by the VSS cluster is between 600 Mbps and 1 Gbps, and almost all of the
> flooded traffic is unicast and has the source MAC address of the VSS cluster.
> However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport. All of
> the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in
> switch 1 are the ones that have a single trunk instead of a MEC.
>
> We tried to investigate this on a low-importance link. The VSS cluster learned only 10 MAC
> addresses on one edge trunk configured as a 1 x 1G link. This edge trunk received the flood of
> unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually
> on the VSS cluster to allow only 4 VLANs instead of all. Allowing only 4 VLANs on this trunk
> stopped the flood on the edge trunk and stopped the flood on all other trunks as well.
>
> Does anyone have any idea about what can cause this?
>
> Thanks
>
> Catalin

From r.tahina at moov.mg Wed Aug 5 09:44:53 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Wed, 05 Aug 2009 16:44:53 +0300
Subject: [c-nsp] 7206 NPE-G2 - Cat 3750 sfp issue
In-Reply-To:
References: <7.0.1.0.2.20090730185902.04b8d458@moov.mg>
Message-ID: <7.0.1.0.2.20090805164429.02147ac8@moov.mg>

I tried every combination but got the same result.

Regards.

At 13:24 31/07/2009, Marko Milivojevic wrote:
>> I use 1000BASE-LX/LH (GLC-LH-SM) on both Catalyst and 7206 NPE-G2; interface and
>> protocol are up but I cannot do anything. What am I missing?
>
> How are your speed negotiation settings on both ends?
From benny+usenet at amorsen.dk Wed Aug 5 09:48:25 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 05 Aug 2009 15:48:25 +0200
Subject: [c-nsp] OT: Using wireshark to decode IPSec/ESP
In-Reply-To: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com> (Dale Shaw's message of "Wed, 5 Aug 2009 19:57:52 +1000")
References: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com>
Message-ID:

Dale Shaw writes:

> It's been years since I was armpit deep in IPSec but I am assuming the
> encryption key it wants is NOT the ISAKMP pre-shared key.

Nope, it wants the session key used for that particular session. This can be hard to get, depending on which platforms the IPSEC end points are. For Linux you can get the keys with ip xfrm state.

/Benny

From koug at intracom.gr Wed Aug 5 09:51:34 2009
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 5 Aug 2009 16:51:34 +0300 (GTB Daylight Time)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A7987C8.3070407@cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com>
Message-ID:

I think it will also show Null when it is forwarded but goes through a permit ACL with the log keyword.

John

On Wed, 5 Aug 2009, Rodney Dunn wrote:

> There are scenarios (NAT, ACL drops, etc.) where the dst in the NetFlow will
> show Null.
>
> A transit packet that is forwarded out will not (should not) show Null.
>
> Rodney
>
> luismi wrote:
>> I just configured a router here to use it, but it is quite strange because
>> I can see correct traffic routed to "null", and I didn't expect to see
>> that; I don't think it is correct.
>>
>> #sho ip cache flow | incl Null
>> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
>> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5
>>
>> 208.67.222.222 is the OpenDNS server, but the destination interface is
>> "null".
>>
>> Any idea why I see that? Is that correct (I don't think so)?

From dean at eatworms.org.uk Wed Aug 5 09:53:05 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 5 Aug 2009 14:53:05 +0100
Subject: [c-nsp] multipath BGP not balancing equally.
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com>
Message-ID: <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>

I would agree that that volume is rare between 2 IP addresses, but we have something similar, although not quite on that scale.

We NAT a very large organisation to the Internet. They have a large number of disparate sites that all do their own AV updates. All the PCs download at the same time in the evening and we generate about .75 Gb/s of traffic between our external PAT address and the AV download site for a good couple of hours. If we had a bigger internet pipe it would be a higher figure (for less time, of course).

Dean

----- Original Message -----
From: "Rodney Dunn"
To: "Mikael Abrahamsson"
Cc: "Cisco"
Sent: Wednesday, August 05, 2009 2:19 PM
Subject: Re: [c-nsp] multipath BGP not balancing equally.
> For small flow combinations you are right. BTW, it would be just L3
> src/dst flows by default unless the L4 port option is enabled.
>
> I thought about there being a single flow causing the difference that
> would be hashing down one of the paths. But 2G, while not impossible,
> typically isn't used between two IP addresses. It's something to check
> though, for sure.
>
> Rodney
>
> Mikael Abrahamsson wrote:
>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>
>>> That's usually caused by routes not being the same on the paths.
>>
>> It was my understanding that this usually was caused by not having enough
>> L4 flows to loadshare on...? Ie if you have 100 TCP flows and 4 paths,
>> then it's not enough flows to get good load share on, but if you instead
>> have 10k flows and all of them are low-speed, then the odds of them being
>> equally load shared is much better?
>>

From asturluismi at gmail.com Wed Aug 5 10:01:41 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 16:01:41 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A7987C8.3070407@cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com>
Message-ID: <1249480901.11065.35.camel@dsba-ipso>

Yes, this is a NAT scenario; maybe that is the reason. So far the router is working OK, and the service is OK too. So the "null" value must be related to NAT or something similar.
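As an added example (not code from this thread, from luismi's router or from Cisco), the script below parses the "sho ip cache flow" rows quoted in this thread and totals packets per DstIf bucket, so the Null0-routed traffic the original question asked about can be separated from "Null" rows that the replies attribute to drops or NAT and from "Local" rows terminated on the router. The sample rows are constructed, and treating "Nu0" as the Null0 interface is an assumption taken from Pierfrancesco's reply, not a confirmed fact.

```python
"""Summarise IOS "show ip cache flow" rows by destination interface.

Added example for the cisco-nsp thread; not code from the list or from
Cisco. Row layout follows the thread: SrcIf SrcIPaddress DstIf
DstIPaddress Pr SrcP DstP Pkts, with Pr and the ports printed in hex.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int      # IP protocol number (hex in the IOS output)
    src_port: int   # hex in the IOS output
    dst_port: int
    pkts: int


# One cache row; the packet count is optional because mail pastes often
# wrap it onto the following line (as in luismi's quoted output).
ROW_RE = re.compile(
    r"^(?P<sif>\S+)\s+(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dif>\S+)\s+(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})"
    r"(?:\s+(?P<pkts>\d+))?\s*$"
)

# Constructed sample: luismi's two rows (one with the count wrapped), one
# row in the shape Gert posted, an EIGRP hello, and two made-up rows for
# a real output interface and for Null0 (assumed to print as "Nu0").
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035
5
Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
Gi0/1.11      100.100.10.111  Null          224.0.0.10      58 0000 0000    47
Gi0/1.11      192.0.2.10      Gi0/3.123     203.0.113.5     06 C2F1 01BB   300
Gi0/1.11      192.0.2.11      Nu0           198.51.100.7    06 C2F2 0050    12
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse cache rows, ignoring header/summary lines and mail quoting."""
    lines = [ln.lstrip("> ").rstrip() for ln in text.splitlines()]
    flows: list[Flow] = []
    i = 0
    while i < len(lines):
        m = ROW_RE.match(lines[i])
        i += 1
        if not m:
            continue
        pkts = m["pkts"]
        if pkts is None:
            # packet count wrapped onto the next line
            if i < len(lines) and lines[i].strip().isdigit():
                pkts = lines[i].strip()
                i += 1
            else:
                raise ValueError(f"row without packet count: {m.group(0)!r}")
        flows.append(Flow(m["sif"], m["sip"], m["dif"], m["dip"],
                          int(m["pr"], 16), int(m["sp"], 16), int(m["dp"], 16),
                          int(pkts)))
    return flows


def classify(dst_if: str) -> str:
    """Bucket a DstIf value the way the replies in the thread distinguish them."""
    if dst_if == "Null":
        # ifindex 0: dropped (ACL, uRPF, no route) or taken over by a
        # software feature such as NAT, so no output interface is known
        return "null"
    if dst_if == "Local":
        return "local"      # terminated on the router itself (e.g. BGP)
    if dst_if.startswith("Nu"):
        return "null0"      # static route to Null0 (assumption: shown as Nu0)
    return "forwarded"


def packets_by_bucket(flows: list[Flow]) -> dict[str, int]:
    """Packet totals per bucket; "null0" is what the original question asked for."""
    totals: Counter[str] = Counter()
    for f in flows:
        totals[classify(f.dst_if)] += f.pkts
    return dict(totals)


def null_flows_by_service(flows: list[Flow], limit: int = 5):
    """Aggregate the "null" bucket by (proto, dst_ip, dst_port) so a NATted
    DNS conversation can be told apart from real drops before alarming."""
    agg: Counter[tuple[int, str, int]] = Counter()
    for f in flows:
        if classify(f.dst_if) == "null":
            agg[(f.proto, f.dst_ip, f.dst_port)] += f.pkts
    return agg.most_common(limit)


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    print(packets_by_bucket(parsed))
    for (proto, dst, dport), n in null_flows_by_service(parsed):
        print(f"proto {proto:>3} -> {dst}:{dport:<5} {n} pkts")
```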
From rdobbins at arbor.net Wed Aug 5 10:32:25 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 5 Aug 2009 21:32:25 +0700
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249480901.11065.35.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com> <1249480901.11065.35.camel@dsba-ipso>
Message-ID: <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>

On Aug 5, 2009, at 9:01 PM, luismi wrote:

> So the "null" value must be related to NAT or something similar.

Most Cisco routers (the main exceptions being 6500/7600/4500 switches, with their well-known NetFlow caveats regarding dropped traffic) show the destination ifindex as 0 when the traffic's being dropped (ACL, uRPF, PBR, QoS, et al.) or when the traffic is being intercepted by a software feature such as NAT or WCCP - in other words, when the RP doesn't know where the packet is going to end up.

In most scenarios, this is because traffic is being dropped. But if you're running NAT on this box, it's a good bet that a lot of what you're seeing is traffic being NATted, and you can sh ip nat trans to verify that.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From jp at saucer.midcoast.com Wed Aug 5 10:34:23 2009
From: jp at saucer.midcoast.com (jp)
Date: Wed, 5 Aug 2009 10:34:23 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A789329.8090804@ttec.com>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <4A789329.8090804@ttec.com>
Message-ID: <20090805143423.GA17144@saucer.midcoast.com>

We use a 7507 for about 800 DSL customers.
We've found it works more reliably and uses quite a bit less electricity using DC power. We'd had some random crashes on AC power from little power issues that weren't enough to activate UPSs. Then I got some DC power supplies on eBay for less than the cost of shipping, and a big old Lorain DC power supply from a Tadiran phone switch.

We use cold spares for parts. I've played with the redundant RSPs, but it's not a very clean cutover, and it takes a couple of minutes before everything is happy. I've seen issues too where something breaks, but things don't switch over.

I'm looking for even more power savings and wouldn't mind something non-Cisco for the ATM DSL aggregation. It'll probably eventually go Ethernet based instead of ATM, so I wouldn't be inclined to invest big in a short-term solution.

Basically, it's in a rural area with bad power reliability, and more power use == shorter battery runtime and more frequent generator refueling.

On Tue, Aug 04, 2009 at 03:59:37PM -0400, Joe Maimon wrote:
> I view the rpr feature as completely useless in the real world.
>
> Cold spares are way more effective.
>
> The last time I had a rp failure, it was fixed by yanking one and leaving
> the other.
>
> In other words, odds are it causes more issues than it resolves.
>
> Just added complexity for a box where it's already a support problem.
>
> Terminate your atm into an atm switch and run a bank of agg routers, 7200
> or 7500.
>
> Then you can bridge group them into both, or just manually throw pvc's from
> one router to the other.
>
> The 7500 are not worth the watts they consume.
>
>
> Walter Keen wrote:
>> Yes, I believe it was you. We are trying to migrate from a 7200 to a 7500
>> to gain route processor redundancy. Our traffic is typically 20mbit peak
>> from this site between 2 atm ds3's. Using radius, pppoa, and some dsl
>> subs are behind NAT, but we're slowly weeding them out into having a
>> typical dsl connection with a public ip.
>> Probably about 1k subscribers,
>> and in the next year or two we'll probably be moving them to an
>> ethernet-based handoff from the carriers to us.
>>
>> Rodney Dunn wrote:
>>> Probably me. ;)
>>>
>>> There were some issues around DSL termination in to a VRF that would not
>>> work.
>>>
>>> The platform was never targeted for that market space so I wouldn't use
>>> it.
>>>
>>> 72xx, 10k, or ASR would be the pick.
>>>
>>> The ISRs on the really, really low-end side.
>>>
>>> Rodney
>>>
>>>
>>>
>>> Buhrmaster, Gary wrote:
>>>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>>>
>>>> And while a memory parity error is probably hardware,
>>>> I have this vague recollection that someone from
>>>> Cisco (Rodney Dunn?) has on a couple of occasions
>>>> recommended against using a 7500 for broadband
>>>> aggregation, since the platform was simply not
>>>> targeted or tested to that role. One *would*
>>>> encounter things that do not work, and they would
>>>> end up being "won't fix" on that platform.

--
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From asturluismi at gmail.com Wed Aug 5 10:49:02 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 16:49:02 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com> <1249480901.11065.35.camel@dsba-ipso> <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>
Message-ID: <1249483742.11065.37.camel@dsba-ipso>

Yes, it is being translated by NAT for sure; I am 110% sure about that.

From gert at greenie.muc.de Wed Aug 5 10:58:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 16:58:41 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A797FEE.5090102@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com>
Message-ID: <20090805145841.GH290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
> Isn't all process-switched/punted traffic reported as ifout == Null in
> NetFlow?

If a given IOS version does that, it's a bug.

ifout = NULL usually means "traffic dropped due to ACL or no route".

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From frnkblk at iname.com Wed Aug 5 11:06:33 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 5 Aug 2009 10:06:33 -0500
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A793C90.9070004@infopact.nl>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <20090805071109.GG290@greenie.muc.de> <4A793C90.9070004@infopact.nl>
Message-ID:

Our DSLAM vendor supports PPPoA to PPPoE encapsulation/conversion (I'm not sure how), so that's our migration plan if we need to move to a new BRAS that doesn't have OC-3 interfaces.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of E. Versaevel
Sent: Wednesday, August 05, 2009 3:02 AM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7500 for DSL aggregation - RSP memory error?

The only drawback on the ASR1k platform is the lack of PPPoA support; otherwise we would have happily migrated away from our 7200/1G's.

We got 2 ASR1004's for Ethernet aggregation and they're doing just fine for that :)

>
> If you *insist* on having route-processor redundancy (what about interface
> and physical path redundancy?), I think you can do that with ASR1k, but
> I admit to not having any hands-on experience with that platform yet.
>

Erik Versaevel

From jarruda-cnsp at jarruda.com Wed Aug 5 11:07:09 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 11:07:09 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805145841.GH290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de>
Message-ID: <4A79A01D.3030007@jarruda.com>

Gert Doering wrote:
> Hi,
>
> On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
>> Isn't all process-switched/punted traffic reported as ifout == Null in
>> NetFlow?
>
> If a given IOS version does that, it's a bug.
>
> ifout = NULL usually means "traffic dropped due to ACL or no route".
>
> gert

Gert,

Traffic consumed by the router :-), that should be more specific. For example, OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel interface as outbound).

From jarruda-cnsp at jarruda.com Wed Aug 5 11:13:28 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 11:13:28 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805145841.GH290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de>
Message-ID: <4A79A198.2000202@jarruda.com>

Gert Doering wrote:
> Hi,
>
> On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
>> Isn't all process-switched/punted traffic reported as ifout == Null in
>> NetFlow?
>
> If a given IOS version does that, it's a bug.
>
> ifout = NULL usually means "traffic dropped due to ACL or no route".
>
> gert

Being more specific, since clearly I used the wrong term :-).. If traffic is processed by the CPU, be it NAT or OSPF/BGP/ICMP to the box itself, I saw in most cases that the netflow would be showing it as ifout == 0.
I saw in one specific case a couple of years ago, some VPN traffic also being
shown as IfOut=0, but this was in a 6500 running hybrid, not Native, and most
likely was not the expected behaviour.

From gert at greenie.muc.de Wed Aug 5 11:57:59 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 17:57:59 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A79A01D.3030007@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com>
Message-ID: <20090805155759.GI290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 11:07:09AM -0400, Julio Arruda wrote:
> >On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
> >>Isn't all process switched/punted traffic reported as ifout == Null in
> >>Netflow ?
> >
> >If a given IOS version does that, it's a bug.
> >
> >ifout = NULL usually means "traffic dropped due to ACL or no route".
> 
> Traffic consumed by the router :-), that should be more specific.
> Example, OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel
> interface as outbound).

I'm wondering a bit about VPN and NAT (I think this might depend very much on
platform, but at least the software platforms should know the output
interface).
BGP shows up on our 7200s as "Local" (addresses changed):

Cisco-7200>sh ip cache flow | inc 00B3
Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1

EIGRP is "Null", though:

Cisco-7200>sh ip cache flow | inc 224.0
Gi0/1.11      100.100.10.111  Null          224.0.0.10      58 0000 0000    47
Gi0/1.11      100.100.10.118  Null          224.0.0.10      58 0000 0000    51
Gi0/1.11      100.100.10.117  Null          224.0.0.10      58 0000 0000    56
Gi0/1.11      100.100.10.114  Null          224.0.0.10      58 0000 0000    65

gert
-- 
USENET is *not* the non-clickable part of WWW!              //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de

From jarruda-cnsp at jarruda.com Wed Aug 5 12:05:32 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 12:05:32 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805155759.GI290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com> <20090805155759.GI290@greenie.muc.de>
Message-ID: <4A79ADCC.2080909@jarruda.com>

Gert Doering wrote:
> Hi,
> 
> On Wed, Aug 05, 2009 at 11:07:09AM -0400, Julio Arruda wrote:
>>> On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
>>>> Isn't all process switched/punted traffic reported as ifout == Null in
>>>> Netflow ?
>>> If a given IOS version does that, it's a bug.
>>>
>>> ifout = NULL usually means "traffic dropped due to ACL or no route".
>> Traffic consumed by the router :-), that should be more specific.
>> Example, OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel
>> interface as outbound).
> 
> I'm wondering a bit about VPN and NAT (I think this might depend very
> much on platform, but at least the software platforms should know the
> output interface).
> 

On IPSEC, there is a great doc on www.cisco.com on the expected behaviour..
http://www.cisco.com/en/US/products/ps6601/products_white_paper09186a008022bde8.shtml

What I saw in old Catos+IOS was NOT something expected...but the customer
changed topology, so I'm not sure if they ever opened a case with their
support.

> BGP shows up on our 7200s as "Local" (addresses changed):
> 
> Cisco-7200>sh ip cache flow | inc 00B3
> Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
> Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
> Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
> Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
> Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
> Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1
> 

Interesting, how this is exported ? I seem to recall it would show as
ifout=0, but was looking at the 'out of the box experience' :-)
And as you said, it may quite well be platform dependent...

> EIGRP is "Null", though:
> 
> Cisco-7200>sh ip cache flow | inc 224.0
> Gi0/1.11      100.100.10.111  Null          224.0.0.10      58 0000 0000    47
> Gi0/1.11      100.100.10.118  Null          224.0.0.10      58 0000 0000    51
> Gi0/1.11      100.100.10.117  Null          224.0.0.10      58 0000 0000    56
> Gi0/1.11      100.100.10.114  Null          224.0.0.10      58 0000 0000    65
> 
> gert

From gert at greenie.muc.de Wed Aug 5 12:25:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 18:25:56 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A79ADCC.2080909@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com> <20090805155759.GI290@greenie.muc.de> <4A79ADCC.2080909@jarruda.com>
Message-ID: <20090805162556.GJ290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 12:05:32PM -0400, Julio Arruda wrote:
> >BGP shows up on our 7200s as "Local" (addresses changed):
> >
> >Cisco-7200>sh ip cache flow | inc 00B3
> >Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
> >Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
> >Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
> >Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
> >Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
> >Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1
> 
> Interesting, how this is exported ? I seem to recall it would show as
> ifout=0, but was looking at the 'out of the box experience' :-)

I was checking the caches on the box only.  Let me go to the netflow
data...

Indeed, you're right.  These show up on the router as definitely distinct
from "Null", but in the export, they have "out if = 0".

OTOH, our 7600s (SXF/SXH) don't seem to export flows to "local" at all...

Amazing :)

gert
-- 
USENET is *not* the non-clickable part of WWW!              //www.muc.de/~gert/
Gert Doering - Munich, Germany                         gert at greenie.muc.de
fax: +49-89-35655025                    gert at net.informatik.tu-muenchen.de
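The export behaviour Gert confirms above (flows the router consumed itself and flows it dropped both leave the box with output ifIndex 0, so a collector cannot separate them on that field alone) is easy to see in the raw NetFlow v5 records. The following Python is an added example, not code from this thread or from any Cisco tool: it packs and parses v5 export datagrams and classifies out_if == 0 flows as "consumed" only when the destination is one of the router's own addresses or a routing-protocol multicast group, and as "dropped" otherwise. The addresses, interface indexes and counters are constructed for the example (modelled on the anonymised rows quoted above), and the set of router addresses is an assumption the caller has to supply from its own inventory.

```python
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass

# NetFlow v5 wire format: 24-byte header followed by `count` fixed 48-byte
# records, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Routing-protocol multicast groups a router consumes itself (never forwarded).
LINK_LOCAL_CONTROL = {
    ipaddress.ip_address("224.0.0.5"),   # OSPF AllSPFRouters
    ipaddress.ip_address("224.0.0.6"),   # OSPF AllDRouters
    ipaddress.ip_address("224.0.0.9"),   # RIPv2
    ipaddress.ip_address("224.0.0.10"),  # EIGRP
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_if: int
    out_if: int
    packets: int
    octets: int
    sport: int
    dport: int
    proto: int


def build_v5_packet(flows, seq=0):
    """Pack a NetFlow v5 export datagram (constructed test data, not a capture)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(f.src.packed, f.dst.packed, b"\x00" * 4,
                       f.in_if, f.out_if, f.packets, f.octets, 0, 0,
                       f.sport, f.dport, 0, 0, f.proto, 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def parse_v5_packet(data):
    """Return the Flow records in one v5 datagram; reject other versions."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export datagram")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(data, off)
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          in_if, out_if, pkts, octets, sport, dport, proto))
    return flows


def classify(flow, local_addrs):
    """
    out_if == 0 covers both traffic the router consumed ("Local" in
    `show ip cache flow`) and traffic it discarded (ACL deny, no route).
    Only a destination that is the router itself, or a routing-protocol
    multicast group, can be recognised as "consumed" from the record alone.
    """
    if flow.out_if != 0:
        return "forwarded"
    if flow.dst in local_addrs or flow.dst in LINK_LOCAL_CONTROL:
        return "consumed"
    return "dropped"


def summarize(data, local_addrs):
    """Parse one datagram and count flows per class."""
    return Counter(classify(f, local_addrs) for f in parse_v5_packet(data))


# Constructed sample, modelled on the anonymised rows quoted in the thread.
# ROUTER_ADDRS is an assumption: the collector must know the router's own IPs.
ROUTER_ADDRS = {ipaddress.ip_address("100.100.10.200")}
SAMPLE_FLOWS = [
    # BGP session terminated on the router: "Local" on the box, out_if 0 in export
    Flow(ipaddress.ip_address("100.100.10.219"), ipaddress.ip_address("100.100.10.200"),
         3, 0, 65, 4160, 0x8355, 179, 6),
    # EIGRP hello to 224.0.0.10, IP protocol 88 (shown as 58 hex above)
    Flow(ipaddress.ip_address("100.100.10.111"), ipaddress.ip_address("224.0.0.10"),
         1, 0, 47, 3290, 0, 0, 88),
    # Something an ACL or a missing route discarded: out_if 0 as well
    Flow(ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address("203.0.113.9"),
         3, 0, 12, 624, 50123, 445, 6),
    # Ordinary transit traffic with a real output interface
    Flow(ipaddress.ip_address("100.100.10.46"), ipaddress.ip_address("203.0.113.20"),
         1, 3, 2, 120, 0x8BA5, 443, 6),
]
SAMPLE_DATAGRAM = build_v5_packet(SAMPLE_FLOWS, seq=1)

if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAM, ROUTER_ADDRS))
```

From a detection standpoint the "dropped" bucket is the interesting one: that is where ACL denies and traffic to unrouted space land, so a burst there from one source is worth alerting on, but only after the collector has set aside the control-plane flows that share the same ifIndex 0, otherwise every BGP and EIGRP session looks like a drop.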
From ecables at gmail.com Wed Aug 5 14:06:39 2009
From: ecables at gmail.com (Eric Cables)
Date: Wed, 5 Aug 2009 11:06:39 -0700
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>
References: <745803.32277.qm@web27904.mail.ukl.yahoo.com> <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>
Message-ID:

Take a look at this..

http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml#oob_mac

Cisco also recommends that once you enable OOB Synchronization, that the MAC
aging timer be set to at least 3x the synchronization timer of 160:

"Configure the MAC aging timer to three times the MAC synchronization timer
value. The default MAC synchronization and MAC aging timers can cause unknown
unicast flooding. VSS can cause traffic to flow asymmetrically such that the
source MAC address is only learned on one chassis. The MAC aging timer of 300
seconds and MAC synchronization timer of 160 seconds allows for up to 20
seconds of unknown unicast flooding for any given MAC address in a 320 second
interval. In order to resolve this, change the timers such that the aging
timer is three times as long as synchronization timer, for example,
mac-address-table aging-time 480."

-- Eric Cables

On Wed, Aug 5, 2009 at 6:32 AM, Matthew Huff wrote:

> I would suspect it's a timeout issue caused by it aging out of the arp cache
> and not the tcam table.
>
> Try adding "mac-address-table aging-time 14400" to the config. This usually
> happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the
> return path may be asymmetrical.
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte
> > Sent: Wednesday, August 05, 2009 7:30 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] VSS 1440 issues
> >
> > Hi,
> >
> > I recently clustered 2 Catalysts 6509's into a VSS 1440 Virtual switch.
> >
> > Details about the cluster:
> >
> > - Software version: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M),
> >   Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
> >
> > - Supervisor: VS-S720-10G with one 10G port used as VSL link
> >
> > - Linecards Active chassis:
> >   1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
> >   4 x WS-X6748-GE-TX
> >
> > - Linecards Standby chassis:
> >   1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
> >   2 x WS-X6748-GE-TX
> >
> > The 6748 line cards are used and configured for MEC Etherchannels.
> >
> > At the other end of the MEC channels there are non-Cisco edge switches.
> > The multi chassis Ether Channels are configured as 2 x 1G links, and
> > single switchport trunks are configured as 1 x 1G links. All vlans are
> > allowed on the single switchport trunks and port channels from VSS
> > Cluster to the edge switches.
> >
> > The issue is that unicast traffic is flooded by the VSS Cluster across
> > all trunks. The flooded traffic generated by the VSS cluster is between
> > 600mbps and 1gbps, and almost all of the flooded traffic is unicast and
> > has the source MAC address of the VSS Cluster. However, if the trunk is
> > a MEC, the unicast traffic is flooded only on one switchport.
> > All of the flooded ports in MECs are on switch 2 in the VSS cluster.
> > The only ports flooded in switch 1 are the ones that have a single
> > trunk instead of MEC.
> >
> > We tried to investigate this on a low importance link. The VSS cluster
> > learned only 10 MAC addresses on one edge trunk configured as 1 x 1G
> > link. This edge trunk received the flood of unicast traffic from the
> > VSS cluster as well. During testing, this trunk was modified manually
> > on the VSS Cluster, to allow only 4 VLANS instead of all. Allowing only
> > 4 vlans on this trunk stopped the flood on the edge trunk and stopped
> > the flood on all other trunks as well.
> >
> > Does anyone have any idea about what can cause this?
> >
> > Thanks
> >
> > Catalin

From jared.a.gillis at gmail.com Wed Aug 5 15:57:10 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 05 Aug 2009 12:57:10 -0700
Subject: [c-nsp] IS-IS route separation/filtering
Message-ID: <4A79E416.7040909@gmail.com>

Hello all,

I'm trying to accomplish something with an IS-IS network, and I'm starting to
think it may not be possible, but I'm hoping someone here might have a
suggestion to help.

Basically, what I'm trying to accomplish is to have two routers subtended off
an aggregation router. So, say Router A has a link to Router B and Router C.
I want Router A to advertise a default route to B and C (this I have done),
and B and C should announce their routes to A (also done), but I do *not*
want B to learn C's routes, nor C to learn B's. This is my sticking point.

Currently my config is that A is L1/L2 and B and C are L1 only, but since they
are all in the same area, they learn all of each other's routes. I could put B
and C into different areas, and put A into both of those areas as well, but I
need to have up to 15-20 L1 routers hung off of Router A, and all the docs
say that you can only configure 3 NET addresses on a Cisco router, so this
won't scale to what I need.

Basically I'm trying to replicate the concept of an OSPF
totally-stubby-not-so-stubby-area in IS-IS, and I'm starting to question
whether it can be done. My network design is fairly flexible at this point
(the only requirements are that it run IS-IS and L1 routers don't learn each
other's routes), so I'm open to any ideas or suggestions.

Thanks for your time
-Jared

From rodunn at cisco.com Wed Aug 5 16:23:27 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 16:23:27 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>
Message-ID: <4A79EA3F.6060002@cisco.com>

Ah...good one. If the sources were not random enough and it's NAT'ed to one
external ip you could really be multiplexing flows with NAT. ;)

Dean Smith wrote:
> Would agree that volume is rare between 2xIP addresses but we have
> something similar although on not quite the scale.
> 
> We NAT a very large organisation to the Internet. They have a large
> number of disparate sites that all do their own AV updates.
> All the PCs download at the same time in the evening and we generate about
> .75 Gb/s of traffic between our external PAT address and the AV download
> site for a good couple of hours. If we had a bigger internet pipe it would
> be a higher figure. (for less time of course).
> 
> Dean
> ----- Original Message ----- From: "Rodney Dunn"
> To: "Mikael Abrahamsson"
> Cc: "Cisco"
> Sent: Wednesday, August 05, 2009 2:19 PM
> Subject: Re: [c-nsp] multipath BGP not balancing equally.
> 
>> For small flow combinations you are right. btw, it would be just L3
>> src/dst flows by default unless the L4 port option is enabled.
>>
>> I thought about there being a single flow causing the difference that
>> would be hashing down one of the paths. But 2G, while not impossible,
>> typically isn't used between two ip addresses. It's something to check
>> though for sure.
>>
>> Rodney
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>
>>>> That's usually caused by routes not being the same on the paths.
>>>
>>> It was my understanding that this usually was caused by not having
>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and
>>> 4 paths, then it's not enough flows to get good load share on, but if
>>> you instead have 10k flows and all of them are low-speed, then the
>>> odds of them being equally load shared is much better?

From carl at outerloop.net Wed Aug 5 17:19:59 2009
From: carl at outerloop.net (Carl Jones)
Date: Thu, 6 Aug 2009 09:19:59 +1200
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
In-Reply-To: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>
References: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>
Message-ID:

On Wed, Aug 5, 2009 at 8:24 PM, Michael Schedrin wrote:
>> core-dal#sh platform tcam utilization
>>
>> CAM Utilization for ASIC# 0                 Max            Used
>>                                          Masks/Values   Masks/values
>>
>>  Unicast mac addresses:                    400/3200       373/2911
>
> Look at "sh mac address-table count"  Check "Total Mac Address Space
> Available:"
> 3750 has a table for 6000 mac addresses. If you stack 3*3750, this bundle
> will also have table of 6000.

Yep, that seems to be it:

core-dal#sh mac address-table count | in Space
Total Mac Address Space Available: 0

>> I suspect I may be seeing TCAM exhaustion. Any suggestions on how I
>> can confirm or avoid that?
>
> You have two ways to avoid the problem. First - change sdm to "vlan".
> Second - disassemble stack and make every switch use its own
> mac-address-table and tcam. In total you will have a 6000*3 mac address
> table.

Thanks for your suggestions Michael. Makes sense.

Regards,
Carl

From daniel at bit.nl Wed Aug 5 17:21:46 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 5 Aug 2009 23:21:46 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A79E416.7040909@gmail.com>
References: <4A79E416.7040909@gmail.com>
Message-ID:

On Aug 5, 2009, at 9:57 PM, Jared Gillis wrote:
> Basically I'm trying to replicate the concept of an OSPF
> totally-stubby-not-so-stubby-area in IS-IS, and I'm starting to
> question whether it can be done. My network design is fairly flexible
> at this point (the only requirements are that it run IS-IS and L1
> routers don't learn each other's routes), so I'm open to any ideas or
> suggestions.

have a look at IS-IS mesh-groups. Although designed for a different purpose,
it might work.
Stick router A and all of its stub routers into the same L1 area. On router
A, put all interfaces towards the stub routers in the same mesh-group.

PS. My preference would be to use BGP for the external routes and use IS-IS
only to distribute the loopback IPs. Also makes filtering towards the stub
routers a lot easier using route-maps etc. Depending on your
gear/software/etc that might not be an option here though.

--Daniel.

From lowen at pari.edu Wed Aug 5 16:38:02 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 5 Aug 2009 16:38:02 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <20090805143423.GA17144@saucer.midcoast.com>
References: <4A78048B.60803@rainierconnect.net>
Message-ID: <200908051638.02436.lowen@pari.edu>

On Wednesday 05 August 2009 10:34:23 am jp wrote:
> We use cold spares for parts. I've played with the redundant RSPs, but
> it's not a very clean cutover, and it takes a couple minutes before
> everything is happy. I've seen issues too where something breaks, but
> things don't switch over.

I've got a couple of 7507's as well, but not doing DSL agg with them.

RPR+ is the slow option for redundant RSP's, and is the best you can do with
12.4 IOS. 12.0(32)S supports SSO/NSF (at least on the RSP8's that I have),
and that switchover isn't bad; not as smooth as 12000 GRP SSO/NSF, but not
bad.
-- 
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
http://www.pari.edu

From jared.a.gillis at gmail.com Wed Aug 5 18:02:47 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 05 Aug 2009 15:02:47 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To:
References: <4A79E416.7040909@gmail.com>
Message-ID: <4A7A0187.8070807@gmail.com>

Daniel Verlouw wrote:
> have a look at IS-IS mesh-groups. Although designed for a different
> purpose, it might work. Stick router A and all of its stub routers into
> the same L1 area.
> On router A, put all interfaces towards the stub routers in the same
> mesh-group.

Hm, interesting thought. Unfortunately, it doesn't seem to pan out in the lab.
The LSPs don't seem to get flooded, but the routes do get passed through
Router A to all the stub routers, regardless of how I set up the mesh-groups.

> PS. My preference would be to use BGP for the external routes and use
> IS-IS only to distribute the loopback IPs. Also makes filtering towards
> the stub routers a lot easier using route-maps etc. Depending on your
> gear/software/etc that might not be an option here though.

This is almost what I'm trying to do, there will be very few routes in IS-IS,
but the decree from on high is that each stub router should be totally stubby
=(

> --Daniel.

From dean at eatworms.org.uk Wed Aug 5 17:34:53 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 5 Aug 2009 22:34:53 +0100
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A79EA3F.6060002@cisco.com>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID: <00ba01ca1614$9235d940$b6a18bc0$@org.uk>

Exactly what's happening. On a couple of occasions when only 1 IP address at
the far end is active for downloads we see the traffic on just one of our
links because it's all 1 IP to 1 IP (which was the point I was going to
make...and then forgot!) instead of all 3 links. In this case it's 1 BGP
peering (eBGP multihop) that has 3 equal cost paths between but the principle
is the same. (we can't go per packet CEF load balancing because the far end
doesn't support it - and the major traffic flow is inbound to us)

Dean

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: 05 August 2009 21:23
To: Dean Smith
Cc: Mikael Abrahamsson; Cisco
Subject: Re: [c-nsp] multipath BGP not balancing equally.

Ah...good one.
If the sources were not random enough and it's NAT'ed to one external ip you
could really be multiplexing flows with NAT. ;)

Dean Smith wrote:
> Would agree that volume is rare between 2xIP addresses but we have
> something similar although on not quite the scale.
> 
> We NAT a very large organisation to the Internet. They have a large
> number of disparate sites that all do their own AV updates. All the PCs
> download at the same time in the evening and we generate about .75 Gb/s
> of traffic between our external PAT address and the AV download site for
> a good couple of hours. If we had a bigger internet pipe it would be a
> higher figure. (for less time of course).
> 
> Dean
> ----- Original Message ----- From: "Rodney Dunn"
> To: "Mikael Abrahamsson"
> Cc: "Cisco"
> Sent: Wednesday, August 05, 2009 2:19 PM
> Subject: Re: [c-nsp] multipath BGP not balancing equally.
> 
>> For small flow combinations you are right. btw, it would be just L3
>> src/dst flows by default unless the L4 port option is enabled.
>>
>> I thought about there being a single flow causing the difference that
>> would be hashing down one of the paths. But 2G, while not impossible,
>> typically isn't used between two ip addresses. It's something to check
>> though for sure.
>>
>> Rodney
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>
>>>> That's usually caused by routes not being the same on the paths.
>>>
>>> It was my understanding that this usually was caused by not having
>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and
>>> 4 paths, then it's not enough flows to get good load share on, but if
>>> you instead have 10k flows and all of them are low-speed, then the
>>> odds of them being equally load shared is much better?
From David at hughes.com.au Wed Aug 5 17:47:59 2009
From: David at hughes.com.au (David Hughes)
Date: Thu, 6 Aug 2009 07:47:59 +1000
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A79EA3F.6060002@cisco.com>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID:

Hi

But seeing as the OP indicated that one of the circuits was 2GB
*underutilised* you'd be looking for 3 src/dst pairs that were all doing 2GB
to get this situation. It's looking pretty unlikely that this is a hashing
issue.

David
...

On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:

> Ah...good one. If the sources were not random enough and it's NAT'ed
> to one external ip you could really be multiplexing flows with NAT. ;)
>
> Dean Smith wrote:
>> Would agree that volume is rare between 2xIP addresses but we have
>> something similar although on not quite the scale.
>> We NAT a very large organisation to the Internet. They have a large
>> number of disparate sites that all do their own AV updates. All the
>> PCs download at the same time in the evening and we generate about
>> .75 Gb/s of traffic between our external PAT address and the AV
>> download site for a good couple of hours. If we had a bigger
>> internet pipe it would be a higher figure. (for less time of course).
>> Dean
>> ----- Original Message ----- From: "Rodney Dunn"
>> To: "Mikael Abrahamsson"
>> Cc: "Cisco"
>> Sent: Wednesday, August 05, 2009 2:19 PM
>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>> For small flow combinations you are right. btw, it would be just
>>> L3 src/dst flows by default unless the L4 port option is enabled.
>>>
>>> I thought about there being a single flow causing the difference
>>> that would be hashing down one of the paths. But 2G, while not
>>> impossible, typically isn't used between two ip addresses. It's
>>> something to check though for sure.
>>>
>>> Rodney
>>>
>>> Mikael Abrahamsson wrote:
>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>
>>>>> That's usually caused by routes not being the same on the paths.
>>>>
>>>> It was my understanding that this usually was caused by not
>>>> having enough L4 flows to loadshare on...? Ie if you have 100 TCP
>>>> flows and 4 paths, then it's not enough flows to get good load
>>>> share on, but if you instead have 10k flows and all of them are
>>>> low-speed, then the odds of them being equally load shared is
>>>> much better?

From cisco-nsp at itpro.co.nz Wed Aug 5 19:50:11 2009
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Thu, 6 Aug 2009 11:50:11 +1200 (NZST)
Subject: [c-nsp] VSS Best Practices
Message-ID: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>

Cisco VSS best practice document states

Recommendations
* Always run L2 or L3 MEC.
* Do not use on and off options with PAgP or LACP or Trunk protocol
  negotiation.
  o PAgP - Run Desirable-Desirable with MEC links.
  o LACP - Run Active-Active with MEC links.
  o Trunk - Run Desirable-Desirable with MEC links.

http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml

There is not really any explanation of the reasoning behind these
recommendations. If anyone can explain the rationale that would be great.

I would also be interested to hear what settings people are using in
production, why and how that is going. Generally in non VSS setups I have
found setting links explicitly to trunk mode and as etherchannel members has
been reliable and would like to understand why they are not recommended
above.

Thanks

Ivan

From carl at outerloop.net Wed Aug 5 21:21:14 2009
From: carl at outerloop.net (Carl Jones)
Date: Thu, 6 Aug 2009 13:21:14 +1200
Subject: [c-nsp] 3750 Suggestions?
Message-ID:

Hi all,

I'm looking for something suitable to take the load from our 3750G stack. But
I'm not quite sure what the best solution would be. Some details of the
issues I'm seeing:

https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html

I anticipate the new setup will eventually need to handle roughly double the
number of IPs and VLANs the stack is currently (not) handling, with 4 routed
interfaces (2x GigE, 2x FE).

A couple of suggestions I've had so far is a router to handle everything L3,
and use the VLAN template on the 3750s. Or replace them with a 6500 series
switch. Or use a 4948 for L3 and/or replacing the 3750s.

Any suggestions appreciated.

Regards,
Carl

From justin at justinshore.com Thu Aug 6 01:27:24 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 06 Aug 2009 00:27:24 -0500
Subject: [c-nsp] Policing on a 3560
In-Reply-To:
References:
Message-ID: <4A7A69BC.3000009@justinshore.com>

I'm getting pushback from TAC on this.
They're telling me that using class-default is unsupported and they pointed
me to the config guide for the platform as proof:

http://www.cisco.com/en/US/partner/docs/switches/metro/catalyst3750m/software/release/12.2_50_se/configuration/guide/swuncli.html

I haven't gotten an actual answer from my engineer yet on what I'm doing
wrong. I thought policing was simple and that this would be a simple fix.

Justin

Sigurbjörn Birkir Lárusson wrote:
> Why not use class-default?
> 
> Kind regards,
> Sibbi

From davidwarner1975 at yahoo.com.au Thu Aug 6 03:11:54 2009
From: davidwarner1975 at yahoo.com.au (David Warner)
Date: Thu, 6 Aug 2009 00:11:54 -0700 (PDT)
Subject: [c-nsp] 3800 - HSRP/ARP issue
Message-ID: <996865.95399.qm@web111620.mail.gq1.yahoo.com>

Hi All,

Just came up against a bit of a weird issue and would appreciate some
advice/input.

Basic environment of two 3800s operating HSRP and plugging into a layer 2
switch network where servers connect (there are only 2-3 servers attached to
two switches at the moment). On the face of it it looks like an ARP issue but
unable to confirm and we can't even clear tables until a maintenance window is
arranged but obviously need to do some research.

Base config on each 3800 is as follows:

interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding TEST
 ip address 192.168.23.13x 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 standby 3 ip 192.168.23.129
 standby 3 priority xxx
 standby 3 preempt
 standby 3 track GigabitEthernet0/0.200

The issue we're seeing is that dead IP addresses in the range are resolving to
the same MAC of the HSRP active (the physical interface). Only three of these
IP addresses are live on this VLAN (141-143 - servers are unable to see the
network). Any ideas why:

a) the interface is holding ARP entries (age is zero) for a large part of
   this subnet when no devices with these IP are on the network?
b) CEF tables show a (?) against the only "real"
   server IP addresses on the network. I'm assuming a dodgy ARP table will
   upset the CEF tables.

This issue is causing connectivity problems to the servers on this subnet.
Looks buggy to me :)

SydPrimary01#sh ip arp vrf TEST
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.23.250          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  10.220.80.33          125   0000.5e00.0165  ARPA   GigabitEthernet0/0.231
Internet  10.220.80.46            -   0000.0c07.ac17  ARPA   GigabitEthernet0/0.231
Internet  10.220.80.45            -   0023.0470.85c0  ARPA   GigabitEthernet0/0.231
Internet  192.168.23.164          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.163          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.162          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.161          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.160          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.154          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.153          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.152          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.151          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.150          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.144          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.143          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.142          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.141          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.140          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.139          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.138          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.137          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.136          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.135          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.134          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.133          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.132          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.131          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.130          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.129          -   0000.0c07.ac17  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.128          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100

SydPrimary01#sh int gi0/0/0 | i 0023.0470.85c3
  Hardware is PM-3387, address is 0023.0470.85c3 (bia 0023.0470.85c3)

NPMDS5DAWMDAR01#sh ip cef vrf TEST
Prefix              Next Hop             Interface
0.0.0.0/0           10.220.80.33         GigabitEthernet0/0.231
0.0.0.0/8           drop
0.0.0.0/32          receive
10.136.191.0/24     192.168.23.150       GigabitEthernet0/0/0.100
10.220.80.32/28     attached             GigabitEthernet0/0.231
10.220.80.32/32     receive
10.220.80.33/32     10.220.80.33         GigabitEthernet0/0.231
10.220.80.45/32     receive
10.220.80.46/32     receive
10.220.80.47/32     receive
10.220.194.141/32   192.168.23.141 (?)   GigabitEthernet0/0/0.100
10.220.194.142/32   192.168.23.142 (?)   GigabitEthernet0/0/0.100
10.220.194.143/32   192.168.23.143 (?)   GigabitEthernet0/0/0.100
127.0.0.0/8         drop
192.168.23.128/25   attached             GigabitEthernet0/0/0.100
192.168.23.128/32   receive
192.168.23.129/32   receive
192.168.23.130/32   receive
192.168.23.131/32   receive
192.168.23.132/32   receive
192.168.23.133/32   receive
192.168.23.134/32   receive
192.168.23.135/32   receive
192.168.23.136/32   receive
192.168.23.137/32   receive
192.168.23.138/32   receive
192.168.23.139/32   receive
192.168.23.140/32   receive
192.168.23.141/32   receive
192.168.23.142/32   receive
192.168.23.143/32   receive
192.168.23.144/32   receive
192.168.23.150/32   receive
192.168.23.151/32   receive
192.168.23.152/32   receive
192.168.23.153/32   receive
192.168.23.154/32   receive
192.168.23.160/32   receive
192.168.23.161/32   receive
192.168.23.162/32   receive
192.168.23.163/32   receive
192.168.23.164/32   receive
192.168.23.250/32   receive
192.168.23.255/32   receive
224.0.0.0/4         drop
224.0.0.0/24        receive
240.0.0.0/4         drop
255.255.255.255/32  receive

SydPrimary01#sh ip cef vrf TEST 192.168.23.141 detail
192.168.23.141/32, version 50, epoch 0, receive

Cheers,
David

From zivl at gilat.net Thu Aug 6 03:27:19 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 6 Aug 2009 10:27:19 +0300
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789A5D.4040705@justinshore.com>
References: <4A789A5D.4040705@justinshore.com>
Message-ID:

I had the same problem when trying to police L2 traffic and I've been told to
use the dscp default to match all traffic.
You don't need to qualify it, it is already default, so why set it again?
This is what you should try based on what I use and it works fine:

! Don't forget to set this globally
mls qos
!
class-map match-all ALL
 match ip dscp 0
!
policy-map Re-color-BE
 description Police to 10Mbps CIR - Re-color ALL to BE
 class ALL
  police 10000000 8000 exceed-action drop
  ! not sure the following line is required
!
set ip dscp default Hope this helps Ziv -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Tuesday, August 04, 2009 11:30 PM To: 'Cisco-nsp' Subject: [c-nsp] Policing on a 3560 I'm having a little trouble doing something that should be simple. I'm using a 3560 as a CPE to break up multiple services and bind them to unique switchports. I don't normally use 3560s for this. The port in question is for a 10Mbp PtP with no SLA across our backbone. What I currently have is apparently not doing anything and I fail to see the flaw in my logic: class-map match-all ALL ! ! policy-map Re-color-BE description Police to 10Mbps CIR - Re-color ALL to BE class ALL police 10000000 8000 exceed-action drop set ip dscp default This is my QoS trust boundary so I'm re-coloring to 0 and setting muy CIR to 10Mbps. The switch wouldn't let me define 'match any' in the class-map. I suspect that I'm not matching anything because of that. I want to match anything coming in that interface and police it to the CIR and drop everything else. I must be missing something but I'm not sure what it is. Is there something unique about this platform? The IOS is 12.2(50)SE1. Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ __________ Information from ESET NOD32 Antivirus, version of virus signature database 4310 (20090805) __________ The message was checked by ESET NOD32 Antivirus. 
From peter at rathlev.dk Thu Aug 6 04:53:14 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Aug 2009 10:53:14 +0200
Subject: [c-nsp] OT: Sniffing TCP connection quality
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID: <1249548794.4662.10.camel@abehat.net.rm.dk>

Thank you all for the pointers. Tcptrace does seem quite interesting, even though it doesn't seem to be actively maintained since 2004.

I had of course overlooked Arbor Peakflow SP, which seems very interesting. Would there happen to be anybody on this list using Peakflow for quality analysis? Any comments on how it does?

Regards,
Peter

On Wed, 2009-08-05 at 10:48 +0200, Andrew Yourtchenko wrote:
> Hi Peter,
>
> On Tue, 4 Aug 2009, Peter Rathlev wrote:
>
> > I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> > this looks very promising, but it doesn't seem to be able to analyze the
> > different flows separately.
>
> Have you taken a look at http://jarok.cs.ohiou.edu/software/tcptrace/ ?
>
> It can handle multiple flows and outputs quite a lot of interesting
> aggregate data. Though, AFAIK it needs the pcap file (as opposed to
> reporting about the traffic realtime).
>
> cheers,
> andrew

From daniel at bit.nl Thu Aug 6 04:58:51 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Thu, 06 Aug 2009 10:58:51 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A7A0187.8070807@gmail.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com>
Message-ID: <1249549131.28552.14.camel@daniel.office.bit.nl>

On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
> The LSPs don't seem to get flooded, but the routes do get passed through Router
> A to all the stub routers, regardless of how I set up the mesh-groups.

right. Mesh-groups block only LSPs; CSNPs would still be flooded.

> This is almost what I'm trying to do, there will be very few routes in IS-IS,
> but the decree from on high is that each stub router should be totally stubby =(

-why- !?

--Daniel.

From edlazerus20 at gmail.com Thu Aug 6 07:50:28 2009
From: edlazerus20 at gmail.com (Ed Lazerus)
Date: Thu, 6 Aug 2009 21:50:28 +1000
Subject: [c-nsp] Single LNS, two providers

Hi,

We have an LNS (7200) configured for DSL from one provider. We wish to keep this provider; however, they only offer us DSL1, but we are negotiating with another wholesaler to supply us with ADSL2+ (only).

My question is how easy is it to have this single LNS server service all customers using two wholesalers.

Is it a matter of duplicating the following?

vpdn-group cca1
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip 10.255.255.2
 lcp renegotiation on-mismatch
 l2tp tunnel password XXXXXXX
 ip mtu adjust
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip tcp adjust-mss 1360
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication pap chap

/Ed/

From manafo at hotmail.com Thu Aug 6 08:13:33 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:13:33 +0300
Subject: [c-nsp] Deny Default Route Propagation

hello,

In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area don't accept the default route from that router.

Thank you,
Manaf

From manafo at hotmail.com Thu Aug 6 08:28:35 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:28:35 +0300
Subject: [c-nsp] 3750 Suggestions?

use the "desktop vlan" template

--------------------------------------------------
From: "Carl Jones"
Sent: Thursday, August 06, 2009 4:21 AM
To: "cisco-nsp"
Subject: [c-nsp] 3750 Suggestions?

> Hi all,
>
> I'm looking for something suitable to take the load from our 3750G
> stack. But I'm not quite sure what the best solution would be.
>
> Some details of the issues I'm seeing:
> https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html
>
> I anticipate the new setup will eventually need to handle roughly
> double the number of IPs and VLANs the stack is currently (not)
> handling, with 4 routed interfaces (2x GigE, 2x FE).
>
> A couple of suggestions I've had so far is a router to handle
> everything L3, and use the VLAN template on the 3750s. Or replace them
> with a 6500 series switch. Or use a 4948 for L3 and/or replacing the
> 3750s.
>
> Any suggestions appreciated.
>
> Regards,
> Carl

From manafo at hotmail.com Thu Aug 6 08:33:16 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:33:16 +0300
Subject: [c-nsp] Single LNS, two providers

why don't you configure another vpdn-group with another virtual-template interface? it should be working very well!

--------------------------------------------------
From: "Ed Lazerus"
Sent: Thursday, August 06, 2009 2:50 PM
Subject: [c-nsp] Single LNS, two providers

> Hi,
>
> We have an LNS (7200) configured for DSL from one provider, we wish to
> keep
> this provider, however they only offer us DSL1, but we are negotiating
> with
> another wholesaler to supply us with ADSL2+ (only) .
>
> My question is how easy is it to have this single LNS server to service
> all
> customers using two wholesalers
>
> Is it a matter of duplicating the following?
>
> vpdn-group cca1
> accept-dialin
> protocol l2tp
> virtual-template 1
> source-ip 10.255.255.2
> lcp renegotiation on-mismatch
> l2tp tunnel password XXXXXXX
> ip mtu adjust
> !
> interface Virtual-Template1
> ip unnumbered Loopback0
> ip tcp adjust-mss 1360
> peer default ip address pool default
> ppp mtu adaptive
> ppp authentication pap chap
>
>
>
> /Ed/

From Bagosi.Romeo at iqsys.hu Thu Aug 6 08:01:02 2009
From: Bagosi.Romeo at iqsys.hu (Bagosi Róméó)
Date: Thu, 6 Aug 2009 14:01:02 +0200
Subject: [c-nsp] Monitoring VPN User on ASA
In-Reply-To: <008901ca0fef$d599fe80$80cdfb80$@com>
References: <008901ca0fef$d599fe80$80cdfb80$@com>
Message-ID: <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.392.1.3.21.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true

Permission: not-accessible

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Narma Wahyuadi
Sent: Wednesday, July 29, 2009 3:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Monitoring VPN User on ASA

I want to monitor vpn users on my ASA by snmp. It can trap the vpn group but it cannot trap the username (no such object available). I use oid 1.3.6.1.4.1.9.9.392.1.3.21.1.1, can you help me solve this problem?
From b.turnbow at twt.it Thu Aug 6 09:03:56 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 6 Aug 2009 15:03:56 +0200
Subject: [c-nsp] 3750 Suggestions?

It'll give you more MAC space, but you'll have the same problem with routes. VLAN is basically a layer 2 only template, so all your IP routes will not be hardware forwarded. For this you'd need an external router. You could try and take a 3750 out of the stack and use it as the router; the default template gives 6k MAC and 8k IP routes, but in your original post it shows over 6k ARP entries, so it may make it better but is not a complete solution.

You mentioned also a 4948 or a 6500. I think the right choice depends on your current traffic requirements and expected growth in both traffic, ports and hosts, with the 6500 giving the maximum room for expansion.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah
Sent: Thursday, 6 August 2009 14.29
To: Carl Jones; cisco-nsp
Subject: Re: [c-nsp] 3750 Suggestions?

use the "desktop vlan" template

--------------------------------------------------
From: "Carl Jones"
Sent: Thursday, August 06, 2009 4:21 AM
To: "cisco-nsp"
Subject: [c-nsp] 3750 Suggestions?

> Hi all,
>
> I'm looking for something suitable to take the load from our 3750G
> stack. But I'm not quite sure what the best solution would be.
>
> Some details of the issues I'm seeing:
> https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html
>
> I anticipate the new setup will eventually need to handle roughly
> double the number of IPs and VLANs the stack is currently (not)
> handling, with 4 routed interfaces (2x GigE, 2x FE).
>
> A couple of suggestions I've had so far is a router to handle
> everything L3, and use the VLAN template on the 3750s. Or replace them
> with a 6500 series switch. Or use a 4948 for L3 and/or replacing the
> 3750s.
>
> Any suggestions appreciated.
>
> Regards,
> Carl

From skoal at skoal.name Thu Aug 6 08:23:38 2009
From: skoal at skoal.name (Gergely Antal)
Date: Thu, 06 Aug 2009 14:23:38 +0200
Subject: [c-nsp] Deny Default Route Propagation
Message-ID: <4A7ACB4A.90805@skoal.name>

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

Manaf Al Oqlah wrote:
> hello,
>
> In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area doesn't accept the default route from that router.
>
> Thank you,
> Manaf

From ariemer at wesenergy.com.au Thu Aug 6 09:27:03 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 6 Aug 2009 21:27:03 +0800
Subject: [c-nsp] Monitoring VPN User on ASA
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>
References: <008901ca0fef$d599fe80$80cdfb80$@com> <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>

I use a script that logs on to the ASA, runs a cmd and exports the result as a data source within cacti. It works quite well for overall avg statistics.

Sent from my iPod Touch.

On 06/08/2009, at 8:56 PM, Bagosi Róméó wrote:

> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.392.1.3.21.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true
>
> Permission: not-accessible
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net
> ] On Behalf Of Narma Wahyuadi
> Sent: Wednesday, July 29, 2009 3:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Monitoring VPN User on ASA
>
> I want to monitoring vpn user on my ASA by snmp, it can trap vpn
> group but
> it cannot trap the username (no such object available .) I use oid
> 1.3.6.1.4.1.9.9.392.1.3.21.1.1 , can you help me solve this problem ?
From moua0100 at umn.edu Thu Aug 6 09:39:39 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 06 Aug 2009 08:39:39 -0500
Subject: [c-nsp] tcam exhaustion for netflow & vacl capture for cat6500
In-Reply-To: <4A5BB029.7070702@umn.edu>
References: <98E30C61-3FE0-4FF6-8B1D-C11023E0F4C8@gmail.com> <4A5BB029.7070702@umn.edu>
Message-ID: <4A7ADD1B.5020509@umn.edu>

on 6500 with 3bxl sup720: will concurrent use of (> 10K) netflow exports & (> 10Gb/s) vacl capture exhaust tcam more quickly than each by itself? how do I monitor this? how do I check status?

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

From rodunn at cisco.com Thu Aug 6 09:43:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 09:43:54 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID: <4A7ADE1A.8060103@cisco.com>

I don't disagree. It was a good theory though.

Rodney

David Hughes wrote:
>
> Hi
>
> But seeing as the OP indicated that one of the circuits was 2GB
> *underutilised* you'd be looking for 3 src/dst pairs that were all doing
> 2GB to get this situation. It's looking pretty unlikely that this is a
> hashing issue.
>
>
> David
> ...
>
> On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:
>
>> Ah...good one. If the sources were not random enough and it's NAT'ed
>> to one external ip you could really be multiplexing flows with NAT. ;)
>>
>>
>>
>> Dean Smith wrote:
>>> Would agree that volume is rare between 2xIP addresses but we have
>>> something similar although on not quite the scale.
>>> We NAT a very large organisation to the Internet. They have a large
>>> number of disparate sites that all do their own AV updates. All the
>>> PCs download at the same time in the evening and we generate about
>>> .75 Gb/s of traffic between our external PAT address and the AV
>>> download site for a good couple of hours. If we had a bigger internet
>>> pipe it would be a higher figure. (for less time of course).
>>> Dean
>>> ----- Original Message ----- From: "Rodney Dunn"
>>> To: "Mikael Abrahamsson"
>>> Cc: "Cisco"
>>> Sent: Wednesday, August 05, 2009 2:19 PM
>>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>>> For small flow combinations you are right. btw, it would be just L3
>>>> src/dst flows by default unless the L4 port option is enabled.
>>>>
>>>> I thought about there being a single flow causing the difference
>>>> that would be hashing down one of the paths. But 2G, while not
>>>> impossible, typically isn't used between two ip addresses. It's
>>>> something to check though for sure.
>>>>
>>>> Rodney
>>>>
>>>>
>>>>
>>>> Mikael Abrahamsson wrote:
>>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>>
>>>>>> That's usually caused by routes not being the same on the paths.
>>>>>
>>>>> It was my understanding that this usually was caused by not having
>>>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows
>>>>> and 4 paths, then it's not enough flows to get good load share on,
>>>>> but if you instead have 10k flows and all of them are low-speed,
>>>>> then the odds of them being equally load shared is much better?
>>>>>

From rodunn at cisco.com Thu Aug 6 09:46:53 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 09:46:53 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <012a01ca1533$f5b55ea0$e1201be0$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com>
Message-ID: <4A7ADECD.3010704@cisco.com>

sh contr cbus | incl 1/0:14|1/0:15

Todd wrote:
> Currently running Version 12.4(23). I may upgrade to (25) to see if that
> helps at all.
>
> VIP Console:
> VIP-Slot5>sh ppp multilink
> dmlp_ipc_config_count 210
> dmlp_bundle_count 4
>
> Bundle Multilink75, 2 members
> bundle 0x61B1C3A0, frag_mode 0
> tag vectors 0x6053A4A0 0x60514CBC
> Bundle hwidb vector 0x605AA624
> idb Multilink75, vc 14, RSP vc 15
> QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
> board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
> max_particles 400, mrru 1500, seq_window_size 0x8000
> working_pak 0x0, working_pak_cache 0x0
> una_frag_list 0x0, una_frag_end 0x0, null_link 0
> rcved_end_bit 1, is_lost_frag 0, resync_count 0
> timeout 0, timer_start 0, timer_running 0, timer_count 0
> next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
> dmlp_orig_pak_to_host 0x60425D00
> dmlp_orig_fastsend 0x60397B18
> bundle_idb->lc_ip_turbo_fs 0x60503E70
> bundle_idb->lc_ip_mdfs 0x604251B4
> 0 lost fragments, 0 reordered, 0 unassigned
> 0 discarded, 0 lost received
> 0x2AE received sequence, 0x319 sent sequence
> Member Link: 2 active
> Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
> Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
> Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8
>
>
> RSP:
> Multilink75, bundle name is group75
> Endpoint discriminator is group75
> Bundle up for 00:19:29, total bandwidth 3080, load 1/255
> Receive buffer limit 24000 bytes, frag timeout 1000 ms
> Bundle is Distributed
> 0/0 fragments/bytes in reassembly list
> 0 lost fragments, 0 reordered
> 0/0 discarded fragments/bytes, 0 lost received
> 0x2B3 received sequence, 0x319 sent sequence
> Member links: 2 active, 0 inactive (max not set, min not set)
> Se5/1/0/15:0, since 00:12:53
> Se5/1/0/16:0, since 00:02:15
>
>
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:43 PM
> To: Todd
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> It does. I've seen it before years ago.
>
> get 'sh ppp multilink' from the RSP and VIP console (if-con slot)
> and sh contr cbus.
>
> Make sure you are in dCEF mode, all links are on the same PA, and on
> later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.
>
> We had bugs in how we manage the member links of the bundle.
>
> Rodney
>
>
>
> Todd wrote:
>> When it happens, I can ping the remote end from the 7513, but nothing
>> outside of the 7513.
>>
>> For Example....
>>
>> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>>
>> 1 multilink T1 bounces.
>>
>> After the T1 comes up, the multilink interface and both T1's show as up/up
>> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
>> to/from SERVER to END USER.
>>
>> Hope that makes sense.
>>
>> -----Original Message-----
>> From: Rodney Dunn [mailto:rodunn at cisco.com]
>> Sent: Tuesday, August 04, 2009 1:24 PM
>> To: Todd Shipway
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] 7513 multilink interface issue
>>
>> That should never happen and is possibly a bug.
>>
>> Can you ping directly over the bundle to the ip address on the other
>> side when it's broke? If not, go to the latest code and see if it's
>> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
>> ip packet, etc...
>>
>> Rodney
>>
>>
>>
>> Todd Shipway wrote:
>>> We have several customers setup with T1's multilinked. We are running
>> into
>>> a problem with a single multilink member bouncing causing routing issues.
>>> When a single T1 member of a multilink group bounces, traffic to the
>> overall
>>> multilink interface stops and we have to manually shut and no shut the
>>> multilink interface to get traffic flowing again.
>>>
>>> Has anyone seen this before and if so, know what the issue may be?

From ayourtch at cisco.com Thu Aug 6 10:01:02 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Thu, 6 Aug 2009 16:01:02 +0200 (CEST)
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249548794.4662.10.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk> <1249548794.4662.10.camel@abehat.net.rm.dk>

Peter,

(not to hijack the thread, just to comment on tcptrace)

On Thu, 6 Aug 2009, Peter Rathlev wrote:

> Thank you all for the pointers. Tcptrace does seem quite interesting,
> even though it doesn't seem to be actively maintained since 2004.

At the IETF in Stockholm I had a chat with one of the maintainers - basically they haven't seen any bug reports, hence no new releases.
Might be understandable since the TCP has not majorly changed lately. Of course, could be still bugs, so if you notice something, let them know. cheers, andrew From Grzegorz at Janoszka.pl Thu Aug 6 10:03:40 2009 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Thu, 06 Aug 2009 16:03:40 +0200 Subject: [c-nsp] Freezing counters at 6500 In-Reply-To: <4A7067C3.7090200@kl.net> References: <4A6F6A2D.40101@Janoszka.pl> <4A7067C3.7090200@kl.net> Message-ID: <4A7AE2BC.80506@Janoszka.pl> Kevin Loch wrote: > Try adjusting 'service counters max age' to zero if you haven't already. > As others have pointed out a delay of 3-4 minutes is not normal > What does your SP (not RP) cpu usage look like? Try disabling netflow > if your SP cpu usage is maxing out. Are there any snmp oids we can use to have access to the real counters, not the 'soft' ones? -- Grzegorz Janoszka From nsp at myzionetworks.com Thu Aug 6 11:09:59 2009 From: nsp at myzionetworks.com (Todd) Date: Thu, 6 Aug 2009 11:09:59 -0400 Subject: [c-nsp] 7513 multilink interface issue In-Reply-To: <4A7ADECD.3010704@cisco.com> References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com> <4A7ADECD.3010704@cisco.com> Message-ID: <000001ca16a7$fa106b50$ee3141f0$@com> No output from the command. summit#sh contr cbus | incl 1/0:14|1/0:15 summit# I also upgrade to 12.4(25) last night and no change in the issue. The same issue still remains. -----Original Message----- From: Rodney Dunn [mailto:rodunn at cisco.com] Sent: Thursday, August 06, 2009 9:47 AM To: Todd Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 7513 multilink interface issue sh contr cbus | incl 1/0:14|1/0:15 Todd wrote: > Currently running Version 12.4(23). I may upgrade to (25) to see if that > helps at all. 
>
> VIP Console:
> VIP-Slot5>sh ppp multilink
> dmlp_ipc_config_count 210
> dmlp_bundle_count 4
>
> Bundle Multilink75, 2 members
> bundle 0x61B1C3A0, frag_mode 0
> tag vectors 0x6053A4A0 0x60514CBC
> Bundle hwidb vector 0x605AA624
> idb Multilink75, vc 14, RSP vc 15
> QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
> board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
> max_particles 400, mrru 1500, seq_window_size 0x8000
> working_pak 0x0, working_pak_cache 0x0
> una_frag_list 0x0, una_frag_end 0x0, null_link 0
> rcved_end_bit 1, is_lost_frag 0, resync_count 0
> timeout 0, timer_start 0, timer_running 0, timer_count 0
> next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
> dmlp_orig_pak_to_host 0x60425D00
> dmlp_orig_fastsend 0x60397B18
> bundle_idb->lc_ip_turbo_fs 0x60503E70
> bundle_idb->lc_ip_mdfs 0x604251B4
> 0 lost fragments, 0 reordered, 0 unassigned
> 0 discarded, 0 lost received
> 0x2AE received sequence, 0x319 sent sequence
> Member Link: 2 active
> Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
> Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
> Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
> Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
> Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8
>
>
> RSP:
> Multilink75, bundle name is group75
> Endpoint discriminator is group75
> Bundle up for 00:19:29, total bandwidth 3080, load 1/255
> Receive buffer limit 24000 bytes, frag timeout 1000 ms
> Bundle is Distributed
> 0/0 fragments/bytes in reassembly list
> 0 lost fragments, 0 reordered
> 0/0 discarded fragments/bytes, 0 lost received
> 0x2B3 received sequence, 0x319 sent sequence
> Member links: 2 active, 0 inactive (max not set, min not set)
> Se5/1/0/15:0, since 00:12:53
> Se5/1/0/16:0, since 00:02:15
>
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:43 PM
> To: Todd
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> It does. I've seen it before years ago.
>
> get 'sh ppp multilink' from the RSP and VIP console (if-con slot)
> and sh contr cbus.
>
> Make sure you are in dCEF mode, all links are on the same PA, and on
> later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.
>
> We had bugs in how we manage the member links of the bundle.
>
> Rodney
>
> Todd wrote:
>> When it happens, I can ping the remote end from the 7513, but nothing
>> outside of the 7513.
>>
>> For Example....
>>
>> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>>
>> 1 multilink T1 bounces.
>>
>> After the T1 comes up, the multilink interface and both T1's show as up/up
>> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
>> to/from SERVER to END USER.
>>
>> Hope that makes sense.

From bgoulet at harris.com Thu Aug 6 11:37:05 2009
From: bgoulet at harris.com (Goulet, Brian)
Date: Thu, 6 Aug 2009 10:37:05 -0500
Subject: [c-nsp] Counters for null0?
In-Reply-To:
References:
Message-ID: <86E53CC251ECC1469D0ED710E68DC278017F809C@mspe2k1.cs.myharris.net>

> BGP shows up on our 7200s as "Local" (addresses changed):
>
> Cisco-7200>sh ip cache flow | inc 00B3
> Gi0/3.123 100.100.10.219 Local 100.100.10.200 06 8355 00B3 65
>
> EIGRP is "Null", though:
>
> Cisco-7200>sh ip cache flow | inc 224.0
> Gi0/1.11 100.100.10.111 Null 224.0.0.10 58 0000 0000 47
>
> gert

Due to the difference between unicast and multicast I presume?

Brian

From ip at ioshints.info Thu Aug 6 12:00:54 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 6 Aug 2009 18:00:54 +0200
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <4A7ACB4A.90805@skoal.name>
References: <4A7ACB4A.90805@skoal.name>
Message-ID: <005d01ca16af$14f26c00$0a00000a@nil.si>

Just make sure you configure the "distribute-list in" on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Gergely Antal [mailto:skoal at skoal.name]
> Sent: Thursday, August 06, 2009 2:24 PM
> To: Manaf Al Oqlah
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Deny Default Route Propagation
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
>
> Manaf Al Oqlah wrote:
> > hello,
> >
> > In OSPF, how can I filter the default route from being
> > propagated out in the same area? I want to deny the external
> > default route in outbound routes so other routers in the same
> > area don't accept the default route from that router.
> >
> > Thank you,
> > Manaf

From jbest at zyedge.com Thu Aug 6 12:12:57 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Thu, 6 Aug 2009 12:12:57 -0400
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <005d01ca16af$14f26c00$0a00000a@nil.si>
References: <4A7ACB4A.90805@skoal.name> <005d01ca16af$14f26c00$0a00000a@nil.si>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>

Can't you do a "distribute-list out" on the ABR/ASBR whichever the router is?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Thursday, August 06, 2009 12:01 PM
To: skoal at skoal.name; 'Manaf Al Oqlah'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Deny Default Route Propagation

Just make sure you configure the "distribute-list in" on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

From lists at nexus6.co.za Thu Aug 6 12:20:46 2009
From: lists at nexus6.co.za (Andy Ashley)
Date: Thu, 06 Aug 2009 18:20:46 +0200
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
Message-ID: <4A7B02DE.6040601@nexus6.co.za>

Hi,

We are trying to upgrade IOS on a Cisco 7206VXR (NPE-G1) processor (revision B) with 983040K/65536K bytes of memory.
Currently running Version 12.3(13a), RELEASE SOFTWARE (fc2) but we need L2TPv3 functionality to configure xconnects using a pw-class statement.
We tried running Version 12.2(33)SRC4, RELEASE SOFTWARE (fc2) but the router was unstable.
Our peering sessions would come up and die after about a minute, the logs had lots of these entries:

%BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.X IPv4 Unicast topology base removed from session BGP Notification sent

I noticed that the BGP sessions had high InQ and OutQ values of 300+ where they usually sit at 0 and the router was generally not very responsive on the command line.
Also our RADIUS authentication was not working for some reason.

Is this just incompatibility or unstable code?
Can anyone recommend an image version for this hardware platform that has this feature set and is known to be stable in your environment?

Thanks.

Andy.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rodunn at cisco.com Thu Aug 6 12:23:58 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 12:23:58 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <000001ca16a7$fa106b50$ee3141f0$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com> <4A7ADECD.3010704@cisco.com> <000001ca16a7$fa106b50$ee3141f0$@com>
Message-ID: <4A7B039E.5060504@cisco.com>

Can you get me remote access to it to look? You can use the ip of: 64.100.21.4 if you want to punch a hole for me.

Just get "sh contr cbus". The | probably didn't match the exact interface number correctly.

Todd wrote:
> No output from the command.
>
> summit#sh contr cbus | incl 1/0:14|1/0:15
> summit#
>
> I also upgraded to 12.4(25) last night and no change in the issue. The same
> issue still remains.
From walter.keen at RainierConnect.net Thu Aug 6 12:51:59 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 06 Aug 2009 09:51:59 -0700
Subject: [c-nsp] soft-disco/redirection
Message-ID: <4A7B0A2F.4060104@rainierconnect.net>

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing.

Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.

Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

-- 
Walter Keen
Network Technician
Rainier Connect

From domintefamily at yahoo.co.uk Thu Aug 6 11:59:47 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Thu, 6 Aug 2009 15:59:47 +0000 (GMT)
Subject: [c-nsp] VSS 1440 issues
In-Reply-To:
Message-ID: <569473.50338.qm@web27907.mail.ukl.yahoo.com>

Hi,
Thank you for your advice, however, increasing the timers did not work.

I powered down the active linecards from switch 2 yesterday to see if it stopped the unicast flood, which it did.

Today I increased the mac address synchronisation activity time to 640 and the mac address aging time to 1920 (3x640) as below:

-----------------------------------------------------------

    Module Status:
Statistics collected from Switch/Module             :  1/1
Number of L2 asics in this module                   :  1

    Global Status:
Status of feature enabled on the switch             :  on
Default activity time                               :  160
Configured current activity time                    :  640

------------------------------------------------------------

    Module Status:
Statistics collected from Switch/Module             :  2/1
Number of L2 asics in this module                   :  1

    Global Status:
Status of feature enabled on the switch             :  on
Default activity time                               :  160
Configured current activity time                    :  640

------------------------------------------------------------

#sh mac-addr aging-time
Vlan    Aging Time
----    ----------
Global  1920
no vlan age other than global age configured

------------------------------------------------------------

Once this was done, I re-enabled one of the linecards on switch 2, and the same thing happens. The network is flooded with loads of unicast traffic, on all the trunk ports on switch 2.

Is there any other reason that this unicast flood is being caused?

Catalin

--- On Wed, 5/8/09, Eric Cables wrote:

From: Eric Cables
Subject: Re: [c-nsp] VSS 1440 issues
To: "Matthew Huff"
Cc: "C and C Dominte" , "cisco-nsp at puck.nether.net"
Date: Wednesday, 5 August, 2009, 9:06 PM

Take a look at this..
http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml#oob_mac

Cisco also recommends that once you enable OOB Synchronization, that the MAC aging timer be set to at least 3x the synchronization timer of 160:

"Configure the MAC aging timer to three times the MAC synchronization timer value. The default MAC synchronization and MAC aging timers can cause unknown unicast flooding. VSS can cause traffic to flow asymmetrically such that the source MAC address is only learned on one chassis. The MAC aging timer of 300 seconds and MAC synchronization timer of 160 seconds allows for up to 20 seconds of unknown unicast flooding for any given MAC address in a 320 second interval. In order to resolve this, change the timers such that the aging timer is three times as long as synchronization timer, for example, mac-address-table aging-time 480."

-- 
Eric Cables

On Wed, Aug 5, 2009 at 6:32 AM, Matthew Huff wrote:

I would suspect it's a timeout issue caused by it aging out of the arp cache and not the tcam table. Try adding "mac-address-table aging-time 14400" to the config. This usually happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the return path may be asymmetrical.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte
> Sent: Wednesday, August 05, 2009 7:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VSS 1440 issues
>
> Hi,
>
> I recently clustered 2 Catalyst 6509's into a VSS 1440 Virtual switch.
>
> Details about the cluster:
>
> - Software version:
> s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
>
> - Supervisor:
> VS-S720-10G with one 10G port used as VSL link
>
> - Linecards Active chassis:
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     4 x WS-X6748-GE-TX
>
> - Linecards Standby chassis
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     2 x WS-X6748-GE-TX
>
> The 6748 line cards are used and configured for MEC Etherchannels.
>
> At the other end of the MEC channels there are non-Cisco edge switches. The multi chassis Ether Channels are configured as 2 x 1G links, and single switchport trunks are configured as 1 x 1G links. All vlans are allowed on the single switchport trunks and port channels from VSS Cluster to the edge switches.
>
> The issue is that unicast traffic is flooded by the VSS Cluster across all trunks. The flooded traffic generated by the VSS cluster is between 600mbps and 1gbps, and almost all of the flooded traffic is unicast and has the source MAC address of the VSS Cluster. However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport. All of the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in switch 1 are the ones that have a single trunk instead of MEC.
>
> We tried to investigate this on a low importance link. The VSS cluster learned only 10 MAC addresses on one edge trunk configured as 1 x 1G link. This edge trunk received the flood of unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually on the VSS Cluster, to allow only 4 VLANS instead of all. Allowing only 4 vlans on this trunk stopped the flood on the edge trunk and stopped the flood on all other trunks as well.
>
> Does anyone have any idea about what can cause this?
>
> Thanks
>
> Catalin

From ip at ioshints.info Thu Aug 6 13:40:08 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 6 Aug 2009 19:40:08 +0200
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>
References: <4A7ACB4A.90805@skoal.name> <005d01ca16af$14f26c00$0a00000a@nil.si> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>
Message-ID: <006801ca16bc$f1b45330$0a00000a@nil.si>

No, you cannot control the LSA flooding (apart from blocking the flooding over a particular interface). All LSAs still get to all the routers (this is what you've asked for: OSPF is a link-state protocol :), but you can control which of the best OSPF routes get inserted in the IP routing table with the "distribute-list in".

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Jeremiah Best [mailto:jbest at zyedge.com]
> Sent: Thursday, August 06, 2009 6:13 PM
> To: Ivan Pepelnjak; skoal at skoal.name; 'Manaf Al Oqlah'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Deny Default Route Propagation
>
> Can't you do a "distribute-list out" on the ABR/ASBR
> whichever the router is?
From jared.a.gillis at gmail.com Thu Aug 6 14:47:39 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 06 Aug 2009 11:47:39 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <1249549131.28552.14.camel@daniel.office.bit.nl>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl>
Message-ID: <4A7B254B.8040607@gmail.com>

Daniel Verlouw wrote:
> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
>> The LSPs don't seem to get flooded, but the routes do get passed through Router
>> A to all the stub routers, regardless of how I set up the mesh-groups.
>
> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>
>> This is almost what I'm trying to do, there will be very few routes in IS-IS,
>> but the decree from on high is that each stub router should be totally stubby =(

Mostly due to longevity, planning for the worst case of high growth, IPv6 deployment, etc that will make each route in our routers very costly over time. Also, given our topology, there's no reason for the stub routers to learn anything but default.

It's looking like we might have to run OSPF on this, but we'd really rather stick with IS-IS. It seems that OSPF's ability to put individual interfaces into different areas might be the required feature that forces us that way.
That is, unless anyone knows a way to put an IS-IS router into different areas aside from assigning multiple NET addresses...

> -why- !?
>
> --Daniel.
>

From oliver.gorwits at oucs.ox.ac.uk Thu Aug 6 14:54:04 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 06 Aug 2009 19:54:04 +0100
Subject: [c-nsp] Free NMS Tools
In-Reply-To: <20090717070140.GA22208@mx.ytti.net>
References: <4f890e580907030600y3f8e6c15qfa6c4b4db539fec@mail.gmail.com> <20090717070140.GA22208@mx.ytti.net>
Message-ID: <4A7B26CC.70800@oucs.ox.ac.uk>

Hi,

Sorry for the late follow-up on this,

Saku Ytti wrote:
> Other thing that annoys me is how SNMP pollers are implemented,
> they're blocking, giving sucky performance on misbehaving or down
> nodes.

Oh I agree, most of the free NMS systems out there do a fairly poor job of efficiently polling devices. So we put some development time in, and what we came up with is not really cutting edge, but explores a few novel ideas:

http://search.cpan.org/perldoc?YATG
http://search.cpan.org/perldoc?YATG::Tutorial

Simply, it's an SNMP poller daemon which polls devices in parallel at some time interval, for OIDs specified in config. We then take that data and put it into a Memcached server, from where other services can read.

The nice thing there is that we only poll devices once (it being CPU intensive) but many client systems can check the retrieved data (e.g. tools for end users, tools for helpdesk, Nagios, etc). We actually have a Nagios plugin which reads the Memcached store for the ports and errors state for each device. Well, it's Nagios within Opsview - a much better piece of software which I highly recommend:

http://www.opsview.org/

The traffic counter data is also stored to flat file, from which we draw graphs in some tools such as Netdisco. I dislike RRD because of the (potential) loss of resolution in the long term, and the binary format.
We have tuned text file storage to be quite efficient and it works very well (better than RRD, and databases/SQL which we also tested).

http://netdisco.org/

Most of the above (YATG) is a 1st gen. effort, and we'd rewrite it given a chance, but it works very well and has proved the concepts.

HTH,

-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From jared.a.gillis at gmail.com Thu Aug 6 15:09:54 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 06 Aug 2009 12:09:54 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <1249549131.28552.14.camel@daniel.office.bit.nl>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl>
Message-ID: <4A7B2A82.7020105@gmail.com>

Here's a thought:

If I change Router A to L2 and Routers B and C to L2/L1, I can put B and C in different areas, but because they are L2/L1, they learn all the routes to all the areas, just as L2 routes instead of L1 routes.

This gets me each stub router and everything behind it into different areas, but doesn't solve the problem of needing local-only routes plus default on B and C...

Daniel Verlouw wrote:
> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
>> The LSPs don't seem to get flooded, but the routes do get passed through Router
>> A to all the stub routers, regardless of how I set up the mesh-groups.
>
> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>
>> This is almost what I'm trying to do, there will be very few routes in IS-IS,
>> but the decree from on high is that each stub router should be totally stubby =(
>
> -why- !?
>
> --Daniel.
>

From gert at greenie.muc.de Thu Aug 6 16:08:26 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 6 Aug 2009 22:08:26 +0200
Subject: [c-nsp] Single LNS, two providers
In-Reply-To:
References:
Message-ID: <20090806200826.GQ290@greenie.muc.de>

Hi,

On Thu, Aug 06, 2009 at 09:50:28PM +1000, Ed Lazerus wrote:
> Is it a matter of duplicating the following?

Basically, yes. Add a new vpdn-group, and (optionally) a new virtual-template.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Jeff.Wojciechowski at midlandpaper.com Thu Aug 6 16:50:59 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 6 Aug 2009 15:50:59 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>

Hi All:

Anyone using IPSLAs with OpenNMS or any other favorite tool?

I just set up a small test network and am thinking about adding this to a couple of our WAN routers closest to our PBXs and setting up remote switches that VoIP phones are on to monitor jitter, etc of our VoIP traffic.

Any thoughts on:

1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

2) Any gotchas that I need to look out for?
(False positives on bad performance, etc - for a start I plan on marking
the test traffic with the same ToS bit that our VoIP will be marked so it
gets the same priority)

3) This should be simple but what's the minimum IOS flavor required to
configure the IPSLA monitor (2811 router if I decide to make the WAN
router the IPSLA monitor or 3560 switch if I decide to locate monitor to
the switch the PBX is on) (I can't figure out the IOS feature browser to
save my life - sorry I am a N00b)

4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

5) Suggested intervals, packet sizes, anything else of each test?

Thanks all,

Jeff

From td_miles at yahoo.com  Thu Aug  6 17:55:17 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 6 Aug 2009 14:55:17 -0700 (PDT)
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
In-Reply-To: <4A7B02DE.6040601@nexus6.co.za>
Message-ID: <581927.18016.qm@web110103.mail.gq1.yahoo.com>

Hi Andy,

We're using 12.2(33)SRD1 and recently before that SRC3 on 7204 LNS
routers without any issues. We don't have any eBGP on these devices, but
iBGP works fine with about 9 peers on each router carrying internal
MP-BGP routes. These routers also authenticate PPP sessions via RADIUS
and that continues to function fine through the upgrade from SRC3 to SRD1
without problems.

Perhaps you need to turn on some BGP & RADIUS debug and work out what is
going wrong because it probably should work for you. If the BGP queues
are sitting at 300, it means that your BGP speakers aren't talking to
each other and you need to look at why (eg. MTU mismatch, disagree on
some other parameter). There might be some defaults for BGP parameters
that have been changed and you need to explicitly set now.

Not very responsive on the command line suggests that CPU was busy doing
other stuff (like continually setting up BGP sessions).

If you have the time to do some debugging then you probably should be
able to get a 12.2(33)SR version working.

regards,
Tony.
--- On Fri, 7/8/09, Andy Ashley wrote:

> From: Andy Ashley
> Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
> To: cisco-nsp at puck.nether.net
> Date: Friday, 7 August, 2009, 2:20 AM
> Hi,
>
> We are trying to upgrade IOS on a Cisco 7206VXR (NPE-G1)
> processor (revision B) with 983040K/65536K bytes of memory.
>
> Currently running Version 12.3(13a), RELEASE SOFTWARE (fc2)
> but we need L2TPv3 functionality to configure xconnects
> using a pw-class statement.
> We tried running Version 12.2(33)SRC4, RELEASE SOFTWARE
> (fc2) but the router was unstable.
>
> Our peering sessions would come up and die after about a
> minute, the logs had lots of these entries:
>
> %BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.X IPv4 Unicast
> topology base removed from session  BGP Notification
> sent
>
> I noticed that the BGP sessions had high InQ and OutQ
> values of 300+ where they usually sit at 0 and router was
> generally not very responsive on the command line.
> Also our RADIUS authentication was not working for some
> reason.
>
> Is this just incompatibility or unstable code?
> Can anyone recommend an image version for this hardware
> platform that has this feature set and is known to be stable
> in your environment?
>
> Thanks.
>
> Andy.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From td_miles at yahoo.com  Thu Aug  6 18:06:25 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 6 Aug 2009 15:06:25 -0700 (PDT)
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <006801ca16bc$f1b45330$0a00000a@nil.si>
Message-ID: <282601.36178.qm@web110105.mail.gq1.yahoo.com>

Ivan is correct, I know this first hand after wrestling with this very
recently.
You can only filter inbound from OSPF to the route table and you will
need to do it on each OSPF router in the area.

Cisco reference is here:
http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q12
http://tinyurl.com/m4kvgg

regards,
Tony.

--- On Fri, 7/8/09, Ivan Pepelnjak wrote:

> From: Ivan Pepelnjak
> Subject: Re: [c-nsp] Deny Default Route Propagation
> To: "'Jeremiah Best'" , skoal at skoal.name, "'Manaf Al Oqlah'"
> Cc: cisco-nsp at puck.nether.net
> Date: Friday, 7 August, 2009, 3:40 AM
> No, you cannot control the LSA flooding (apart from blocking the flooding
> over a particular interface). All LSAs still get to all the routers (this is
> what you've asked for: OSPF is a link-state protocol :), but you can control
> which of the best OSPF routes get inserted in the IP routing table with the
> "distribute-list in".
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> > -----Original Message-----
> > From: Jeremiah Best [mailto:jbest at zyedge.com]
> > Sent: Thursday, August 06, 2009 6:13 PM
> > To: Ivan Pepelnjak; skoal at skoal.name; 'Manaf Al Oqlah'
> > Cc: cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Deny Default Route Propagation
> >
> > Can't you do a "distribute-list out" on the ABR/ASBR
> > whichever the router is?
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
> > Sent: Thursday, August 06, 2009 12:01 PM
> > To: skoal at skoal.name; 'Manaf Al Oqlah'
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Deny Default Route Propagation
> >
> > Just make sure you configure the "distribute-list in" on ALL
> > OTHER routers in the area, otherwise you'll get some
> > hard-to-troubleshoot loops or blackholes.
> >
> > Ivan
> >
> > http://www.ioshints.info/about
> > http://blog.ioshints.info/
> >
> > > -----Original Message-----
> > > From: Gergely Antal [mailto:skoal at skoal.name]
> > > Sent: Thursday, August 06, 2009 2:24 PM
> > > To: Manaf Al Oqlah
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] Deny Default Route Propagation
> > >
> > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
> > >
> > > Manaf Al Oqlah wrote:
> > > > hello,
> > > >
> > > > In OSPF, how can I filter the default route from being
> > > > propagated out in the same area? I want to deny the
> > > > external default route in outbound routes so other routers in the
> > > > same area don't accept the default route from that router.
> > > >
> > > > Thank you,
> > > > Manaf
> > > >

From chunt at reachone.com  Thu Aug  6 17:57:11 2009
From: chunt at reachone.com (Christopher Hunt)
Date: Thu, 06 Aug 2009 14:57:11 -0700
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
Message-ID: <4A7B51B7.2080808@reachone.com>

I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a
2851. IOS 12.4(7) will allow it, but IOS 12.4(22)T won't. The Bug
Toolkit doesn't show any relevant bugs. Has anyone else run into this?
Is there a recommended release? I would really like a release that
supports mpls traceroute.

router-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
...
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
...
router-1 uptime is 53 minutes
System returned to ROM by reload at 14:42:21 PDT Thu Aug 6 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-7.bin"
...
Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory.
Processor board ID FTX...
16 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

router-1#config term
Enter configuration commands, one per line.  End with CNTL/Z.
router-1(config)#int gi0/1.457
router-1(config-subif)#mpls mtu ?
  <64-65535>  MTU (bytes)

router-1(config-subif)#mpls mtu 1508
router-1(config-subif)#end
router-1#sh run int gi0/1.457
...
interface GigabitEthernet0/1.457
 encapsulation dot1Q 457
 ip address x.x.x.x 255.255.255.252
 ip ospf network point-to-point
 no snmp trap link-status
 mpls ip
 mpls mtu 1508
 no cdp enable
end

!!!!

router-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
...
router-1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
router-1(config)#int gi0/1.457
router-1(config-subif)#mpls mt
router-1(config-subif)#mpls mtu ?
  <64-1500>  MTU (bytes)

router-1(config-subif)#mpls mtu 1508
                                ^
% Invalid input detected at '^' marker.

router-1(config-subif)#end
shelton-1#sh run int gi0/1.457
...
interface GigabitEthernet0/1.457
 encapsulation dot1Q 457
 ip address x.x.x.x 255.255.255.252
 ip ospf network point-to-point
 mpls mtu 1508
 mpls ip
 no cdp enable
end

--
cheers
Christopher Hunt

From kloch at kl.net  Fri Aug  7 00:35:40 2009
From: kloch at kl.net (Kevin Loch)
Date: Fri, 07 Aug 2009 00:35:40 -0400
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <569473.50338.qm@web27907.mail.ukl.yahoo.com>
References: <569473.50338.qm@web27907.mail.ukl.yahoo.com>
Message-ID: <4A7BAF1C.4070009@kl.net>

C and C Dominte wrote:
> Thank you for your advice, however, increasing the timers
> did not work.
>
> I powered down the active linecards from switch 2
> yesterday to see if it stopped the unicast flood, which it did.
>
> Today I increased the mac address synchronisation activity
> time to 640 and the mac address aging time to 1920 (3x640) as below:

While I have not run 6500's in VSS mode I have run into similar unicast
flooding with certain non-VSS configurations of 6500's.
The most reliable fix I have found is "arp timeout 120" in the affected
vlan interfaces.

- Kevin

From swmike at swm.pp.se  Fri Aug  7 00:51:07 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 7 Aug 2009 06:51:07 +0200 (CEST)
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
In-Reply-To: <4A7B51B7.2080808@reachone.com>
References: <4A7B51B7.2080808@reachone.com>
Message-ID:

On Thu, 6 Aug 2009, Christopher Hunt wrote:

> I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a 2851.
> IOS 12.4(7) will allow it, but IOS 12.4(22)T won't. The Bug Toolkit doesn't
> show any relevant bugs. Has anyone else run into this? Is there a
> recommended release? I would really like a release that supports mpls
> traceroute.

Don't use "mpls mtu", instead use "mtu", "ip mtu" and "clns mtu" in
combination.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From kloch at kl.net  Fri Aug  7 00:59:06 2009
From: kloch at kl.net (Kevin Loch)
Date: Fri, 07 Aug 2009 00:59:06 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com>
	<5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>
	<4A79EA3F.6060002@cisco.com>
Message-ID: <4A7BB49A.2060902@kl.net>

This sounds like the unequal multipath is a quirk (feature?) of sup720
default load sharing behavior. It happens to any multipath routes
(static, ospf, bgp) installed in the FIB:

http://cisco.cluepon.net/index.php/Sup720_load_balancing

shows different ratios than OP but that might be due to different
behavior in different IOS versions or hardware revisions.

"mls ip cef load-sharing simple" works well for me but "mls ip cef
load-sharing full simple" should also work if you also want layer4
hashes involved.

- Kevin

David Hughes wrote:
>
> Hi
>
> But seeing as the OP indicated that one of the circuits was 2GB
> *underutilised* you'd be looking for 3 src/dst pairs that were all doing
> 2GB to get this situation.
> It's looking pretty unlikely that this is a
> hashing issue.
>
>
> David
> ...
>
> On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:
>
>> Ah...good one. If the sources were not random enough and it's NAT'ed
>> to one external ip you could really be multiplexing flows with NAT. ;)
>>
>>
>> Dean Smith wrote:
>>> Would agree that volume is rare between 2xIP addresses but we have
>>> something similar although on not quite the scale.
>>> We NAT a very large organisation to the Internet. They have a large
>>> number of disparate sites that all do their own AV updates. All the
>>> PCs download at the same time in the evening and we generate about
>>> .75 Gb/s of traffic between our external PAT address and the AV
>>> download site for a good couple of hours. If we had a bigger internet
>>> pipe it would be a higher figure. (for less time of course).
>>> Dean
>>> ----- Original Message ----- From: "Rodney Dunn"
>>> To: "Mikael Abrahamsson"
>>> Cc: "Cisco"
>>> Sent: Wednesday, August 05, 2009 2:19 PM
>>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>>> For small flow combinations you are right. btw, it would be just L3
>>>> src/dst flows by default unless the L4 port option is enabled.
>>>>
>>>> I thought about there being a single flow causing the difference
>>>> that would be hashing down one of the paths. But 2G, while not
>>>> impossible, typically isn't used between two ip addresses. It's
>>>> something to check though for sure.
>>>>
>>>> Rodney
>>>>
>>>>
>>>> Mikael Abrahamsson wrote:
>>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>>
>>>>>> That's usually caused by routes not being the same on the paths.
>>>>>
>>>>> It was my understanding that this usually was caused by not having
>>>>> enough L4 flows to loadshare on...?
>>>>> Ie if you have 100 TCP flows
>>>>> and 4 paths, then it's not enough flows to get good load share on,
>>>>> but if you instead have 10k flows and all of them are low-speed,
>>>>> then the odds of them being equally load shared is much better?
>>>>>
>>>>
>>
>

From ecables at gmail.com  Fri Aug  7 01:43:23 2009
From: ecables at gmail.com (Eric Cables)
Date: Thu, 6 Aug 2009 22:43:23 -0700
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <4A7BAF1C.4070009@kl.net>
References: <569473.50338.qm@web27907.mail.ukl.yahoo.com>
	<4A7BAF1C.4070009@kl.net>
Message-ID:

Agreed, your mileage may vary on the exact timers to use (I ended up at
900 seconds), but synchronizing MAC and ARP aging timers should solve
your unicast flooding issues, assuming the traffic is to legitimate
destinations. Have you captured any traffic to identify the destination
of flooded traffic?

--
Eric Cables

On Thu, Aug 6, 2009 at 9:35 PM, Kevin Loch wrote:

> C and C Dominte wrote:
>
>> Thank you for your advice, however, increasing the timers
>> did not work.
>>
>>
>> I powered down the active linecards from switch 2
>> yesterday to see if it stopped the unicast flood, which it did.
>>
>> Today I increased the mac address synchronisation activity
>> time to 640 and the mac address aging time to 1920 (3x640) as below:
>>
>
> While I have not run 6500's in VSS mode I have run into similar unicast
> flooding with certain non-VSS configurations of 6500's. The most
> reliable fix I have found is "arp timeout 120" in the affected vlan
> interfaces.
>
> - Kevin
>

From oboehmer at cisco.com  Fri Aug  7 02:34:15 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 7 Aug 2009 08:34:15 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A7B254B.8040607@gmail.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com>
	<1249549131.28552.14.camel@daniel.office.bit.nl>
	<4A7B254B.8040607@gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com>

Jared Gillis <> wrote on Thursday, August 06, 2009 20:48:

> Daniel Verlouw wrote:
>> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>>> Hm, interesting though. Unfortunately, it doesn't seem to pan out
>>> in the lab. The LSPs don't seem to get flooded, but the routes do
>>> get passed through Router A to all the stub routers, regardless of
>>> how I set up the mesh-groups.
>>
>> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>>
>>> This is almost what I'm trying to do, there will be very few routes
>>> in IS-IS, but the decree from on high is that each stub router
>>> should be totally stubby =(
>
> Mostly due to longevity, planning for the worst case of high growth,
> IPv6 deployment, etc that will make each route in our routers very
> costly over time. Also, given our topology, there's no reason for the
> stub routers to learn anything but default.

Well..
not sure how large you want to grow your L1 area, but you could
investigate "advertise-passive-only" to only advertise the loopbacks
(all customer routes should be in BGP if you need to plan for growth),
and you'll be fine, even with 1000 nodes in the area. And if you reach
this number, address summarization (and the implications of it) will
become an issue (even with OSPF)..

> It's looking like we might have to run OSPF on this, but we'd really
> rather stick with IS-IS. It seems that OSPF's ability to put
> individual interfaces into different areas might be the required
> feature that forces us that way. That is, unless anyone knows a way
> to put an IS-IS router into different areas aside from assigning
> multiple NET addresses...

No, doesn't work with Integrated ISIS (only CLNS allows you to use
different ISIS areas on a single node)..

	oli

From asturluismi at gmail.com  Fri Aug  7 07:01:55 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 13:01:55 +0200
Subject: [c-nsp] TACACs access filtered by device
Message-ID: <1249642915.11716.6.camel@dsba-ipso>

Hi,

We have here several Cisco devices and I would like to know if it is
possible to filter who gets access to some specific devices using the
tacacs.conf file or the AAA configuration inside the devices.

Is that possible?

From jbest at zyedge.com  Fri Aug  7 08:08:01 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Fri, 7 Aug 2009 08:08:01 -0400
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>

You can do it using ACS if you have an ACS server. The way we've done it
is create groups of devices and then just assign the user whatever
rights and then only allow said user to access that group of users.
Works well. Outside of ACS I'm not sure if there's a way. If you want
more details let me know.
-Jeremiah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Friday, August 07, 2009 7:02 AM
To: cisco_nsp
Subject: [c-nsp] TACACs access filtered by device

Hi,

We have here several Cisco devices and I would like to know if it is
possible to filter who gets access to some specific devices using the
tacacs.conf file or the AAA configuration inside the devices.

Is that possible?

From asturluismi at gmail.com  Fri Aug  7 08:35:45 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 14:35:45 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>
References: <1249642915.11716.6.camel@dsba-ipso>
	<6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>
Message-ID: <1249648545.11716.8.camel@dsba-ipso>

Hi,

We don't use here ACS, just tacacs-server over linux.

From chunt at reachone.com  Fri Aug  7 09:27:50 2009
From: chunt at reachone.com (Christopher Hunt)
Date: Fri, 07 Aug 2009 06:27:50 -0700
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <4A7C2BD6.3000801@reachone.com>

We don't use it this way, but it looks like the linux tac_plus daemon
supports authorization ACLs. See the line "acl = dial_only" at
http://www.linuxcertif.com/man/5/tac_plus.conf/#EXAMPLE_TAC_PLUS_CONFIGURATION_311843h

Christopher Hunt

luismi wrote:
> Hi,
>
> We have here several Cisco devices and I would like to know if it is
> possible to filter who gets access to some specific devices using the
> tacacs.conf file or the AAA configuration inside the devices.
>
> Is that possible?
>

From peter at rathlev.dk  Fri Aug  7 10:21:32 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Aug 2009 16:21:32 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <1249654892.3168.2.camel@abehat.net.rm.dk>

On Fri, 2009-08-07 at 13:01 +0200, luismi wrote:
> We have here several Cisco devices and I would like to know if it is
> possible to filter who gets access to some specific devices using the
> tacacs.conf file or the AAA configuration inside the devices.
>
> Is that possible?

It is, and it works like a charm. The link Christopher Hunt posted has a
good example. We use it e.g. like this:

acl = pop1-access {
    permit = ^10\.0\.0\.
}

user = example-pop1-operator {
    member = admin
    acl = pop1-access
}

group = other-example-acl {
    acl = pop1-access
}

Regards,
Peter

From asturluismi at gmail.com  Fri Aug  7 10:25:47 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 16:25:47 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249654892.3168.2.camel@abehat.net.rm.dk>
References: <1249642915.11716.6.camel@dsba-ipso>
	<1249654892.3168.2.camel@abehat.net.rm.dk>
Message-ID: <1249655147.11716.22.camel@dsba-ipso>

Yes!
seems to be pretty simple I will try it today :-D

From walter.keen at RainierConnect.net  Fri Aug  7 11:28:06 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 07 Aug 2009 08:28:06 -0700
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249655147.11716.22.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
	<1249654892.3168.2.camel@abehat.net.rm.dk>
	<1249655147.11716.22.camel@dsba-ipso>
Message-ID: <4A7C4806.9040605@rainierconnect.net>

We take it another step, using the linux tac-plus, specifying an acl for
each user, and commands they can or cannot run....

The only problem we've run into is one user who needs higher access on
one router but still limited access on another, we've gotten around that
a little bit by setting privilege levels in the routers, and making
tacacs send the privilege level data to router, but we still had one or
two cases where one user had to have 2 usernames for different routers
(and acl's to make sure they didn't use the wrong one on the wrong
router)

If anyone's interested, I can send an example offline.

luismi wrote:
> Yes! seems to be pretty simple I will try it today :-D
>

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From ecables at gmail.com  Fri Aug  7 13:21:12 2009
From: ecables at gmail.com (Eric Cables)
Date: Fri, 7 Aug 2009 10:21:12 -0700
Subject: [c-nsp] RedSeal users?
Message-ID:

Slightly OT, but with all the NMS e-mails going around lately it might
have some relevance.

I'm in the middle of a RedSeal (http://www.redseal.net/) deployment, and
I was wondering if anyone else on the list was using this product. I'd
just like to get an idea of whether it has been useful, and what
applications you've used it for.
Thanks,

--
Eric Cables

From Jeff.Wojciechowski at midlandpaper.com  Fri Aug  7 13:47:26 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Fri, 7 Aug 2009 12:47:26 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>

Not one hit on this one, perhaps broadening the question as follows might
help:

Anyone using IPSLA's standalone to monitor voice have any pointers (what
tests to run, packet sizes, frequency of tests)?

Thanks,

-Jeff

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, August 06, 2009 3:51 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSLAs with OpenNMS or Other?

Hi All:

Anyone using IPSLAs with OpenNMS or any other favorite tool?

I just set up a small test network and am thinking about adding this to a
couple of our WAN routers closest to our PBXs and setting up remote
switches that VoIP phones are on to monitor jitter, etc of our VoIP
traffic.

Any thoughts on:

1) Is it best to locate the IPSLA monitor on the switch near the phone
system or on the WAN edge router (right now we even have anything
resembling congestion is on our WAN links)?

2) Any gotchas that I need to look out for?
(False positives on bad performance, etc - for a start I plan on marking
the test traffic with the same ToS bit that our VoIP will be marked so it
gets the same priority)

3) This should be simple but what's the minimum IOS flavor required to
configure the IPSLA monitor (2811 router if I decide to make the WAN
router the IPSLA monitor or 3560 switch if I decide to locate monitor to
the switch the PBX is on) (I can't figure out the IOS feature browser to
save my life - sorry I am a N00b)

4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

5) Suggested intervals, packet sizes, anything else of each test?

Thanks all,

Jeff

From gsgranados at comcast.net  Fri Aug  7 16:47:27 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 13:47:27 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
Message-ID: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>

Hi, I'm having difficulties configuring VPN tunnels between a PC with
the Cisco VPN client (windows XP) and an ASA5520.

BACKGROUND

I have an ASA5520 with a public interface of 206.x.x.232 and an inside
address of 10.18.14.6. The outside interface is connected to the public
internet directly, the inside interface is attached to a switch with
layer 3 capabilities and has an address of 10.18.14.1/24. The default
route is pointed to the public Internet gateway and the 10.18.0.0/16
network is routed via the 10.18.14.1 inside address. The VPN device is
running version 7 software (according to the VPN client log file).
PROBLEM

When I initiate a connection from the PC to the public facing interface
over an external network the session authenticates and reports
connected, the client is assigned an address from the correct pool, but
I'm not able to pass traffic. Looking at the stats the routes learned
appear (10.18.0.0/16) or whatever routes I added to the split-tunnel
network list. I do notice that the tunnel stats do not show the
encrypted packet count increasing so I assume I'm not tagging something
correctly or the ASA is confused about what to encrypt. I've been using
the Cisco ASA configuration examples as a starting point but think I'm
missing the point somewhere. Any pointers would be appreciated, config
tidbits follow.

split-tunnel ACL

access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0

local pool definition

ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0

STATIC ROUTES

route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1

GROUP POLICY DEFINITION

group-policy VPRN-team-policy internal
group-policy VPRN-team-policy attributes
 banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
 banner value Thank you,
 banner value Network Services
 banner value 415.xxx.xxxx
 wins-server value 10.18.1.14 10.18.1.15
 dns-server value 10.18.1.14 10.18.1.15
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-nets
 default-domain value MY-COMPANY.COM
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers 206.x.x.233
 client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
 webvpn
  functions none
tunnel-group VPRN-team type ipsec-ra
tunnel-group VPRN-team general-attributes
 address-pool VPRN-team-vpn-pool1
 authentication-server-group my_authent_grp
 default-group-policy VPRN-team-policy
tunnel-group VPRN-team ipsec-attributes
 pre-shared-key *

CRYPTO MAP and ISAKMP

crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
crypto dynamic-map dynmap1 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 10000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
isakmp reload-wait

From mksmith at adhost.com  Fri Aug  7 17:40:21 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 7 Aug 2009 14:40:21 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
In-Reply-To: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
Message-ID: <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between
> Cisco client and inside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with
> the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6. The outside interface is connected to the public
> internet directly, the inside interface is attached to a switch with
> layer 3 capabilities and has an address of 10.18.14.1/24. The default
> route is pointed to the public Internet gateway and the 10.18.0.0/16
> network is routed via the 10.18.14.1 inside address. The VPN device is
> running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface
> over an external network the session authenticates and reports
> connected, the client is assigned an address from the correct pool, but
> I'm not able to pass traffic.
> Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From gsgranados at comcast.net Fri Aug 7 17:51:49 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 14:51:49 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <200908071635.21214.rgilreath@hbs.net>
Message-ID: <00b201ca17a9$49e6e120$2208120a@am.thmulti.com>

I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect?

----- Original Message -----
From: "Rob Gilreath"
To:
Cc: "Scott Granados"
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

>
> Is your nat 0 exception setup?
>
> Send the config lines starting with nat as well.
>
>
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>>
>> BACKGROUND
>>
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>>
>> PROBLEM
>>
>> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>>
>> split-tunnel ACL
>>
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>>
>> local pool definition
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
>>
>> STATIC ROUTES
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>>
>> GROUP POLICY DEFINITION
>>
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>>  banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
>>  banner value Thank you,
>>  banner value Network Services
>>  banner value 415.xxx.xxxx
>>  wins-server value 10.18.1.14 10.18.1.15
>>  dns-server value 10.18.1.14 10.18.1.15
>>  dhcp-network-scope none
>>  vpn-access-hours none
>>  vpn-simultaneous-logins 1
>>  vpn-idle-timeout 30
>>  vpn-session-timeout none
>>  vpn-filter none
>>  vpn-tunnel-protocol IPSec
>>  password-storage disable
>>  ip-comp enable
>>  re-xauth disable
>>  group-lock none
>>  pfs disable
>>  ipsec-udp enable
>>  ipsec-udp-port 10000
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value vpn-nets
>>  default-domain value MY-COMPANY.COM
>>  split-dns none
>>  secure-unit-authentication disable
>>  user-authentication enable
>>  user-authentication-idle-timeout 30
>>  ip-phone-bypass disable
>>  leap-bypass disable
>>  nem disable
>>  backup-servers 206.x.x.233
>>  client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
>>  webvpn
>>   functions none
>>
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>>  address-pool VPRN-team-vpn-pool1
>>  authentication-server-group my_authent_grp
>>  default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>>  pre-shared-key *
>>
>> CRYPTO MAP and ISAKMP
>>
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

From gsgranados at comcast.net Fri Aug 7 18:03:58 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 15:03:58 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>
Message-ID: <00e401ca17aa$fb9e3890$2208120a@am.thmulti.com>

Hi Michael,

Wouldn't the more specific /24 come into play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN.
But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From gsgranados at comcast.net Fri Aug 7 19:12:01 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 16:12:01 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
References: <870133.47242.qm@web80503.mail.mud.yahoo.com>
Message-ID: <015501ca17b4$7e9c11f0$2208120a@am.thmulti.com>

Hi, so the client is attached directly to a Sprint air card or directly to a cable internet connection with a real IP address. I have udp 10000 defined in the group policy and see that port being used in the client logs.

Thanks
Scott

----- Original Message -----
From: Randy
To: Rob Gilreath ; cisco-nsp at puck.nether.net ; Scott Granados
Sent: Friday, August 07, 2009 3:40 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

..NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup - sh run nat-control.

The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well? Also, NAT-T (ipsec/UDP port 10,000) is enabled on the client?

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" , cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM

I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect?
----- Original Message -----
From: "Rob Gilreath"
To:
Cc: "Scott Granados"
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

>
> Is your nat 0 exception setup?
>
> Send the config lines starting with nat as well.
>
>
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>>
>> BACKGROUND
>>
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>>
>> PROBLEM
>>
>> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>>
>> split-tunnel ACL
>>
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>>
>> local pool definition
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
>>
>> STATIC ROUTES
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>>
>> GROUP POLICY DEFINITION
>>
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>>  banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
>>  banner value Thank you,
>>  banner value Network Services
>>  banner value 415.xxx.xxxx
>>  wins-server value 10.18.1.14 10.18.1.15
>>  dns-server value 10.18.1.14 10.18.1.15
>>  dhcp-network-scope none
>>  vpn-access-hours none
>>  vpn-simultaneous-logins 1
>>  vpn-idle-timeout 30
>>  vpn-session-timeout none
>>  vpn-filter none
>>  vpn-tunnel-protocol IPSec
>>  password-storage disable
>>  ip-comp enable
>>  re-xauth disable
>>  group-lock none
>>  pfs disable
>>  ipsec-udp enable
>>  ipsec-udp-port 10000
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value vpn-nets
>>  default-domain value MY-COMPANY.COM
>>  split-dns none
>>  secure-unit-authentication disable
>>  user-authentication enable
>>  user-authentication-idle-timeout 30
>>  ip-phone-bypass disable
>>  leap-bypass disable
>>  nem disable
>>  backup-servers 206.x.x.233
>>  client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
>>  webvpn
>>   functions none
>>
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>>  address-pool VPRN-team-vpn-pool1
>>  authentication-server-group my_authent_grp
>>  default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>>  pre-shared-key *
>>
>> CRYPTO MAP and ISAKMP
>>
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>>
>
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

From gsgranados at comcast.net Fri Aug 7 19:13:33 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 16:13:33 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <752681.4220.qm@web80506.mail.mud.yahoo.com>
Message-ID: <016501ca17b4$b67fee70$2208120a@am.thmulti.com>

I'm thinking this might be it. I'm probably doing bad things with the connected pool. Thanks for the pointers.

----- Original Message -----
From: Randy
To: Michael K. Smith - Adhost ; Scott Granados
Cc: cisco-nsp at puck.nether.net
Sent: Friday, August 07, 2009 4:02 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

x.x.x.x mask y.y.y.y mask (your vpn pool)
10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
To: "Michael K. Smith - Adhost"
Cc: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM

Hi Michael,

Wouldn't the more specific /24 come into play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From randy_94108 at yahoo.com Fri Aug 7 18:15:12 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 15:15:12 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
In-Reply-To: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
Message-ID: <831090.36449.qm@web80505.mail.mud.yahoo.com>

Hi Scott,

...at first pass - have you *exempted* your vpn pool<->split-tunnel subnets from NAT on the appropriate interfaces?
Regards,
./Randy

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 1:47 PM

Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.

BACKGROUND

I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).

PROBLEM

When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
split-tunnel ACL

access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0

local pool definition
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0

STATIC ROUTES
route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1

GROUP POLICY DEFINITION

group-policy VPRN-team-policy internal
group-policy VPRN-team-policy attributes
 banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
 banner value Thank you,
 banner value Network Services
 banner value 415.xxx.xxxx
 wins-server value 10.18.1.14 10.18.1.15
 dns-server value 10.18.1.14 10.18.1.15
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-nets
 default-domain value MY-COMPANY.COM
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers 206.x.x.233
 client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
 webvpn
  functions none

tunnel-group VPRN-team type ipsec-ra
tunnel-group VPRN-team general-attributes
 address-pool VPRN-team-vpn-pool1
 authentication-server-group my_authent_grp
 default-group-policy VPRN-team-policy
tunnel-group VPRN-team ipsec-attributes
 pre-shared-key *

CRYPTO MAP and ISAKMP

crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
crypto dynamic-map dynmap1 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 10000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
isakmp reload-wait

From randy_94108 at yahoo.com Fri Aug 7 18:40:56 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 15:40:56 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
In-Reply-To: <00b201ca17a9$49e6e120$2208120a@am.thmulti.com>
Message-ID: <870133.47242.qm@web80503.mail.mud.yahoo.com>

..NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup - sh run nat-control.
The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well? Also, NAT-T (ipsec/UDP port 10,000) is enabled on the client?

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" , cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM

I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect?

----- Original Message -----
From: "Rob Gilreath"
To:
Cc: "Scott Granados"
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

>
> Is your nat 0 exception setup?
>
> Send the config lines starting with nat as well.
>
>
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>>
>> BACKGROUND
>>
>> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>>
>> PROBLEM
>>
>> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>>
>> split-tunnel ACL
>>
>> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
>> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0
>>
>> local pool definition
>> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
>>
>> STATIC ROUTES
>> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
>> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
>> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1
>>
>> GROUP POLICY DEFINITION
>>
>> group-policy VPRN-team-policy internal
>> group-policy VPRN-team-policy attributes
>>  banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
>>  banner value Thank you,
>>  banner value Network Services
>>  banner value 415.xxx.xxxx
>>  wins-server value 10.18.1.14 10.18.1.15
>>  dns-server value 10.18.1.14 10.18.1.15
>>  dhcp-network-scope none
>>  vpn-access-hours none
>>  vpn-simultaneous-logins 1
>>  vpn-idle-timeout 30
>>  vpn-session-timeout none
>>  vpn-filter none
>>  vpn-tunnel-protocol IPSec
>>  password-storage disable
>>  ip-comp enable
>>  re-xauth disable
>>  group-lock none
>>  pfs disable
>>  ipsec-udp enable
>>  ipsec-udp-port 10000
>>  split-tunnel-policy tunnelspecified
>>  split-tunnel-network-list value vpn-nets
>>  default-domain value MY-COMPANY.COM
>>  split-dns none
>>  secure-unit-authentication disable
>>  user-authentication enable
>>  user-authentication-idle-timeout 30
>>  ip-phone-bypass disable
>>  leap-bypass disable
>>  nem disable
>>  backup-servers 206.x.x.233
>>  client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
>>  webvpn
>>   functions none
>>
>> tunnel-group VPRN-team type ipsec-ra
>> tunnel-group VPRN-team general-attributes
>>  address-pool VPRN-team-vpn-pool1
>>  authentication-server-group my_authent_grp
>>  default-group-policy VPRN-team-policy
>> tunnel-group VPRN-team ipsec-attributes
>>  pre-shared-key *
>>
>> CRYPTO MAP and ISAKMP
>>
>> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
>> crypto dynamic-map dynmap1 10 set reverse-route
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
>> crypto map vpnmap interface outside
>> isakmp enable outside
>> isakmp policy 1 authentication pre-share
>> isakmp policy 1 encryption aes
>> isakmp policy 1 hash sha
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 28800
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 1000
>> isakmp policy 20 authentication pre-share
>> isakmp policy 20 encryption 3des
>> isakmp policy 20 hash md5
>> isakmp policy 20 group 2
>> isakmp policy 20 lifetime 10000
>> isakmp policy 30 authentication pre-share
>> isakmp policy 30 encryption 3des
>> isakmp policy 30 hash sha
>> isakmp policy 30 group 2
>> isakmp policy 30 lifetime 10000
>> isakmp policy 40 authentication pre-share
>> isakmp policy 40 encryption 3des
>> isakmp policy 40 hash sha
>> isakmp policy 40 group 2
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>>
>
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

From randy_94108 at yahoo.com Fri Aug 7 19:02:51 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 16:02:51 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
In-Reply-To: <00e401ca17aa$fb9e3890$2208120a@am.thmulti.com>
Message-ID: <752681.4220.qm@web80506.mail.mud.yahoo.com>

..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

x.x.x.x mask y.y.y.y mask (your vpn pool)
10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
To: "Michael K. Smith - Adhost"
Cc: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM

Hi Michael,

Wouldn't the more specific /24 come into play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Friday, August 07, 2009 1:47 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between > Cisco client andinside network? > > Hi, I'm having difficulties configuring VPN tunnels between a PC with > the > Cisco VPN client (windows XP) and an ASA5520. > > BACKGROUND > > I have an ASA5520 with a public interface of 206.x.x.232 and an inside > address of 10.18.14.6.? The outside interface is connected to the > public > internet directly, the inside interface is attached to a switch with > layer 3 > capabilities and has an address of 10.18.14.1/24.? The default route is > pointed to the public Internet gateway and the 10.18.0.0/16 network is > routed via the 10.18.14.1 inside address.? The VPN device is running > version > 7 software (according to the VPN client log file). > > PROBLEM > > >? ???When I initiate a connection from the PC to the public facing > interface > over an external network the session authenticates and reports > connected, > the client is assigned an address from the correct pool, but I'm not > able to > pass traffic.? Looking at the stats the routes learned appear > (10.18.0.0/16) > or what ever routes I added to the split-tunnel network list.? I do > notice > that the tunnel stats do not show the encrypted packet count increasing > so I > assume I'm not tagging something correctly or the ASA is confused about > what > to encrypt. I've been using the Cisco ASA configuration examples as a > starting point but think I'm missing the point somewhere.? Any pointers > would be appreciated, config tidbits follow. > > split-tunnel ACL I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing."? The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. 
But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Sat Aug 8 07:36:49 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 08 Aug 2009 13:36:49 +0200
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com> <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>
Message-ID: <1249731409.3129.29.camel@abehat.net.rm.dk>

I'll give it a shot, even though we don't really have a planned professional setup. :-)

We only use the data for internal purposes. We're an enterprise and our SLAs (OLAs) currently do not require us to present any data on latency/jitter/loss. We use Cacti to graph the results.

For voice circuits we typically measure "standard" 20 packets, 192 bytes payload, 20 ms interval with a jitter probe. We always use both an EF-marked and a DSCP0-marked. For data circuit quality we use N x 1000 packets, 384 bytes payload, 50 ms interval, also a jitter probe. This means they run for a longer time and thus will catch the extreme jitter. OTOH it gives a good picture of the base line.

Regarding the questions:

> 1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

I'd locate the measuring unit as close to the phone system as possible, unless of course your part of the responsibility only goes to the edge router.

> 2) Any gotchas that I need to look out for? (False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

We often use 3560 and 3750 switches as responders (they happen to be in the right place) and see very varying quality compared to a 2800 in the same place. I guess that's because of a slow processor or something.

> 3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate monitor to the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

I seem to remember that the 2800 requires an Enterprise Base license to run IP SLA probes. I don't know about 3560 since we only use those as responders. I think almost all currently available IOS versions support either "rtr" or "ip sla monitor" and a jitter probe.

> 4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

Cacti works very well for us.

> 5) Suggested intervals, packet sizes, anything else of each test?

We largely went for the defaults believing (possibly naively) that this would follow some "industry standard".

Regards,
Peter

From gert at greenie.muc.de Sat Aug 8 09:45:50 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 8 Aug 2009 15:45:50 +0200
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
In-Reply-To: <4A7B51B7.2080808@reachone.com>
References: <4A7B51B7.2080808@reachone.com>
Message-ID: <20090808134550.GS290@greenie.muc.de>

Hi,

On Thu, Aug 06, 2009 at 02:57:11PM -0700, Christopher Hunt wrote:
> I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a 2851. IOS 12.4(7) will allow it, but IOS 12.4(22)T won't.
Quite possibly you need to configure "mtu 1508" and then "ip mtu 1500" to get the desired behaviour - "standard" IOS wants a maximum interface MTU, and all protocols (ip, mpls, ...) can go up to that maximum, but not further.

Being able to set "mpls mtu" to a value larger than the generic interface MTU was a workaround for some issues on single-port 7200 FEs, if I remember correctly, and should not be needed for 2800s anyway.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From frnkblk at iname.com Sat Aug 8 11:43:06 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 8 Aug 2009 10:43:06 -0500
Subject: [c-nsp] soft-disco/redirection
In-Reply-To: <4A7B0A2F.4060104@rainierconnect.net>
References: <4A7B0A2F.4060104@rainierconnect.net>
Message-ID:

What about giving them a different IP address (via RADIUS or DHCP), for which there is a route-map to the webserver? Yes, it's not immediate, but with PPPoA/E users you could "clear int Vi#", CM users just wait for their next DHCP lease.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Thursday, August 06, 2009 11:52 AM
To: 'Cisco-nsp'
Subject: [c-nsp] soft-disco/redirection

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing. Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.
Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

--
Walter Keen
Network Technician
Rainier Connect

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From avayner at cisco.com Sat Aug 8 12:14:21 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 8 Aug 2009 18:14:21 +0200
Subject: [c-nsp] soft-disco/redirection
In-Reply-To: <4A7B0A2F.4060104@rainierconnect.net>
References: <4A7B0A2F.4060104@rainierconnect.net>
Message-ID:

You could do L2TP switching (VPDN) and terminate them on a remote LNS or just in another VRF, which would have a closed garden, redirecting any HTTP session to your own server (DNS...) and displaying whatever you like them to see.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Thursday, August 06, 2009 19:52
To: 'Cisco-nsp'
Subject: [c-nsp] soft-disco/redirection

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing. Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.
Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

--
Walter Keen
Network Technician
Rainier Connect

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From zivl at gilat.net Sun Aug 9 03:57:58 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 9 Aug 2009 10:57:58 +0300
Subject: [c-nsp] TACACS/RADUIS/AD
Message-ID:

Hi all,

I need to implement an AAA method other than local for our Cisco devices (routers/switches)

I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me. At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations. I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups. Is this possible to implement? If yes, do you have some ideas, tips, howtos? Thanks in advance! Regards, Ziv ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ From p.mayers at imperial.ac.uk Sun Aug 9 08:07:33 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Sun, 09 Aug 2009 13:07:33 +0100 Subject: [c-nsp] TACACS/RADUIS/AD In-Reply-To: References: Message-ID: <4A7EBC05.60000@imperial.ac.uk> Ziv Leyes wrote: > Hi all, > > I'm in need to implement an AAA method other than local for our Cisco > devices (routers/switches) > > I was thinking of using the already existing Active Directory, > because all people has an account there and a strict secure password > policy. > > Also when someone quits, their user is always removed from there but > I don't always get notifications about personnel changes so to manage > another independent user DB is not good for me. 
> > At the beginning I was thinking to directly connect the AD servers, > but this doesn't give me too much flexibility, I don't manage those > servers and I don't want to depend on others regarding the > authorizations. > > I was thinking about a server like radius or tacacs that will check > only the user authentication against the AD server and perhaps > retrieve a value of which group the user belongs to, let's say I only > need two or three degrees of authorization, (read-only, operator, and > admins). All the rest of the commands authorization granularity will > be performed by the radius/tacacs server, based on the user's groups. Beware: Cisco does not support per-command authorisation via Radius - only TACACS. > > > Is this possible to implement? If yes, do you have some ideas, tips, > howtos? It's certainly possible to run a Radius server authenticating against Active Directory, and extract groups (subject to one minor caveat - see below). You'll have to write the config to map those groups to authz levels, but that's not usually hard. FreeRadius can do this trivially. I don't know much about TACACS but I can't imagine it's that hard to make a TACACS server talk to LDAP. N.B. Active Directory groups have one slightly funny aspect, which is that the "primary" group for a user object is *not* stored as a memberOf attribute - it's stored as the numerical RID of the group on the LDAP attribute, and can be difficult to match via LDAP. Also, nested groups are difficult to match via LDAP. From zivl at gilat.net Sun Aug 9 08:46:20 2009 From: zivl at gilat.net (Ziv Leyes) Date: Sun, 9 Aug 2009 15:46:20 +0300 Subject: [c-nsp] TACACS/RADUIS/AD In-Reply-To: <4A7EBC05.60000@imperial.ac.uk> References: <4A7EBC05.60000@imperial.ac.uk> Message-ID: Ok, guys, thanks for the answers, I'm now more confused than before ;-) Let's simplify it, I have cisco devices we authenticate locally on each device. 
We want to centralize the AAA on a server, so I thought to install a tac-plus or a freeradius on a linux box, so far not a problem, the problem is I don't want to make another user management because that won't be much different from managing local users on the devices, so I thought to make the tacacs or radius server interact with the AD/LDAP whatever Windows server that already exists and has by default a managed users list that is dynamically updated as new users come or old users leave.

This is the user and password used by everyone to log in to their workstations, so they all remember their password and it's a "secure" one (upper and lower case, numbers, special characters) which users are also requested to change every once in a while.

All I need is to see that the user exists and that the password is correct, I was thinking also to retrieve some kind of attribute that will allow me to match it against the tacacs/radius group and then set a sort of permission for the user, it could be per command based (better) or per general permission (have enable 15 or not)

Is this possible or too complicated?

Thanks,
Ziv

-----Original Message-----
From: David Barak [mailto:thegameiam at yahoo.com]
Sent: Sunday, August 09, 2009 3:07 PM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] TACACS/RADUIS/AD

A Cisco ACS can perform pass-through authentication against AD servers. There is a client which should be installed on the AD servers to do so. The only real gotcha with this is making sure your groups match. Other than that, it works like a champ. I have not tried to do this with any of the non-Cisco implementations of TACACS+.
-David Barak -----Original Message----- From: Phil Mayers [mailto:p.mayers at imperial.ac.uk] Sent: Sunday, August 09, 2009 3:08 PM To: Ziv Leyes Cc: 'Cisco-nsp' Subject: Re: [c-nsp] TACACS/RADUIS/AD Ziv Leyes wrote: > Hi all, > > I'm in need to implement an AAA method other than local for our Cisco > devices (routers/switches) > > I was thinking of using the already existing Active Directory, > because all people has an account there and a strict secure password > policy. > > Also when someone quits, their user is always removed from there but > I don't always get notifications about personnel changes so to manage > another independent user DB is not good for me. > > At the beginning I was thinking to directly connect the AD servers, > but this doesn't give me too much flexibility, I don't manage those > servers and I don't want to depend on others regarding the > authorizations. > > I was thinking about a server like radius or tacacs that will check > only the user authentication against the AD server and perhaps > retrieve a value of which group the user belongs to, let's say I only > need two or three degrees of authorization, (read-only, operator, and > admins). All the rest of the commands authorization granularity will > be performed by the radius/tacacs server, based on the user's groups. Beware: Cisco does not support per-command authorisation via Radius - only TACACS. > > > Is this possible to implement? If yes, do you have some ideas, tips, > howtos? It's certainly possible to run a Radius server authenticating against Active Directory, and extract groups (subject to one minor caveat - see below). You'll have to write the config to map those groups to authz levels, but that's not usually hard. FreeRadius can do this trivially. I don't know much about TACACS but I can't imagine it's that hard to make a TACACS server talk to LDAP. N.B. 
Active Directory groups have one slightly funny aspect, which is that the "primary" group for a user object is *not* stored as a memberOf attribute - it's stored as the numerical RID of the group on the LDAP attribute, and can be difficult to match via LDAP. Also, nested groups are difficult to match via LDAP.

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4319 (20090809) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

From thegameiam at yahoo.com Sun Aug 9 08:07:29 2009
From: thegameiam at yahoo.com (David Barak)
Date: Sun, 9 Aug 2009 05:07:29 -0700 (PDT)
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
Message-ID: <245035.47642.qm@web31808.mail.mud.yahoo.com>

A Cisco ACS can perform pass-through authentication against AD servers. There is a client which should be installed on the AD servers to do so. The only real gotcha with this is making sure your groups match. Other than that, it works like a champ. I have not tried to do this with any of the non-Cisco implementations of TACACS+.
-David Barak Ziv Leyes wrote: > Hi all, > I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches) > I was thinking of using the already existing Active Directory, because all people has an account there and a strict secure password policy. > Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me. > At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations. > I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups. > Is this possible to implement? If yes, do you have some ideas, tips, howtos? > Thanks in advance! > Regards, > Ziv > > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. 
> ************************************************************************************ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rwest at zyedge.com Sun Aug 9 10:25:06 2009 From: rwest at zyedge.com (Ryan West) Date: Sun, 9 Aug 2009 10:25:06 -0400 Subject: [c-nsp] TACACS/RADUIS/AD In-Reply-To: References: <4A7EBC05.60000@imperial.ac.uk> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local> Ziv, I think Phil pretty much covered everything already, it sounds like you're going to lean towards the tac-plus implementation. Here is a walkthrough for getting it going with backend LDAP authentication, there are some extra functions in his blog as well, like a TACACS log viewer: http://www.sweetfixes.com/blogs/robert/archive/2008/11/20/configuring-a-tacacs-server-on-ubuntu-8-10-linux.aspx I can't comment on the structure of your AD, but you can limit your query scope to a particular starting OU and avoid unwanted built-in accounts or sets of users. The rest of your command sets or privilege levels would be defined in the /etc/tacplus.conf file. -ryan From zivl at gilat.net Sun Aug 9 10:41:48 2009 From: zivl at gilat.net (Ziv Leyes) Date: Sun, 9 Aug 2009 17:41:48 +0300 Subject: [c-nsp] TACACS/RADUIS/AD In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local> References: <4A7EBC05.60000@imperial.ac.uk> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local> Message-ID: Thank you very much! 
That looks like something that will help me get started with

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Sunday, August 09, 2009 5:25 PM
To: Ziv Leyes
Cc: 'Cisco-nsp'
Subject: RE: [c-nsp] TACACS/RADUIS/AD

Ziv,

I think Phil pretty much covered everything already, it sounds like you're going to lean towards the tac-plus implementation. Here is a walkthrough for getting it going with backend LDAP authentication, there are some extra functions in his blog as well, like a TACACS log viewer:

http://www.sweetfixes.com/blogs/robert/archive/2008/11/20/configuring-a-tacacs-server-on-ubuntu-8-10-linux.aspx

I can't comment on the structure of your AD, but you can limit your query scope to a particular starting OU and avoid unwanted built-in accounts or sets of users. The rest of your command sets or privilege levels would be defined in the /etc/tacplus.conf file.

-ryan

From andy.saykao at staff.netspace.net.au Sun Aug 9 18:42:33 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 10 Aug 2009 08:42:33 +1000
Subject: [c-nsp] soft-disco/redirection
References:
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB04@vic-cr-ex1.staff.netspace.net.au>

We use SSG which is what Arie's talking about in this previous email. You basically tunnel users who haven't paid their bill to a SSG LNS router and lock them down to the dns and url's they can access.

You can read more about what some people do from this older post:
http://puck.nether.net/pipermail/cisco-bba/2007-November/000985.html

SSG information here:
http://www.cisco.com/en/US/tech/tk888/tk890/tsd_technology_support_protocol_home.html

Cheers.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From gsgranados at comcast.net Sun Aug 9 18:58:15 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Sun, 9 Aug 2009 15:58:15 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>
Message-ID: <00df01ca1944$e1a52ed0$bf00a8c0@am.thmulti.com>

Hi, just to follow up on this. Thanks to everyone who responded, this solution worked.
I adjusted the routes as Mike and Randy and others suggested and things seem to be working now. Thanks to everyone for the help Scott ----- Original Message ----- From: "Michael K. Smith - Adhost" To: "Scott Granados" ; Sent: Friday, August 07, 2009 2:40 PM Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Friday, August 07, 2009 1:47 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between > Cisco client andinside network? > > Hi, I'm having difficulties configuring VPN tunnels between a PC with > the > Cisco VPN client (windows XP) and an ASA5520. > > BACKGROUND > > I have an ASA5520 with a public interface of 206.x.x.232 and an inside > address of 10.18.14.6. The outside interface is connected to the > public > internet directly, the inside interface is attached to a switch with > layer 3 > capabilities and has an address of 10.18.14.1/24. The default route is > pointed to the public Internet gateway and the 10.18.0.0/16 network is > routed via the 10.18.14.1 inside address. The VPN device is running > version > 7 software (according to the VPN client log file). > > PROBLEM > > > When I initiate a connection from the PC to the public facing > interface > over an external network the session authenticates and reports > connected, > the client is assigned an address from the correct pool, but I'm not > able to > pass traffic. Looking at the stats the routes learned appear > (10.18.0.0/16) > or what ever routes I added to the split-tunnel network list. I do > notice > that the tunnel stats do not show the encrypted packet count increasing > so I > assume I'm not tagging something correctly or the ASA is confused about > what > to encrypt. 
I've been using the Cisco ASA configuration examples as a > starting point but think I'm missing the point somewhere. Any pointers > would be appreciated, config tidbits follow. > > split-tunnel ACL I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps. Regards, Mike From tom at snnap.net Sun Aug 9 22:01:34 2009 From: tom at snnap.net (Tom Storey) Date: Mon, 10 Aug 2009 11:01:34 +0900 (EIT) Subject: [c-nsp] Packet drops on MPLS xconnect Message-ID: <55338.172.25.144.4.1249869694.squirrel@imap.snnap.net> Hi all, I am experiencing packet drops in the tx direction of an MPLS based xconnect. The xconnect is between a 7304 NPE-G100 and a 7206VXR NPE-G1, and only seems to be an issue with tx from the 7304. rx on the 7304 is fine, and tx and rx on the 7206 are also fine. Moving the xconnect from the 7304 onto another 7206VXR NPE-G1 resolves the issue. Ive tried an IOS upgrade, reboot, rebuild of the xconnect, but to no avail. Ive also tried turning on various debug commands but wasnt able to obtain any usefil hints as to what the problem is. Here is part of the output of a "show mpls l2 vc detail" for the xconnect: VC statistics: packet totals: receive 545, send 485 byte totals: receive 72955, send 61850 packet drops: receive 0, seq error 0, send 60 This was captured after the reboot so there isnt much happening, but you can see there are tx packet drops. 
I've used various debug commands to try and get something to work on, including the following:

debug mpls l2 vc event
debug mpls l2 vc fsm
debug mpls l2transport signaling message
debug mpls l2 packet error

I was hoping the last one would reveal something interesting, but I only seemed to get output from the first 1-2 commands.

The xconnect establishes with no problems, and it will stay up, it just seems to be dropping packets for some reason.

Is anyone familiar with the causes of these types of issues and what else can be looked at/debugged and how to resolve it?

Thanks,
Tom

From tom at snnap.net Sun Aug 9 22:30:58 2009
From: tom at snnap.net (Tom Storey)
Date: Mon, 10 Aug 2009 11:30:58 +0900 (EIT)
Subject: [c-nsp] Packet drops on MPLS xconnect
Message-ID: <53380.172.25.144.4.1249871458.squirrel@imap.snnap.net>

Never mind, I reckon I've got it sorted. MTU strikes again. :-)

> Hi all,
>
> I am experiencing packet drops in the tx direction of an MPLS based xconnect.
>
> The xconnect is between a 7304 NPE-G100 and a 7206VXR NPE-G1, and only seems to be an issue with tx from the 7304. rx on the 7304 is fine, and tx and rx on the 7206 are also fine.
>
> Moving the xconnect from the 7304 onto another 7206VXR NPE-G1 resolves the issue.
>
> I've tried an IOS upgrade, reboot, rebuild of the xconnect, but to no avail.
>
> I've also tried turning on various debug commands but wasn't able to obtain any useful hints as to what the problem is.
>
> Here is part of the output of a "show mpls l2 vc detail" for the xconnect:
>
> VC statistics:
>   packet totals: receive 545, send 485
>   byte totals: receive 72955, send 61850
>   packet drops: receive 0, seq error 0, send 60
>
> This was captured after the reboot so there isn't much happening, but you can see there are tx packet drops.
>
> I've used various debug commands to try and get something to work on, including the following:
>
> debug mpls l2 vc event
> debug mpls l2 vc fsm
> debug mpls l2transport signaling message
> debug mpls l2 packet error
>
> I was hoping the last one would reveal something interesting, but I only seemed to get output from the first 1-2 commands.
>
> The xconnect establishes with no problems, and it will stay up, it just seems to be dropping packets for some reason.
>
> Is anyone familiar with the causes of these types of issues and what else can be looked at/debugged and how to resolve it?
>
> Thanks,
> Tom
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From brett at looney.id.au Sun Aug 9 19:27:47 2009
From: brett at looney.id.au (Brett Looney)
Date: Mon, 10 Aug 2009 07:27:47 +0800
Subject: [c-nsp] TACACS/RADUIS/AD
References: <4A7EBC05.60000@imperial.ac.uk>
Message-ID: <04cc01ca1949$06672350$133569f0$@id.au>

> Let's simplify it,
> I have cisco devices we authenticate locally on each device.
> We want to centralize the AAA on a server, so I thought to
> install a tac-plus or a freeradius on a linux box,

You can do (almost) everything you want by using the IAS (Internet Authentication Service - the badly named RADIUS server) that is included with your Windows servers. You can create groups; set up those groups so that different authentication parameters are returned; set up command groups with different "enable" levels on the devices and have your different levels of authorisation. It isn't the simplest setup but I have done it before and it works fine. It avoids having to have another server in the mix; it is free (which is good for most people); and if you want redundancy you can simply set up IAS on multiple AD servers and point your devices to them as you see fit.
The only downside is you can't do per-command authorisation because RADIUS doesn't support that.

B.

From mtinka at globaltransit.net Sun Aug 9 23:26:49 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 10 Aug 2009 11:26:49 +0800
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
In-Reply-To: <4A7B02DE.6040601@nexus6.co.za>
References: <4A7B02DE.6040601@nexus6.co.za>
Message-ID: <200908101126.56928.mtinka@globaltransit.net>

On Friday 07 August 2009 12:20:46 am Andy Ashley wrote:

> I noticed that the BGP sessions had high InQ and OutQ values of 300+ where they usually sit at 0 and router was generally not very responsive on the command line.

Sounds like an MTU issue between your BGP speakers.

Can you verify the negotiated MSS over the BGP session and ensure all transit interfaces can actually support that value, at a minimum?:

#sh ip bgp neighbors 1.2.3.4 | i Datagram
Datagrams (max data segment is 1500 bytes):
#

Cheers,

Mark.

From jckdaniels12 at gmail.com Mon Aug 10 00:55:24 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 10:25:24 +0530
Subject: [c-nsp] ALARM CARD ERROR
Message-ID: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>

Hi All

I'm getting the below error on GSR 12416 ALARM CARD - IOS 12.0(32)SY6

WARNING: Unknown MBUS agent controller type, slot 24
Contact your technical support representative.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Hi All,

We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
------------
Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.

Please advise if this solution will work. Also advise if there is any better solution for this scenario.

Thanks and Regards
J.Daniels

From affanzbasalamah at gmail.com Mon Aug 10 01:46:46 2009
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Mon, 10 Aug 2009 12:46:46 +0700
Subject: [c-nsp] TestMacNotification test problem on 7600 SRC3, SUP720-3B, X6748-DFC3B

Hi all,

I would like to know what problems usually happen to the router (7600 SRC3, SUP720-3B, X6748-DFC) which most of the time is failing the TestMacNotification diagnostic test.

Router# sh diagnostic result module 3 detail

12) TestMacNotification -------------> .
Error code ------------------> 1 (DIAG_FAILURE)
Total run count -------------> 13
Last test execution time ----> Aug 10 2009 11:39:09
First test failure time -----> Aug 10 2009 11:20:28
Last test failure time ------> Aug 10 2009 11:39:09
Last test pass time ---------> Aug 10 2009 11:31:58
Total failure count ---------> 7
Consecutive failure count ---> 3

And sometimes the linecard is failing the test consecutively and makes the linecard reset.

Please help me to troubleshoot this problem.

Thanks!
-affan

From brett at looney.id.au Mon Aug 10 03:49:24 2009
From: brett at looney.id.au (Brett Looney)
Date: Mon, 10 Aug 2009 15:49:24 +0800
Subject: [c-nsp] TACACS/RADUIS/AD
References: <4A7EBC05.60000@imperial.ac.uk> <04cc01ca1949$06672350$133569f0$@id.au> <052d01ca198b$4c49bd50$e4dd37f0$@id.au>
Message-ID: <053401ca198f$19175e20$4b461a60$@id.au>

Just to keep the list archives up-to-date with things so that other people can benefit:

Between us, Ziv came up with this link:

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

And there is a much older guide on the Cisco website:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

B.

From david.freedman at uk.clara.net Mon Aug 10 06:32:21 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 11:32:21 +0100
Subject: [c-nsp] TACACS/RADUIS/AD

You can also use the RADIATOR radius server (http://www.open.com.au/radiator/) which is as flexible (if not more IMHO) as freeradius and has the added benefit of a TACACS+ interface to routers. It is written in and configured with PERL.

Unfortunately, it costs money (but the sum is trivial for the functionality AFAIK)

Dave

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)
>
> I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
>
> Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.
>
> I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization (read-only, operator, and admins). All the rest of the command authorization granularity will be performed by the radius/tacacs server, based on the user's groups.
>
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?
>
> Thanks in advance!
>
> Regards,
>
> Ziv

From david.freedman at uk.clara.net Mon Aug 10 06:33:32 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 11:33:32 +0100
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
Message-ID: <4A7FF77C.6000703@uk.clara.net>

If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?

Dave.

jack daniels wrote:
> Hi All,
>
> We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
> Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
> ------------
>
> Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>
> Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>
> Thanks and Regards
> J.Daniels

From jckdaniels12 at gmail.com Mon Aug 10 07:19:24 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 16:49:24 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <4A7FF77C.6000703@uk.clara.net>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net>
Message-ID: <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>

Hi,

Customer---ISP1---ISP2---Internet

Using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".

The following conditions apply:
If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers. This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Please advise how to go for this.

Regards
J.Daniels

On 8/10/09, David Freedman wrote:
>
> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>
> Dave.
>
> jack daniels wrote:
> > Hi All,
> >
> > We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
> > Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
> > ------------
> >
> > Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
> >
> > Please advise if this solution will work. Also advise if there is any better solution for this scenario.
> >
> > Thanks and Regards
> > J.Daniels

From jckdaniels12 at gmail.com Mon Aug 10 07:59:23 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 17:29:23 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
Message-ID: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>

Hi,

Just to be more specific on the solution requirement -

Customer---ISP1---ISP2---Internet

The Internet should not see the ISP1 AS number. I'm looking for an L3 solution.

Thanks and Regards
J.daniels

On 8/10/09, jack daniels wrote:
> Hi,
>
> Customer---ISP1---ISP2---Internet
>
> Using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".
>
> The following conditions apply:
> If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers. This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> Please advise how to go for this.
> Regards
> J.Daniels
>
> On 8/10/09, David Freedman wrote:
>>
>> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>>
>> Dave.
>>
>> jack daniels wrote:
>> > Hi All,
>> >
>> > We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
>> > Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
>> > ------------
>> >
>> > Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>> >
>> > Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>> >
>> > Thanks and Regards
>> > J.Daniels

From td_miles at yahoo.com Mon Aug 10 08:43:59 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 10 Aug 2009 05:43:59 -0700 (PDT)
Subject: [c-nsp] cross-vrf tunnels
Message-ID: <795601.43456.qm@web110114.mail.gq1.yahoo.com>

Hi all,

I want to route traffic from one VRF to another VRF on the same router.
I did some searching and came across a prior discussion of this very same topic:

http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html

So I decided to create a tunnel between two VRF's on the same box using loopback addresses for the tunnels.

I set it all up and I can ping from the IP of one end of the tunnel in one VRF to the other end of the tunnel in the second VRF.

The problem I have is that traffic from other sources isn't going over the tunnel properly.

The config looks something like this:

!
interface Loopback 501
 ip address 10.1.41.201 255.255.255.255
!
interface Loopback 502
 ip address 10.1.41.202 255.255.255.255
!
interface Tunnel 501
 ip vrf forwarding vrf1
 ip address 10.1.41.197 255.255.255.252
 tunnel source Loopback 501
 tunnel destination 10.1.41.202
!
interface Tunnel 502
 ip vrf forward vrf2
 ip address 10.1.41.198 255.255.255.252
 tunnel source Loopback 502
 tunnel destination 10.1.41.201
!

I setup a test lab with a 2611 router either side of a 7206 running 12.2(33)SRC (which is doing the VRF crossover). It's all ethernet, no BGP, just two local VRF's on the 7200, nothing fancy.

When I attempt to ping the 2611 router on the other side (via my loopback tunnel crossover connection) I get no response.

If I look at the stats on the tunnel interface it's as if the traffic isn't going into the tunnel. The input and output counters are all staying the same. This contrasts to when I ping directly from one end of the tunnel to the other as the counters do increase (and I get responses back).

If I enable some debug, I get the following:
* Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
* CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason

Which shows that my packet across the tunnel is being dropped, but I don't know why.

When I do the ping direct from one tunnel end IP to the other, I see the normal sequence of events I would expect (packet routed via RIB, packet goes into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).

Is this supposed to work? Does anyone else have it working? What might I be doing wrong?

Many thanks,
Tony.

From Jeff.Wojciechowski at midlandpaper.com Mon Aug 10 08:53:08 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Mon, 10 Aug 2009 07:53:08 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <1249731409.3129.29.camel@abehat.net.rm.dk>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com> <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com> <1249731409.3129.29.camel@abehat.net.rm.dk>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58EB5@XBOX.midlandpaper.com>

Thanks Peter. I appreciate the insight.

-Jeff

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk]
Sent: Saturday, August 08, 2009 6:37 AM
To: Jeff Wojciechowski
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSLAs with OpenNMS or Other?

I'll give it a shot, even though we don't really have a planned professional setup. :-)

We only use the data for internal purposes. We're an enterprise and our SLAs (OLAs) currently do not require us to present any data on latency/jitter/loss. We use Cacti to graph the results.

For voice circuits we typically measure "standard" 20 packets, 192 bytes payload, 20 ms interval with a jitter probe. We always use both an EF-marked and a DSCP0-marked.

For data circuit quality we use N x 1000 packets, 384 bytes payload, 50 ms interval, also a jitter probe. This means they run for a longer time and thus will catch the extreme jitter. OTOH it gives a good picture of the base line.
Regarding the questions:

> 1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

I'd locate the measuring unit as close to the phone system as possible, unless of course your part of the responsibility only goes to the edge router.

> 2) Any gotchas that I need to look out for? (False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

We often use 3560 and 3750 switches as responders (they happen to be in the right place) and see very varying quality compared to a 2800 in the same place. I guess that's because of a slow processor or something.

> 3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate the monitor on the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

I seem to remember that the 2800 requires an Enterprise Base license to run IP SLA probes. I don't know about 3560 since we only use those as responders. I think almost all currently available IOS versions support either "rtr" or "ip sla monitor" and a jitter probe.

> 4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

Cacti works very well for us.

> 5) Suggested intervals, packet sizes, anything else of each test?

We largely went for the defaults believing (possibly naively) that this would follow some "industry standard".

Regards,
Peter

From jfitz at Princeton.EDU Mon Aug 10 09:24:22 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 10 Aug 2009 09:24:22 -0400
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
References: <795601.43456.qm@web110114.mail.gq1.yahoo.com>

I believe your problem is that both ends of the tunnel have the same mac address causing arp to fail. You can change one end and it should work.

I had a similar problem with VRF path back to global on the same router, but I had to use the physical interfaces to get around the "single lookup in cef issue".

Jeff Fitzwater
OIT Network Systems
Princeton University

On Aug 10, 2009, at 8:43 AM, Tony wrote:

> Hi all,
>
> I want to route traffic from one VRF to another VRF on the same router. I did some searching and came across a prior discussion of this very same topic:
>
> http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
>
> So I decided to create a tunnel between two VRF's on the same box using loopback addresses for the tunnels.
>
> I set it all up and I can ping from the IP of one end of the tunnel in one VRF to the other end of the tunnel in the second VRF.
>
> The problem I have is that traffic from other sources isn't going over the tunnel properly.
>
> The config looks something like this:
>
> !
> interface Loopback 501
>  ip address 10.1.41.201 255.255.255.255
> !
> interface Loopback 502
>  ip address 10.1.41.202 255.255.255.255
> !
> interface Tunnel 501
>  ip vrf forwarding vrf1
>  ip address 10.1.41.197 255.255.255.252
>  tunnel source Loopback 501
>  tunnel destination 10.1.41.202
> !
> interface Tunnel 502
>  ip vrf forward vrf2
>  ip address 10.1.41.198 255.255.255.252
>  tunnel source Loopback 502
>  tunnel destination 10.1.41.201
> !
>
> I setup a test lab with a 2611 router either side of a 7206 running 12.2(33)SRC (which is doing the VRF crossover).
> It's all ethernet, no BGP, just two local VRF's on the 7200, nothing fancy.
>
> When I attempt to ping the 2611 router on the other side (via my loopback tunnel crossover connection) I get no response.
>
> If I look at the stats on the tunnel interface it's as if the traffic isn't going into the tunnel. The input and output counters are all staying the same. This contrasts to when I ping directly from one end of the tunnel to the other as the counters do increase (and I get responses back).
>
> If I enable some debug, I get the following:
> * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason
>
> Which shows that my packet across the tunnel is being dropped, but I don't know why.
>
> When I do the ping direct from one tunnel end IP to the other, I see the normal sequence of events I would expect (packet routed via RIB, packet goes into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).
>
> Is this supposed to work? Does anyone else have it working? What might I be doing wrong?
>
> Many thanks,
> Tony.

From david.freedman at uk.clara.net Mon Aug 10 09:24:20 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 14:24:20 +0100
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
Message-ID: <4A801F84.9000104@uk.clara.net>

Well, not sure how your solution would work, the dual-as configuration will not achieve this unless it is between ISP2 and ISP1 which is unlikely to be the case.

ISP2 will not accept the customer's in updates directly from ISP1 without disabling "bgp enforce-first-as" which it is unlikely to want to do.

jack daniels wrote:
> Hi,
>
> Just to be more specific on the solution requirement -
>
> Customer---ISP1---ISP2---Internet
>
> The Internet should not see the ISP1 AS number. I'm looking for an L3 solution.
>
> Thanks and Regards
> J.daniels
>
> On 8/10/09, jack daniels wrote:
>
>> Hi,
>>
>> Customer---ISP1---ISP2---Internet
>>
>> Using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".
>>
>> The following conditions apply:
>> If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers.
>> This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>
>> Please advise how to go for this.
>> Regards
>> J.Daniels
>>
>> On 8/10/09, David Freedman wrote:
>>> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>>>
>>> Dave.
>>>
>>> jack daniels wrote:
>>>> Hi All,
>>>>
>>>> We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
>>>> Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
>>>> ------------
>>>>
>>>> Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>>>>
>>>> Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>>>>
>>>> Thanks and Regards
>>>> J.Daniels

From markom at markom.info Mon Aug 10 09:36:38 2009
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 10 Aug 2009 13:36:38 +0000
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>

You can use CSC in ISP1 and run BGP directly between Customer and ISP2.

On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> Hi,
>
> Just to be more specific on the solution requirement -
>
> Customer---ISP1---ISP2---Internet
>
> The Internet should not see the ISP1 AS number. I'm looking for an L3 solution.

From frosya84 at mail.ru Mon Aug 10 09:42:47 2009
From: frosya84 at mail.ru (Ольга Ружанская)
Date: Mon, 10 Aug 2009 17:42:47 +0400
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3

Hi,

We are using 12.2(31)SB11 for 7206VXR (G1/G2). Maybe a little old, but BGP sessions and EVC (xconnect) are stable enough on it.
Instead of RADIUS we're using TACACS.

Best regards,
Olga

From frosya84 at mail.ru Mon Aug 10 10:10:57 2009
From: frosya84 at mail.ru (Ольга Ружанская)
Date: Mon, 10 Aug 2009 18:10:57 +0400
Subject: [c-nsp] MPLS QoS at SPA-5X1GE-V2, SIP 400, 7604RSP720 (Ruzhanskaya Olga)
Message-ID:

Hello List!

In our MPLS network we use 7604RSP720 with SPA-5X1GE-V2 installed in SIP 400
as PE router, where clients' services terminate. As in MPLS edge, we perform
"typical" traffic classification and marking. Standard policy-map looks like
this (matching based on DSCP, marking with MPLS EXP):

  Policy Map Network-VoIP-In
    Class qos-realtime
      set mpls experimental imposition 5
    ...
    Class class-default
      set mpls experimental imposition 0

  Class Map match-any qos-realtime (id 21)
    Match ip dscp ef (46)

For example, we have two subinterfaces, gi3/0/0.210 and gi3/0/0.211. Both of
them have a policy-map like the described one. If packet enters gi3/0/0.210
with DSCP=EF and goes to gi3/0/0.211, it appears with DSCP=CS5. Is this normal?
For 76x, it is. Because of 76x platform QoS realization, for traffic local to
the router (IP-IP) the router overwrites DSCP value of packet when such a
policy-map is in use:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/mplsqos.html#wp1475897

I've even opened a case, but the best proposed approach was to distinguish
IP-IP traffic and IP-MPLS traffic with ACL. This is a bad solution for us:
increased load on router, much hand-work, and we have hundreds of such
circuits..

We are trying to resolve this problem from April - and no sufficient
solution.. Maybe someone has resolved this?

P.S. "no mls qos rewrite ip dscp" doesn't work properly on PFC MPLS, already
tried.

Best regards,
Olga

From linux.yahoo at gmail.com Mon Aug 10 10:51:39 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 10 Aug 2009 16:51:39 +0200
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>
Message-ID: <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>

Cisco Best Practice will be to use PAgP if you want to avoid the VSS
dual-active scenario (better than BFD)

On Thu, Aug 6, 2009 at 1:50 AM, Ivan wrote:
> Cisco VSS best practice document states
>
> Recommendations
> * Always run L2 or L3 MEC.
> * Do not use on and off options with PAgP or LACP or Trunk
>   protocol negotiation.
>   o PAgP - Run Desirable-Desirable with MEC links.
>   o LACP - Run Active-Active with MEC links.
>   o Trunk - Run Desirable-Desirable with MEC links.
>
>
> http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml
>
> There is not really any explanation of the reasoning behind these
> recommendations. If anyone can explain the rationale that would be great.
> I would also be interested to hear what settings people are using in
> production, why and how that is going.
>
> Generally in non VSS setups I have found setting links explicitly to trunk
> mode and as etherchannel members has been reliable and would like to
> understand why they are not recommended above.
>
> Thanks
>
> Ivan
>

From jckdaniels12 at gmail.com Mon Aug 10 11:00:41 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 20:30:41 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To:
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
	<4A7FF77C.6000703@uk.clara.net>
	<8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
	<8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
Message-ID: <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>

Hi Mark,

can you please put more light on the example you proposed.

Thanks and Regards
J.Daniels

On 8/10/09, Marko Milivojevic wrote:
>
> You can use CSC in ISP1 and run BGP directly between Customer and ISP2.
>
> On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> > Hi ,
> >
> > Just to be more specific on the solution requirement -
> >
> > Customer---ISP1---ISP2---Internet
> >
> >
> > Internet should not see ISP1 AS number. I'm looking for L3 solution.
>

From linux.yahoo at gmail.com Mon Aug 10 11:51:22 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 10 Aug 2009 17:51:22 +0200
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
References: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
Message-ID: <7100ed370908100851w734a1907s66f6bfd0e5694a01@mail.gmail.com>

You can do it just by using Routing Target Import / Export Communities

On Mon, Aug 10, 2009 at 2:43 PM, Tony wrote:
> Hi all,
>
> I want to route traffic from one VRF to another VRF on the same router. I
> did some searching and came across a prior discussion of this very same
> topic:
>
> http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
>
> So I decided to create a tunnel between two VRF's on the same box using
> loopback addresses for the tunnels.
>
> I set it all up and I can ping from the IP of one end of the tunnel in one
> VRF to the other end of the tunnel in the second VRF.
>
> The problem I have is that traffic from other sources isn't going over the
> tunnel properly.
>
> The config looks something like this:
>
> !
> interface Loopback 501
>  ip address 10.1.41.201 255.255.255.255
> !
> interface Loopback 502
>  ip address 10.1.41.202 255.255.255.255
> !
> interface Tunnel 501
>  ip vrf forwarding vrf1
>  ip address 10.1.41.197 255.255.255.252
>  tunnel source Loopback 501
>  tunnel destination 10.1.41.202
> !
> interface Tunnel 502
>  ip vrf forwarding vrf2
>  ip address 10.1.41.198 255.255.255.252
>  tunnel source Loopback 502
>  tunnel destination 10.1.41.201
> !
>
> I setup a test lab with a 2611 router either side of a 7206 running
> 12.2(33)SRC (which is doing the VRF crossover). It's all ethernet, no BGP,
> just two local VRF's on the 7200, nothing fancy.
>
> When I attempt to ping the 2611 router on the other side (via my loopback
> tunnel crossover connection) I get no response.
>
> If I look at the stats on the tunnel interface it's as if the traffic isn't
> going into the tunnel. The input and output counters are all staying the
> same. This contrasts to when I ping directly from one end of the tunnel to
> the other as the counters do increase (and I get responses back).
>
> If I enable some debug, I get the following:
> * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified
>   reason
>
> Which shows that my packet across the tunnel is being dropped, but I don't
> know why.
>
> When I do the ping direct from one tunnel end IP to the other, I see the
> normal sequence of events I would expect (packet routed via RIB, packet goes
> into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).
>
> Is this supposed to work? Does anyone else have it working? What might I
> be doing wrong?
>
> Many thanks,
> Tony.
>

From jon at defenderhosting.com Mon Aug 10 11:52:30 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 11:52:30 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
Message-ID: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com>

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
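An added triage example for the debug output Jon posted above; it is not code from the post, from Cisco, or from anyone on the list. It parses IOS "debug ip ssh" lines into sessions and reports the stage at which each session died. The sample contains Jon's five lines (session 5) plus a constructed session 6 that gets past the host-key signature, so the two outcomes can be compared; the follow-up commands named in next_check() are standard IOS commands suggested here, not taken from the thread.

```python
"""Triage of IOS 'debug ip ssh' output: split lines into sessions and
report where in the handshake each session failed."""
import re
from collections import defaultdict

# Constructed sample: the five lines from the post (session 5) plus a
# constructed healthy session 6 that is NOT from the post.
SAMPLE_DEBUG = """\
Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
Aug 10 11:30:02 EST: SSH6: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:30:02 EST: SSH6: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:30:03 EST: SSH2 6: kexinit sent
Aug 10 11:30:03 EST: SSH2 6: SSH2_MSG_KEXINIT received
"""

# 'SSH<n>:' is the generic session layer, 'SSH2 <n>:' the SSH-2 layer. The
# optional '2 ' group requires the space, so 'SSH25:' parses as session 25.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+): "
    r"SSH(?:(?P<layer>2) )?(?P<sess>\d+): (?P<msg>.*)$"
)

# Fragments that identify a server-side host key problem: the SSH server
# found no RSA private key under the name it expected to sign with.
HOST_KEY_FAILURES = ("RSA_sign: private key not found",
                     "signature creation failed")


def parse_debug(text):
    """Turn raw debug text into a list of event dicts, skipping non-SSH lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({"ts": m["ts"],
                           "session": int(m["sess"]),
                           "layer": "ssh2" if m["layer"] else "generic",
                           "msg": m["msg"]})
    return events


def diagnose(text):
    """Per session id: whether the version exchange completed, whether the
    session was torn down, and a verdict code."""
    per_session = defaultdict(list)
    for ev in parse_debug(text):
        per_session[ev["session"]].append(ev["msg"])
    report = {}
    for sess, msgs in per_session.items():
        version_ok = any(m.startswith("protocol version id is") for m in msgs)
        host_key_failed = any(f in m for m in msgs for f in HOST_KEY_FAILURES)
        disconnected = any(m.startswith("Session disconnected") for m in msgs)
        if host_key_failed:
            verdict = "host-key-missing"
        elif disconnected:
            verdict = "disconnected"
        else:
            verdict = "ok"
        report[sess] = {"version_exchange_ok": version_ok,
                        "disconnected": disconnected,
                        "verdict": verdict}
    return report


def next_check(verdict):
    """Operator follow-up per verdict (standard IOS commands, not from the post)."""
    return {
        "host-key-missing": (
            "show crypto key mypubkey rsa: the default keypair is named "
            "<hostname>.<domain-name>, so confirm one exists under the current "
            "name, or pin a labelled pair with 'ip ssh rsa keypair-name <label>'"),
        "disconnected": "compare the client and server kex/cipher offers in the debug",
        "ok": "no action",
    }[verdict]


if __name__ == "__main__":
    for sess, info in sorted(diagnose(SAMPLE_DEBUG).items()):
        print(f"session {sess}: {info} -> {next_check(info['verdict'])}")
```

The verdict for session 5 is reached after a successful version exchange, which is why the failure points at the server's own key store rather than at the client. Regenerating the key, as Paul suggests, also changes the switch's host key fingerprint, so every client's known_hosts entry has to be updated deliberately; a fingerprint that changes when nobody regenerated anything is the cue to stop and investigate rather than accept.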
From jon at defenderhosting.com Mon Aug 10 12:19:37 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 12:19:37 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <002001ca19d6$16a5a290$43f0e7b0$@org>
Message-ID: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>

Hi Paul-

The funny thing is this is the only switch causing problems. We changed
the hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"


----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg" , cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From rwest at zyedge.com Mon Aug 10 12:23:58 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 10 Aug 2009 12:23:58 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
References: <002001ca19d6$16a5a290$43f0e7b0$@org>
	<305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2EDF@zy-ex1.zyedge.local>

I hate to mention this as an option, but have you rebooted it yet?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed
the hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"


----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg" , cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From jon at defenderhosting.com Mon Aug 10 11:34:26 2009
From: jon at defenderhosting.com (jon at defenderhosting.com)
Date: Mon, 10 Aug 2009 11:34:26 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions
In-Reply-To: <446521240.2143611249918367658.JavaMail.root@mail.dtgmail.com>
Message-ID: <1704111585.2143691249918466670.JavaMail.root@mail.dtgmail.com>

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
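Returning to the HIDE AS thread above (jack daniels' local-as / replace-as proposal, the quoted remove-private-as condition, and David Freedman's enforce-first-as objection), here is an added example that is not from the thread or from Cisco: a small Python model of the AS_PATH operations involved, walked through the Customer---ISP1---ISP2---Internet topology. ASNs 100, 200, 300 and 65001 are constructed placeholders for Customer, ISP1, ISP2 and ISP1's private AS.

```python
"""AS_PATH handling for the HIDE AS thread: local-as / no-prepend /
replace-as, the classic remove-private-as rule, and enforce-first-as,
modelled in plain Python."""

# 16-bit private ASN block (RFC 6996): 64512-65534 inclusive.
PRIVATE_AS = range(64512, 65535)

# Constructed ASNs for Customer---ISP1---ISP2---Internet (not from the thread).
CUSTOMER_AS, ISP1_AS, ISP2_AS, ISP1_PRIVATE_AS = 100, 200, 300, 65001


def is_private_as(asn):
    return asn in PRIVATE_AS


def receive(as_path, local_as=None, no_prepend=False):
    """Inbound: 'neighbor X local-as L' also prepends L to paths learned
    from X; 'no-prepend' suppresses that."""
    if local_as is not None and not no_prepend:
        return [local_as] + list(as_path)
    return list(as_path)


def advertise(as_path, real_as, local_as=None, replace_as=False):
    """Outbound: the default prepends the real AS; 'local-as L' prepends L
    and the real AS; 'replace-as' prepends only L, so the real AS never
    appears in the path sent to that neighbor."""
    if local_as is None:
        return [real_as] + list(as_path)
    if replace_as:
        return [local_as] + list(as_path)
    return [local_as, real_as] + list(as_path)


def remove_private_as(as_path):
    """'neighbor X remove-private-as' as quoted in the thread: private ASNs
    are stripped only when the learned path holds nothing but private ASNs;
    a mixed private/public path is left untouched (a configuration error)."""
    if as_path and all(is_private_as(a) for a in as_path):
        return []
    return list(as_path)


def enforce_first_as(as_path, configured_remote_as):
    """'bgp enforce-first-as': an eBGP update is accepted only if the first
    ASN in AS_PATH is the AS the session is configured with."""
    return bool(as_path) and as_path[0] == configured_remote_as


def hide_isp1_with_local_as():
    """Walk the proposal through the model and report what the Internet
    would see and what ISP2's first-AS check does."""
    # Customer originates its prefix: AS_PATH = [CUSTOMER_AS].
    customer_announces = advertise([], CUSTOMER_AS)
    # ISP1's session to the customer: local-as 65001 no-prepend replace-as.
    at_isp1 = receive(customer_announces, local_as=ISP1_PRIVATE_AS, no_prepend=True)
    # ISP1's session to ISP2 uses the same private local-as with replace-as;
    # ISP2 sees [65001, 100] and must have configured remote-as 65001.
    to_isp2 = advertise(at_isp1, ISP1_AS, local_as=ISP1_PRIVATE_AS, replace_as=True)
    isp2_accepts = enforce_first_as(to_isp2, ISP1_PRIVATE_AS)
    # ISP2 tries to strip the private ASN toward the Internet. The learned
    # path mixes 65001 with the public customer AS, so nothing is removed
    # and ISP2 then prepends its own AS.
    to_internet = advertise(remove_private_as(to_isp2), ISP2_AS)
    # David Freedman's objection: if ISP1 instead passed the customer's path
    # through untouched while ISP2's session is configured with remote-as
    # 200 (ISP1's real AS), enforce-first-as rejects the update.
    passthrough_accepted = enforce_first_as(list(at_isp1), ISP1_AS)
    return {
        "to_isp2": to_isp2,
        "isp2_accepts": isp2_accepts,
        "to_internet": to_internet,
        "private_as_leaked": any(is_private_as(a) for a in to_internet),
        "passthrough_accepted": passthrough_accepted,
    }


if __name__ == "__main__":
    for key, value in hide_isp1_with_local_as().items():
        print(f"{key}: {value}")
```

The model applies remove-private-as to the path as learned, before the advertising router prepends its own AS, which is why the mixed path [65001, 100] survives to the Internet as [300, 65001, 100]. enforce-first-as is kept in the model as the check it is in practice: it is what stops a neighbor from announcing paths that claim to come from an AS the session was not configured for, and it is the reason ISP2 would not turn it off for this design.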
From ip at ioshints.info Mon Aug 10 12:30:30 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 10 Aug 2009 18:30:30 +0200
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
	<4A7FF77C.6000703@uk.clara.net>
	<8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
	<8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
	<8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>
Message-ID: <004b01ca19d7$e139e010$0a00000a@nil.si>

Much easier: run multihop EBGP session between Customer and ISP2 (plus the
regular EBGP session Customer-ISP1). Just make sure something reachable
within ISP1 is announced as the next-hop.

> -----Original Message-----
> From: jack daniels [mailto:jckdaniels12 at gmail.com]
> Sent: Monday, August 10, 2009 5:01 PM
> To: Marko Milivojevic
> Cc: Cisco-NSP
> Subject: Re: [c-nsp] HIDE AS BGP
>
> Hi Mark,
>
> can you please put more light on the example you proposed.
>
> Thanks and Regards
> J.Daniels
>
>
> On 8/10/09, Marko Milivojevic wrote:
> >
> > You can use CSC in ISP1 and run BGP directly between Customer and ISP2.
> >
> > On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> > > Hi ,
> > >
> > > Just to be more specific on the solution requirement -
> > >
> > > Customer---ISP1---ISP2---Internet
> > >
> > >
> > > Internet should not see ISP1 AS number. I'm looking for L3 solution.
> >
>

From jon at defenderhosting.com Mon Aug 10 12:41:38 2009
From: jon at defenderhosting.com (jon at defenderhosting.com)
Date: Mon, 10 Aug 2009 12:41:38 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <233097658.2149811249922487269.JavaMail.root@mail.dtgmail.com>
Message-ID: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>

Hi Ryan/Paul-

Not without scheduling a maintenance window which I was hoping to avoid.
I am sure a reload would fix the problem as I'd also use it as an
opportunity to upgrade the code since I am a half dozen revs behind and
have switches running newer versions without any stability issues.


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"


----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg"
Cc: cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

That is very strange.... are you able to kick the switch (power cycle) to
see if it resolves or not? I know you shouldn't have to but I'm out of
answers too ;)

-----Original Message-----
From: Jon Wolberg [mailto:jon at defenderhosting.com]
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed
the hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"


----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg" , cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From dudepron at gmail.com Mon Aug 10 12:45:05 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 10 Aug 2009 12:45:05 -0400
Subject: [c-nsp] ALARM CARD ERROR
In-Reply-To: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>
References: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>
Message-ID: <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com>

Open a tac case.
On Mon, Aug 10, 2009 at 00:55, jack daniels wrote:
> Hi All
>
> I'm getting below error on GSR 12416 ALARM CARD -
>
> IOS 12.0(32)SY6
>
>
>
> WARNING: Unknown MBUS agent controller type, slot 24
> Contact your technical support
> representative.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
>
> sh diag 24
>
> SLOT 24  (ALM 0 ): Alarm Module(16)
>   MAIN: type 64,  800-5570-05 rev C0
>         Deviation: 0
>         HW config: 0x00    SW key: 00-00-00
>   PCA:  73-4266-04 rev B0 ver 3
>         Design Release 1.0  S/N SAL1250CZJ9
>   MBUS: Unknown (0)  00-0000-00 rev 70 dev 0
>         HW version 1.2  S/N SAL1248BSQ5
>         Test hist: 0x00    RMA#: 00-00-00    RMA hist: 0x00
>   DIAG: Test count: 0x00000000    Test results: 0x00000000
>   FRU:  Linecard/Module: GSR16-ALRM=
>   MBUS Agent Software version 2.68 (RAM) (ROM version is 3.66)
>
>
>
>
> sh gsr
>   Slot 0  type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>           subslot 0/1: Empty
>           subslot 0/2: Empty
>           subslot 0/3: Empty
>   Slot 5  type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 5/0: SPA-2XOC48POS/RPR (0x46F), status is ok
>           subslot 5/1: SPA-5X1GE-V2 (0x50A), status is ok
>           subslot 5/2: Empty
>           subslot 5/3: Empty
>   Slot 6  type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 6/0: SPA-4XT3/E3 (0x40B), status is ok
>           subslot 6/1: SPA-4XT3/E3 (0x40B), status is ok
>           subslot 6/2: SPA-8XOC3-POS (0x505), status is ok
>           subslot 6/3: SPA-8XOC3-POS (0x505), status is ok
>   Slot 7  type = Performance Route Processor
>           state = ACTV RP     IOS Running    ACTIVE
>   Slot 8  type = Performance Route Processor
>           state = STBY RP     IOS Running    STANDBY
>   Slot 9  type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 9/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>           subslot 9/1: Empty
>           subslot 9/2: Empty
>           subslot 9/3: Empty
>   Slot 14 type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 14/0: SPA-2XOC48POS/RPR (0x46F), status is ok
>           subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok
>           subslot 14/2: Empty
>           subslot 14/3: Empty
>   Slot 15 type = Modular SPA Interface Card
>           state = IOS RUN     Line Card Enabled
>           subslot 15/0: SPA-4XOC12-POS (0x507), status is ok
>           subslot 15/1: SPA-8XOC3-POS (0x505), status is ok
>           subslot 15/2: SPA-4XT3/E3 (0x40B), status is ok
>           subslot 15/3: Empty
>   Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>           state = Card Powered
>   Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>           state = Card Powered   PRIMARY CLOCK
>   Slot 18 type = Switch Fabric Card 16XOC192
>           state = Card Powered
>   Slot 19 type = Switch Fabric Card 16XOC192
>           state = Card Powered
>   Slot 20 type = Switch Fabric Card 16XOC192
>           state = Card Powered
>   Slot 24 type = Alarm Module(16)
>           state = Card Powered
>   Slot 25 type = Alarm Module(16)
>           state = Card Powered
>   Slot 27 type = Bus Board(16)
>           state = Card Powered
>   Slot 28 type = Blower Module(16)
>           state = Card Powered
>   Slot 29 type = Blower Module(16)
>           state = Card Powered
>
>
> Thanks and Regards
> J.Daniels
>

From paul at paulstewart.org Mon Aug 10 12:35:14 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 10 Aug 2009 12:35:14 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
References: <002001ca19d6$16a5a290$43f0e7b0$@org>
	<305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
Message-ID: <002101ca19d8$9924b330$cb6e1990$@org>

That is very strange.... are you able to kick the switch (power cycle) to
see if it resolves or not?
I know you shouldn't have to but I'm out of answers too ;)

-----Original Message-----
From: Jon Wolberg [mailto:jon at defenderhosting.com]
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed
the hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"


----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg" , cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated as well as set the hostname back
to the original and zeroized and re-generated to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2


Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From jared at puck.nether.net Mon Aug 10 12:55:02 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 10 Aug 2009 12:55:02 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>
References: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>
Message-ID:

You should call TAC and your SE/AM as well to ensure they capture what
happened to avoid this defect in the future.

You may also be able to entirely disable/restart the SSH subsystem, or at
least make sure they have the ability to restart it.

If Cisco doesn't make progress on this front, I'm not sure how they will
continue to survive. The internet of 2000 and later really needs protected
memory and restartable processes instead of the old tech support "have you
turned it off and back on again" policy of dealing with defects. While that
has a place, certainly this is not one of them.

- Jared

On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote:

> Hi Ryan/Paul-
>
> Not without scheduling a maintenance window which I was hoping to
> avoid. I am sure a reload would fix the problem as I'd also use it
> as an opportunity to upgrade the code since I am a half dozen revs
> behind and have switches running newer versions without any
> stability issues.
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
> > > ----- Original Message ----- > From: "Paul Stewart" > To: "Jon Wolberg" > Cc: cisco-nsp at puck.nether.net > Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern > Subject: RE: [c-nsp] SSH no longer functions after hostname change > > That is very strange.... are you able to kick the switch (power > cycle) to see if it resolves or not? I know you shouldn't have to > but I'm out of answers too ;) > > -----Original Message----- > From: Jon Wolberg [mailto:jon at defenderhosting.com] > Sent: Monday, August 10, 2009 12:20 PM > To: Paul Stewart > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SSH no longer functions after hostname change > > Hi Paul- > > The funny thing is this is the only switch causing problems. We > changed the hostnames on over a dozen others without any issues. > > I tried re-generating the keys to no avail. > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > > > ----- Original Message ----- > From: "Paul Stewart" > To: "Jon Wolberg" , cisco-nsp at puck.nether.net > Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern > Subject: RE: [c-nsp] SSH no longer functions after hostname change > > Normally all we do is a "crypto key gen rsa" if a hostname changes > and we > continue on... this regens the keys and stops/starts the SSH > process.... > > Paul > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg > Sent: Monday, August 10, 2009 11:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] SSH no longer functions after hostname change > > Hello- > > We recently changed some of our hostnames on various legacy switches > to > follow our naming convention, and after one change I can no longer > SSH to > the switch. 
> > I get the below errors on the console with debug ip ssh client > running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0- > OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the > hostname back > to the original and zero'ized and re-generated to no avail. Nothing > shows > up on Google and I can find no errata related to SSH access on the > version > of code we are running. > > Has anyone encountered this before? This is a 3750 running > 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Mon Aug 10 12:17:14 2009 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 10 Aug 2009 12:17:14 -0400 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com> References: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com> Message-ID: <002001ca19d6$16a5a290$43f0e7b0$@org> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process.... 
Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg Sent: Monday, August 10, 2009 11:53 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] SSH no longer functions after hostname change Hello- We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch. I get the below errors on the console with debug ip ssh client running: Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running. Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!" _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From moua0100 at umn.edu Mon Aug 10 13:41:48 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 10 Aug 2009 12:41:48 -0500 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: References: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com> Message-ID: <4A805BDC.7020401@umn.edu> We saw similar symptoms on cat6k; even a reboot & regen rsa key did not fix the ssh issue; turned out to be some sort of conflict with IP SLA, removed that then all was working. 
Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Jared Mauch wrote: > You should call TAC and your SE/AM as well to insure they capture what > happened to avoid this defect in the future. You may also be able to > entirely disable/restart the SSH subsystem, or at least make sure they > have the ability to restart it. If Cisco doesn't make progress on > this front, I'm not sure how they will continue to survive. The > internet of 2000 and later really needs protected memory and > restartable processes instead of the old tech support "have you turned > it off and back on again" policy of dealing with defects. While that > has a place, certainly this is not one of them. > > - Jared > > On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote: > >> Hi Ryan/Paul- >> >> Not without scheduling a maintenance window which I was hoping to >> avoid. I am sure a reload would fix the problem as i'd also use it >> as an opportunity to upgrade the code since I am a half dozen revs >> behind and have switches running newer versions without any stability >> issues. >> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> >> >> ----- Original Message ----- >> From: "Paul Stewart" >> To: "Jon Wolberg" >> Cc: cisco-nsp at puck.nether.net >> Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern >> Subject: RE: [c-nsp] SSH no longer functions after hostname change >> >> That is very strange.... are you able to kick the switch (power >> cycle) to see if it resolves or not? 
I know you shouldn't have to >> but I'm out of answers too ;) >> >> -----Original Message----- >> From: Jon Wolberg [mailto:jon at defenderhosting.com] >> Sent: Monday, August 10, 2009 12:20 PM >> To: Paul Stewart >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] SSH no longer functions after hostname change >> >> Hi Paul- >> >> The funny thing is this is the only switch causing problems. We >> changed the hostnames on over a dozen others without any issues. >> >> I tried re-generating the keys to no avail. >> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> >> >> ----- Original Message ----- >> From: "Paul Stewart" >> To: "Jon Wolberg" , cisco-nsp at puck.nether.net >> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern >> Subject: RE: [c-nsp] SSH no longer functions after hostname change >> >> Normally all we do is a "crypto key gen rsa" if a hostname changes >> and we >> continue on... this regens the keys and stops/starts the SSH process.... >> >> Paul >> >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg >> Sent: Monday, August 10, 2009 11:53 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] SSH no longer functions after hostname change >> >> Hello- >> >> We recently changed some of our hostnames on various legacy switches to >> follow our naming convention, and after one change I can no longer >> SSH to >> the switch. 
>> >> I get the below errors on the console with debug ip ssh client running: >> >> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 >> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 >> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found >> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 >> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 >> >> I zero'ized the old keys and re-generated as well as set the hostname >> back >> to the original and zero'ized and re-generated to no avail. Nothing >> shows >> up on Google and I can find no errata related to SSH access on the >> version >> of code we are running. >> >> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 >> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jon at defenderhosting.com Mon Aug 10 14:09:41 2009 From: jon at defenderhosting.com (Jon Wolberg) Date: Mon, 10 Aug 2009 14:09:41 -0400 (EDT) Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <4A805BDC.7020401@umn.edu> Message-ID: <1839562794.2157121249927781445.JavaMail.root@mail.dtgmail.com> Jared- Unfortunately we do not have SmartNET for this specific device, although we do have coverage for our higher up infrastructure. 
I do not know Cisco's policy on supporting devices without a contract but I highly doubt they would work with me to a resolution without an existing SmartNET contract for this device. I will try JF's solution ( I did this already but did not do it in the specific order he mentioned ) and then schedule a reload if that fails. Thanks. Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!" ----- Original Message ----- From: "Ge Moua" To: "Jared Mauch" Cc: "Jon Wolberg" , cisco-nsp at puck.nether.net Sent: Monday, August 10, 2009 1:41:48 PM GMT -05:00 US/Canada Eastern Subject: Re: [c-nsp] SSH no longer functions after hostname change We saw similar symptoms on cat6k; even a reboot & regen rsa key did not fix the ssh issue; turned out to be some sort of conflict with IP SLA, removed that then all was working. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Jared Mauch wrote: > You should call TAC and your SE/AM as well to insure they capture what > happened to avoid this defect in the future. You may also be able to > entirely disable/restart the SSH subsystem, or at least make sure they > have the ability to restart it. If Cisco doesn't make progress on > this front, I'm not sure how they will continue to survive. The > internet of 2000 and later really needs protected memory and > restartable processes instead of the old tech support "have you turned > it off and back on again" policy of dealing with defects. While that > has a place, certainly this is not one of them. > > - Jared > > On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote: > >> Hi Ryan/Paul- >> >> Not without scheduling a maintenance window which I was hoping to >> avoid. I am sure a reload would fix the problem as i'd also use it >> as an opportunity to upgrade the code since I am a half dozen revs >> behind and have switches running newer versions without any stability >> issues. 
>> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> >> >> ----- Original Message ----- >> From: "Paul Stewart" >> To: "Jon Wolberg" >> Cc: cisco-nsp at puck.nether.net >> Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern >> Subject: RE: [c-nsp] SSH no longer functions after hostname change >> >> That is very strange.... are you able to kick the switch (power >> cycle) to see if it resolves or not? I know you shouldn't have to >> but I'm out of answers too ;) >> >> -----Original Message----- >> From: Jon Wolberg [mailto:jon at defenderhosting.com] >> Sent: Monday, August 10, 2009 12:20 PM >> To: Paul Stewart >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] SSH no longer functions after hostname change >> >> Hi Paul- >> >> The funny thing is this is the only switch causing problems. We >> changed the hostnames on over a dozen others without any issues. >> >> I tried re-generating the keys to no avail. >> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> >> >> ----- Original Message ----- >> From: "Paul Stewart" >> To: "Jon Wolberg" , cisco-nsp at puck.nether.net >> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern >> Subject: RE: [c-nsp] SSH no longer functions after hostname change >> >> Normally all we do is a "crypto key gen rsa" if a hostname changes >> and we >> continue on... this regens the keys and stops/starts the SSH process.... >> >> Paul >> >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg >> Sent: Monday, August 10, 2009 11:53 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] SSH no longer functions after hostname change >> >> Hello- >> >> We recently changed some of our hostnames on various legacy switches to >> follow our naming convention, and after one change I can no longer >> SSH to >> the switch. 
>> >> I get the below errors on the console with debug ip ssh client running: >> >> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 >> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 >> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found >> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 >> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 >> >> I zero'ized the old keys and re-generated as well as set the hostname >> back >> to the original and zero'ized and re-generated to no avail. Nothing >> shows >> up on Google and I can find no errata related to SSH access on the >> version >> of code we are running. >> >> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 >> >> >> Jon Wolberg >> Systems Engineer >> Virtacore Systems Inc. >> "We Virtualize IT!" >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jon at defenderhosting.com Mon Aug 10 14:15:24 2009 From: jon at defenderhosting.com (Jon Wolberg) Date: Mon, 10 Aug 2009 14:15:24 -0400 (EDT) Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <4A804DD8.5020907@emich.edu> Message-ID: <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com> All- Using the exact order that JF listed below it worked perfect and resolved my issue. I can now SSH to this device again. Thanks. 
Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!" ----- Original Message ----- From: "jf" To: "Jon Wolberg" Cc: cisco-nsp at puck.nether.net Sent: Monday, August 10, 2009 12:42:00 PM GMT -05:00 US/Canada Eastern Subject: Re: [c-nsp] SSH no longer functions after hostname change We experienced this problem on a 3550 12g several years ago. We solved it by temporarily changing the configured hostname back, zeroing the key, changing the hostname again, and regenerating. Jon Wolberg wrote: > Hello- > > We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch. > > I get the below errors on the console with debug ip ssh client running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running. > > Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" 
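JF's four steps written out as an IOS CLI sequence, with the checks a practitioner would run before and after. This is an added example, not from any poster in the thread; the hostnames sw-legacy-01 and core-access-01, the domain example.net and the 2048-bit modulus are assumptions.

```cisco
! Added example: the recovery order JF describes, as IOS CLI.
! Assumed names: old hostname sw-legacy-01, new hostname core-access-01,
! domain example.net. The 2048-bit modulus is also an assumption.

! 1. Confirm the symptom before touching anything. IOS names an RSA pair
!    <hostname>.<domain-name> by default, so "Key name:" shows which
!    hostname the existing pair was generated under. A pair that is still
!    listed under the old name is the one the SSH server can no longer find
!    (the "RSA_sign: private key not found" line in the debug output).
core-access-01# show crypto key mypubkey rsa
core-access-01# show ip ssh

! 2. Put the old hostname back, so the key store is addressed by the name
!    the stale pair was generated under.
core-access-01# configure terminal
core-access-01(config)# hostname sw-legacy-01

! 3. Zeroize the pair under the old name. IOS asks for confirmation;
!    this removes every RSA pair on the box, so expect to regenerate.
sw-legacy-01(config)# crypto key zeroize rsa

! 4. Switch to the new hostname and regenerate a fresh pair under it.
!    The domain name must be set before generation, or the command fails.
sw-legacy-01(config)# hostname core-access-01
core-access-01(config)# ip domain-name example.net
core-access-01(config)# crypto key generate rsa modulus 2048
core-access-01(config)# ip ssh version 2
core-access-01(config)# end

! 5. Verify: "Key name:" must now read core-access-01.example.net, and
!    "show ip ssh" must report SSH Enabled - version 2.0. Only then save.
core-access-01# show crypto key mypubkey rsa
core-access-01# show ip ssh
core-access-01# write memory
```

Regenerating the pair changes the switch's SSH host key, so clients that cached the old one will warn about a changed host key on the next connection and their known_hosts entries will need updating.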
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tdurack at gmail.com Mon Aug 10 14:16:50 2009 From: tdurack at gmail.com (Tim Durack) Date: Mon, 10 Aug 2009 14:16:50 -0400 Subject: [c-nsp] mvrf leaking Message-ID: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com> Anyone know if an mvrf can be "leaked" across several vrfs? ip vrf mvpn-cus1 rd 10.0.0.1:201 route-target export 65000:201 route-target import 65000:201 route-target import 65000:202 mdt default 239.1.1.1 ! ip vrf mvpn-cus2 rd 10.0.0.1:202 route-target export 65000:202 route-target import 65000:202 route-target import 65000:201 mdt default 239.1.1.1 ! Cisco doc says: "When configuring the default MDT, note the following information: • The group_address is the multicast IPv4 address of the default MDT group. This address serves as an identifier for the MVRF community, because all provider-edge (PE) routers configured with this same group address become members of the group, which allows them to receive the PIM control messages and multicast traffic that are sent by other members of the group. • This same default MDT must be configured on each PE router to enable the PE routers to receive multicast traffic for this particular MVRF." Which makes me think it might work... Tim:> From gsgranados at comcast.net Mon Aug 10 14:20:01 2009 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 10 Aug 2009 11:20:01 -0700 Subject: [c-nsp] ASA5520 different crypt options and general tuning question? Message-ID: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> Hi, thanks to many on this list and the great pointers I now have a working pair of ASA5520 devices with Cisco VPN client remote access working correctly. My question is a two parter. 
First, I see several encryption options including 3DES, DES and various AES entries with different bit counts. I understand generally what these different options do and what the associated hash options are used for but is there a better crypt type and hash type for differing jobs? When would you want to use 3DES instead of say aes-256? Is there ever a reason you'd use MD5 instead of sha??? Secondly, are there any good general documents for performance tuning? (maybe something that helps detail which knobs to twiddle and why?) As always, any pointers would be greatly appreciated. Thanks Scott From jared.a.gillis at gmail.com Mon Aug 10 15:05:05 2009 From: jared.a.gillis at gmail.com (Jared Gillis) Date: Mon, 10 Aug 2009 12:05:05 -0700 Subject: [c-nsp] IS-IS route separation/filtering In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com> References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com><1249549131.28552.14.camel@daniel.office.bit.nl> <4A7B254B.8040607@gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com> Message-ID: <4A806F61.1000600@gmail.com> Oliver Boehmer (oboehmer) wrote: > Well.. not sure how large you want to grow your L1 area, but you could > investigate "advertise-passive-only" to only adveritse the loopbacks > (all customer routes should be in BGP if you need to plan for growth), > and you'll be fine, even with a 1000 nodes in the area. And if you reach > this number, address summarization (and the implications of it) will > become an issue (even with OSPF).. > >> It's looking like we might have to run OSPF on this, but we'd really >> rather stick with IS-IS. It seems that OSPF's ability to put >> individual interfaces into different areas might be the required >> feature that forces us that way. That is, unless anyone knows a way >> to put an IS-IS router into different areas aside from assigning >> multiple NET addresses... 
> > No, doesn't work with Integrated ISIS (only CLNS allows you to use > different ISIS areas on a single node).. Hm, I think I may have found my answer in IS-IS Multiarea: http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html I've configured it up in our lab, and running IP IS-IS it seems to do exactly what I need. I've got my Router A set up running multi-area with one L2 instance for backbone and multiple L1 instances for each L1 stub area. The L1 areas only see their own internal routes, plus default towards Router A, and I have full connectivity from stub to stub. > > oli From eng_mssk at hotmail.com Mon Aug 10 15:20:57 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Mon, 10 Aug 2009 22:20:57 +0300 Subject: [c-nsp] IPSEC VPN Message-ID: hi i configured the below on GNS3 simulator Router(config)#crypto isakmp policy 1 Router(config-isakmp)#authentication pre-share Router(config)#crypto isakmp key VPNKEY address x.x.x.x Router(config)#access-list extended LIST Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 Router(config)#crypto ipsec transform-set SET Router(config)#crypto map MAP 10 ipsec-isakmp Router(config-crypto-map)#set peer x.x.x.x Router(config-crypto-map)#set transform-set SET Router(config-crypto-map)#match address LIST Router(config)#interface f0/0 Router(config-if)#crypto map MAP and im trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but im not able to , and the show crypto isakmp sa produces empty o/p am i missing something here ?? From mksmith at adhost.com Mon Aug 10 15:30:54 2009 From: mksmith at adhost.com (Michael K. 
Smith - Adhost) Date: Mon, 10 Aug 2009 12:30:54 -0700 Subject: [c-nsp] IPSEC VPN In-Reply-To: References: Message-ID: <17838240D9A5544AAA5FF95F8D5203160676BE9C@ad-exh01.adhost.lan> Hi Mohammad: > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Monday, August 10, 2009 12:21 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] IPSEC VPN > > > hi > i configured the below on GNS3 simulator > > Router(config)#crypto isakmp policy 1 > > Router(config-isakmp)#authentication pre-share > Router(config)#crypto isakmp key VPNKEY address x.x.x.x > > Router(config)#access-list extended LIST > > Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 > 0.0.0.255 > > Router(config)#crypto ipsec transform-set SET > > Router(config)#crypto map MAP 10 ipsec-isakmp > > Router(config-crypto-map)#set peer x.x.x.x > > Router(config-crypto-map)#set transform-set SET > > Router(config-crypto-map)#match address LIST > > Router(config)#interface f0/0 > > Router(config-if)#crypto map MAP > > and im trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but im > not able to , and the show crypto isakmp sa produces empty o/p > > am i missing something here ?? > nat (inside) 0 access-list LIST If the .1 address in both subnets are the firewall IP addresses you won't be able to ping them. Instead, try pinging through them to a host on either side. 
Finally, "debug crypto isakmp" and "debug crypto ipsec" are your friend, along with a "term mon" :-) Regards, Mike From eninja at gmail.com Mon Aug 10 15:49:35 2009 From: eninja at gmail.com (Eninja) Date: Mon, 10 Aug 2009 21:49:35 +0200 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com> References: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com> Message-ID: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com> Jon, What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't? -Eninja On Aug 10, 2009, at 6:19 PM, Jon Wolberg wrote: > Hi Paul- > > The funny thing is this is the only switch causing problems. We > changed the hostnames on over a dozen others without any issues. > > I tried re-generating the keys to no avail. > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > > > ----- Original Message ----- > From: "Paul Stewart" > To: "Jon Wolberg" , cisco-nsp at puck.nether.net > Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern > Subject: RE: [c-nsp] SSH no longer functions after hostname change > > Normally all we do is a "crypto key gen rsa" if a hostname changes > and we > continue on... this regens the keys and stops/starts the SSH > process.... > > Paul > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg > Sent: Monday, August 10, 2009 11:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] SSH no longer functions after hostname change > > Hello- > > We recently changed some of our hostnames on various legacy switches > to > follow our naming convention, and after one change I can no longer > SSH to > the switch. 
> > I get the below errors on the console with debug ip ssh client > running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0- > OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the > hostname back > to the original and zero'ized and re-generated to no avail. Nothing > shows > up on Google and I can find no errata related to SSH access on the > version > of code we are running. > > Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From daryl at introspect.net Mon Aug 10 15:52:53 2009 From: daryl at introspect.net (Daryl G. Jurbala) Date: Mon, 10 Aug 2009 15:52:53 -0400 Subject: [c-nsp] Best bang for the buck in L2TP devices Message-ID: So I'm running unencrypted L2TP back to my colo and currently have about 300 clients terminated to a 3825. Anyone have a good feeling for what the best bang for the buck would be to scale that up to 5000? I am looking at the ASA 5540s, but even Cisco pre-sales doesn't seem to be able to tell me how many L2TP connections they support, whether the AnyConnect essentials licensing is what is needed for L2TP, etc, etc. 
Thanks, Daryl From peter at rathlev.dk Mon Aug 10 15:54:32 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 10 Aug 2009 21:54:32 +0200 Subject: [c-nsp] ASA5520 different crypt options and general tuning question? In-Reply-To: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> Message-ID: <1249934072.2853.4.camel@abehat.net.rm.dk> On Mon, 2009-08-10 at 11:20 -0700, Scott Granados wrote: > When would you want to use 3DES instead of say aes-256? Is > there ever a reason you'd use MD5 instead of sha??? Legacy. You might need to establish a tunnel to some device that doesn't know AES and/or SHA1. > Secondly, are there any good general documents for performance tuning? Generally AES is better suited to 32-bit processors than 3DES, the latter being a 168-bit cipher (3 x 56-bit) more suited for 7-bit processors. So in theory you'd get better performance from a 128-bit AES cipher than a 168-bit 3DES cipher and you would have better security. Regards, Peter From jon at defenderhosting.com Mon Aug 10 15:56:27 2009 From: jon at defenderhosting.com (Jon Wolberg) Date: Mon, 10 Aug 2009 15:56:27 -0400 (EDT) Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com> Message-ID: <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com> Hello- Nothing, they are all identical switches running the same IOS. Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!" ----- Original Message ----- From: "Eninja" To: "Jon Wolberg" Cc: "Paul Stewart" , cisco-nsp at puck.nether.net, "Eninja" Sent: Monday, August 10, 2009 3:49:35 PM GMT -05:00 US/Canada Eastern Subject: Re: [c-nsp] SSH no longer functions after hostname change Jon, What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't? 
-Eninja On Aug 10, 2009, at 6:19 PM, Jon Wolberg wrote: > Hi Paul- > > The funny thing is this is the only switch causing problems. We > changed the hostnames on over a dozen others without any issues. > > I tried re-generating the keys to no avail. > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > > > ----- Original Message ----- > From: "Paul Stewart" > To: "Jon Wolberg" , cisco-nsp at puck.nether.net > Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern > Subject: RE: [c-nsp] SSH no longer functions after hostname change > > Normally all we do is a "crypto key gen rsa" if a hostname changes > and we > continue on... this regens the keys and stops/starts the SSH > process.... > > Paul > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg > Sent: Monday, August 10, 2009 11:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] SSH no longer functions after hostname change > > Hello- > > We recently changed some of our hostnames on various legacy switches > to > follow our naming convention, and after one change I can no longer > SSH to > the switch. > > I get the below errors on the console with debug ip ssh client > running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0- > OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the > hostname back > to the original and zero'ized and re-generated to no avail. Nothing > shows > up on Google and I can find no errata related to SSH access on the > version > of code we are running. > > Has anyone encountered this before? 
This is a 3750 running 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From nigel at theroys.me.uk Mon Aug 10 15:14:06 2009 From: nigel at theroys.me.uk (Nigel Roy) Date: Mon, 10 Aug 2009 20:14:06 +0100 Subject: [c-nsp] MPLS QoS at SPA-5X1GE-V2, SIP 400, 7604RSP720 (Ruzhanskaya Olga) In-Reply-To: Message-ID: <200981020146.055612@SystemLink> Hi Olga, Came across the same problem as you recently on some of our 7600 PE routers. Like you I raised it as a TAC case as I thought it was a bug but after a couple of weeks the TAC engineer discovered exactly what you say. For locally routed packets (IP-IP) the set mpls exp overwrites the DSCP value. Works fine when going from IP-MPLS though! Because you can never be certain whether packets are going to be locally or MPLS switched the command becomes useless. They did say they would try and find an alternative but they never came up with anything. The alternative I have tested is what we are thinking of using. This uses the global dscp-exp mutation map. This is enabled by default but obviously is overridden by the policy-map set mpls exp command. This worked in the tests I have done but the documentation states "This command is supported in PFC3BXL or PFC3B mode only." This is not a problem for us as the hardware we are using matches the requirement. 
The following is used in global config to modify the default setting for the dscp-exp map:

mls qos map dscp-exp 46 to 5
mls qos map dscp-exp 10 18 26 40 45 to 2
mls qos map dscp-exp 1 2 3 4 5 6 7 8 to 1

The only other possibility I started to look at was "table-maps" however they were not supported in the IOS we use and I am not even sure if there is an IOS for the 7600s that supports them.

Regards
Nigel

> Hello List!
>
> In our MPLS network we use 7604RSP720 with SPA-5X1GE-V2 installed
> in SIP 400 as PE router, where clients services terminates. As in
> MPLS edge, we perform "typical" traffic classification and marking.
> Standard policy-map looks like this (matching based on DSCP,
> marking with MPLS EXP):
>
> Policy Map Network-VoIP-In
>   Class qos-realtime
>     set mpls experimental imposition 5
>   ...
>   Class class-default
>     set mpls experimental imposition 0
>
> Class Map match-any qos-realtime (id 21)
>   Match ip dscp ef (46)
>
> For example, we have two subinterfaces, gi3/0/0.210 and
> gi3/0/0.211. Both of them have policy-map looks like described one.
> If packet enters gi3/0/0.210 with DSCP=EF and go to gi3/0/0.211, it
> appears with DSCP=CS5. Is this normal?
> For 76x, it is.
> Because of 76x platform QoS realization traffic local for router
> (IP-IP), router overwrites DSCP value of packet when such policy-map
> in use:
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/mplsqos.html#wp1475897
>
> I've even opened a case, but the best proposed approach was to
> distinguish with ACL IP-IP traffic and IP-MPLS traffic. This is a
> bad solution for us: increased load on router, many hand-work and
> we have hundreds of such circuits..
>
> We are trying to resolve this problem from April - and no
> sufficient solution.. Maybe someone have resolved this?
>
> P.S. "no mls qos rewrite ip dscp" doesn't work properly on PFC MPLS,
> already tried.
>
> Best regards,
> Olga

From A.L.M.Buxey at lboro.ac.uk Mon Aug 10 16:08:11 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 10 Aug 2009 21:08:11 +0100
Subject: [c-nsp] Best bang for the buck in L2TP devices
In-Reply-To:
References:
Message-ID: <20090810200811.GA15910@lboro.ac.uk>

Hi,

> I am looking at the ASA 5540s, but even Cisco pre-sales doesn't seem to
> be able to tell me how many L2TP connections they support, whether the
> AnyConnect essentials licensing is what is needed for L2TP, etc, etc.

if you can go with standard IPSec to handle transit then it's unlimited. if you have to go anyconnect/SSL then you pay for clients. i can't say how much bang you'll get with a 5540 off-hand.... that's also related to how much data is in transit rather than number of connections

alan

From peter at rathlev.dk Mon Aug 10 16:12:25 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Aug 2009 22:12:25 +0200
Subject: [c-nsp] IPSEC VPN
In-Reply-To:
References:
Message-ID: <1249935146.2853.21.camel@abehat.net.rm.dk>

On Mon, 2009-08-10 at 22:20 +0300, Mohammad Khalil wrote:
> i configured the below on GNS3 simulator
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and im trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks)
> but
> im not able to , and the show crypto isakmp sa produces empty o/p
>
> am i missing something here ??

That's hard to say without knowing what's in the other end. :-) Or are both ends configured the same?

You haven't defined any explicit encryption or hashing in your ISAKMP policy. AFAICT a 7200 running 12.4 defaults to single DES encryption and SHA hashing with a lifetime of 86400 seconds.

I don't understand the "crypto ipsec transform-set SET"; wasn't there supposed to be an IPSec transform set after this? Like "esp-aes 128 esp-sha-hmac"?

Otherwise, as Michael mentions, debug is a good thing. A "debug crypto isakmp" probably tells relevant things. (Though this seems to be IOS and not PIX.)

We have something like this in a working configuration:

ip access-list extended SomeCryptoACL
 permit gre host 10.0.0.2 host 10.0.0.1
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto keyring SomeKeyRing
 pre-shared-key address 10.0.0.1 key SomeKey
!
crypto isakmp profile SomeISAKMPProfile
 keyring SomeKeyRing
 match identity address 10.0.0.1 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto map SomeCryptoMap 5 ipsec-isakmp
 description Some description
 set peer 10.0.0.1
 set transform-set MD5_3DES
 set isakmp-profile SomeISAKMPProfile
 match address SomeCryptoACL
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 crypto map SomeCryptoMap
!

This isn't best practise, but it does work.

Regards,
Peter

From rodunn at cisco.com Mon Aug 10 16:14:32 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 10 Aug 2009 16:14:32 -0400
Subject: [c-nsp] mvrf leaking
In-Reply-To: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com>
References: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com>
Message-ID: <4A807FA8.4010901@cisco.com>

I don't *think* so.
I think to get traffic from the VRF's you need MVPN Extranet support:

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/extvpnsb.html

Rodney

Tim Durack wrote:
> Anyone know if an mvrf can be "leaked" across several vrfs?
>
> ip vrf mvpn-cus1
>  rd 10.0.0.1:201
>  route-target export 65000:201
>  route-target import 65000:201
>  route-target import 65000:202
>  mdt default 239.1.1.1
> !
> ip vrf mvpn-cus2
>  rd 10.0.0.1:202
>  route-target export 65000:202
>  route-target import 65000:202
>  route-target import 65000:201
>  mdt default 239.1.1.1
> !
>
> Cisco doc says:
>
> "When configuring the default MDT, note the following information:
> - The group_address is the multicast IPv4 address of the default MDT
> group. This address serves as an identifier for the MVRF community,
> because all provider-edge (PE) routers configured with this same group
> address become members of the group, which allows them to receive the
> PIM control messages and multicast traffic that are sent by other
> members of the group.
> - This same default MDT must be configured on each PE router to enable
> the PE routers to receive multicast traffic for this particular MVRF."
>
> Which makes me think it might work...
>
> Tim:>

From cisco-nsp at itpro.co.nz Mon Aug 10 16:15:36 2009
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Tue, 11 Aug 2009 08:15:36 +1200
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz> <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>
Message-ID: <4A807FE8.40808@itpro.co.nz>

Thanks for the reply.
I am aware of three options for dual active detection

* Enhanced PAgP - requires selected switches with specific IOS versions on the other end to work
* BFD
* Fast Hello

I understand that if using ePAgP as the dual active detection method then running PAgP on channels is required. Not everyone will select this method (I have selected Fast Hello).

I don't believe the section of the best practice guide below relates directly to dual-active detection as LACP is presented as a recommended option. Any other ideas for why explicit trunks are not recommended are welcome.

Ivan

> Cisco Best Practice will be use PAgP if you want to like to avoid VSS
> dual active scenario (better than BFD)
>
> On Thu, Aug 6, 2009 at 1:50 AM, Ivan wrote:
>
> Cisco VSS best practice document states
>
> Recommendations
> * Always run L2 or L3 MEC.
> * Do not use on and off options with PAgP or LACP or Trunk
>   protocol negotiation.
>   o PAgP - Run Desirable-Desirable with MEC links.
>   o LACP - Run Active-Active with MEC links.
>   o Trunk - Run Desirable-Desirable with MEC links.
>
> http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml
>
> There is not really any explanation of the reasoning behind these
> recommendations. If anyone can explain the rationale that would be
> great.
> I would also be interested to hear what settings people are using in
> production, why and how that is going.
>
> Generally in non VSS setups I have found setting links explicitly to trunk
> mode and as etherchannel members has been reliable and would like to
> understand why they are not recommended above.
>
> Thanks
>
> Ivan

From vanormer at gmail.com Mon Aug 10 16:34:57 2009
From: vanormer at gmail.com (Robert VanOrmer)
Date: Mon, 10 Aug 2009 15:34:57 -0500
Subject: [c-nsp] Disabling ssh v1 on IOS
Message-ID: <020f01ca19fa$07d70190$178504b0$@com>

Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be able to connect to the device, but with SSHv2 only. I haven't found any option for this.

From gsgranados at comcast.net Mon Aug 10 16:35:01 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 10 Aug 2009 13:35:01 -0700
Subject: [c-nsp] ASA5520 different crypt options and general tuning question?
References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> <1249934072.2853.4.camel@abehat.net.rm.dk>
Message-ID: <005201ca19fa$0e7e7f50$2208120a@am.thmulti.com>

Peter, thank you this makes a lot of sense.

Thanks
Scott

----- Original Message -----
From: "Peter Rathlev"
To: "Scott Granados"
Cc:
Sent: Monday, August 10, 2009 12:54 PM
Subject: Re: [c-nsp] ASA5520 different crypt options and general tuning question?

> On Mon, 2009-08-10 at 11:20 -0700, Scott Granados wrote:
>> When would you want to use 3DES instead of say aes-256? Is
>> there ever a reason you'd use MD5 instead of sha???
>
> Legacy. You might need to establish a tunnel to some device that doesn't
> know AES and/or SHA1.
>
>> Secondly, are there any good general documents for performance tuning?
>
> Generally AES is better suited to 32-bit processors than 3DES, the
> latter being a 168-bit cipher (3 x 56-bit) more suited for 7-bit
> processors. So in theory you'd get better performance from a 128-bit AES
> cipher than a 168-bit 3DES cipher and you would have better security.
>
> Regards,
> Peter

From erey at ernw.de Mon Aug 10 15:51:33 2009
From: erey at ernw.de (Enno Rey)
Date: Mon, 10 Aug 2009 21:51:33 +0200
Subject: [c-nsp] IPSEC VPN
In-Reply-To:
References:
Message-ID: <20090810195133.GO20887@ws25.ernw.de>

no idea if you need this on the simulator, but on older platforms it was mandatory to "crypto isakmp enable"

thanks,

Enno

On Mon, Aug 10, 2009 at 10:20:57PM +0300, Mohammad Khalil wrote:
>
> hi
> i configured the below on GNS3 simulator
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and im trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but im not able to , and the show crypto isakmp sa produces empty o/p
>
> am i missing something here ??

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel.
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

From A.L.M.Buxey at lboro.ac.uk Mon Aug 10 16:47:40 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 10 Aug 2009 21:47:40 +0100
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID: <20090810204740.GB16014@lboro.ac.uk>

Hi,

> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
> able to connect to the device, but with SSHv2 only. I haven't found any
> option for this.

ip ssh version 2 ?

alan

From jared at puck.nether.net Mon Aug 10 16:51:41 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 10 Aug 2009 16:51:41 -0400
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID:

conf t
ip ssh version 2

?

- Jared

On Aug 10, 2009, at 4:34 PM, Robert VanOrmer wrote:

> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
> able to connect to the device, but with SSHv2 only. I haven't found any
> option for this.
From tdurack at gmail.com Mon Aug 10 17:02:42 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 10 Aug 2009 17:02:42 -0400
Subject: [c-nsp] mvrf leaking
In-Reply-To: <4A807FA8.4010901@cisco.com>
References: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com> <4A807FA8.4010901@cisco.com>
Message-ID: <9e246b4d0908101402i1cad1612r70f29f68b0292fe9@mail.gmail.com>

On Mon, Aug 10, 2009 at 4:14 PM, Rodney Dunn wrote:
> I don't *think* so. I think to get traffic from the VRF's you need MVPN
> Extranet support:
>
> http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/extvpnsb.html
>
> Rodney

Thanks for the link - this looks useful. Will see what I can make work.

Tim:>

From ross at kallisti.us Mon Aug 10 17:37:19 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 10 Aug 2009 17:37:19 -0400
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <4A807FE8.40808@itpro.co.nz>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz> <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com> <4A807FE8.40808@itpro.co.nz>
Message-ID: <20090810213719.GA31785@kallisti.us>

On Tue, Aug 11, 2009 at 08:15:36AM +1200, Ivan wrote:
> I don't believe the section of the best practice guide below relates
> directly to dual-active detection as LACP is presented as a recommended
> option. Any other ideas for why explicit trunks are not recommended are
> welcome.

LACP does a good job of detecting when links have mis-matched speed or duplex parameters. My guess for Cisco's rationale would be that it prevents accidental misconfiguration from splitting your stack.

I've seen accidentally broken LACP port-channel members, and IOS splits off the incompatible members into another sub-group (that gets named like "Po4A").
This can happen while leaving the currently-active member of the bundle undisturbed.

On the other hand, I've also seen statically configured port-channels have members with speed and duplex broken. This way lies madness - some platforms handle this gracefully (2960 forcibly disables the just-changed member), others don't (6500 stops switching on the port channel and any members, causing loss of connectivity).

Ross

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From jmenendez at mecon.gov.ar Mon Aug 10 16:51:21 2009
From: jmenendez at mecon.gov.ar (Juan Angel Menendez)
Date: Mon, 10 Aug 2009 17:51:21 -0300
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID: <200908102051.n7AKp4WG031205@racing2.mecon.ar>

ip ssh version 2

At 17:34 10/08/2009, Robert VanOrmer wrote:
>Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
>accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
>able to connect to the device, but with SSHv2 only. I haven't found any
>option for this.

From td_miles at yahoo.com Mon Aug 10 17:54:51 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 10 Aug 2009 14:54:51 -0700 (PDT)
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To:
Message-ID: <525717.65310.qm@web110113.mail.gq1.yahoo.com>

Hi Jeff,

Thanks for the suggestion. The tunnel interfaces don't have a MAC address (under "show int tun501"), but I added a different one to each tunnel anyway (and now it. The outcome was no different, still no traffic and packets still being dropped by CEF.
I tried to add a MAC to the loopback interfaces, but it wouldn't let me.

So your tunnel from VRF to global routing table works ok ?

I have been looking at stuff on packet recirculation, but it all seems to apply to 6500/7600 with no references for anything smaller than this ?

I am aware that I could leak routes between VRF's, but I'd prefer to do it this way if it's at all possible.

Thanks,
Tony.

--- On Mon, 10/8/09, Jeff Fitzwater wrote:

> From: Jeff Fitzwater
> Subject: Re: [c-nsp] cross-vrf tunnels
> To: "Tony"
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 10 August, 2009, 11:24 PM
> I believe your problem is that both
> ends of the tunnel have the same mac address causing arp to
> fail. You can change one end and it should work.
>
> I had similar problem with VRF path back to global on the
> same router, but I had to use the physical interfaces to get
> around the "single lookup in cef issue".
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> On Aug 10, 2009, at 8:43 AM, Tony wrote:
>
> > Hi all,
> >
> > I want to route traffic from one VRF to another VRF on
> > the same router. I did some searching and came across a
> > prior discussion of this very same topic:
> >
> > http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
> >
> > So I decided to create a tunnel between two VRF's on
> > the same box using loopback addresses for the tunnels.
> >
> > I set it all up and I can ping from the IP of one end
> > of the tunnel in one VRF to the other end of the tunnel in
> > the second VRF.
> >
> > The problem I have is that traffic from other sources
> > isn't going over the tunnel properly.
> >
> > The config looks something like this:
> >
> > !
> > interface Loopback 501
> >  ip address 10.1.41.201 255.255.255.255
> > !
> > interface Loopback 502
> >  ip address 10.1.41.202 255.255.255.255
> > !
> > interface Tunnel 501
> >  ip vrf forwarding vrf1
> >  ip address 10.1.41.197 255.255.255.252
> >  tunnel source Loopback 501
> >  tunnel destination 10.1.41.202
> > !
> > interface Tunnel 502
> >  ip vrf forward vrf2
> >  ip address 10.1.41.198 255.255.255.252
> >  tunnel source Loopback 502
> >  tunnel destination 10.1.41.201
> > !
> >
> > I setup a test lab with a 2611 router either side of a
> > 7206 running 12.2(33)SRC (which is doing the VRF crossover).
> > It's all ethernet, no BGP, just two local VRF's on the 7200,
> > nothing fancy.
> >
> > When I attempt to ping the 2611 router on the other
> > side (via my loopback tunnel crossover connection) I get no
> > response.
> >
> > If I look at the stats on the tunnel interface it's as
> > if the traffic isn't going into the tunnel. The input and
> > output counters are all staying the same. This contrasts to
> > when I ping directly from one end of the tunnel to the other
> > as the counters do increase (and I get responses back).
> >
> > If I enable some debug, I get the following:
> > * Tunnel502: adjacency fixup,
> > 10.1.41.202->10.1.41.201, tos set to 0x0
> > * CEF-Drop: Packet from 10.1.41.202 (Nu0) to
> > 10.1.41.201, Unclassified reason
> >
> > Which shows that my packet across the tunnel is being
> > dropped, but I don't know why.
> >
> > When I do the ping direct from one tunnel end IP to
> > the other, I see the normal sequence of events I would
> > expect (packet routed via RIB, packet goes into tunnel, GRE
> > encap, packet from one loopback to other, GRE decap, etc).
> >
> > Is this supposed to work ? Does anyone else have it
> > working ? What might I be doing wrong ?
> >
> > Many thanks,
> > Tony.
From damin at nacs.net Mon Aug 10 17:24:37 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Mon, 10 Aug 2009 17:24:37 -0400
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
Message-ID: <06cb01ca1a00$f9f4c290$edde47b0$@net>

Hello,

Received a request from a client that needs to access a modem on a Cisco router from standard serial applications on a Linux box. These are for standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and not PPP.

There used to be a few pieces of software out there that did it, but I can't seem to find any of them. Anyone have any solutions for this?

From vanormer at gmail.com Mon Aug 10 18:16:38 2009
From: vanormer at gmail.com (Robert VanOrmer)
Date: Mon, 10 Aug 2009 17:16:38 -0500
Subject: [c-nsp] Disabling ssh v1 on IOS
Message-ID: <021a01ca1a08$3b8bf910$b2a3eb30$@com>

>Date: Mon, 10 Aug 2009 21:47:40 +0100
>From: Alan Buxey
>To: Robert VanOrmer
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Disabling ssh v1 on IOS
>Message-ID: <20090810204740.GB16014 at lboro.ac.uk>
>Content-Type: text/plain; charset=us-ascii
>
>Hi,
>> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
>> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
>> able to connect to the device, but with SSHv2 only. I haven't found any
>> option for this.
>
>ip ssh version 2 ?

Yes, that will do it.. and I feel like an idiot for missing that. Thanks for the post.
>alan

From stephane.tsacas at gmail.com Mon Aug 10 18:29:22 2009
From: stephane.tsacas at gmail.com (Stephane Tsacas)
Date: Tue, 11 Aug 2009 00:29:22 +0200
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID:

On Mon, Aug 10, 2009 at 23:24, Gregory Boehnlein wrote:
> Hello,
> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?

Something like "tip" but for Linux ?

http://www.freebsd.org/cgi/man.cgi?query=tip&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

This is what you're looking for ?

--
Stephane
http://3w.posterous.com

From NMaio at guesswho.com Mon Aug 10 17:02:28 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Mon, 10 Aug 2009 17:02:28 -0400
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID:

Robert,

By specifying the command "ip ssh version 2" you should be disabling SSHv1. The default is to specify neither which means you will accept both v1 and v2.

Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert VanOrmer
Sent: Monday, August 10, 2009 4:35 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Disabling ssh v1 on IOS

Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be able to connect to the device, but with SSHv2 only. I haven't found any option for this.
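Both configuration points raised in these threads (the IPSEC VPN reply noting an ISAKMP policy with no explicit cipher and a transform-set declared without transforms, and the "ip ssh version 2" answers here) can be checked mechanically before a config is pushed. The auditor below is an added example, not code from the list or from Cisco; it assumes running-config formatting (commands at column 0, children indented one space), and its two sample configs are constructed, with 192.0.2.1 standing in for the x.x.x.x peer.

```python
# Added example (not code from the list or from Cisco): audit an IOS
# running-config for the crypto/SSH points raised in this thread. Assumes
# running-config layout: commands at column 0, children indented one space.
from typing import Dict, List, Set, Tuple

# Constructed sample equivalent to the posted ISAKMP/IPsec lines: no explicit
# cipher, a transform-set with no transforms, a crypto map that references an
# ACL never defined, and no "ip ssh version 2". 192.0.2.1 stands in for x.x.x.x.
SAMPLE_WEAK = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key VPNKEY address 192.0.2.1
crypto ipsec transform-set SET
crypto map MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set SET
 match address LIST
"""

# Constructed corrected version: explicit AES/SHA, a named extended ACL,
# real transforms, and SSH pinned to version 2.
SAMPLE_FIXED = """\
ip ssh version 2
!
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
crypto isakmp key VPNKEY address 192.0.2.1
ip access-list extended LIST
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set SET
 match address LIST
"""

LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5"}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (top-level command, indented children)."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue  # blank lines and "!" separators carry no config
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_crypto_config(config: str) -> List[str]:
    """Return one finding per weak or dangling setting; an empty list means clean."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    transform_sets: Dict[str, List[str]] = {}
    acls: Set[str] = set()
    for hdr, children in blocks:
        w = hdr.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            encr = next((c.split()[1:] for c in children if c.split()[0] in ("encr", "encryption")), None)
            hsh = next((c.split()[1:] for c in children if c.split()[0] == "hash"), None)
            if encr is None:
                findings.append(f"isakmp policy {w[3]}: no encryption set; platform default applies (single DES per the thread)")
            elif encr and encr[0] in LEGACY_ENCR:
                findings.append(f"isakmp policy {w[3]}: legacy cipher {' '.join(encr)}")
            if hsh and hsh[0] in LEGACY_HASH:
                findings.append(f"isakmp policy {w[3]}: legacy hash {hsh[0]}")
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            name, transforms = w[3], w[4:]
            transform_sets[name] = transforms
            if not transforms:
                findings.append(f"transform-set {name}: no transforms declared (e.g. esp-aes 128 esp-sha-hmac)")
            elif LEGACY_TRANSFORMS & set(transforms):
                findings.append(f"transform-set {name}: legacy transforms {' '.join(transforms)}")
        elif w[:3] == ["ip", "access-list", "extended"] or w[0] == "access-list":
            acls.add(w[3] if w[0] == "ip" else w[1])  # named or numbered ACL
    # Second pass: a crypto map may appear before the objects it references.
    for hdr, children in blocks:
        w = hdr.split()
        if w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            tag = f"crypto map {w[2]} {w[3]}"
            for c in children:
                cw = c.split()
                if cw[:2] == ["set", "transform-set"] and cw[2] not in transform_sets:
                    findings.append(f"{tag}: references undefined transform-set {cw[2]}")
                if cw[:2] == ["match", "address"] and cw[2] not in acls:
                    findings.append(f"{tag}: references undefined access-list {cw[2]}")
    if "ip ssh version 2" not in (hdr for hdr, _ in blocks):
        findings.append("ssh: 'ip ssh version 2' absent; SSHv1 and SSHv2 both accepted")
    return findings


if __name__ == "__main__":
    print(*audit_crypto_config(SAMPLE_WEAK), sep="\n")
```

Feeding it the 3des/md5 working config from Peter's reply reports the same transforms he calls "not best practise" as legacy rather than missing, which is the distinction the thread draws.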
From streiner at cluebyfour.org Mon Aug 10 18:14:53 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 10 Aug 2009 18:14:53 -0400 (EDT)
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID:

On Mon, 10 Aug 2009, Gregory Boehnlein wrote:

> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?

Depending on how low-level you want to get, you could probably do what you need with Minicom, Kermit, Seyon (X11), and a few others. Some of these can also work with scripts to automate tasks.

More info on how serial com devices are created and used in Linux may be found at http://tldp.org/HOWTO/Modem-HOWTO.html

jms

From tony at cambiumdata.com Mon Aug 10 19:25:48 2009
From: tony at cambiumdata.com (Tony Underwood)
Date: Mon, 10 Aug 2009 16:25:48 -0700
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com>
References: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com> <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com>
Message-ID: <0F205F18DCB4724DB15EAF8FF93E0A21129EE5014C@P3PW5EX1MB04.EX1.SECURESERVER.NET>

I know you have to have a hostname configured to generate a key on the box, so it's obviously using the hostname at some level in the key.
Whenever I change a hostname I've experienced the same result, but regenerating the key always fixes the problem. "crypto key gen rsa" as someone mentioned earlier.

Tony Underwood
Cambium Data Inc.
5050 So. 111th St.
Omaha, NE 68137
(402) 514-3201
(402) 960-3107 - C
http://www.CambiumData.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 2:56 PM
To: Eninja
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hello-

Nothing, they are all identical switches running the same IOS.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Eninja"
To: "Jon Wolberg"
Cc: "Paul Stewart" , cisco-nsp at puck.nether.net, "Eninja"
Sent: Monday, August 10, 2009 3:49:35 PM GMT -05:00 US/Canada Eastern
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Jon,

What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't?

-Eninja

On Aug 10, 2009, at 6:19 PM, Jon Wolberg wrote:
From ayourtch at gmail.com Mon Aug 10 19:32:20 2009
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Tue, 11 Aug 2009 01:32:20 +0200
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID: <530c5af60908101632y24d4e653kbe4361aa3ed76cb@mail.gmail.com>

Hi Gregory,

http://www.net-track.ch/opensource/remtty/ - does that fit the bill ?

thanks,
andrew

NB: to get it working on a x86_64 system you need to carefully weed out all the compilation warnings before it runs correctly.

On Mon, Aug 10, 2009 at 11:24 PM, Gregory Boehnlein wrote:
> Hello,
> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From moua0100 at umn.edu Mon Aug 10 20:53:26 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 10 Aug 2009 19:53:26 -0500 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> Message-ID: <4A80C106.2050703@umn.edu> I like "minicom". Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Gregory Boehnlein wrote: > Hello, > Received a request from a client that needs to access a modem on a > Cisco router from standard serial applications on a Linux box. These are for > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > not PPP. > > There used to be a few piece of software out there that did it, but > I can't seem to find any of them. Anyone have any solutions for this? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From meenoo at gmail.com Mon Aug 10 22:11:30 2009 From: meenoo at gmail.com (Meenoo Shivdasani) Date: Mon, 10 Aug 2009 22:11:30 -0400 Subject: [c-nsp] ASA 5505 stops servicing inbound connections Message-ID: I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating. System image file is "disk0:/asa724-k8.bin" Anyone run into this one? 
Thanks in advance, M From rwest at zyedge.com Mon Aug 10 22:17:50 2009 From: rwest at zyedge.com (Ryan West) Date: Mon, 10 Aug 2009 22:17:50 -0400 Subject: [c-nsp] ASA 5505 stops servicing inbound connections In-Reply-To: References: Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local> Post a show ver, you might be hitting a 10 user license count issue. What is your trap logging set to? -ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani Sent: Monday, August 10, 2009 10:12 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] ASA 5505 stops servicing inbound connections I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating. System image file is "disk0:/asa724-k8.bin" Anyone run into this one? Thanks in advance, M _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jckdaniels12 at gmail.com Mon Aug 10 22:45:46 2009 From: jckdaniels12 at gmail.com (jack daniels) Date: Tue, 11 Aug 2009 08:15:46 +0530 Subject: [c-nsp] ALARM CARD ERROR In-Reply-To: <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com> References: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com> <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com> Message-ID: <8bb137f40908101945r72b8a8fes8c581ad05395b4bc@mail.gmail.com> Hi, just opened a TAC case and as per them it's a hardware issue. Thanks and Regards J.Daniels On 8/10/09, Aaron wrote: > > Open a tac case.
> > On Mon, Aug 10, 2009 at 00:55, jack daniels wrote: > >> Hi All >> >> I'm getting below error on GSR 12416 ALARM CARD - >> >> IOS 12.0(32)SY6 >> >> >> >> WARNING: Unknown MBUS agent controller type, slot 24 >> Contact your technical support >> representative.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<> >> >> >> sh diag 24 >> >> SLOT 24 (ALM 0 ): Alarm Module(16) >> MAIN: type 64, 800-5570-05 rev C0 >> Deviation: 0 >> HW config: 0x00 SW key: 00-00-00 >> PCA: 73-4266-04 rev B0 ver 3 >> Design Release 1.0 S/N SAL1250CZJ9 >> MBUS: Unknown (0) 00-0000-00 rev 70 dev 0 >> HW version 1.2 S/N SAL1248BSQ5 >> Test hist: 0x00 RMA#: 00-00-00 RMA hist: 0x00 >> DIAG: Test count: 0x00000000 Test results: 0x00000000 >> FRU: Linecard/Module: GSR16-ALRM= >> MBUS Agent Software version 2.68 (RAM) (ROM version is 3.66) >> >> >> >> >> sh gsr >> Slot 0 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok >> subslot 0/1: Empty >> subslot 0/2: Empty >> subslot 0/3: Empty >> Slot 5 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 5/0: SPA-2XOC48POS/RPR (0x46F), status is ok >> subslot 5/1: SPA-5X1GE-V2 (0x50A), status is ok >> subslot 5/2: Empty >> subslot 5/3: Empty >> Slot 6 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 6/0: SPA-4XT3/E3 (0x40B), status is ok >> subslot 6/1: SPA-4XT3/E3 (0x40B), status is ok >> subslot 6/2: SPA-8XOC3-POS (0x505), status is ok >> subslot 6/3: SPA-8XOC3-POS (0x505), status is ok >> Slot 7 type = Performance Route Processor >> state = ACTV RP IOS Running ACTIVE >> Slot 8 type = Performance Route Processor >> state = STBY RP IOS Running STANDBY >> Slot 9 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 9/0: SPA-1X10GE-L-V2 (0x50C), status is ok >> subslot 9/1: Empty >> subslot 9/2: Empty >> subslot 9/3: Empty >> Slot 14 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 
14/0: SPA-2XOC48POS/RPR (0x46F), status is ok >> subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok >> subslot 14/2: Empty >> subslot 14/3: Empty >> Slot 15 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 15/0: SPA-4XOC12-POS (0x507), status is ok >> subslot 15/1: SPA-8XOC3-POS (0x505), status is ok >> subslot 15/2: SPA-4XT3/E3 (0x40B), status is ok >> subslot 15/3: Empty >> Slot 16 type = Clock Scheduler Card OC192 Dual Priority >> state = Card Powered >> Slot 17 type = Clock Scheduler Card OC192 Dual Priority >> state = Card Powered PRIMARY CLOCK >> Slot 18 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 19 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 20 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 24 type = Alarm Module(16) >> state = Card Powered >> Slot 25 type = Alarm Module(16) >> state = Card Powered >> Slot 27 type = Bus Board(16) >> state = Card Powered >> Slot 28 type = Blower Module(16) >> state = Card Powered >> Slot 29 type = Blower Module(16) >> state = Card Powered >> >> >> Thanks and Regards >> J.Daniels >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From jckdaniels12 at gmail.com Mon Aug 10 22:43:49 2009 From: jckdaniels12 at gmail.com (jack daniels) Date: Tue, 11 Aug 2009 08:13:49 +0530 Subject: [c-nsp] HIDE AS BGP In-Reply-To: <004b01ca19d7$e139e010$0a00000a@nil.si> References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com> <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com> <004b01ca19d7$e139e010$0a00000a@nil.si> Message-ID: <8bb137f40908101943p480c3308lda92404c528dde90@mail.gmail.com> Hi, Thanks All 
got it now :) Regards J.Daniels On 8/10/09, Ivan Pepelnjak wrote: > > Much easier: run multihop EBGP session between Customer and ISP2 (plus the > regular EBGP session Customer-ISP1). Just make sure something reachable > within ISP1 is announced as the next-hop. > > > -----Original Message----- > > From: jack daniels [mailto:jckdaniels12 at gmail.com] > > Sent: Monday, August 10, 2009 5:01 PM > > To: Marko Milivojevic > > Cc: Cisco-NSP > > Subject: Re: [c-nsp] HIDE AS BGP > > > > Hi Mark, > > > > can you please put more light on the example you proposed . > > > > Thanks and Regards > > J.Daniels > > > > > > On 8/10/09, Marko Milivojevic wrote: > > > > > > You can use CSC in ISP1 and run BGP directly between > > Customer and ISP2. > > > > > > On Mon, Aug 10, 2009 at 11:59, jack > > daniels wrote: > > > > Hi , > > > > > > > > Just to be more specific on the solution requirement - > > > > > > > > Customer---ISP1---ISP2---Internet > > > > > > > > > > > > Internet should not see ISP1 AS number . I 'm looking for > > L3 solution. > > > > > > > > > From zivl at gilat.net Tue Aug 11 02:52:05 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 11 Aug 2009 09:52:05 +0300 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <4A80C106.2050703@umn.edu> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <4A80C106.2050703@umn.edu> Message-ID: First of all, to access a modem connected to an async or aux port of a router it's possible by telneting the router on port 2000 + the line number the modem is connected, if you perform a "show line" command on the router you'll get something like this, for example: Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int 0 CTY - - - - - 0 0 0/0 - 1 AUX 0/0 - - - - - 0 0 0/0 - * 2 VTY - - - - - 22 0 0/0 - In this case, if the modem was connected to the AUX port you would telnet the router on port 2001 and you can get direct access to modem control and be able to perform any AT commands. 
I also like minicom for direct serial access, but now for normal console I use a nice graphical tool named gtk term which is more simple and friendly if you're in a GUI environment; for the command line and specific modem protocols and commands support, minicom is still the one you want. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua Sent: Tuesday, August 11, 2009 3:53 AM To: Gregory Boehnlein Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server I like "minicom". Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Gregory Boehnlein wrote: > Hello, > Received a request from a client that needs to access a modem on a > Cisco router from standard serial applications on a Linux box. These are for > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > not PPP. > > There used to be a few pieces of software out there that did it, but > I can't seem to find any of them. Anyone have any solutions for this? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
From zivl at gilat.net Tue Aug 11 02:56:10 2009 From: zivl at gilat.net (Ziv Leyes) Date: Tue, 11 Aug 2009 09:56:10 +0300 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com> References: <4A804DD8.5020907@emich.edu> <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com> Message-ID: That should be the exact procedure to follow when changing hostnames; even if on most devices there are no problems, it is best to follow this sequence: 1. Zeroize the key 2. Change hostname 3. Generate a new key -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg Sent: Monday, August 10, 2009 9:15 PM To: jf Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] SSH no longer functions after hostname change All- Using the exact order that JF listed below it worked perfectly and resolved my issue. I can now SSH to this device again. Thanks. Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!"
----- Original Message ----- From: "jf" To: "Jon Wolberg" Cc: cisco-nsp at puck.nether.net Sent: Monday, August 10, 2009 12:42:00 PM GMT -05:00 US/Canada Eastern Subject: Re: [c-nsp] SSH no longer functions after hostname change We experienced this problem on a 3550 12g several years ago. We solved it by temporarily changing the configured hostname back, zeroing the key, changing the hostname again, and regenerating. Jon Wolberg wrote: > Hello- > > We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch. > > I get the below errors on the console with debug ip ssh client running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running. > > Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Tue Aug 11 03:10:25 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 11 Aug 2009 09:10:25 +0200 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: References: <06cb01ca1a00$f9f4c290$edde47b0$@net> Message-ID: <20090811071025.GZ290@greenie.muc.de> Hi, On Mon, Aug 10, 2009 at 06:14:53PM -0400, Justin M.
Streiner wrote: > On Mon, 10 Aug 2009, Gregory Boehnlein wrote: > > > Received a request from a client that needs to access a modem on a > >Cisco router from standard serial applications on a Linux box. These are > >for > >standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > >not PPP. > > > > There used to be a few pieces of software out there that did it, but > >I can't seem to find any of them. Anyone have any solutions for this? > > Depending on how low-level you want to get, you could probably do what you > need with Minicom, Kermit, Seyon (X11), and a few others. Some of these > can also work with scripts to automate tasks. I think the issue here is "the modem is not connected to the Linux box" (but built-in to the Cisco router), so you need some glue logic to connect /dev/ttySOMETHING on the Linux side to the Cisco modem ("telnet cisco 20xx"). Unfortunately, I do not have an *answer* for that question either. I did some googling, and found one page mentioning "ser2net" (which is not exactly what Gregory needs, but could be tweaked) and another page mentioned that "socat" has a "pty" option that will connect a pseudo tty on one side to "whatever you want on the other side" - this could be a port on the Cisco side. Further hits mentioned: - Tibbo VSPDL - http://soi.tibbo.com/vspdl.html, a kernel level "virtual serial port" driver - TTY redirector - http://www.ttyredirector.com/ (commercial, but targets *exactly* this problem - "an application on the Linux side, talking to a Cisco ASxxx server" [among others]) - Remserial - http://lpccomp.bc.ca/remserial/ gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Tue Aug 11 04:03:18 2009 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 11 Aug 2009 10:03:18 +0200 Subject: [c-nsp] ASA5520 different crypt options and general tuning question? In-Reply-To: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> Message-ID: <20090811080318.GA290@greenie.muc.de> Hi, On Mon, Aug 10, 2009 at 11:20:01AM -0700, Scott Granados wrote: > hash type for differing jobs? When would you want to use 3DES instead of > say aes-256? Is there ever a reason you'd use MD5 instead of sha??? Sometimes you need to VPN to remote devices that have problems with AES or with SHA - buggy implementations, old implementations, slow CPUs (which might make you choose AES128 vs. AES256), ... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From A.L.M.Buxey at lboro.ac.uk Tue Aug 11 05:39:35 2009 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Tue, 11 Aug 2009 10:39:35 +0100 Subject: [c-nsp] ASA 5505 stops servicing inbound connections In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local> References: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local> Message-ID: <20090811093935.GC17453@lboro.ac.uk> Hi, > Post a show ver, you might be hitting a 10 user license count issue. We hit a weird bug a while back in which the connection counts were being lowered by an extra 1 for each session finished by another user..... which then led to a situation where users lost the ability to connect to any new session (active sessions fine). nasty. fixed.
why 7.x - join the 8.x train? alan From gkg at gmx.de Tue Aug 11 05:44:38 2009 From: gkg at gmx.de (Garry) Date: Tue, 11 Aug 2009 11:44:38 +0200 Subject: [c-nsp] Anybody noticed yet? CSC 6.3 phones home :( Message-ID: <4A813D86.80805@gmx.de> Hi ::/0, I just received a call from one of our customers, who was having some problems with duplicate records being created in a remote system ... the system is used through a web interface, and data is stored via a GET operation ... (no, I did not implement that system, as I would have opted to use both SSL as well as decent authentication & POST instead) Anyway, it turns out the duplicate requests were created by an IP 150.70.84.25, which according to some research turns out to be used by Trend Micro, Japan (APNIC records are pretty unusable, though, as usual) According to the customer, the behavior started around July 30th, which is a couple days after I upgraded the customer ASA / CSC, with 6.3.1172 installed on the CSC ... So it turns out that the new release uses a subset of URLs requested, transfers those to TM, which in turn probably uses them to find potential malware ... as such, this might be OK, but I could not locate ANYWHERE in the CSC where there is an option to disable this function, or at least any information about that feature having been introduced ... (previous releases to my knowledge didn't do that ...) Anybody else notice this yet? I just opened a ticket with TAC and complained about it ... for me, it's a pretty bad case of security and confidentiality breach ... but maybe that's just me ... -garry From asturluismi at gmail.com Tue Aug 11 07:14:25 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 13:14:25 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 Message-ID: <1249989265.10538.2.camel@dsba-ipso> Hi all, I would like to know if it is possible to create an etherchannel between just 1 router 7600 and 2 switches 2960 connected between them by a trunk.
The schema would be.... 2960-------\ | \ Trunk FEC----7600 | / 2960-------/ Is it possible? From peter at rathlev.dk Tue Aug 11 07:32:07 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 11 Aug 2009 13:32:07 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249989265.10538.2.camel@dsba-ipso> References: <1249989265.10538.2.camel@dsba-ipso> Message-ID: <1249990327.4222.3.camel@abehat.net.rm.dk> On Tue, 2009-08-11 at 13:14 +0200, luismi wrote: > I would like to know if it is possible to create an etherchannel > between just 1 router 7600 and 2 switches 2960 connected between them > by a trunk. > > The schema would be.... > > 2960-------\ > | \ > Trunk FEC----7600 > | / > 2960-------/ > > Is it possible? No. Bundling interfaces in port-channels is only possible between exactly two distinct STP nodes since port-channels break the split-horizon rule (sort of, on a physical interface level). What would you achieve by this? There might be another solution to your needs. Regards, Peter From braaen at zcorum.com Tue Aug 11 07:50:56 2009 From: braaen at zcorum.com (Brian Raaen) Date: Tue, 11 Aug 2009 07:50:56 -0400 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249989265.10538.2.camel@dsba-ipso> References: <1249989265.10538.2.camel@dsba-ipso> Message-ID: <4A815B20.9040702@zcorum.com> Are the 2960's in a stack, and you are trying to terminate an etherchannel for the stack? I'd have to double check but, I believe that I have this set up on a 7200 that is termination PPPoE. luismi wrote: > Hi all, > > I would like to know if it is possible to create an etherchannel between > just 1 router 7600 and 2 switches 2960 connected between them by a > trunk. > > The schema would be.... > > 2960-------\ > | \ > Trunk FEC----7600 > | / > 2960-------/ > > Is it possible? 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From asturluismi at gmail.com Tue Aug 11 08:00:46 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:00:46 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249990327.4222.3.camel@abehat.net.rm.dk> References: <1249989265.10538.2.camel@dsba-ipso> <1249990327.4222.3.camel@abehat.net.rm.dk> Message-ID: <1249992046.10538.4.camel@dsba-ipso> Well, I would like to see if it could be possible to improve the HA, I didn't expect that 2960 had support for this idea. So far, the schema we have here is working ok without FEC. Just want to know if we could do it better. From asturluismi at gmail.com Tue Aug 11 08:01:08 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:01:08 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <4A815B20.9040702@zcorum.com> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> Message-ID: <1249992068.10538.6.camel@dsba-ipso> 2960 doesn't support stack as far as I know. it could support cluster, I think. From rwest at zyedge.com Tue Aug 11 08:19:35 2009 From: rwest at zyedge.com (Ryan West) Date: Tue, 11 Aug 2009 08:19:35 -0400 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249992068.10538.6.camel@dsba-ipso> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> <1249992068.10538.6.camel@dsba-ipso> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> 2960's will not support stacking and yes, they do support clustering, but pretty much every low end switch supports that. To achieve this type of channeling, you would need 2970's or 3750's with stackwise and then I think you're limited to LACP and regular etherchannel only. 
-ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: Tuesday, August 11, 2009 8:01 AM To: Brian Raaen Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Etherchannel between 2x2960 and 1x7600 2960 doesn't support stack as far as I know. it could support cluster, I think. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Tue Aug 11 08:21:42 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:21:42 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> <1249992068.10538.6.camel@dsba-ipso> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> Message-ID: <1249993302.10538.8.camel@dsba-ipso> Ok, thanks for the info, I think we will continue with our actual topology for a while :-D From vijay.ramcharan at verizonbusiness.com Tue Aug 11 09:17:20 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 11 Aug 2009 13:17:20 +0000 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249993302.10538.8.camel@dsba-ipso> Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com> There is perhaps another possibility if you are looking for simple physical layer redundancy. Since you have one router and two switches I assume that you're looking to do just that. You could use IRB and create a bridge group on the router and do your layer 3 config on the bvi. I'm only throwing this out as a possibility as I've never actually used this in a production environment. Don't see why it won't work though. 
Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: Tuesday, August 11, 2009 8:22 AM To: Ryan West Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Etherchannel between 2x2960 and 1x7600 Ok, thanks for the info, I think we will continue with our actual topology for a while :-D _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From damin at nacs.net Tue Aug 11 09:22:03 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 11 Aug 2009 09:22:03 -0400 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <20090811071025.GZ290@greenie.muc.de> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <20090811071025.GZ290@greenie.muc.de> Message-ID: <087101ca1a86$b9eb35e0$2dc1a1a0$@net> Thank you everyone for your responses.. I got great feedback and information. The two options that look the most promising: Commercial: TTYredirector OpenSource: remtty Excellent! This is why I love c-nsp! From nbernadeau at gallantsys.com Tue Aug 11 10:47:55 2009 From: nbernadeau at gallantsys.com (Nathaniel Bernadeau) Date: Tue, 11 Aug 2009 10:47:55 -0400 Subject: [c-nsp] Tech question about 15216-EDFA-2 Message-ID: <4A81849B.8080808@gallantsys.com> Our customer is having problems getting them to work in what is called ASH mode. The units have 2 methods of provisioning, ASH and TL1 mode.
They do not want to use TL1 mode as they are more familiar with ASH mode. Cisco told them that the unit's internal software cannot be converted from TL1 to ASH mode since they are too old, even though the manual states that it should work. Is there some sort of command that is not listed in the manual that can convert the shell from TL1 to ASH? --- regards, Nathaniel Bernadeau Gallant Systems, LLC 11064 Livingston RD Suite 106-C Fort Washington, MD 20744 Toll Free: 888-836-3751 Ph: 301-627-6358 Fax: 240-823-6897 Cell: 202-246-2229 nbernadeau at gallantsys.com www.gallantsys.com From asturluismi at gmail.com Tue Aug 11 11:11:34 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 17:11:34 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com> References: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com> Message-ID: <1250003494.10538.10.camel@dsba-ipso> I take note of your idea but I never worked with bvi interfaces and I should check that in the lab first. Thanks anyway :D From Jason.Mishka at UToledo.Edu Tue Aug 11 11:44:03 2009 From: Jason.Mishka at UToledo.Edu (Mishka, Jason) Date: Tue, 11 Aug 2009 11:44:03 -0400 Subject: [c-nsp] ASA 5505 stops servicing inbound connections In-Reply-To: <20090811093935.GC17453@lboro.ac.uk> References: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local> <20090811093935.GC17453@lboro.ac.uk> Message-ID: You could also have exhausted your translation or number of connections. Try 'show xlate' and 'show conn' to see what this is like. Rebooting would clear all xlates and connections so you should do this before you reboot if it happens again.
Jason > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Alan Buxey > Sent: Tuesday, August 11, 2009 5:40 AM > To: Ryan West > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections > > Hi, > > Post a show ver, you might be hitting a 10 user license count issue. > > we hit a wierd bug a while back in which the connection counts > were being lowered by an extra 1 for each session > finished by another user..... which then led to a situation where > users lost ability to connect to any new session (active sessions fine). > nasty. fixed. > > why 7.x - join the 8.x train? > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tsuther at i3businesssolutions.com Tue Aug 11 12:29:30 2009 From: tsuther at i3businesssolutions.com (Tom Sutherland) Date: Tue, 11 Aug 2009 12:29:30 -0400 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: References: <06cb01ca1a00$f9f4c290$edde47b0$@net> Message-ID: <1250008170.4502.11.camel@angry-butler09> I use "cu" - looks to be a lot like "tip" http://www.computerhope.com/unix/ucu.htm On Mon, 2009-08-10 at 18:29 -0400, Stephane Tsacas wrote: > On Mon, Aug 10, 2009 at 23:24, Gregory Boehnlein wrote: > > > Hello, > > Received a request from a client that needs to access a modem on a > > Cisco router from standard serial applications on a Linux box. These are > > for > > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > > not PPP. > > > > There used to be a few piece of software out there that did it, but > > I can't seem to find any of them. Anyone have any solutions for this? > > > > Something like "tip" but for Linux ? 
> http://www.freebsd.org/cgi/man.cgi?query=tip&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html > This > is what you're looking for ? > From damin at nacs.net Tue Aug 11 12:51:28 2009 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 11 Aug 2009 12:51:28 -0400 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <1250008170.4502.11.camel@angry-butler09> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <1250008170.4502.11.camel@angry-butler09> Message-ID: <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net> > I use "cu" - looks to be a lot like "tip" > > http://www.computerhope.com/unix/ucu.htm Per the E-mail, the issue is that I need things like HylaFax and other commercial software that relies on direct access to the /dev/tty device to access a modem on a remote Cisco box.. Minicom, CU, all of that is great, but I can't have Hylafax use Minicom to communicate w/ a remote modem. I need a driver that appears to be a serial port on the Linux box, that is connected to a remote modem on the Cisco so that proprietary software can communicate w/ the modem as if it were locally attached. From khunt at huntbrothers.com Tue Aug 11 09:51:26 2009 From: khunt at huntbrothers.com (Kevin Hunt) Date: Tue, 11 Aug 2009 08:51:26 -0500 Subject: [c-nsp] ASA 5505 stops servicing inbound connections In-Reply-To: Message-ID: Are you logging via TCP or UDP ? If you are logging via TCP to a logging server and the logging server is down, the pix will only permit a limited number of logs to be "uncomfirmed" and then it will stop all traffic as a security measure. At least this was the rule in pix 6.3.5, I've not researched it on the ASA platform... W. Kevin Hunt On 8/10/09 9:11 PM, "Meenoo Shivdasani" wrote: > I have an ASA 5505 that randomly stops handling incoming connections > to the servers that are behind it. When it fails, the only solution > that I have (since it's remote) is to have it power-cycled. 
I have it > logging to a log server, but nothing in the logs seems to be > illuminating. > > System image file is "disk0:/asa724-k8.bin" > > Anyone run into this one? > > Thanks in advance, > > M > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- W. Kevin Hunt CCIE #11841 Linux+ SME From mike-cisconsplist at tiedyenetworks.com Tue Aug 11 12:39:55 2009 From: mike-cisconsplist at tiedyenetworks.com (Mike) Date: Tue, 11 Aug 2009 09:39:55 -0700 Subject: [c-nsp] pseudowire over ip/mpls Message-ID: <4A819EDB.7070602@tiedyenetworks.com> Hello, This may not be a strictly cisco question, but does anyone here have good operational experience with pseudowire (t1 and ds3) carried over ip/mpls? I'm just interested in real world experiences and deployment scenarios that have went live. I previously posted to the nanog list without success. Thank you. From meenoo at gmail.com Tue Aug 11 14:11:53 2009 From: meenoo at gmail.com (Meenoo Shivdasani) Date: Tue, 11 Aug 2009 14:11:53 -0400 Subject: [c-nsp] ASA 5505 stops servicing inbound connections In-Reply-To: References: Message-ID: The license is a 10-user license, but that's 10 internal hosts, not external hosts. trap logging was set to informational -- now set to debug. 7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with. It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied: "Deny tcp src outside" for example. 
Shortly before it died, it logged "%ASA-6-302010: 190 in use, 837 most used" and right after it stopped handling connections it logged "%ASA-6-302010: 2 in use, 837 most used" so I don't think that it's a connection limitation. M From moua0100 at umn.edu Tue Aug 11 14:19:08 2009 From: moua0100 at umn.edu (Ge Moua) Date: Tue, 11 Aug 2009 13:19:08 -0500 Subject: [c-nsp] pseudowire over ip/mpls In-Reply-To: <4A819EDB.7070602@tiedyenetworks.com> References: <4A819EDB.7070602@tiedyenetworks.com> Message-ID: <4A81B61C.60709@umn.edu> Been doing that for a few years over here; works fairly good (although ds-z ckts are pricey). Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Mike wrote: > Hello, > > This may not be a strictly cisco question, but does anyone here have > good operational experience with pseudowire (t1 and ds3) carried over > ip/mpls? I'm just interested in real world experiences and deployment > scenarios that have went live. I previously posted to the nanog list > without success. > > Thank you. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From deric.kwok2000 at gmail.com Tue Aug 11 14:29:13 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 11 Aug 2009 14:29:13 -0400 Subject: [c-nsp] help: can someone know about linksys? Message-ID: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com> Hi all Can can someone know about linksys? 
eg: forum as cisco I have rv082 but don't have any manuel I don't know how to connect and configure it too as don't have any console port Thank you for your help From gsgranados at comcast.net Tue Aug 11 14:39:20 2009 From: gsgranados at comcast.net (Scott Granados) Date: Tue, 11 Aug 2009 11:39:20 -0700 Subject: [c-nsp] VPN-3000 and PIX VPN peer change question? Message-ID: <009e01ca1ab3$0e0383e0$2208120a@am.thmulti.com> Hi, I have a question about upgrading a connection for a remote site and changing the VPN peer on a VPN-3000. BACKGROUND In the field I have a branch office with a Pix that provides their office connectivity and VPN tunnel back to HQ. The branch office is having its bandwidth increased by swapping to a new provider that offers a metro E package. The IP addressing of the firewall will change but all the other services and internal addressing remain the same. At HQ I have a VPN-3000 with that wonderful point / click thingy instead of a real usable command interface. On the VPN-3000 I have a profile that sets up a lan to lan VPN (their wording) back to the Pix at the branch. QUESTION My question is assuming the Pix in the field is updated and all other things work will I simply need to change the peer address on the VPN-3000 to reconnect the VPN? Also, am I correct in my thinking that you change the peer address under configuration / policies / ipsec / L2L/ (profile)? There's a peer address that matches my far end, are there any other instances or things I should adjust? Pointers would be appreciated. 
To me it looks like I make this one change and it should work but I want to make sure before I have a guy sitting in the field holding his shmeckle while I try to figure things out.:) Thanks Scott From brandon at burn.net Tue Aug 11 14:40:16 2009 From: brandon at burn.net (Brandon Applegate) Date: Tue, 11 Aug 2009 14:40:16 -0400 (EDT) Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <1250008170.4502.11.camel@angry-butler09> <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net> Message-ID: On Tue, 11 Aug 2009, Gregory Boehnlein wrote: >> I use "cu" - looks to be a lot like "tip" >> >> http://www.computerhope.com/unix/ucu.htm > > Per the E-mail, the issue is that I need things like HylaFax and other > commercial software that relies on direct access to the /dev/tty device to > access a modem on a remote Cisco box.. > > Minicom, CU, all of that is great, but I can't have Hylafax use Minicom to > communicate w/ a remote modem. > > I need a driver that appears to be a serial port on the Linux box, that is > connected to a remote modem on the Cisco so that proprietary software can > communicate w/ the modem as if it were locally attached. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > What about socat ? http://www.dest-unreach.org/socat/ Surely your distro has packages in $repo. You could have this start from and rc script. socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,waitslave EXEC:'"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,raw,echo=0"' Yours would be even simpler, as the right hand side would be (probably) just a tcp-connect: -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun." 
From steve.tillinger at sourcemedia.com Tue Aug 11 14:44:56 2009
From: steve.tillinger at sourcemedia.com (Tillinger, Steve)
Date: Tue, 11 Aug 2009 14:44:56 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
Message-ID:

Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

# sh loc
Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 4, towards licensed host limit of: 10

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, August 11, 2009 2:12 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

The license is a 10-user license, but that's 10 internal hosts, not external hosts.

trap logging was set to informational -- now set to debug.

7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with.

It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied: "Deny tcp src outside" for example.

Shortly before it died, it logged "%ASA-6-302010: 190 in use, 837 most used" and right after it stopped handling connections it logged "%ASA-6-302010: 2 in use, 837 most used", so I don't think that it's a connection limitation.

M

"This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution"

From meenoo at gmail.com Tue Aug 11 16:06:39 2009
From: meenoo at gmail.com (Meenoo Shivdasani)
Date: Tue, 11 Aug 2009 16:06:39 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID:

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the
> 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

From steve.tillinger at sourcemedia.com Tue Aug 11 16:17:44 2009
From: steve.tillinger at sourcemedia.com (Tillinger, Steve)
Date: Tue, 11 Aug 2009 16:17:44 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
Message-ID:

OK so it's not the host count. Maybe the number of connections? I'm out of ideas.

# sh res usa
Resource  Current  Peak  Limit   Denied  Context
SSH       1        1     5       0       System
Conns     15       129   280000  0       System
Hosts     63       95    N/A     0       System

-----Original Message-----
From: Meenoo Shivdasani [mailto:meenoo at gmail.com]
Sent: Tuesday, August 11, 2009 4:07 PM
To: Tillinger, Steve
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the
> 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

"This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution"

From wim.holemans at ua.ac.be Tue Aug 11 16:35:44 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Tue, 11 Aug 2009 22:35:44 +0200
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID:

Look in the log files for the following error:

<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our asa's (running version 8) on a regular basis (once a month); reload is the only way to resolve this. We have a case open for this, but without any good response from cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, August 11, 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the
> 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

From rwest at zyedge.com Tue Aug 11 16:44:12 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 11 Aug 2009 16:44:12 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FCD@zy-ex1.zyedge.local>

Is this on 8.2.x or 8.0? I'm making an assumption that it's not a 5580-SMP. If it is 8.2.x, you may not have enough memory; our test FW is having similar issues with 8.2.1(3). I just ordered some "Cisco compatible" RAM (Kingston Value Select) to help out with it.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Tuesday, August 11, 2009 4:36 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

Look in the log files for the following error:

<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our asa's (running version 8) on a regular basis (once a month); reload is the only way to resolve this. We have a case open for this, but without any good response from cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, August 11, 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the
> 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces. Current host count: 2, towards licensed host limit of: 10 Interface dmz: 2 active, 2 maximum active, 0 denied" The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens. M _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From lmeade at signal.ca Tue Aug 11 17:30:17 2009 From: lmeade at signal.ca (Leslie Meade) Date: Tue, 11 Aug 2009 14:30:17 -0700 Subject: [c-nsp] ASDM not working after upgrades Message-ID: I am getting the error of Unable to launch device manager from 10.1.254.254 I have uploaded the correct files and change the config to match ASA5540-01# sh run asdm asdm image disk0:/asdm-621.bin asdm location 10.1.6.25 255.255.255.255 inside asdm history enable ASA5540-01# sh run http http server enable http 10.1.6.0 255.255.255.0 inside ASA5540-01# sh flash --#-- --length-- -----date/time------ path 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin If I roll back to the older code and asdm it works fine. Any ideas Leslie From A.L.M.Buxey at lboro.ac.uk Tue Aug 11 17:36:59 2009 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Tue, 11 Aug 2009 22:36:59 +0100 Subject: [c-nsp] help: can someone know about linksys? In-Reply-To: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com> References: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com> Message-ID: <20090811213659.GA22615@lboro.ac.uk> Hi, > Hi all > > Can can someone know about linksys? 
> > eg: forum as cisco > > I have rv082 but don't have any manuel and your place of work blocks Google or Bing? http://www.retrevo.com/support/Linksys-RV082-Routers-manual/id/420bh939/t/2/ alan> From gsgranados at comcast.net Tue Aug 11 17:43:46 2009 From: gsgranados at comcast.net (Scott Granados) Date: Tue, 11 Aug 2009 14:43:46 -0700 Subject: [c-nsp] ASDM not working after upgrades References: Message-ID: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com> Count your blessings? :) That ASDM deal sucks big hairy ones not to mention is utterly inaccessible with a screen reader. ----- Original Message ----- From: "Leslie Meade" To: Sent: Tuesday, August 11, 2009 2:30 PM Subject: [c-nsp] ASDM not working after upgrades >I am getting the error of > Unable to launch device manager from 10.1.254.254 > > I have uploaded the correct files and change the config to match > > ASA5540-01# sh run asdm > asdm image disk0:/asdm-621.bin > asdm location 10.1.6.25 255.255.255.255 inside > asdm history enable > > ASA5540-01# sh run http > http server enable > http 10.1.6.0 255.255.255.0 inside > > ASA5540-01# sh flash > --#-- --length-- -----date/time------ path > 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin > 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin > > If I roll back to the older code and asdm it works fine. 
Any ideas > > > Leslie > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From lmeade at signal.ca Tue Aug 11 17:47:22 2009 From: lmeade at signal.ca (Leslie Meade) Date: Tue, 11 Aug 2009 14:47:22 -0700 Subject: [c-nsp] ASDM not working after upgrades In-Reply-To: <607f1e0a0908111437rb955ffeka65037d7b8ca83cf@mail.gmail.com> References: <607f1e0a0908111437rb955ffeka65037d7b8ca83cf@mail.gmail.com> Message-ID: I thought that but I cannot find where it is in the doco on what version of java to use -----Original Message----- From: Charles Mills [mailto:w3yni1 at gmail.com] Sent: Tuesday, August 11, 2009 2:38 PM To: Leslie Meade Subject: Re: [c-nsp] ASDM not working after upgrades Shooting from the hip...java version? On Tue, Aug 11, 2009 at 5:30 PM, Leslie Meade wrote: > I am getting the error of > Unable to launch device manager from 10.1.254.254 > > I have uploaded the correct files and change the config to match > > ASA5540-01# sh run asdm > asdm image disk0:/asdm-621.bin > asdm location 10.1.6.25 255.255.255.255 inside asdm history enable > > ASA5540-01# sh run http > http server enable > http 10.1.6.0 255.255.255.0 inside > > ASA5540-01# sh flash > --#-- ?--length-- ?-----date/time------ ?path > ?131 ?11348300 ? ?Aug 11 2009 10:09:00 ?asdm-621.bin > ?132 ?16275456 ? ?Aug 11 2009 10:10:10 ?asa821-k8.bin > > If I roll back to the older code and asdm it works fine. 
Any ideas > > > Leslie > > _______________________________________________ > cisco-nsp mailing list ?cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From erey at ernw.de Tue Aug 11 18:16:07 2009 From: erey at ernw.de (Enno Rey) Date: Wed, 12 Aug 2009 00:16:07 +0200 Subject: [c-nsp] ASDM not working after upgrades In-Reply-To: References: Message-ID: <20090811221607.GT98052@ws25.ernw.de> Hi, haven't touched the stuff for a while... but imho your config only allows http(s) connections for 10.1.6.0/24 whereas the denied connection comes from 10.1.254.254 ... thanks, Enno On Tue, Aug 11, 2009 at 02:30:17PM -0700, Leslie Meade wrote: > I am getting the error of > Unable to launch device manager from 10.1.254.254 > > I have uploaded the correct files and change the config to match > > ASA5540-01# sh run asdm > asdm image disk0:/asdm-621.bin > asdm location 10.1.6.25 255.255.255.255 inside > asdm history enable > > ASA5540-01# sh run http > http server enable > http 10.1.6.0 255.255.255.0 inside > > ASA5540-01# sh flash > --#-- --length-- -----date/time------ path > 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin > 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin > > If I roll back to the older code and asdm it works fine. Any ideas > > > Leslie > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. 
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey From justin at justinshore.com Tue Aug 11 18:16:11 2009 From: justin at justinshore.com (Justin Shore) Date: Tue, 11 Aug 2009 17:16:11 -0500 Subject: [c-nsp] EEM applets and conditional statements Message-ID: <4A81EDAB.2030409@justinshore.com> I'm having trouble figuring out how to use the conditional capabilities of EEM applets to do something fairly simple. I'd like to check for DHCP conflicts on a schedule and if any exist I'd like to generate a syslog message and send an email. What I can't figure out how to do is parse the output of 'sh ip dh con' and if then perform an action if there are any conflicts (ie, more than just the single header line in the output). I've gone through some of the EEM community scripts but they all seem to be full blown TCL scripts. I'm thinking that I can handle this with a simple applet. The applets have if, for, and while capabilities but I haven't figured out how to apply them to parsing command output? Any suggestions or pointers? Example scripts that demonstrate how to use the EEM logic capabilities would be fine too. I can build off that to do what I need. Thanks Justin From larry at maxqe.com Tue Aug 11 19:09:02 2009 From: larry at maxqe.com (Larry) Date: Tue, 11 Aug 2009 18:09:02 -0500 Subject: [c-nsp] help: can someone know about linksys? In-Reply-To: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com> References: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com> Message-ID: <4A81FA0E.5000508@maxqe.com> http://lmgtfy.com/?q=Linksys+rv082+manual Deric Kwok wrote: > Hi all > > Can can someone know about linksys? 
> > eg: forum as cisco > > I have rv082 but don't have any manuel > > I don't know how to connect and configure it too as don't have any console > port > > Thank you for your help > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 6635 bytes Desc: S/MIME Cryptographic Signature URL: From sidney.boumendil at gmail.com Tue Aug 11 19:40:07 2009 From: sidney.boumendil at gmail.com (Sidney Boumendil) Date: Wed, 12 Aug 2009 01:40:07 +0200 Subject: [c-nsp] BFD static routes on 6500 SXI Message-ID: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com> Hi list, I am pretty much confused whether bfd for static routes is actualy supported on 6500 running SXI release. On 7600 it's been added starting with SRC (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_presentation0900aecd8072c43a.pdf ). SXI release notes exhibits the exact same feature (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/prod_presentation_12_2_33_SXI.pdf) yet I've tried SXI2 and the command 'ip route static bfd' is simply not available. Anyone has information on that ? Thanks! Sidney PS: feature navigator do not list 6500 as a supported platform for BFD static routes From deric.kwok2000 at gmail.com Tue Aug 11 21:09:55 2009 From: deric.kwok2000 at gmail.com (Deric Kwok) Date: Tue, 11 Aug 2009 21:09:55 -0400 Subject: [c-nsp] vpn configure Message-ID: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> Hi How can I configure remote subnet and local subnet for vpn in cli? ls pix only accessed by https in inside for configuration? No other way for http configuration outside? 
Thank you From rwest at zyedge.com Tue Aug 11 21:28:57 2009 From: rwest at zyedge.com (Ryan West) Date: Tue, 11 Aug 2009 21:28:57 -0400 Subject: [c-nsp] vpn configure In-Reply-To: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local> You can configure the PIX for local and remote subnets using your interesting traffic ACL. Access-list vpn_myacl permit ip The PIX can be configured from the outside using PDM: http outside hth -ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Deric Kwok Sent: Tuesday, August 11, 2009 9:10 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] vpn configure Hi How can I configure remote subnet and local subnet for vpn in cli? ls pix only accessed by https in inside for configuration? No other way for http configuration outside? Thank you _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Tue Aug 11 22:03:46 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 11 Aug 2009 22:03:46 -0400 Subject: [c-nsp] EEM applets and conditional statements In-Reply-To: <4A81EDAB.2030409@justinshore.com> References: <4A81EDAB.2030409@justinshore.com> Message-ID: <4A822302.7050804@cisco.com> I don't think you can do it with an EEM applet to compare data in the output. I think you need to do it via a TCL script where you can save the variables. Rodney Justin Shore wrote: > I'm having trouble figuring out how to use the conditional capabilities > of EEM applets to do something fairly simple. I'd like to check for > DHCP conflicts on a schedule and if any exist I'd like to generate a > syslog message and send an email. 
What I can't figure out how to do is > parse the output of 'sh ip dh con' and if then perform an action if > there are any conflicts (ie, more than just the single header line in > the output). I've gone through some of the EEM community scripts but > they all seem to be full blown TCL scripts. I'm thinking that I can > handle this with a simple applet. The applets have if, for, and while > capabilities but I haven't figured out how to apply them to parsing > command output? > > Any suggestions or pointers? Example scripts that demonstrate how to > use the EEM logic capabilities would be fine too. I can build off that > to do what I need. > > Thanks > Justin > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Tue Aug 11 22:06:25 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 11 Aug 2009 22:06:25 -0400 Subject: [c-nsp] BFD static routes on 6500 SXI In-Reply-To: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com> References: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com> Message-ID: <4A8223A1.8090706@cisco.com> It's not there yet Sidney. It's on the roadmap. Rodney Sidney Boumendil wrote: > Hi list, > > I am pretty much confused whether bfd for static routes is actualy supported > on 6500 running SXI release. > On 7600 it's been added starting with SRC (cf > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_presentation0900aecd8072c43a.pdf > ). > SXI release notes exhibits the exact same feature (cf > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/prod_presentation_12_2_33_SXI.pdf) > yet I've tried SXI2 and the command 'ip route static bfd' is simply not > available. > > Anyone has information on that ? > > Thanks! 
> > Sidney > > PS: feature navigator do not list 6500 as a supported platform for BFD > static routes > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From engel.labiro at gmail.com Tue Aug 11 22:14:09 2009 From: engel.labiro at gmail.com (Engelhard Mahandar Labiro) Date: Wed, 12 Aug 2009 11:14:09 +0900 Subject: [c-nsp] vpn configure In-Reply-To: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> Message-ID: <74b0c3330908111914w4b56fa43u1dcb6c872e0f4c4a@mail.gmail.com> > How can I configure remote subnet and local subnet for vpn in cli? > > ls pix only accessed by https in inside for configuration? > > No other way for http configuration outside? I won't enable HTTP on an outside I/F let alone a Firewall that suppose to be secured. Better to enable an IPSec tunnel to the Firewall and access the ASDM through the tunnel using the Firewall's management IP address. Engel From dale.shaw+cisco-nsp at gmail.com Tue Aug 11 23:41:48 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Wed, 12 Aug 2009 13:41:48 +1000 Subject: [c-nsp] OT: Learning about SONET/SDH In-Reply-To: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com> References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com> Message-ID: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com> Hi all, I'd like to learn more about SONET/SDH, as deployed in carrier transmission networks. Something practical that starts from the beginning would be best, as I have had very little exposure to this stuff to date. Some of the books I've read about are very much buried in the land of academia. I can Google as well as the next person, but pointers to good resources are appreciated. 
cheers,
Dale

From ip at ioshints.info Wed Aug 12 00:16:02 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 12 Aug 2009 06:16:02 +0200
Subject: [c-nsp] EEM applets and conditional statements
In-Reply-To: <4A822302.7050804@cisco.com>
References: <4A81EDAB.2030409@justinshore.com> <4A822302.7050804@cisco.com>
Message-ID: <002101ca1b03$9bd2b650$0a00000a@nil.si>

You can do it with EEM 3.0 (12.4(22)T if I'm not mistaken). Unfortunately I haven't been writing about this feature yet, but here's a sample applet that compares the DHCP-acquired address to the previously-acquired one; maybe it will come in handy:

event manager applet DetectDHCPChange
 event syslog pattern "DHCP-6-ADDRESS_ASSIGN"
 action 1.0 regexp "Interface (.*) assigned DHCP address ([0-9.]+)" "$_syslog_msg" match interface ipaddress
 action 2.0 context retrieve key DHCP_address variable "addr"
 action 2.3 set oldip "$addr"
 action 2.4 set addr "$ipaddress"
 action 2.5 context save key DHCP_address variable "addr"
 action 8.0 if $ipaddress ne $oldip
 action 9.1 info type routername
 action 9.2 mail server "$_mail_smtp" to "$_mail_rcpt" from "$_info_routername@$_mail_domain" subject "DHCP address on $interface changed to $ipaddress" body "\n$_syslog_msg"
 action 9.3 syslog msg "address changed to $ipaddress, e-mail sent to the operator"
 action 9.4 else
 action 9.5 syslog msg "DHCP address on $interface still $ipaddress"
 action 9.9 end
!
event manager applet SetDHCPKey
 event syslog pattern "SYS-5-RESTART"
 action 1.0 set addr ""
 action 1.1 context save key DHCP_address variable "addr"

This article has a sample applet that uses command output (in the $_cli_result variable):
http://wiki.nil.com/Send_a_list_of_high-CPU_processes_on_CPU_overload

Hope this helps
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Wednesday, August 12, 2009 4:04 AM
> To: Justin Shore
> Cc: 'Cisco-nsp'
> Subject: Re: [c-nsp] EEM applets and conditional statements
>
> I don't think you can do it with an EEM applet to compare
> data in the output. I think you need to do it via a TCL
> script where you can save the variables.
>
> Rodney
>
> Justin Shore wrote:
> > I'm having trouble figuring out how to use the conditional
> > capabilities of EEM applets to do something fairly simple. I'd like
> > to check for DHCP conflicts on a schedule and if any exist I'd like to
> > generate a syslog message and send an email. What I can't figure out
> > how to do is parse the output of 'sh ip dh con' and then perform an
> > action if there are any conflicts (ie, more than just the single
> > header line in the output). I've gone through some of the EEM
> > community scripts but they all seem to be full blown TCL scripts. I'm
> > thinking that I can handle this with a simple applet. The applets
> > have if, for, and while capabilities but I haven't figured out how to
> > apply them to parsing command output?
> >
> > Any suggestions or pointers? Example scripts that demonstrate how to
> > use the EEM logic capabilities would be fine too. I can build off
> > that to do what I need.
> >
> > Thanks
> > Justin

From abalashov at evaristesys.com Wed Aug 12 00:55:45 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 12 Aug 2009 00:55:45 -0400
Subject: [c-nsp] OT: Learning about SONET/SDH
In-Reply-To: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com>
	<3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
Message-ID: <4A824B51.3010500@evaristesys.com>

I got a lot of mileage out of:

http://search.barnesandnoble.com/SONET-SDH-3rd-Edition/Walter-J-Goralski/e/9780072225242

Dale Shaw wrote:
> Hi all,
>
> I'd like to learn more about SONET/SDH, as deployed in carrier
> transmission networks.
>
> Something practical that starts from the beginning would be best, as I
> have had very little exposure to this stuff to date. Some of the books
> I've read about are very much buried in the land of academia.
>
> I can Google as well as the next person, but pointers to good
> resources are appreciated.
>
> cheers,
> Dale

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671

From engel.labiro at gmail.com Wed Aug 12 01:35:35 2009
From: engel.labiro at gmail.com (Engelhard Mahandar Labiro)
Date: Wed, 12 Aug 2009 14:35:35 +0900
Subject: [c-nsp] OT: Learning about SONET/SDH
In-Reply-To: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com>
	<3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
Message-ID: <74b0c3330908112235l49402f08n2cb718948e19b824@mail.gmail.com>

As always, a book from Cisco Press. It covers some case studies to design and implement SONET/SDH:

Optical Network Design and Implementation
by Vivek Alwayn
Publisher: Cisco Press
Pub Date: March 17, 2004
Print ISBN-10: 1-58705-105-2
Print ISBN-13: 978-1-58705-105-0
Pages: 840

HTH
Engel

On Wed, Aug 12, 2009 at 12:41 PM, Dale Shaw wrote:
> Hi all,
>
> I'd like to learn more about SONET/SDH, as deployed in carrier
> transmission networks.
>
> Something practical that starts from the beginning would be best, as I
> have had very little exposure to this stuff to date. Some of the books
> I've read about are very much buried in the land of academia.
>
> I can Google as well as the next person, but pointers to good
> resources are appreciated.
>
> cheers,
> Dale

From jckdaniels12 at gmail.com Wed Aug 12 01:54:15 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Wed, 12 Aug 2009 11:24:15 +0530
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
Message-ID: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>

Hi all,

I'm getting the below error in a GSR 12416 chassis, please suggest:

048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18

sh gsr

Slot 0  type = Modular SPA Interface Card
        state = IOS RUN        Line Card Enabled
        subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
        subslot 0/1: Empty
        subslot 0/2: Empty
        subslot 0/3: Empty
Slot 6  type = Modular SPA Interface Card
        state = RTRYWAIT       Waiting to retry download after persistent failures
Slot 7  type = Performance Route Processor
        state = ACTV RP        IOS Running ACTIVE
Slot 8  type = Performance Route Processor
        state = RP RDY         Route Processor Powered
Slot 9  type = Modular SPA Interface Card
        state = IOS RUN        Line Card Enabled
        subslot 9/0: Empty
        subslot 9/1: Empty
        subslot 9/2: Empty
        subslot 9/3: Empty
Slot 15 type = Modular SPA Interface Card
        state = RTRYWAIT       Waiting to retry download after persistent failures
Slot 16 type = Clock Scheduler Card OC192 Dual Priority
        state = Card Powered
Slot 17 type = Clock Scheduler Card OC192 Dual Priority
        state = Card Powered   PRIMARY CLOCK
Slot 18 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 19 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 20 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 24 type = Alarm Module(16)
        state = Card Powered
Slot 25 type = Alarm Module(16)
        state = Card Powered
Slot 27 type = Bus Board(16)
        state = Card Powered
Slot 28 type = Blower Module(16)
        state = Card Powered
Slot 29 type = Blower Module(16)
        state = Card Powered

sh led

SLOT 0  : RUN IOS
SLOT 6  : WAITRTRY
SLOT 7  : RP ACTV
SLOT 8  : INITMEM
SLOT 9  : RUN IOS
SLOT 15 : WAITRTRY

Regards

From howard at leadmon.net Wed Aug 12 02:47:16 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Wed, 12 Aug 2009 02:47:16 -0400
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
Message-ID: <000001ca1b18$be72cc80$3b586580$@net>

OK, I am sure this is just something I haven't run into before, but I just set up an ASA5520, and overall it's doing well, except this one gotcha.

We are using it in routed/NAT mode, but some internal servers need to be on their own external IPs as well; we have multiple DNS, Mail, and so on servers in the network. I have the external IPs on the firewall, mapped to the specific internal servers, and all is well. Also my TCP mappings all seem to be fine, but when I try and put in a translation for UDP on port 53 it has a cow.

ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy

So needless to say the outside DNS queries to that server are NOT working.. :(

Here is some of my config, hopefully I don't need to post it all as it's quite extensive (with multiple VPNs and so on), so I will try and post what I think are the relevant parts.

name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain
nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask 255.255.255.255

NOTE: The TCP static translations above work just fine, but if I try and put in a UDP translation as well like this:

static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255

The ASA throws a bitch and kicks out the "ERROR: unable to reserve port 53 for static PAT" error.
Of course without UDP on port 53 working, DNS lookups from that machine to the outside world are dead.

What am I missing here??

I know if I didn't have it on its own specific external IP, then I could put in the UDP rule (as I have some in for servers that don't need their own), but if I pull that, then I don't have the server on its own IP, and then mail/SMTP service becomes an issue as some sites reject unreachable mail servers.

So I guess the million dollar question is, how can I have the MAIL1 server on its own specific outside IP address, and also have it responding to UDP DNS queries? I am sure I am missing something silly here, and this is running "Cisco Adaptive Security Appliance Software Version 8.2(1)" software, so is current.

Any input on how to resolve this would be most appreciated..

---
Howard Leadmon - howard at leadmon.net

From CJones at enterprisedata.com.au Wed Aug 12 03:32:45 2009
From: CJones at enterprisedata.com.au (Chris Jones)
Date: Wed, 12 Aug 2009 17:32:45 +1000
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
In-Reply-To: <000001ca1b18$be72cc80$3b586580$@net>
References: <000001ca1b18$be72cc80$3b586580$@net>
Message-ID: <61C1A30B39817D4DACC0C5CA4DF79CCA07352802@syd1exstore01.entdata.local>

Hi Howard,

What about doing something like:

static (LAN,Internet) MAIL1-Outside MAIL1-Inside netmask 255.255.255.255

Then using the ACL on the outside interface to control the access. With that, you wouldn't need an individual mapping for each port - only to open it in the ACL.

Regards,
Chris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Wednesday, 12 August 2009 4:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?

[...]
From kron at linkey.ru Wed Aug 12 04:46:17 2009
From: kron at linkey.ru (Aleksandr Gurbo)
Date: Wed, 12 Aug 2009 12:46:17 +0400
Subject: [c-nsp] 6VPE, redistribute routes
Message-ID: <20090812124617.5b411932.kron@linkey.ru>

Hello,

I have a test lab with two routers connected together.

c7507-----c7604

I can redistribute the default ipv6 route from c7507 (default table) to c7604 (default table).

I would like to know if it is possible to redistribute the default ipv6 route from c7507 (default table) to VRF vpnv6 on c7604?
--
Alexandr Gurbo

From deric.kwok2000 at gmail.com Wed Aug 12 06:59:10 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 12 Aug 2009 06:59:10 -0400
Subject: [c-nsp] vpn configure
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
	<6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>
Message-ID: <40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>

Thank you

Do you know what the cli is to configure remote subnet and local subnet for vpn?

On Tue, Aug 11, 2009 at 9:28 PM, Ryan West wrote:
> You can configure the PIX for local and remote subnets using your
> interesting traffic ACL.
>
> Access-list vpn_myacl permit ip
>
> The PIX can be configured from the outside using PDM:
> http outside
>
> hth
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Deric Kwok
> Sent: Tuesday, August 11, 2009 9:10 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] vpn configure
>
> Hi
>
> How can I configure remote subnet and local subnet for vpn in cli?
>
> Is pix only accessed by https in inside for configuration?
>
> No other way for http configuration outside?
>
> Thank you

From kron at linkey.ru Wed Aug 12 08:43:35 2009
From: kron at linkey.ru (Aleksandr Gurbo)
Date: Wed, 12 Aug 2009 16:43:35 +0400
Subject: [c-nsp] 6VPE, redistribute routes
In-Reply-To: <20090812124617.5b411932.kron@linkey.ru>
References: <20090812124617.5b411932.kron@linkey.ru>
Message-ID: <20090812164335.55902512.kron@linkey.ru>

> I have a test lab with two routers connected together.
> c7507-----c7604
> I can redistribute the default ipv6 route from c7507 (default table) to c7604 (default table).
> I would like to know if it is possible to redistribute the default ipv6 route from c7507 (default table) to VRF vpnv6 on c7604?

I redistributed the ipv6 default route through eBGP between c7507 (default table) and VRF vpnv6 on c7604. See page 26:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/prod_presentation0900aecd80311df4.pdf

I would like to know if it is possible to redistribute the default ipv6 route through OSPFv3?

--
Alexandr Gurbo

From rwest at zyedge.com Wed Aug 12 08:50:14 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 12 Aug 2009 08:50:14 -0400
Subject: [c-nsp] vpn configure
In-Reply-To: <40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
	<6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>
	<40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2694C2@zy-ex1.zyedge.local>

Deric,

It was listed in my original reply:

Access-list vpn_myacl permit ip

Assuming you're doing NAT, then you would apply that same ACL to your noNAT ACL. The "vpn_myacl" interesting traffic ACL is then called from the 'crypto map match address vpn_myacl' command.

-ryan

From: Deric Kwok [mailto:deric.kwok2000 at gmail.com]
Sent: Wednesday, August 12, 2009 6:59 AM
To: Ryan West; engel.labiro at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vpn configure

Thank you

Do you know what the cli is to configure remote subnet and local subnet for vpn?

On Tue, Aug 11, 2009 at 9:28 PM, Ryan West wrote:

You can configure the PIX for local and remote subnets using your interesting traffic ACL.
Access-list vpn_myacl permit ip

The PIX can be configured from the outside using PDM:
http outside

hth

-ryan

From jcartier at acs.on.ca Wed Aug 12 09:31:19 2009
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 12 Aug 2009 09:31:19 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
Message-ID:

Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?

I've dug around Google and Cisco, but haven't found a concrete 'YES'.

My gut feeling is telling me it's okay; but I figure I'd ask the group :)

Thanks!!!

From cchurc05 at harris.com Wed Aug 12 09:51:30 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 12 Aug 2009 08:51:30 -0500
Subject: [c-nsp] ASDM not working after upgrades
In-Reply-To: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com>
References: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com>
Message-ID:

Can you HTTPS to the device using a normal browser and get the initial screen?

Chuck

----- Original Message -----
From: "Leslie Meade"
To:
Sent: Tuesday, August 11, 2009 2:30 PM
Subject: [c-nsp] ASDM not working after upgrades

> I am getting the error of
> Unable to launch device manager from 10.1.254.254
>
> I have uploaded the correct files and changed the config to match
>
> ASA5540-01# sh run asdm
> asdm image disk0:/asdm-621.bin
> asdm location 10.1.6.25 255.255.255.255 inside
> asdm history enable
>
> ASA5540-01# sh run http
> http server enable
> http 10.1.6.0 255.255.255.0 inside
>
> ASA5540-01# sh flash
> --#--  --length--  -----date/time------  path
>   131  11348300    Aug 11 2009 10:09:00  asdm-621.bin
>   132  16275456    Aug 11 2009 10:10:10  asa821-k8.bin
>
> If I roll back to the older code and asdm it works fine.
> Any ideas
>
> Leslie

From nick at inex.ie Wed Aug 12 10:08:52 2009
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 12 Aug 2009 15:08:52 +0100
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To:
References:
Message-ID: <4A82CCF4.7020205@inex.ie>

On 12/08/2009 14:31, Jeff Cartier wrote:
> Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?
>
> I've dug around Google and Cisco, but haven't found a concrete 'YES'.
>
> My gut feeling is telling me it's okay; but I figure I'd ask the group :)

"Online insertion and removal" or "online insertion and reload"?

Definitely the latter. Unfortunately, OIR stability is a hardware problem and cannot really be avoided on the c65k/c76k chassis, regardless of the line card in question.

There's a little more information on:

http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal

Personally, I've never had any problems, but as a matter of policy I don't do line card changes outside maintenance windows (except in specifically defined cases of emergency). It's embarrassing to have to tell people that their downtime was due to avoidable operator error.

Nick

From KaeglerM at tessco.com Wed Aug 12 10:31:59 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Wed, 12 Aug 2009 10:31:59 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To:
Message-ID:

On 8/12/09 9:31 AM, "Jeff Cartier" wrote:
> Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?
> I've dug around Google and Cisco, but haven't found a concrete 'YES'.
> My gut feeling is telling me it's okay; but I figure I'd ask the group :)
> Thanks!!!

I've done it several times with a WiSM without problem. I'd avoid OIR of anything on the 6500 platform during production hours. During an OIR, the backplane stalls (by design). Several things can cause the bus not to un-stall for longer than the magic reload timer.

If this is your first WiSM in the chassis, you'll need to do some special configuration on the sup before you can do much with it.

-mKaegler
--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less. http://www.tessco.com/

From BBlackford at nwresd.k12.or.us Wed Aug 12 11:25:51 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 12 Aug 2009 08:25:51 -0700
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
Message-ID: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>

I'm looking for a recommendation for upgrade and perhaps some possible explanation of the code branches.

I am currently on 12.2(33)SRB1. The role of the box is Internet border, two full feeds, 10 other bilateral peers. No MPLS.

Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?

Any personal experience from the trenches would be appreciated.
Thank you

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From Steven.Raymond at integratelecom.com Wed Aug 12 11:45:18 2009
From: Steven.Raymond at integratelecom.com (Raymond, Steven)
Date: Wed, 12 Aug 2009 08:45:18 -0700
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>

> I'm looking for a recommendation for upgrade and perhaps some possible
> explanation of the code branches.
>
> I am currently on 12.2(33)SRB1. The role of the box is Internet border,
> two full feeds, 10 other bilateral peers. No MPLS.
>
> Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?
>
> Any personal experience from the trenches would be appreciated.

We had bad results with all of SRB. SRC3 seemed better but had a bad BFD bug that TAC couldn't resolve. Have found the least bugs in SRD1, but non-cisco bgp neighbors sometimes require the use of hidden command "neighbor x.x.x.x dont-capability-negotiate" or the session won't restore.

SRB issues we remember:

SRB1
CSCek71050 Symptoms: Compared to other Cisco IOS software releases, unusually high CPU usage may occur in the BGP router process on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRB1.

from SRB2 - very nasty bug with SIP/6700 linecards. linecard would stop forwarding, only fix was to reset both cards

CSCsl50569 sh mem causes primary supervisor to fail, sh mem sum does not. Occurs in SRB2 and SRB3, only fix is upgrade

When deleting multilink member via 'no controller bla' if the multilink-group config is still under the serial interface it will eventually cause the SPA to reload.
May take up to 24 hrs, also, no new multilinks will work until SPA is reset

Similar bug is when adding a multilink configuration to serial interface with service-policy applied, no multilinks will enable and SPA will eventually reload

SRB3
Caused router to misreport sampled traffic drastically as the linecards stop sending netflow. CSCsq14299

SRB4
BGP phantom announcements stop sending routes to peers. BGP is up and fine but neighbors get no routes, can be seen in "show ip bgp neighbor" as "prefixes total 0". Possibly related to CSCsm57494.

SRB5
Appears to have same netflow bug as SRB3. Tech removed a static route pointing to a serial interface and added it back, which caused standby to reload. Still undetermined if that was root cause

From gert at greenie.muc.de Wed Aug 12 12:31:38 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 12 Aug 2009 18:31:38 +0200
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <4A82CCF4.7020205@inex.ie>
References: <4A82CCF4.7020205@inex.ie>
Message-ID: <20090812163138.GG29143@greenie.muc.de>

Hi,

On Wed, Aug 12, 2009 at 03:08:52PM +0100, Nick Hilliard wrote:
> >My gut feeling is telling me it's okay; but I figure I'd ask the group :)
>
> "Online insertion and removal" or "online insertion and reload"?
>
> Definitely the latter. Unfortunately, OIR stability is a hardware problem
> and cannot really be avoided on the c65k/c76k chassis, regardless of the
> line card in question.
>
> There's a little more information on:
>
> http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal
>
> Personally, I've never had any problems, [..]

Personally, I think that this is all folklore from the 7500 times...

We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but lots of fun with CyBUS stalls and crashes on 7500...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From rodunn at cisco.com Wed Aug 12 13:48:32 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 12 Aug 2009 13:48:32 -0400
Subject: [c-nsp] IOS Upgrade Planner changes thread
Message-ID: <4A830070.2020101@cisco.com>

Can someone point me to the thread about the new IOS Upgrade Planner changes that were made to the list? I can't seem to find it.

Rodney

From shaw38 at gmail.com Wed Aug 12 13:50:14 2009
From: shaw38 at gmail.com (Steve Shaw)
Date: Wed, 12 Aug 2009 13:50:14 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie>
	<20090812163138.GG29143@greenie.muc.de>
Message-ID: <1d3cfae10908121050y6e85d991t4bf8c07e0c5a02ee@mail.gmail.com>

Guys,

I second (or third) the "do it inside a maintenance window" recommendation. The effect of doing an OIR in a 6500 chassis really depends on the types of modules within the chassis at that time....basically--

DFCs = OK
CFC = bus stall i.e. traffic loss

I've personally been bitten by doing an OIR during the day in a 6500 with CFC modules.

Here's some literature from Cisco:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml#qa4

The addition of a DFC module effectively disconnects a module from the Data Bus. As such, a DFC-enabled module is not subject to the bus stall mechanism that occurs when a module is inserted or removed from the chassis. Throughout these Online Insertion and Removal (OIR) events, the Data Bus is temporarily paused for just enough time to ensure that the insertion/removal process does not cause any data corruption on the backplane.
This protection mechanism causes a very brief amount of packet loss (sub-second, but dependent on the time it takes to fully insert a module). A module with a DFC onboard is not directly affected by this stall mechanism and does not have any packet loss on OIR.

-Steve

On Wed, Aug 12, 2009 at 12:31 PM, Gert Doering wrote:
> Hi,
>
> [...]
>
> Personally, I think that this is all folklore from the 7500 times...
>
> We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but
> lots of fun with CyBUS stalls and crashes on 7500...
>
> gert

From mhuff at ox.com Wed Aug 12 13:53:26 2009
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 12 Aug 2009 13:53:26 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie>
	<20090812163138.GG29143@greenie.muc.de>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>

Not folklore. I've had a 6509 with Sup 720-3B crash twice during OIR.
Cisco claims the first time I inserted too fast, the second time too slow. I've also had a 6509 linecard scorch the backplane due to a short. Not a fun day.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Wednesday, August 12, 2009 12:32 PM
> To: Nick Hilliard
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco 6509-E & WiSM - OIR
>
> Hi,
>
> On Wed, Aug 12, 2009 at 03:08:52PM +0100, Nick Hilliard wrote:
>>> My gut feeling is telling me it's okay; but I figure I'd ask the group J
>>
>> "Online insertion and removal" or "online insertion and reload"?
>>
>> Definitely the latter. Unfortunately, OIR stability is a hardware problem
>> and cannot really be avoided on the c65k/c76k chassis, regardless of the
>> line card in question.
>>
>> There's a little more information on:
>>
>> http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal
>>
>> Personally, I've never had any problems, [..]
>
> Personally, I think that this is all folklore from the 7500 times...
>
> We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but
> lots of fun with CyBUS stalls and crashes on 7500...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                gert at greenie.muc.de
> fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de
From rodunn at cisco.com  Wed Aug 12 14:21:43 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 12 Aug 2009 14:21:43 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4A830837.3070105@cisco.com>

If you are going to move, go to the latest SRB rebuild on Cisco.com.

There were a ton of fixes in the early SRB releases due to a huge quality push on that throttle.

SRC and SRD simply have less field exposure.

Rodney

Bill Blackford wrote:
> I'm looking for a recommendation for upgrade and perhaps some possible explanation of the code branches.
>
> I am currently on 12.2(33)SRB1. The role of the box is Internet border, two full feeds, 10 other bilateral peers. No MPLS.
>
> Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?
>
> Any personal experience from the trenches would be appreciated.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home

From gtb at slac.stanford.edu  Wed Aug 12 14:49:40 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 12 Aug 2009 11:49:40 -0700
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de>
Message-ID:

>> Personally, I've never had any problems, [..]
>
> Personally, I think that this is all folklore from the 7500 times...

*Personally* I have never had a problem.
However, I *have* seen a bus reset/hang on a 6500 OIR when a card was inserted by a former colleague. His memory about whether he inserted it quickly, slowly, partially in and then pulled back out, or whatever, was a little imprecise after the experience. Given the number of 6500 OIRs I have participated in, it is by experiment statistically hard to get wrong, but some people do manage some of the time. (I do not have enough statistics to determine if we can qualify particular people as being special, but I do have some anecdotal evidence.)

Gary

From maddison at lightbound.net  Wed Aug 12 14:44:07 2009
From: maddison at lightbound.net (Matt Addison)
Date: Wed, 12 Aug 2009 14:44:07 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
Message-ID:

> Have found the least bugs in SRD1, but non-cisco bgp neighbors
> sometimes require the use of hidden command "neighbor x.x.x.x dont-capability-negotiate"
> or the session won't restore.

We're also quite happy with SRD1. Early SRBx had a few issues with OSPF, and SSO/ISSU with static routes up until B4 or so. SRC1 (and everything up to it presumably) has some bugs in how PPP (at least on T1/DS3, not sure about POS) gets put on the fabric, which affects interop with non-Cisco PPP implementations. I hear that fix also made it into SRC2, but we migrated to SRD1 because at that time SRC2 was still a month or two out.

~Matt

From Kiran.Oddiraju at cbre.com  Wed Aug 12 15:57:43 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Wed, 12 Aug 2009 20:57:43 +0100
Subject: [c-nsp] DS3 circuit error
Message-ID:

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end.
Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K

CB Richard Ellis Limited, Registered Office: St Martin's Court, 10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032. Regulated by the RICS and an appointed representative of CB Richard Ellis Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority. This communication is from CB Richard Ellis Limited or one of its associated/subsidiary companies. This communication contains information which is confidential and may be privileged. If you are not the intended recipient, please contact the sender immediately. Any use of its contents is strictly prohibited and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. Reasonable care has been taken to ensure that this communication (and any attachments or hyperlinks contained within it) is free from computer viruses. No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary companies and the recipient should carry out any appropriate virus checks.
From MatlockK at exempla.org  Wed Aug 12 16:08:24 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 12 Aug 2009 14:08:24 -0600
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3959@LMC-MAIL2.exempla.org>

"Receiver is getting AIS."

Looks like you have an open in the circuit. Your device is reporting an AIS (All ones, usually indicative of an open circuit).

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @ London SMC
Sent: Wednesday, August 12, 2009 1:58 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DS3 circuit error

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end. Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K
From petelists at templin.org  Wed Aug 12 16:12:08 2009
From: petelists at templin.org (Pete Templin)
Date: Wed, 12 Aug 2009 15:12:08 -0500
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4A832218.30805@templin.org>

Oddiraju, Kiran @ London SMC wrote:
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
> T3 3/0 is down.
>   Applique type is Subrate T3
>   Description: Carrier_Circuit_ID
>   Transmitter is sending remote alarm.
>   Receiver is getting AIS.

You're seeing AIS from the carrier and sending 'remote alarm' because of the inbound AIS. My circuit-fu is a little rusty, but I think this means that the inbound side of the circuit is good end-to-end, but the outbound side of the circuit has a problem between your end and the other end. The far-side router (or whatever) is seeing an LOS/LOF/xxx and is announcing that to your router.
Middle of circuit, towards far side:
Far side of circuit:            into router
                            AIS out of router
Circuit, towards near side: AIS (indicates problem on opposite side of circuit)
Near side of circuit:       AIS into router (opposite direction is bad)
                                out of router (acknowledging same-direction alarm to carrier)

pt

From jay at west.net  Wed Aug 12 16:52:03 2009
From: jay at west.net (Jay Hennigan)
Date: Wed, 12 Aug 2009 13:52:03 -0700
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4A832B73.3090706@west.net>

Oddiraju, Kiran @ London SMC wrote:
> Hi Guys,
>
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
> T3 3/0 is down.
> Applique type is Subrate T3
> Description: Carrier_Circuit_ID
> Transmitter is sending remote alarm.

You are sending a signal to the other end reporting that the signal that you are receiving is unacceptable. This is happening because...

> Receiver is getting AIS.

You are receiving all 1s from the other end. Typically, this means that there is a problem with the equipment sending toward you. Something upstream has lost signal and is sending an AIS (Alarm Indication Signal) to you. You respond by sending RAI (Remote Alarm Indicator) notifying the other end of the bad signal that you are receiving.
More info here:

http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a0080344194.shtml

which shortens to:

http://tinyurl.com/r6jvzo

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From gert at greenie.muc.de  Wed Aug 12 16:53:32 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 12 Aug 2009 22:53:32 +0200
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de> <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>
Message-ID: <20090812205332.GI29143@greenie.muc.de>

Hi,

On Wed, Aug 12, 2009 at 01:53:26PM -0400, Matthew Huff wrote:
> Not folklore.
>
> I've had a 6509 with Sup 720-3B crash twice during OIR. Cisco claims the
> first time I inserted too fast, the second time too slow. I've also had a
> 6509 linecard scorch the backplane due to a short. Not a fun day.

OK - noted. We'll do it in maintenance windows... :-)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                gert at greenie.muc.de
fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de
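Jay's and Pete's reading of the DS3 alarm pair earlier in the thread (inbound AIS, outbound remote alarm), as an added example that is not part of the thread and not Cisco code: a parser for the "show controllers t3" output Kiran posted, plus a classifier that says which side of the circuit to chase. The sample outputs are constructed (the first reproduces Kiran's output; the "Receiver has loss of signal." wording in the second and the "no alarm" wording are assumptions about IOS output variants), and the FAR_END/NEAR_END_RX/OUTBOUND labels are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the alarm state posted in the thread.
SAMPLE_AIS = """\
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
"""

# Hypothetical contrast case; the LOS wording is an assumption about the
# IOS variant, not output taken from the thread.
SAMPLE_LOS = """\
T3 3/0 is down.
  Transmitter is sending remote alarm.
  Receiver has loss of signal.
  Data in current interval (120 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     120 Unavailable Secs, 0 Line Errored Secs
"""

# Verdict labels (mine, not IOS terms).
FAR_END = "FAR_END"          # inbound AIS: upstream lost signal, carrier/far side
NEAR_END_RX = "NEAR_END_RX"  # LOS/LOF on our receiver: local loop or cabling
OUTBOUND = "OUTBOUND"        # far end sends RAI: it cannot see our transmit
CLEAN = "CLEAN"
UNKNOWN = "UNKNOWN"


@dataclass
class T3Status:
    controller: str = ""
    is_up: bool = False
    tx_alarm: str = "unknown"   # what our transmitter is sending
    rx_alarm: str = "unknown"   # what our receiver sees
    elapsed_secs: Optional[int] = None
    counters: Dict[str, int] = field(default_factory=dict)


STATE_RE = re.compile(r"^(T3\s+\S+)\s+is\s+(up|down)", re.I)
TX_RE = re.compile(r"Transmitter is sending (.+?)\.?$", re.I)
RX_RE = re.compile(r"Receiver (?:is getting|has) (.+?)\.?$", re.I)
INTERVAL_RE = re.compile(r"Data in current interval \((\d+) seconds elapsed\)", re.I)
COUNTER_RE = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z\- ]*?)\s*(?:,|$)")


def parse_show_controllers_t3(text: str) -> T3Status:
    """Pull controller state, the alarm pair and the interval counters."""
    st = T3Status()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATE_RE.match(line):
            st.controller, st.is_up = m.group(1), m.group(2).lower() == "up"
        elif m := TX_RE.search(line):
            st.tx_alarm = m.group(1).strip().lower()
        elif m := RX_RE.search(line):
            st.rx_alarm = m.group(1).strip().lower()
        elif m := INTERVAL_RE.search(line):
            st.elapsed_secs = int(m.group(1))
        elif st.elapsed_secs is not None:
            # Counter lines follow the interval header: "<n> <name>, <n> <name>"
            for count, name in COUNTER_RE.findall(line):
                st.counters[name.strip()] = int(count)
    return st


def diagnose(st: T3Status) -> str:
    """Which direction of the circuit is at fault, judged from what we receive."""
    rx = st.rx_alarm
    if re.search(r"\bais\b", rx):
        return FAR_END        # all ones from upstream; our RAI is only the echo
    if "loss of signal" in rx or "loss of frame" in rx:
        return NEAR_END_RX
    if "remote alarm" in rx or "yellow" in rx:
        return OUTBOUND
    if st.is_up and rx.startswith("no alarm"):
        return CLEAN
    return UNKNOWN


EXPLANATIONS = {
    FAR_END: "inbound AIS: something upstream toward the far end lost signal and is inserting all ones toward us; the remote alarm we send is the reply, not a separate fault. Escalate to the carrier.",
    NEAR_END_RX: "our receiver sees no usable signal: check the local loop, cabling and CSU/DSU.",
    OUTBOUND: "the far end reports it cannot see our signal: our transmit direction is the problem.",
    CLEAN: "no alarms.",
    UNKNOWN: "alarm state not recognised; read the raw output.",
}


def explain(st: T3Status) -> str:
    """One-line verdict, plus whether the outage spans the whole interval."""
    text = f"{st.controller}: {EXPLANATIONS[diagnose(st)]}"
    unavailable = st.counters.get("Unavailable Secs")
    if unavailable is not None and st.elapsed_secs and unavailable >= st.elapsed_secs:
        text += f" Down for the whole {st.elapsed_secs}s interval (hard down, not flapping)."
    return text
```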
From randy_94108 at yahoo.com  Wed Aug 12 16:20:01 2009
From: randy_94108 at yahoo.com (Randy)
Date: Wed, 12 Aug 2009 13:20:01 -0700 (PDT)
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
Message-ID: <498318.85099.qm@web80508.mail.mud.yahoo.com>

...at the far-end...:-)

Tell your SP your Rx is AIS

--- On Wed, 8/12/09, Oddiraju, Kiran @ London SMC wrote:

From: Oddiraju, Kiran @ London SMC
Subject: [c-nsp] DS3 circuit error
To: cisco-nsp at puck.nether.net
Date: Wednesday, August 12, 2009, 12:57 PM

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end. Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K
From felixnkansah at gmail.com  Wed Aug 12 17:42:58 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 12 Aug 2009 21:42:58 +0000
Subject: [c-nsp] OT: Difference between the CSS and ACE
Message-ID: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>

Hi Team,

Pardon me if this question seems dumb. I have deployed a number of Cisco Content Services Switches for clients who needed Layer 4-7 application load balancing and acceleration for their web-based applications in the data centre.

I am presently reviewing the datasheet of the Cisco Application Control Engine and find its role to be similar to the CSS.

Under what scenarios or requirements would one prefer the ACE to the CSS? In what way is the ACE different from the CSS?

Thanks in advance for your replies.

Felix

From eninja at gmail.com  Wed Aug 12 17:45:11 2009
From: eninja at gmail.com (e ninja)
Date: Wed, 12 Aug 2009 14:45:11 -0700
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
Message-ID:

Jack,

What changed prior to the errors? Also, is this a lab or production device?
Either way, reply all (or unicast) the complete sh tech and sh log along with a sh controller fia from an attach session to all LCs.

-Eninja

On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote:
> Hi all,
>
> I'm getting below error in gsr chassis 12416 , please suggest
>
> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>
>
> sh gsr
> Slot 0 type = Modular SPA Interface Card
>        state = IOS RUN Line Card Enabled
>  subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>  subslot 0/1: Empty
>  subslot 0/2: Empty
>  subslot 0/3: Empty
> Slot 6 type = Modular SPA Interface Card
>        state = RTRYWAIT Waiting to retry download after persistent failures
> Slot 7 type = Performance Route Processor
>        state = ACTV RP IOS Running ACTIVE
> Slot 8 type = Performance Route Processor
>        state = RP RDY Route Processor Powered
> Slot 9 type = Modular SPA Interface Card
>        state = IOS RUN Line Card Enabled
>  subslot 9/0: Empty
>  subslot 9/1: Empty
>  subslot 9/2: Empty
>  subslot 9/3: Empty
> Slot 15 type = Modular SPA Interface Card
>        state = RTRYWAIT Waiting to retry download after persistent failures
> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>        state = Card Powered
> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>        state = Card Powered PRIMARY CLOCK
> Slot 18 type = Switch Fabric Card 16XOC192
>        state = Card Powered
> Slot 19 type = Switch Fabric Card 16XOC192
>        state = Card Powered
> Slot 20 type = Switch Fabric Card 16XOC192
>        state = Card Powered
> Slot 24 type = Alarm Module(16)
>        state = Card Powered
> Slot 25 type = Alarm Module(16)
>        state = Card Powered
> Slot 27 type = Bus Board(16)
>        state = Card Powered
> Slot 28 type = Blower Module(16)
>        state = Card Powered
> Slot 29 type = Blower Module(16)
>        state = Card Powered
>
>
> sh led
> SLOT 0  : RUN IOS
> SLOT 6  : WAITRTRY
> SLOT 7  : RP ACTV
> SLOT 8  : INITMEM
> SLOT 9  : RUN IOS
> SLOT 15 : WAITRTRY
>
> Regards

From Kiran.Oddiraju at cbre.com  Wed Aug 12 18:01:10 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Wed, 12 Aug 2009 23:01:10 +0100
Subject: [c-nsp] DS3 circuit error
In-Reply-To: <4A832B73.3090706@west.net>
References: <4A832B73.3090706@west.net>
Message-ID:

Cheers Jay. Have logged a call with the SP based on the below explanation... :-)

Many thanks for your input guys

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: 12 August 2009 21:52
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DS3 circuit error

Oddiraju, Kiran @ London SMC wrote:
> Hi Guys,
>
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
> T3 3/0 is down.
> Applique type is Subrate T3
> Description: Carrier_Circuit_ID
> Transmitter is sending remote alarm.

You are sending a signal to the other end reporting that the signal that you are receiving is unacceptable. This is happening because...

> Receiver is getting AIS.

You are receiving all 1s from the other end. Typically, this means that there is a problem with the equipment sending toward you. Something upstream has lost signal and is sending an AIS (Alarm Indication Signal) to you. You respond by sending RAI (Remote Alarm Indicator) notifying the other end of the bad signal that you are receiving.

More info here:

http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a0080344194.shtml

which shortens to:

http://tinyurl.com/r6jvzo

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
From ras at e-gerbil.net  Wed Aug 12 18:01:12 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 12 Aug 2009 17:01:12 -0500
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <4A830837.3070105@cisco.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <4A830837.3070105@cisco.com>
Message-ID: <20090812220112.GO51443@gerbil.cluepon.net>

On Wed, Aug 12, 2009 at 02:21:43PM -0400, Rodney Dunn wrote:
> If you are going to move go to the latest SRB rebuild on Cisco.com.
>
> There were a ton of fixes in the early SRB releases due to a huge
> quality push on that throttle.
>
> SRC and SRD simply have less field exposure.

I can actually name quite a few major networks who are running SRC in very widespread deployment, including mine, and a couple of tier 1's. From what I've seen this is actually the train with the most service provider field exposure, and amazingly enough (not trying to jinx it here) SRC4 has been solid for us so far.
We did hit quite a few serious issues in the earlier builds, things like BGP announcements which stopped working until you deleted and re-added the neighbor, RSVP that didn't actually reserve bandwidth, many SNMP counter issues, a runaway CPU loop in the BGP process, etc., but they've all been fixed in SRC4. The biggest issue we've encountered so far is that when you reload the router to upgrade to SRC4 the "switchport trunk allowed vlan" list on trunk ports tends to drop VLAN IDs during the reboot (particularly on port-channels and port-channel members, causing port-channel desyncs). Comparing the before and after in rancid will save you a lot of grief; we've seen this happen at least a dozen times now, so it definitely appears to be an SRC4-specific issue.

--
Richard A Steenbergen                          http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From William.Murphy at uth.tmc.edu  Wed Aug 12 18:10:38 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Wed, 12 Aug 2009 17:10:38 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
In-Reply-To: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID:

I believe the ACE supports multiple contexts so it's like having a bunch of independent (virtual) load balancers...

Bill Murphy
Network Architect
The University of Texas Health Science Center at Houston

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Wednesday, August 12, 2009 4:43 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Difference between the CSS and ACE

Hi Team,

Pardon me if this question seems dumb. I have deployed a number of Cisco Content Services Switches for clients who needed Layer 4-7 application load balancing and acceleration for their web-based applications in the data centre.
I am presently reviewing the datasheet of the Cisco Application Control Engine and find its role to be similar to the CSS.

Under what scenarios or requirements would one prefer the ACE to the CSS? In what way is the ACE different from the CSS?

Thanks in advance for your replies.

Felix

From tvarriale at comcast.net  Wed Aug 12 19:36:20 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 12 Aug 2009 18:36:20 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID:

ACE is the product moving forward. Although the EoL/S hasn't been announced, the writing is on the wall.

The most important thing moving forward is that your existing requirements on CSS map into ACE. The ACE doesn't have feature parity yet (and the blade and appliance even have different stuff) so be careful.

tv

----- Original Message -----
From: "Felix Nkansah"
To:
Sent: Wednesday, August 12, 2009 4:42 PM
Subject: [c-nsp] OT: Difference between the CSS and ACE

> Hi Team,
> Pardon me if this question seems dumb. I have deployed a number of Cisco
> Content Services Switches for clients who needed Layer 4-7 application load
> balancing and acceleration for their web-based applications in the data
> centre.
>
> I am presently reviewing the datasheet of the Cisco Application Control
> Engine and find its role to be similar to the CSS.
>
> Under what scenarios or requirements would one prefer the ACE to the CSS? In
> what way is the ACE different from the CSS?
>
> Thanks in advance for your replies.
>
> Felix

From andy.saykao at staff.netspace.net.au  Wed Aug 12 19:51:37 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 13 Aug 2009 09:51:37 +1000
Subject: [c-nsp] Trying to collect flows for NAT VRF aware traffic
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB27@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I've set up an MPLS L3 VPN Internet Gateway on one of our PE routers and need some ideas on how to collect netflow for public IP's in the NAT-POOL so we can bill the customer for usage. We are using NAT VRF aware as seen by the config below.

--------------------------------------------------------
PE Config:
--------------------------------------------------------
interface GigabitEthernet0/0.1
 description Router / MPLS Backbone
 encapsulation dot1Q 1 native
 ip address A.B.C.D X.X.X.X
 ip nat inside
 ip flow ingress
 mpls ip
!
interface GigabitEthernet0/0.20
 description VPN Internet Gateway
 encapsulation dot1Q 20
 ip address 172.16.76.10 255.255.255.248
 ip nat outside
 ip flow ingress
 ip flow egress
!
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.20 172.16.76.9 global
ip route 210.15.226.136 255.255.255.252 Null0
!
ip nat pool NSTEST-NAT-POOL 210.15.226.137 210.15.226.137 netmask 255.255.255.252
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
 permit 192.168.0.0 0.0.255.255
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.X.X 5000
ip flow-export destination X.X.X.X 5000

--------------------------------------------------------
P Config:
--------------------------------------------------------
interface Vlan1
 description Router / MPLS Backbone
 bandwidth 10000000
 ip address A.B.C.D X.X.X.X
 no ip redirects
 no ip mroute-cache
 load-interval 30
 tag-switching ip
!
interface Vlan20
 description VPN Internet Gateway
 ip address 172.16.76.9 255.255.255.248
 no ip redirects
 load-interval 30
!
ip route 210.15.226.136 255.255.255.252 Vlan20 172.16.76.10
--------------------------------------------------------

When I do a "sh ip cache flow", I can see flows in one direction only and with the public NAT IP as the source IP. For billing purposes we need to see the public NAT IP in the destination fields so we can count their download usage.

#sh ip cache flow | inc 210.15.226.137
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549

I have both "ip flow ingress" and "ip flow egress" on the nat outside interface on the PE (Gi0/0.20), so not sure why I'm not seeing bidirectional flows. I'm thinking that a NAT lookup/translation is performed first on the return traffic through the PE (Gi0/0.20) before flows are processed/captured - hence why I don't see any flows going to the public NAT IP. Is this correct?

Any ideas how to capture flows for these public IP's in the NAT POOL? Do I need to capture flows at the P router on Vlan 20??

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system.
From tvarriale at comcast.net Wed Aug 12 21:35:11 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 12 Aug 2009 20:35:11 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID: <5EA079600C21483AA3969AE02D64B11F@flamdt01>

Just to be clear, the writing is on the wall for CSS not ACE.

tv

----- Original Message -----
From: "Tony Varriale"
To:
Sent: Wednesday, August 12, 2009 6:36 PM
Subject: Re: [c-nsp] OT: Difference between the CSS and ACE

> ACE is the product moving forward. Although the EoL/S hasn't been
> announced the writing is on the wall.
>
> The most important thing moving forward is that your existing requirements
> on CSS map into ACE. The ACE doesn't have feature parity yet (and the
> blade and appliance even have different stuff) so be careful.
>
> tv
> ----- Original Message -----
> From: "Felix Nkansah"
> To:
> Sent: Wednesday, August 12, 2009 4:42 PM
> Subject: [c-nsp] OT: Difference between the CSS and ACE
>
>
>> Hi Team,
>> Pardon me if this question seems dumb. I have deployed a number of Cisco
>> Content Services Switches for clients who needed Layer 4-7 application
>> load balancing and acceleration for their web-based applications in the
>> data centre.
>>
>> I am presently reviewing the datasheet of the Cisco Application Control
>> Engine and find its role to be similar to the CSS.
>>
>> Under what scenarios or requirements would one prefer the ACE to the CSS?
>> In what way is the ACE different from the CSS?
>>
>> Thanks in advance for your replies.
>>
>> Felix

From esavage at digitalrage.org Wed Aug 12 21:12:35 2009
From: esavage at digitalrage.org (Elijah Savage)
Date: Wed, 12 Aug 2009 21:12:35 -0400
Subject: [c-nsp] EVDO Technology
Message-ID:

All,

I would appreciate speaking with anyone using EVDO technology to deliver WAN services. Specifically I am looking for reputable kits you have used to extend EVDO outside of your computer rooms to get better signal, or better antennas you have used.

Thank you

From jckdaniels12 at gmail.com Thu Aug 13 01:15:31 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Thu, 13 Aug 2009 10:45:31 +0530
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To:
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
Message-ID: <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>

Hi All,

I found this error was coming on SLOT 18 which is SFC.
EARLIER OUTPUT WAS -

sh led
SLOT 0 : RUN IOS
SLOT 6 : WAITRTRY
SLOT 7 : RP ACTV
SLOT 8 : INITMEM
SLOT 9 : RUN IOS
SLOT 15 : WAITRTRY

FOR TROUBLESHOOT, then I saw -

1) output of sh gsr

Slot 18 type = Switch Fabric Card 16XOC192
   state = Card Powered <<<<<<<<<<<<<<<<<<<<<
Slot 19 type = Switch Fabric Card 16XOC192
   state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<
Slot 20 type = Switch Fabric Card 16XOC192
   state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<

2) Again executed show gsr command and found -

Slot 17 type = Clock Scheduler Card OC192 Dual Priority
   state = Card NOT Powered; Power cycle fabric cards PRIMARY CLOCK <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Slot 18 type = Switch Fabric Card 16XOC192
   state = Card NOT Powered; Power cycle fabric cards <<<<<<<<<<<<<<<<<<<<<<<
Slot 19 type = Switch Fabric Card 16XOC192
   state = Card NOT Po <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

3) After shutting down SFC - slot 18 <<<<<<<<<<<<<<<<<<<<<<<<<<<

sh led
SLOT 0 : RUN IOS
SLOT 6 : RUN IOS
SLOT 7 : RP STBY
SLOT 8 : RP ACTV
SLOT 9 : RUN IOS
SLOT 15 : RUN IOS

At the moment all cards show powered up and in RUN IOS mode.

4) sh controller fia

Fabric configuration: 10Gbps bandwidth, nonredundant fabric <<<<<<<<<<<<<<<<<<<<<<<
Master Scheduler: Slot 17 Backup Scheduler: Slot 16
Fab epoch no 235 Halt count 0
From Fabric FIA Errors
-----------------------
redund overflow 0 cell drops 0 cell parity 0
Switch cards present 0x001B Slots 16 17 19 20
Switch cards monitored 0x001B Slots 16 17 19 20

CAN someone guide me why, after shutting down one SFC in slot 18, all LC 0,615 and 7 came in IOS RUN mode and started working.

I think - Each LC is connected in 10 Gbps mode via 4 links to switch fabric. Now what I know is for full b/w mode 10 Gbps half duplex, you require at least 2 SFC online working. But if you see all SFC went to power down and then power up state, so why few LC cards were still online.

Please ALSO guide - what is the significance of 2 SFC or 1 SFC running.
Regards

On 8/13/09, e ninja wrote:
>
> Jack,
>
> What changed prior to the errors? Also, is this a lab or production device?
>
> Either way, reply all (or unicast) the complete sh tech and sh log along
> with a sh controller fia from an attach session to all LCs.
>
> -Eninja
>
> On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote:
>
>> Hi all,
>>
>> I'm getting below error in gsr chassis 12416, please suggest
>>
>> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>
>> sh gsr
>> Slot 0 type = Modular SPA Interface Card
>>    state = IOS RUN Line Card Enabled
>>    subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>>    subslot 0/1: Empty
>>    subslot 0/2: Empty
>>    subslot 0/3: Empty
>> Slot 6 type = Modular SPA Interface Card
>>    state = RTRYWAIT Waiting to retry download after persistent failures
>> Slot 7 type = Performance Route Processor
>>    state = ACTV RP IOS Running ACTIVE
>> Slot 8 type = Performance Route Processor
>>    state = RP RDY Route Processor Powered
>> Slot 9 type = Modular SPA Interface Card
>>    state = IOS RUN Line Card Enabled
>>    subslot 9/0: Empty
>>    subslot 9/1: Empty
>>    subslot 9/2: Empty
>>    subslot 9/3: Empty
>> Slot 15 type = Modular SPA Interface Card
>>    state = RTRYWAIT Waiting to retry download after persistent failures
>> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>>    state = Card Powered
>> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>>    state = Card Powered PRIMARY CLOCK
>> Slot 18 type = Switch Fabric Card 16XOC192
>>    state = Card Powered
>> Slot 19 type = Switch Fabric Card 16XOC192
>>    state = Card Powered
>> Slot 20 type = Switch Fabric Card 16XOC192
>>    state = Card Powered
>> Slot 24 type = Alarm Module(16)
>>    state = Card Powered
>> Slot 25 type = Alarm Module(16)
>>    state = Card Powered
>> Slot 27 type = Bus Board(16)
>>    state = Card Powered
>> Slot 28 type = Blower Module(16)
>>    state = Card Powered
>> Slot 29 type = Blower Module(16)
>>    state = Card Powered
>>
>> sh led
>> SLOT 0 : RUN IOS
>> SLOT 6 : WAITRTRY
>> SLOT 7 : RP ACTV
>> SLOT 8 : INITMEM
>> SLOT 9 : RUN IOS
>> SLOT 15 : WAITRTRY
>>
>> Regards
>>
>

From jmaimon at ttec.com Thu Aug 13 09:04:27 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:04:27 -0400
Subject: [c-nsp] Route redistribution and selection
Message-ID: <4A840F5B.2030800@ttec.com>

We are having a problem where routes originated by the customer because of their backup paths are preventing the mpls bgp routes from being installed and used on the PE.

Customer has an eigrp routed network.

We are hosting a bgp mpls network for the customer.

At the Customer's HQ PE router, we talk eigrp to the customer.

The customer has an alternate path to the sites served by the bgp mpls network.

We allow redistribution of eigrp routes into bgp to advertise to the mpls bgp sites. This includes the sites' known prefixes themselves, due to the potential for the backup path becoming the better/only one.

We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for quite some time with this customer.

However, on one PE we have been having issues where the customer backup path eigrp routes are installed into the PE routing table; the bgp routes show the originated-via-eigrp routes as the best and used path out of both the local originated-via-eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the customer withdraw the backup path routes.

The P routers and the PE routers are an ebgp connection. The eigrp route has an admin distance of 170 and the ebgp route when installed has an admin distance of 20.

We have tried setting the weight, local preference, metric of the mpls P router prefixes to cause the route to be preferred over the redistributed locally from eigrp route.

The PE router is running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.
Thanks,

Joe

From jmaimon at ttec.com Thu Aug 13 09:34:39 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:34:39 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
Message-ID: <4A84166F.4050400@ttec.com>

Raymond, Steven wrote:
>
> Have found the least bugs in SRD1, but non-cisco bgp neighbors sometimes require the use of hidden command "neighbor x.x.x.x dont-capability-negotiate" or the session won't restore.
>

I recall being on the other end of that one. Good tip.

From felixnkansah at gmail.com Thu Aug 13 09:41:27 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 13 Aug 2009 13:41:27 +0000
Subject: [c-nsp] OT: Internet Web Caching Solution
Message-ID: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines which has also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.

Many thanks for your clarification.
Felix

From luan at netcraftsmen.net Thu Aug 13 09:44:25 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 13 Aug 2009 09:44:25 -0400
Subject: [c-nsp] Route redistribution and selection
In-Reply-To: <4A840F5B.2030800@ttec.com>
References: <4A840F5B.2030800@ttec.com>
Message-ID: <001801ca1c1c$2bf9be90$83ed3bb0$@net>

You might want to check this link out:
http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

Regards,

-------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
------------------------------

From jmaimon at ttec.com Thu Aug 13 09:44:13 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:44:13 -0400
Subject: [c-nsp] SHDSL Wic in a 1751-1 CPE
Message-ID: <4A8418AD.2070508@ttec.com>

I am testing a turnkey CPE solution combining T1, SDSL, ADSL and PRI handoff to customer PBX, with the 1751 transcoding SIP to PRI channels.

A CPE I am testing with a WIC-1SHDSL-V2 doesn't seem to be training properly.

The controller continues to report

DSL firmware download in progress, please wait

I have had good experience with the ADSL wic, but the SHDSL wic seems to be far less useful.

Any tips or pointers would be greatly appreciated.
Thanks,

Joe

Router#sh controllers dsl 0/0
DSL 0/0 controller DOWN
SLOT 0: Globespan xDSL controller chipset
  DSL mode: Not Trained
  Frame mode: Utopia
  Configured Line rate: 2304Kbps
  Line Re-activated 0 times after system bootup
  LOSW Defect alarm: ACTIVE
  CRC per second alarm: ACTIVE
  Line termination: CPE
  FPGA Revision: 0xB2
  Current 15 min CRC: 0
  Current 15 min LOSW Defect: 0
  Current 15 min ES: 0
  Current 15 min SES: 0
  Current 15 min UAS: 833
  Previous 15 min CRC: 0
  Previous 15 min LOSW Defect: 0
  Previous 15 min ES: 0
  Previous 15 min SES: 0
  Previous 15 min UAS: 900
  Line-0 status
  Chipset Version: 0
  Firmware Version: R3.0.1
  Modem Status: Handshake, Status 10
  Last Fail Mode: No Failure status:0x0
  DSL firmware download in progress, please wait
  Dying Gasp: Present

Router#sh inv
NAME: "1751-V chassis", DESCR: "1751-V chassis, Hw Serial#: 3808685901, Hw Revision: 0x600"
PID: 1751-V            , VID: 0x600, SN: FOC09331N37 (3808685901)

NAME: "Chassis Slot", DESCR: "1700 Chassis Slot"
PID: 1700 Chassis Slot , VID:      , SN:

NAME: "C1751 Mainboard", DESCR: "C1751 Mainboard"
PID: C1751 Mainboard   , VID: 0x600, SN: FOC09331N37 (3808685901)

NAME: "Daughter card slot:0", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID:      , SN:

NAME: "WAN Interface Card - T1E1 or ATM (With GSHDSL-F module)", DESCR: "WAN Interface Card - T1E1 or ATM (With GSHDSL-F module)"
PID: WIC-1SHDSL-V2     , VID: V02 , SN: FOC085029XC

NAME: "ATM0/0", DESCR: "DSLSAR"
PID: DSLSAR            , VID:      , SN:

NAME: "Daughter card slot:1", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID:      , SN:

NAME: "WAN Interface Card - Ethernet", DESCR: "WAN Interface Card - Ethernet"
PID: WIC-1ENET=        , VID: 3.0, SN: VMS06050AZH

NAME: "Ethernet1/0", DESCR: "PQUICC Ethernet"
PID: PQUICC Ethernet   , VID:      , SN:

NAME: "Daughter card slot:2", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID:      , SN:

NAME: "One port T1 voice interface daughtercard", DESCR: "One port T1 voice interface daughtercard"
PID: VWIC-1MFT-T1=     , VID: 1.0, SN: 31795887

NAME: "T1 2/0", DESCR: "T1 2/0"
PID: T1 2/0            , VID:      , SN:

NAME: "DSP Module Slot 0", DESCR: "Packet Voice DSP Module Slot 0"
PID: Packet Voice DSP Module Slot 0, VID:      , SN:

NAME: "DSP Module 0", DESCR: "Packet Voice DSP Module with 4 Unknown DSPs"
PID: Packet Voice DSP Module with 4 Unknown DSPs, VID: 2.2, SN: ICP0411000Z

NAME: "DSP Port 0/0", DESCR: "Unknown"
PID: Unknown           , VID:      , SN:

NAME: "DSP Port 0/1", DESCR: "Unknown"
PID: Unknown           , VID:      , SN:

NAME: "DSP Port 0/2", DESCR: "Unknown"
PID: Unknown           , VID:      , SN:

NAME: "DSP Port 0/3", DESCR: "Unknown"
PID: Unknown           , VID:      , SN:

NAME: "DSP Module Slot 1", DESCR: "Packet Voice DSP Module Slot 1"
PID: Packet Voice DSP Module Slot 1, VID:      , SN:

NAME: "FastEthernet0/0", DESCR: "PQUICC_FEC"
PID: PQUICC_FEC        , VID:      , SN:

Router#sh ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(25a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 22-May-09 20:24 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

Router uptime is 7 hours, 14 minutes
System returned to ROM by reload
System image file is "flash:c1700-adventerprisek9-mz.124-25a.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export at cisco.com.

Cisco 1751-V (MPC860P) processor (revision 0x600) with 118570K/12502K bytes of memory.
Processor board ID FOC09331N37 (3808685901), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 DSL controller
1 Ethernet interface
1 FastEthernet interface
1 ATM interface
1 Channelized T1/PRI port
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Router#sh conf | b DSL
controller DSL 0/0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex A-B-ANFP
 line-rate 2304

From lists at motorcitynet.com Thu Aug 13 09:46:36 2009
From: lists at motorcitynet.com (M Callahan)
Date: Thu, 13 Aug 2009 09:46:36 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
Message-ID: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>

We're currently using a very dated version of Cisco's Secure ACS to authenticate a relatively small group of PPPoE ADSL users. We have a planned hardware upgrade for this system, but no funding for updated ACS software. That said, I was wondering what open source alternatives folks on the list have found to be an adequate substitute for ACS.

Thanks,

Mike

From rodunn at cisco.com Thu Aug 13 10:01:45 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 10:01:45 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
Message-ID: <4A841CC9.4090909@cisco.com>

I got involved through a few channels and encouraged the teams responsible for some of the Cisco.com Support tools to leverage this forum directly for feedback. They were very interested in the idea.

Can those of you that care enough to give direct feedback based on the past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few minutes and compose an email directly to:

Wilson Shiu (wshiu)

He is the point of contact for feedback.

They are eager to listen so now is a good time to get involved.

I encourage you guys to take advantage of this.

Thanks
Rodney

From luan at netcraftsmen.net Thu Aug 13 10:05:08 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 13 Aug 2009 10:05:08 -0400
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
Message-ID: <001901ca1c1f$10ce4d40$326ae7c0$@net>

WAAS and ACNS are two different animals. WAAS is double-ended (there has to be a device at both ends) and ACNS is single-ended, acting as a caching device (though it can have information pushed to it from a central manager). Typically - WAAS between remote site and central site; ACNS between remote site and the Internet, or as a push client receiving content from a central site.

Hope that helps.

Regards,

----------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
---------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 9:41 AM
To: Cisco certification; cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines which has also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.

Many thanks for your clarification.
Felix

From p.mayers at imperial.ac.uk Thu Aug 13 10:13:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Aug 2009 15:13:01 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <4A841F6D.3070209@imperial.ac.uk>

M Callahan wrote:
> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.

FreeRadius

From felixnkansah at gmail.com Thu Aug 13 10:13:35 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 13 Aug 2009 14:13:35 +0000
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com> <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com>
Message-ID: <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>

Hi Shiran,

I must say that I am NOT looking for a WAN optimization tool. I want an Internet web proxy, caching and acceleration appliance.

Is that also covered by Expand Networks?

Many Thanks.
On Thu, Aug 13, 2009 at 2:10 PM, shiran guez wrote:
> I can suggest a better solution "Expand Networks" one of the leaders in the
> last several years in WAN optimization
>
> ( for being frankly i would indicate that I work for Expand as 3rd level
> Eng)
>
> On Thu, Aug 13, 2009 at 4:41 PM, Felix Nkansah wrote:
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
>

From scott at labyrinth.org Thu Aug 13 10:13:24 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Thu, 13 Aug 2009 10:13:24 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <16038BE5-66F3-4C6D-8A23-B4C6E32AB05B@labyrinth.org>

http://freeradius.org/

Scott

On Aug 13, 2009, at 9:46 AM, M Callahan wrote:

--
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

From johnps at IowaTelecom.com Thu Aug 13 10:21:51 2009
From: johnps at IowaTelecom.com (John P. Schneider)
Date: Thu, 13 Aug 2009 09:21:51 -0500
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
Message-ID:

http://www.peerapp.com/

Regards,
John

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 8:41 AM
To: Cisco certification; cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines which has also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.
Many thanks for your clarification.

Felix

From KaeglerM at tessco.com Thu Aug 13 10:25:12 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Thu, 13 Aug 2009 10:25:12 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID:

Assuming you're using TACACS+ to handle this, since radius servers are everywhere...

I've been using tac_plus from http://www.pro-bono-publico.de/projects/tac_plus.html (there appear to be several projects named "tac_plus", this was the first one to work well for me.) As an added bonus, the author was happy and eager to help squash a bug I ran into. It'll backend to ldap, radius, or keep a local database. Supports all three A's.

-porkchop

On 8/13/09 9:46 AM, "M Callahan" wrote:

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less.
http://www.tessco.com/ From manafo at hotmail.com Thu Aug 13 10:30:45 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Thu, 13 Aug 2009 17:30:45 +0300 Subject: [c-nsp] Event Manager question Message-ID: Hi all, Can I configure event manager to be started when it gets notification from another router. for example, I want router1 to be configured with policy based routing on a specific interface once the bgp peer on router2 is down. I don't want to permanently configure the PBR since it is consume very high CPU utilizing on router1 Thank you, Manaf From ip at ioshints.info Thu Aug 13 10:31:43 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Thu, 13 Aug 2009 16:31:43 +0200 Subject: [c-nsp] Route redistribution and selection In-Reply-To: <001801ca1c1c$2bf9be90$83ed3bb0$@net> References: <4A840F5B.2030800@ttec.com> <001801ca1c1c$2bf9be90$83ed3bb0$@net> Message-ID: <000e01ca1c22$c8b96720$0a00000a@nil.si> @Luan: Thanks for the link :)) @Joe: if you have EBGP sessions with the core MPLS VPN network, you're losing the BGP cost community (resulting in the EIGRP-related redistribution issues). It might be possible to tweak the WEIGHT attribute on the PE routers (the routes redistributed into BGP have very high weight and are thus never replaced by other BGP routes), but you'd probably need access-lists to select the backup routes. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ > -----Original Message----- > From: Luan Nguyen [mailto:luan at netcraftsmen.net] > Sent: Thursday, August 13, 2009 3:44 PM > To: 'Joe Maimon'; 'cisco-nsp' > Subject: Re: [c-nsp] Route redistribution and selection > > You might want to check this link out: > http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP > > Regards, > > ------------------------------- > Luan Nguyen > Chesapeake NetCraftsmen, LLC. 
> http://www.netcraftsmen.net
> ------------------------------
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon
> Sent: Thursday, August 13, 2009 9:04 AM
> To: cisco-nsp
> Subject: [c-nsp] Route redistribution and selection
>
> We are having a problem where routes originated by the
> customer because of their backup paths are preventing the
> mpls bgp routes from being installed and used on the PE.
>
> Customer has an eigrp routed network.
>
> We are hosting a bgp mpls network for the customer.
>
> At the Customer's HQ PE router, we talk eigrp to the customer.
>
> The customer has an alternate path to the sites served by the
> bgp mpls network.
>
> We allow redistribution of eigrp routes into bgp to advertise
> to the mpls bgp sites. This includes the sites' known prefixes
> themselves, due to the potential for the backup path becoming
> the better/only one.
>
> We redistribute the bgp routes for the mpls sites into eigrp.
>
> Normally this is a fairly common setup and works very well,
> and has for quite some time with this customer.
>
> However, on one PE we have been having issues where the
> customer backup path eigrp routes are installed into the PE
> routing table; the bgp routes show the originated-via-eigrp
> routes as the best and used path out of both the local
> originated-via-eigrp and the P mpls bgp learned route.
>
> The current fix is to flap the customer eigrp connection or
> have the customer withdraw the backup path routes.
>
> The P routers and the PE routers are an ebgp connection. The
> eigrp route has an admin distance of 170 and the ebgp route
> when installed has an admin distance of 20.
>
> We have tried setting the weight, local preference, metric of
> the mpls P router prefixes to cause the route to be preferred over the
> redistributed-locally-from-eigrp route.
>
> The PE router running rsp-jk9o3sv-mz.124-18a.bin
>
> Any insight would be greatly appreciated.
>
> Thanks,
>
> Joe
>

From rdobbins at arbor.net Thu Aug 13 10:52:50 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Thu, 13 Aug 2009 21:52:50 +0700
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4A841CC9.4090909@cisco.com>
References: <4A841CC9.4090909@cisco.com>
Message-ID: <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net>

On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote:

> They are eager to listen so now is a good time to get involved.

Let's all keep in mind that *constructive, actionable, specific* feedback is what's needed, and is what will have an impact.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From mcgrath at fas.harvard.edu Thu Aug 13 11:05:00 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Thu, 13 Aug 2009 11:05:00 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
Message-ID: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv>

Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee; runs on Windows/Solaris/Linux.

Www open com au

-----Original Message-----
From: "Phil Mayers"
Subj: Re: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
Date: Thu Aug 13, 2009 10:40
Size: 602 bytes
To: "M Callahan"
cc: "cisco-nsp at puck.nether.net"

M Callahan wrote:
> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software.
> That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.

FreeRadius

From rekordmeister at gmail.com Thu Aug 13 11:27:20 2009
From: rekordmeister at gmail.com (MKS)
Date: Thu, 13 Aug 2009 15:27:20 +0000
Subject: [c-nsp] STM-1 over Ethernet
Message-ID:

Hi list

I know that this is a bit off topic, but do you know of any cheap devices that can emulate STM-1 over ethernet (or mpls)? Or a cheap box that can do ATMoMPLS?

Thanks in advance
MKS

From jmaimon at ttec.com Thu Aug 13 11:33:58 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 11:33:58 -0400
Subject: [c-nsp] Route redistribution and selection
In-Reply-To: <000e01ca1c22$c8b96720$0a00000a@nil.si>
References: <4A840F5B.2030800@ttec.com> <001801ca1c1c$2bf9be90$83ed3bb0$@net> <000e01ca1c22$c8b96720$0a00000a@nil.si>
Message-ID: <4A843266.9050109@ttec.com>

Quite gorgeous. Lots to think about.

Thanks,

Joe

Ivan Pepelnjak wrote:
> @Luan: Thanks for the link :))
>
> @Joe: if you have EBGP sessions with the core MPLS VPN network, you're
> losing the BGP cost community (resulting in the EIGRP-related redistribution
> issues). It might be possible to tweak the WEIGHT attribute on the PE
> routers (the routes redistributed into BGP have very high weight and are
> thus never replaced by other BGP routes), but you'd probably need
> access-lists to select the backup routes.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Luan Nguyen [mailto:luan at netcraftsmen.net]
>> Sent: Thursday, August 13, 2009 3:44 PM
>> To: 'Joe Maimon'; 'cisco-nsp'
>> Subject: Re: [c-nsp] Route redistribution and selection
>>
>> You might want to check this link out:
>> http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP
>>
>> Regards,
>>
>> -------------------------------
>> Luan Nguyen
>> Chesapeake NetCraftsmen, LLC.
>> http://www.netcraftsmen.net
>> ------------------------------
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon
>> Sent: Thursday, August 13, 2009 9:04 AM
>> To: cisco-nsp
>> Subject: [c-nsp] Route redistribution and selection
>>
>> We are having a problem where routes originated by the
>> customer because of their backup paths are preventing the
>> mpls bgp routes from being installed and used on the PE.
>>
>> Customer has an eigrp routed network.
>>
>> We are hosting a bgp mpls network for the customer.
>>
>> At the Customer's HQ PE router, we talk eigrp to the customer.
>>
>> The customer has an alternate path to the sites served by the
>> bgp mpls network.
>>
>> We allow redistribution of eigrp routes into bgp to advertise
>> to the mpls bgp sites. This includes the sites known prefixes
>> themselves, due to the potential for the backup path becoming
>> the better/only one.
>>
>> We redistribute the bgp routes for the mpls sites into eigrp.
>>
>> Normally this is a fairly common setup and works very well,
>> and has for quite some time with this customer.
>>
>> However, on one PE we have been having issues where the
>> customer backup path eigrp routes are installed into the PE
>> routing table, the bgp routes show the originated via eigrp
>> routes as the best and used path out of both the local
>> originated via eigrp and the P mpls bgp learned route.
>>
>> The current fix is to flap the customer eigrp connection or
>> have the customer withdraw the backup path routes.
>>
>> The P routers and the PE routers are an ebgp connection. The
>> eigrp route has an admin distance of 170 and the ebgp route
>> when installed has an admin distance of 20.
>>
>> We have tried setting the weight, local preference, metric of
>> the mpls P
>> router prefixes to cause the route to be preferred over the
>> redistributed locally from eigrp route.
>>
>> The PE router running rsp-jk9o3sv-mz.124-18a.bin
>>
>> Any insight would be greatly appreciated.
>>
>> Thanks,
>>
>> Joe
>>
>

From tvarriale at comcast.net Thu Aug 13 12:00:54 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 13 Aug 2009 11:00:54 -0500
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
References: <4A841CC9.4090909@cisco.com> <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net>
Message-ID: <4437558BE1EA4B2F95D6A5947D737288@flamdt01>

Hey, you don't work at Cisco anymore! :)

tv

----- Original Message -----
From: "Roland Dobbins"
To: "Cisco-nsp"
Sent: Thursday, August 13, 2009 9:52 AM
Subject: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software Download Planner, etc...

>
> On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote:
>
>> They are eager to listen so now is a good time to get involved.
>
> Let's all keep in mind that *constructive, actionable, specific* feedback
> is what's needed, and is what will have an impact.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>

From tvarriale at comcast.net Thu Aug 13 12:01:38 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 13 Aug 2009 11:01:38 -0500
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
References: <4A841CC9.4090909@cisco.com>
Message-ID:

Rodney,

Do you have an official list of items/tools that feedback can be provided on? Or, should we ping Wilson?

tv

----- Original Message -----
From: "Rodney Dunn"
To:
Sent: Thursday, August 13, 2009 9:01 AM
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner,etc...

> I got involved through a few channels and encouraged the teams responsible
> for some of the Cisco.com Support tools to leverage this forum directly for
> feedback. They were very interested in the idea.
>
> Can those of you that care enough to give direct feedback based on the
> past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a
> few minutes and compose an email directly to:
>
> Wilson Shiu (wshiu)
>
> He is the point of contact for feedback.
>
> They are eager to listen so now is a good time to get involved.
>
> I encourage you guys to take advantage of this.
>
> Thanks
> Rodney

From eriks at nationalfastfreight.com Thu Aug 13 11:19:53 2009
From: eriks at nationalfastfreight.com (Erik Soosalu)
Date: Thu, 13 Aug 2009 11:19:53 -0400
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com> <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com> <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>
Message-ID: <0B224A2FE01CC54C860290D42474BF6003DFA649@exchange.nff.local>

Squid on a Linux/FreeBSD box
McAfee WebGateway (can be bought as an appliance)
ISA on Windows
Untangle

Pretty much any Web filtering package runs on a proxy/cache or includes one.

I've run the first three with user loads in the 300-400 range with no issues.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 10:14 AM
To: shiran guez
Cc: Cisco certification; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Internet Web Caching Solution

Hi Shiran,

I must say that I am NOT looking for a WAN optimization tool. I want an Internet web proxy, caching and acceleration appliance.

Is that also covered by Expand Networks?

Many Thanks.

On Thu, Aug 13, 2009 at 2:10 PM, shiran guez wrote:

> I can suggest a better solution, "Expand Networks", one of the leaders in the
> last several years in WAN optimization
>
> (to be frank, I would indicate that I work for Expand as a 3rd level
> Eng)
>
>
> On Thu, Aug 13, 2009 at 4:41 PM, Felix Nkansah wrote:
>
>> Hi,
>> I am looking for a web caching and acceleration platform.
>>
>> The Cisco Cache Engines were replaced by the Content Engines which has
>> also been replaced with the WAE running ACNS software.
>>
>> The datasheets on ACNS seem to imply caching and acceleration of
>> multimedia traffic between branch offices and central office, with ACNS
>> appliances at both ends.
>>
>> That is not what I am looking for. I want a one-site appliance for
>> Internet web traffic caching only.
>>
>> Many thanks for your clarification.
>>
>> Felix
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
>

From ashnet2009 at gmail.com Thu Aug 13 13:07:26 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 13 Aug 2009 13:07:26 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
Message-ID: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>

Hello,

We have recently deployed N7k's in our DC and want to enable monitoring on them. The current ESM systems in place are HPOV and Concord eHealth. I'd like to get feedback on whether anybody has had experience with monitoring the 7K chassis with either of the above ESM solutions and/or is using a different system, and what it took to get monitoring enabled.

Thanks in Advance.

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 13:59:31 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 18:59:31 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv>
Message-ID: <20090813175931.GB14517@lboro.ac.uk>

Hi,

> Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee runs on Windows/Solaris/Linux

With fear of pouring petrol onto a RADIUS flamewar, I'd say if the original post ain't got funding for ACS then free open source is pushing the answer to FreeRADIUS.

alan

From rdobbins at arbor.net Thu Aug 13 14:03:40 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 01:03:40 +0700
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
Message-ID: <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net>

On Aug 14, 2009, at 12:07 AM, Ash Net wrote:

> We have recently deployed N7k's in our DC and want to enable
> monitoring on them.

N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K. They also output operationally useful NetFlow.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 14:08:08 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 19:08:08 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To:
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <20090813180808.GE14517@lboro.ac.uk>

Hi,

> I've been using tac_plus from
> http://www.pro-bono-publico.de/projects/tac_plus.html (there appear to be
> several projects named "tac_plus", this was the first one to work well for
> me.) As an added bonus, the author was happy and eager to help squash a bug
> I ran into.
> It'll backend to ldap, radius, or keep a local database. Supports all three
> A's.

Hmmmm, looks a little more flexible currently than Shrubbery's software.

alan

From graham at g-rock.net Thu Aug 13 14:41:52 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 14:41:52 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
Message-ID: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>

Hi there,

I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.

After about 30 minutes of the link being powered up, the MAC address of the local radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect was power cycling the local radio.

My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface, to achieve this fix too?
I have yet to find out from the customer if there are any MAC/ARP settings in his radios that could be doing the takeover on purpose.

I am hoping that I can curb this type of behaviour without getting him involved.
Thoughts on this? Thanks,

-graham

From jlewis at lewis.org Thu Aug 13 14:43:21 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 13 Aug 2009 14:43:21 -0400 (EDT)
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <20090813175931.GB14517@lboro.ac.uk>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk>
Message-ID:

On Thu, 13 Aug 2009, Alan Buxey wrote:

> Hi,
>> Radiator RADIUS server.
>> There are multiple versions of this software and support is available for a reasonable fee runs on Windows/Solaris/Linux
>
> with fear of pouring petrol onto a RADIUS flamewar I'd say if
> the original post aint got funding for ACS then free open source is
> pushing the answer to FreeRADIUS.

Compared to Open Source, RADIATOR is not cheap. It's a great product (we've got a site license, and have used it for years) and you do get the source (it's perl)...but it's not free.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From mcgrath at fas.harvard.edu Thu Aug 13 14:46:03 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Thu, 13 Aug 2009 14:46:03 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <20090813175931.GB14517@lboro.ac.uk>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk>
Message-ID: <4A845F6B.30907@fas.harvard.edu>

Not so much - we use ACS for TACACS services and proxy the TACACS via RADIUS for some application, but Cisco ACS is now an appliance and on the close order of 8K + SmartNet, so you are looking at 20K $US for a new solution.

RADIATOR is open-source but not 'free'; it has 200+ authenticators and interfaces to billing systems built in, and a basic license and support for 1 yr is under $2000 US.

Nothing wrong with FreeRADIUS; it's just you need to 'roll your own' for a lot of stuff. If your time is worth nothing or it's a hobby or experimental setup, FreeRADIUS may be the better choice. But if you want something with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in and ready to go, RADIATOR is your tool.

- Scott

Alan Buxey wrote:
> Hi,
>
>> Radiator RADIUS server.
>> There are multiple versions of this software and support is available for a reasonable fee runs on Windows/Solaris/Linux
>>
>
> with fear of pouring petrol onto a RADIUS flamewar I'd say if
> the original post aint got funding for ACS then free open source is
> pushing the answer to FreeRADIUS.
>
> alan
>

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 14:53:32 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 19:53:32 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <20090813185332.GH14517@lboro.ac.uk>

Hi,

>
> Nothing wrong with FreeRADIUS it's just you need to 'roll your own' for
> a lot of stuff, If your time is worth nothing or it's a hobby or
> experimental setup FreeRADIUS may be the better choice. But if you want
> someting with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in and
> ready to go RADIATOR is your tool.

I have to comment on this. AD, LDAP, Kerberos, Unix, NTLM, SQL etc are all built into FreeRADIUS too.. the question is whether your distro has a premade recent version that has it all prebuilt...or, if you built it from source, you had all the required libs (eg mysql-devel) installed.

Of course...you still have to actually configure the mschap or ldap module, but that's true of RADIATOR too 8-)

alan

From rodunn at cisco.com Thu Aug 13 14:55:43 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 14:55:43 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4437558BE1EA4B2F95D6A5947D737288@flamdt01>
References: <4A841CC9.4090909@cisco.com> <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net> <4437558BE1EA4B2F95D6A5947D737288@flamdt01>
Message-ID: <4A8461AF.5070607@cisco.com>

But he can still "care" (TM).
;)

Tony Varriale wrote:
> Hey, you don't work at Cisco anymore! :)
>
> tv
> ----- Original Message ----- From: "Roland Dobbins"
> To: "Cisco-nsp"
> Sent: Thursday, August 13, 2009 9:52 AM
> Subject: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software Download
> Planner, etc...
>
>
>>
>> On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote:
>>
>>> They are eager to listen so now is a good time to get involved.
>>
>> Let's all keep in mind that *constructive, actionable, specific*
>> feedback is what's needed, and is what will have an impact.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins //
>>
>> Unfortunately, inefficiency scales really well.
>>
>> -- Kevin Lawton
>>
>

From rodunn at cisco.com Thu Aug 13 15:05:05 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 15:05:05 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To:
References: <4A841CC9.4090909@cisco.com>
Message-ID: <4A8463E1.2030709@cisco.com>

I'm getting that for clarity. I'll respond back.

Tony Varriale wrote:
> Rodney,
>
> Do you have an official list of items/tools that feedback can be
> provided on? Or, should we ping Wilson?
>
> tv
> ----- Original Message ----- From: "Rodney Dunn"
> To:
> Sent: Thursday, August 13, 2009 9:01 AM
> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download
> Planner,etc...
>
>
>> I got involved through a few channels and encouraged the teams
>> responsible for some of the Cisco.com Support tools to leverage this
>> forum directly for feedback. They were very interested in the idea.
>>
>> Can those of you that care enough to give direct feedback based on the
>> past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take
>> a few minutes and compose an email directly to:
>>
>> Wilson Shiu (wshiu)
>>
>> He is the point of contact for feedback.
>>
>> They are eager to listen so now is a good time to get involved.
>>
>> I encourage you guys to take advantage of this.
>>
>> Thanks
>> Rodney
>

From moua0100 at umn.edu Thu Aug 13 15:09:47 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 13 Aug 2009 14:09:47 -0500
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <4A8464FB.4060801@umn.edu>

Yep, RADIATOR is great; we use it over here :-)

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Scott McGrath wrote:
> Not so much - we use ACS for TACACS services and proxy the TACACS via
> RADIUS for some application but Cisco ACS is now an appliance and on
> the close order of 8K + SmartNet so you are looking at 20K $US for a
> new solution.
>
> RADIATOR is open-source but not 'free' it has 200+ authenticators and
> interfaces to billing systems built in and a basic license and support
> for 1 yr is under $2000 US
>
> Nothing wrong with FreeRADIUS it's just you need to 'roll your own'
> for a lot of stuff, If your time is worth nothing or it's a hobby or
> experimental setup FreeRADIUS may be the better choice. But if you
> want someting with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in
> and ready to go RADIATOR is your tool.
>
> - Scott
>
> Alan Buxey wrote:
>> Hi,
>>
>>> Radiator RADIUS server. There are multiple versions of this
>>> software and support is available for a reasonable fee runs on
>>> Windows/Solaris/Linux
>>>
>>
>> with fear of pouring petrol onto a RADIUS flamewar I'd say if
>> the original post aint got funding for ACS then free open source is
>> pushing the answer to FreeRADIUS.
>> alan
>>
>

From rodunn at cisco.com Thu Aug 13 15:08:06 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 15:08:06 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>
References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>
Message-ID: <4A846496.80109@cisco.com>

I can't follow the problem.

The router should try to defend the mac address it owns, but if another device simply takes over for it, the only way to resolve that is to fix that device.

How exactly is it taking over?
What is the topo (ascii diagram would work)?

Rodney

Graham Wooden wrote:
> Hi there,
>
> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI),
> doing a Point-to-Point wireless shot from the DC to another site.
> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on the
> other end.
> I am then statically routing some additional subnets to the
> far end router.
>
> After about 30 minutes of the link being powered up, the MAC address of
> local Radio appears to take over the /30, and hence all routing breaks.
> To fix this, seems to that if I hardcode the MAC that belongs to the
> Cisco router on the far, all seems good and traffic keeps on trucking.
> The other fix that was being done until the hardcode went into affect,
> was power cycling the local radio.
>
> My question is this: While the hardcoding seems to be the trick to
> solve this, is there another command, maybe on the interface to achieve
> this fix too?
> I have yet to find out from the customer if there are any MAC/ARP
> settings in his radios and that could be doing take over on purpose.
>
> I am hoping that I can curb this type of behaviour without getting him
> involved.
> Thoughts to this? Thanks,
>
> -graham
>

From mhuff at ox.com Thu Aug 13 15:27:47 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 13 Aug 2009 15:27:47 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D122BBDAF8@PUR-EXCH07.ox.com>

> Not so much - we use ACS for TACACS services and proxy the TACACS via
> RADIUS for some application but Cisco ACS is now an appliance and on
> the
> close order of 8K + SmartNet so you are looking at 20K $US for a new
> solution.

The newer version 5.0 of ACS is available only as an appliance, but the 4.x is still available for Unix and Windows.
Cisco will be providing upgrade paths in the future to 5.0 on the software side.

From http://cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/data_sheet_c78-504202.html

"Ordering Information

Cisco Secure ACS 5.0 does not replace ACS 4.2. Cisco Secure ACS 5.0 is the next-generation platform for centralized identity and access policy management. Some of the key areas of functionality differences include protocol support, external database support, and provisioning interfaces. Customers that choose to deploy ACS 4.2 will have future upgrade paths to the next-generation ACS 5.x platform. Please see the Cisco Secure ACS 5.0 User Guide at http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html for a more detailed comparison of ACS 4.0 and ACS 5.0."

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From ip at ioshints.info Thu Aug 13 15:31:51 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 13 Aug 2009 21:31:51 +0200
Subject: [c-nsp] Event Manager question
In-Reply-To:
References:
Message-ID: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>

Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or inform. The details are here (although the article describes a slightly different task):

http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs

However, are you absolutely positive there is no other way to get what you need? In many cases you could use a smart routing design instead of the PBR.
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Manaf Al Oqlah [mailto:manafo at hotmail.com]
> Sent: Thursday, August 13, 2009 4:31 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Event Manager question
>
>
> Hi all,
>
> Can I configure event manager to be started when it gets
> notification from another router. for example, I want router1
> to be configured with policy based routing on a specific
> interface once the bgp peer on router2 is down. I don't want
> to permanently configure the PBR since it is consume very
> high CPU utilizing on router1
>
> Thank you,
> Manaf
>

From jfitz at Princeton.EDU Thu Aug 13 15:55:56 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 13 Aug 2009 15:55:56 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <4A846496.80109@cisco.com>
References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com> <4A846496.80109@cisco.com>
Message-ID:

It's interesting to note that this occurs at about the default ARP timeout of 1800 seconds (Is that what the router is configured for?). That implies that when the arp times out and the router arps for the other end, it gets an ARP REPLY from the wireless device. Is that what you are saying?

This would seem to say that the wireless device may have some local proxy arp enabled so it responds to arp requests on the local net.

Jeff Fitzwater
OIT Network Systems
Princeton University

On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:

> I can't follow the problem.
>
> The router should try to defend the mac address it owns but if
> another device simply takes over for it the only way to resolve that
> is fix that device.
>
> How exactly is it taking over?
> What is the topo (ascii diagram would work).
>
> Rodney
>
>
>
> Graham Wooden wrote:
>> Hi there,
>> I have a customer hanging off of my edge router (6509/
>> Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC
>> to another site.
>> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on >> the other end. I am then statically routing some additional subnets >> to the far end router. >> After about 30 minutes of the link being powered up, the MAC >> address of local Radio appears to take over the /30, and hence all >> routing breaks. To fix this, seems to that if I hardcode the MAC >> that belongs to the Cisco router on the far, all seems good and >> traffic keeps on trucking. The other fix that was being done until >> the hardcode went into affect, was power cycling the local radio. >> My question is this: While the hardcoding seems to be the trick to >> solve this, is there another command, maybe on the interface to >> achieve this fix too? >> I have yet to find out from the customer if there are any MAC/ARP >> settings in his radios and that could be doing take over on purpose. >> I am hoping that I can curb this type of behaviour without getting >> him involved. >> Thoughts to this? Thanks, >> -graham >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From graham at g-rock.net Thu Aug 13 16:48:06 2009 From: graham at g-rock.net (Graham Wooden) Date: Thu, 13 Aug 2009 15:48:06 -0500 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: <4A846496.80109@cisco.com> Message-ID: Yeah, kinda messy - sorry about that. It's taking over as when I do a "sh arp ip", instead of seeing the far end router's MAC for the other end of the /30, I see the radio's. c6509/sup32 -> radio <------------------------> radio -> c2621 Between the c6509 and c2621 is a routable /30. 
I should note that I didn't have this problem when had this setup on a Sup2, and ran fine for several months. Is there a different ARP timeout between the two? On 8/13/09 2:08 PM, "Rodney Dunn" wrote: > I can't follow the problem. > > The router should try to defend the mac address it owns but if another > device simply takes over for it the only way to resolve that is fix that > device. > > How exactly is it taking over? > What is the topo (ascii diagram would work). > > Rodney > > > > Graham Wooden wrote: >> Hi there, >> >> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), >> doing a Point-to-Point wireless shot from the DC to another site. >> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on the >> other end. I am then statically routing some additional subnets to the >> far end router. >> >> After about 30 minutes of the link being powered up, the MAC address of >> local Radio appears to take over the /30, and hence all routing breaks. >> To fix this, seems to that if I hardcode the MAC that belongs to the >> Cisco router on the far, all seems good and traffic keeps on trucking. >> The other fix that was being done until the hardcode went into affect, >> was power cycling the local radio. >> >> My question is this: While the hardcoding seems to be the trick to >> solve this, is there another command, maybe on the interface to achieve >> this fix too? >> I have yet to find out from the customer if there are any MAC/ARP >> settings in his radios and that could be doing take over on purpose. >> >> I am hoping that I can curb this type of behaviour without getting him >> involved. >> Thoughts to this? 
Thanks, >> >> -graham >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ From graham at g-rock.net Thu Aug 13 16:53:39 2009 From: graham at g-rock.net (Graham Wooden) Date: Thu, 13 Aug 2009 15:53:39 -0500 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: Message-ID: I say 30 minutes ... But I just had it occur on less than 5 minutes from having the far end router and radio rebooted. And apparently my attempt to hardcode the MAC addresses on both ends didn't fix it. I am going to start blaming the radios I think ... On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote: > It's interesting to note that this occurs at about the default ARP > timeout of 1800 seconds (Is that what the router is configured > for?). That implies that when the arp times out and the router arps > for the other end, it get an ARP REPLY from the wireless device. Is > that what you are saying? This would seem to say that the wireless > device may have some local proxy arp enabled so it responds to arp > requests on the local net. > > > > Jeff Fitzwater > OIT Network Systems > Princeton University > On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote: > >> I can't follow the problem. >> >> The router should try to defend the mac address it owns but if >> another device simply takes over for it the only way to resolve that >> is fix that device. >> >> How exactly is it taking over? >> What is the topo (ascii diagram would work). >> >> Rodney >> >> >> >> Graham Wooden wrote: >>> Hi there, >>> I have a customer hanging off of my edge router (6509/ >>> Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC >>> to another site. >>> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on >>> the other end. I am then statically routing some additional subnets >>> to the far end router. 
>>> After about 30 minutes of the link being powered up, the MAC >>> address of local Radio appears to take over the /30, and hence all >>> routing breaks. To fix this, seems to that if I hardcode the MAC >>> that belongs to the Cisco router on the far, all seems good and >>> traffic keeps on trucking. The other fix that was being done until >>> the hardcode went into affect, was power cycling the local radio. >>> My question is this: While the hardcoding seems to be the trick to >>> solve this, is there another command, maybe on the interface to >>> achieve this fix too? >>> I have yet to find out from the customer if there are any MAC/ARP >>> settings in his radios and that could be doing take over on purpose. >>> I am hoping that I can curb this type of behaviour without getting >>> him involved. >>> Thoughts to this? Thanks, >>> -graham >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rodunn at cisco.com Thu Aug 13 16:53:34 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 13 Aug 2009 16:53:34 -0400 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: References: Message-ID: <4A847D4E.1000800@cisco.com> Graham Wooden wrote: > Yeah, kinda messy - sorry about that. > > It's taking over as when I do a "sh arp ip", instead of seeing the far end > router's MAC for the other end of the /30, I see the radio's. > > c6509/sup32 -> radio <------------------------> radio -> c2621 > > Between the c6509 and c2621 is a routable /30. > ok. If the radio responds to an arp on refresh you can't stop that on the hub side unless you statically map it. 
The router has no way to know who is valid and who isn't. > I should note that I didn't have this problem when had this setup on a Sup2, > and ran fine for several months. Is there a different ARP timeout between > the two? Shouldn't be. The timeout is 4 hrs by default. Have you determined it's 60 seconds prior to the 4 hr default timeout? You could test it by doing a manual "clear arp" as it does the same thing and sends out a unicast refresh. Can you try sh ip arp, clear arp (with debug arp enabled") and get 'sh ip arp' again? > > On 8/13/09 2:08 PM, "Rodney Dunn" wrote: > >> I can't follow the problem. >> >> The router should try to defend the mac address it owns but if another >> device simply takes over for it the only way to resolve that is fix that >> device. >> >> How exactly is it taking over? >> What is the topo (ascii diagram would work). >> >> Rodney >> >> >> >> Graham Wooden wrote: >>> Hi there, >>> >>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), >>> doing a Point-to-Point wireless shot from the DC to another site. >>> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on the >>> other end. I am then statically routing some additional subnets to the >>> far end router. >>> >>> After about 30 minutes of the link being powered up, the MAC address of >>> local Radio appears to take over the /30, and hence all routing breaks. >>> To fix this, seems to that if I hardcode the MAC that belongs to the >>> Cisco router on the far, all seems good and traffic keeps on trucking. >>> The other fix that was being done until the hardcode went into affect, >>> was power cycling the local radio. >>> >>> My question is this: While the hardcoding seems to be the trick to >>> solve this, is there another command, maybe on the interface to achieve >>> this fix too? >>> I have yet to find out from the customer if there are any MAC/ARP >>> settings in his radios and that could be doing take over on purpose. 
>>> >>> I am hoping that I can curb this type of behaviour without getting him >>> involved. >>> Thoughts to this? Thanks, >>> >>> -graham >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ashnet2009 at gmail.com Thu Aug 13 17:01:26 2009 From: ashnet2009 at gmail.com (Ash Net) Date: Thu, 13 Aug 2009 17:01:26 -0400 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> Message-ID: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> Yep, we know that already. I'm finding that there isn't a lot of management systems (OV/Concord atleast) that can natively monitor the 7k's since they haven't certified the platform yet. Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined. It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems. On 8/13/09, Roland Dobbins wrote: > > On Aug 14, 2009, at 12:07 AM, Ash Net wrote: > >> We have recently deployed N7k's in our DC and want to enable >> monitoring on them. > > N7Ks have a dedicated management processor; they also have a > management software system which I believe ships with every N7K. > > They also output operationally useful NetFlow. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Unfortunately, inefficiency scales really well. 
> > -- Kevin Lawton > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jfitz at Princeton.EDU Thu Aug 13 17:01:02 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Thu, 13 Aug 2009 17:01:02 -0400 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: References: Message-ID: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU> IF you hardcoded the ARP in both routers, then they should never change. So what exactly breaks? Can you ping the other router? What is the other routers ARP entry and visa versa? They better be the ones you put in. Jeff On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote: > I say 30 minutes ... But I just had it occur on less than 5 minutes > from > having the far end router and radio rebooted. And apparently my > attempt to > hardcode the MAC addresses on both ends didn't fix it. I am going > to start > blaming the radios I think ... > > > On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote: > >> It's interesting to note that this occurs at about the default ARP >> timeout of 1800 seconds (Is that what the router is configured >> for?). That implies that when the arp times out and the router arps >> for the other end, it get an ARP REPLY from the wireless device. Is >> that what you are saying? This would seem to say that the wireless >> device may have some local proxy arp enabled so it responds to arp >> requests on the local net. >> >> >> >> Jeff Fitzwater >> OIT Network Systems >> Princeton University >> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote: >> >>> I can't follow the problem. >>> >>> The router should try to defend the mac address it owns but if >>> another device simply takes over for it the only way to resolve that >>> is fix that device. >>> >>> How exactly is it taking over? >>> What is the topo (ascii diagram would work). 
>>> >>> Rodney >>> >>> >>> >>> Graham Wooden wrote: >>>> Hi there, >>>> I have a customer hanging off of my edge router (6509/ >>>> Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC >>>> to another site. >>>> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on >>>> the other end. I am then statically routing some additional subnets >>>> to the far end router. >>>> After about 30 minutes of the link being powered up, the MAC >>>> address of local Radio appears to take over the /30, and hence all >>>> routing breaks. To fix this, seems to that if I hardcode the MAC >>>> that belongs to the Cisco router on the far, all seems good and >>>> traffic keeps on trucking. The other fix that was being done until >>>> the hardcode went into affect, was power cycling the local radio. >>>> My question is this: While the hardcoding seems to be the trick to >>>> solve this, is there another command, maybe on the interface to >>>> achieve this fix too? >>>> I have yet to find out from the customer if there are any MAC/ARP >>>> settings in his radios and that could be doing take over on >>>> purpose. >>>> I am hoping that I can curb this type of behaviour without getting >>>> him involved. >>>> Thoughts to this? 
Thanks, >>>> -graham >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From rogelio.gamino at dc.gov Thu Aug 13 17:26:45 2009 From: rogelio.gamino at dc.gov (Gamino, Rogelio (OCTO-Contractor)) Date: Thu, 13 Aug 2009 17:26:45 -0400 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> Message-ID: Cisco DCNM might give you the info you are looking for. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ash Net Sent: Thursday, August 13, 2009 5:01 PM To: Roland Dobbins; Cisco-nsp Subject: Re: [c-nsp] Monitoring Nexus 7000 platform Yep, we know that already. I'm finding that there isn't a lot of management systems (OV/Concord atleast) that can natively monitor the 7k's since they haven't certified the platform yet. Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined. It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems. On 8/13/09, Roland Dobbins wrote: > > On Aug 14, 2009, at 12:07 AM, Ash Net wrote: > >> We have recently deployed N7k's in our DC and want to enable >> monitoring on them. 
> > N7Ks have a dedicated management processor; they also have a > management software system which I believe ships with every N7K. > > They also output operationally useful NetFlow. > > ----------------------------------------------------------------------- > Roland Dobbins // > > Unfortunately, inefficiency scales really well. > > -- Kevin Lawton > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rshughes at gmail.com Thu Aug 13 17:30:39 2009 From: rshughes at gmail.com (Ryan Hughes) Date: Thu, 13 Aug 2009 17:30:39 -0400 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> Message-ID: >From what I've seen on much of the new DC equipment, Cisco focused more on XML than SNMP for the monitoring hook into the Nexus gear. I know many of the features you're asking for were bolted on per customer requests but I haven't seen any specific templates out there around this. I'd be interested in to hear what some of the TME's who pay attention to this have to say. DCNM is the platform that Cisco deployment to handle management/monitoring for the Nexus but I haven't seen many customers buy it yet ( IIRC - it makes excellent use of the XML API's available ). Ryan On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote: > Yep, we know that already. 
I'm finding that there isn't a lot of > management systems (OV/Concord atleast) that can natively monitor the > 7k's since they haven't certified the platform yet. > > Wondering how people are monitoring elements such as CPU Health, intf > utilization, topology change event traps of the 7K Chassis etc. There > doesn't appear to be a comprehensive MIB that has all the elements > defined. > > It'd be great to hear from folks who have these boxes deployed and > have them in any enterprise monitoring systems. > > > > On 8/13/09, Roland Dobbins wrote: > > > > On Aug 14, 2009, at 12:07 AM, Ash Net wrote: > > > >> We have recently deployed N7k's in our DC and want to enable > >> monitoring on them. > > > > N7Ks have a dedicated management processor; they also have a > > management software system which I believe ships with every N7K. > > > > They also output operationally useful NetFlow. > > > > ----------------------------------------------------------------------- > > Roland Dobbins // > > > > Unfortunately, inefficiency scales really well. 
> > > > -- Kevin Lawton > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rodunn at cisco.com Thu Aug 13 17:58:54 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 13 Aug 2009 17:58:54 -0400 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU> References: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU> Message-ID: <4A848C9E.8030909@cisco.com> I've seen some funky things like this before, ie: with cable modems that are supposed to be L1 only transparent but monkey up the stack. If he hardcoded the mac's the adj should never change for CEF. Verify it with 'sh adj detail' and sh ip arp. Rodney Jeff Fitzwater wrote: > IF you hardcoded the ARP in both routers, then they should never > change. So what exactly breaks? Can you ping the other router? What > is the other routers ARP entry and visa versa? They better be the ones > you put in. > > > > Jeff > On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote: > >> I say 30 minutes ... But I just had it occur on less than 5 minutes from >> having the far end router and radio rebooted. And apparently my >> attempt to >> hardcode the MAC addresses on both ends didn't fix it. I am going to >> start >> blaming the radios I think ... >> >> >> On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote: >> >>> It's interesting to note that this occurs at about the default ARP >>> timeout of 1800 seconds (Is that what the router is configured >>> for?). That implies that when the arp times out and the router arps >>> for the other end, it get an ARP REPLY from the wireless device. 
Is >>> that what you are saying? This would seem to say that the wireless >>> device may have some local proxy arp enabled so it responds to arp >>> requests on the local net. >>> >>> >>> >>> Jeff Fitzwater >>> OIT Network Systems >>> Princeton University >>> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote: >>> >>>> I can't follow the problem. >>>> >>>> The router should try to defend the mac address it owns but if >>>> another device simply takes over for it the only way to resolve that >>>> is fix that device. >>>> >>>> How exactly is it taking over? >>>> What is the topo (ascii diagram would work). >>>> >>>> Rodney >>>> >>>> >>>> >>>> Graham Wooden wrote: >>>>> Hi there, >>>>> I have a customer hanging off of my edge router (6509/ >>>>> Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC >>>>> to another site. >>>>> On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on >>>>> the other end. I am then statically routing some additional subnets >>>>> to the far end router. >>>>> After about 30 minutes of the link being powered up, the MAC >>>>> address of local Radio appears to take over the /30, and hence all >>>>> routing breaks. To fix this, seems to that if I hardcode the MAC >>>>> that belongs to the Cisco router on the far, all seems good and >>>>> traffic keeps on trucking. The other fix that was being done until >>>>> the hardcode went into affect, was power cycling the local radio. >>>>> My question is this: While the hardcoding seems to be the trick to >>>>> solve this, is there another command, maybe on the interface to >>>>> achieve this fix too? >>>>> I have yet to find out from the customer if there are any MAC/ARP >>>>> settings in his radios and that could be doing take over on purpose. >>>>> I am hoping that I can curb this type of behaviour without getting >>>>> him involved. >>>>> Thoughts to this? 
Thanks, >>>>> -graham >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> From jcdarby at usgs.gov Thu Aug 13 18:09:51 2009 From: jcdarby at usgs.gov (Justin C. Darby) Date: Thu, 13 Aug 2009 17:09:51 -0500 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> Message-ID: <4A848F2F.8090502@usgs.gov> We use DCNM for real-time monitoring here (e.g. we use it to troubleshoot issues as they arise) - works great for this purpose, though in my opinion the configuration interface is a little over-complicated compared to just using the CLI, which is a bad sign. :) The XML interface is very, very well documented. Each revision of NX-OS ships with a new XML spec package to describe the interfaces. You can do a lot more than just monitor things with the XML interfaces - e.g. automate port provisioning tasks in an in-house product/app. We're planning to use some of this functionality to integrate switch configurations into our inventory system (eventually). If you hit up the downloads page for NX-OS you should see a zip file of XML specifications in there. Justin Ryan Hughes wrote: > >From what I've seen on much of the new DC equipment, Cisco focused more on > XML than SNMP for the monitoring hook into the Nexus gear. I know many of > the features you're asking for were bolted on per customer requests but I > haven't seen any specific templates out there around this. 
I'd be interested > in to hear what some of the TME's who pay attention to this have to say. > DCNM is the platform that Cisco deployment to handle management/monitoring > for the Nexus but I haven't seen many customers buy it yet ( IIRC - it makes > excellent use of the XML API's available ). > Ryan > > On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote: > > >> Yep, we know that already. I'm finding that there isn't a lot of >> management systems (OV/Concord atleast) that can natively monitor the >> 7k's since they haven't certified the platform yet. >> >> Wondering how people are monitoring elements such as CPU Health, intf >> utilization, topology change event traps of the 7K Chassis etc. There >> doesn't appear to be a comprehensive MIB that has all the elements >> defined. >> >> It'd be great to hear from folks who have these boxes deployed and >> have them in any enterprise monitoring systems. >> >> >> >> On 8/13/09, Roland Dobbins wrote: >> >>> On Aug 14, 2009, at 12:07 AM, Ash Net wrote: >>> >>> >>>> We have recently deployed N7k's in our DC and want to enable >>>> monitoring on them. >>>> >>> N7Ks have a dedicated management processor; they also have a >>> management software system which I believe ships with every N7K. >>> >>> They also output operationally useful NetFlow. >>> >>> ----------------------------------------------------------------------- >>> Roland Dobbins // >>> >>> Unfortunately, inefficiency scales really well. 
>>> >>> -- Kevin Lawton >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From manafo at hotmail.com Thu Aug 13 18:27:48 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Fri, 14 Aug 2009 01:27:48 +0300 Subject: [c-nsp] Event Manager question In-Reply-To: <002d01ca1c4c$b5dc8220$0a00000a@nil.si> References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si> Message-ID: Hello Ivan, Thank you for your response. In my design, I am load sharing the traffic by multihomed BGP with two ISPs through two local 7600 routers. To avoid any single point of failure, we have a backup link for each ISP connected to each local router. as below: Router1 connected with primary link of ISP1 and backup link of ISP2. Router2 connected with primary link of ISP2 and backup link of ISP1 I only receive default-route from each ISP (primary bgp peer has higher local preference on each router). my network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20) normally, x.x.32.0/20 go through Router1 & ISP1, and x.x.48.0/20 go through Router2 & ISP2 incoming and outgoing. what I need is, once the primary BGP peer of ISP1 on Router1 goes down, the subnet x.x.32.0/20 go to backup link on Router2 which is already has a preferred default route from ISP2 serving the subnet x.x.48.0/20. The same case should be applied vice versa. 
load sharing for incoming traffic is working properly, but my problem is with outgoing traffic since I am only receiving default-route from each ISP! I know it is a bit complicated but I hope you can give me some help. Thank you, Manaf -------------------------------------------------- From: "Ivan Pepelnjak" Sent: Thursday, August 13, 2009 10:31 PM To: "'Manaf Al Oqlah'" ; Subject: RE: [c-nsp] Event Manager question > Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or > inform. The details are here (although the article describes a slightly > different task): > > http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs > > However, are you absolutely positive there is no other way to get what you > need? In many cases you could use a smart routing design instead of the > PBR. > > Ivan > > http://www.ioshints.info/about > http://blog.ioshints.info/ > >> -----Original Message----- >> From: Manaf Al Oqlah [mailto:manafo at hotmail.com] >> Sent: Thursday, August 13, 2009 4:31 PM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Event Manager question >> >> >> Hi all, >> >> Can I configure event manager to be started when it gets >> notification from another router. for example, I want router1 >> to be configured with policy based routing on a specific >> interface once the bgp peer on router2 is down. I don't want >> to permanently configure the PBR since it is consume very >> high CPU utilizing on router1 >> >> Thank you, >> Manaf >> > > From spencer at ceiva.com Thu Aug 13 17:02:09 2009 From: spencer at ceiva.com (Spencer Barnes) Date: Thu, 13 Aug 2009 14:02:09 -0700 Subject: [c-nsp] Cisco 2960 12.2(50)SE3 - MAC ACL Deny Statement Allowing DHCP Traffic Through? Message-ID: <0BE527EE61205F409B0EDB4F6544552E01FA62B2@stewie.ceiva.local> Hello, I have a Cisco 2960 running 12.2(50)SE3 (c2960-lanbasek9-mz.122-50.SE3.bin). Interface FA0/1 is an uplink to the main network/DHCP server and has no restrictions. 
FA0/19 is connected to a switch and that switch has a variety of wireless access points. I want to restrict inbound access on FA0/19 to certain MAC addresses. Port FA0/19 has a mac access-group assigned to it and here is the corresponding mac access-list: mac access-list extended frames permit host 0000.0000.0001 any deny host 0000.0000.0002 any Somehow the denied client (0000.0000.0002) is getting DHCP. I sniffed traffic from the DHCP server and indeed, the denied MAC address was making it through. The client is unable to route after getting DHCP so this is almost working but I can't have the denied clients successfully negotiating DHCP before getting blocked. Switchport port-security is working but I don't want to use this method. Scrapping the access-list configuration, if I set switchport security on FA0/19 to a maximum of 1 and add the permitted host (switchport port-security mac-address 0000.0000.0001), the denied host is unable to route or get DHCP. Why does the mac access-list allow the denied host to push DHCP traffic through and how do I prevent this? Spencer From dharmachris at gmail.com Thu Aug 13 18:23:42 2009 From: dharmachris at gmail.com (Christopher Hunt) Date: Thu, 13 Aug 2009 15:23:42 -0700 Subject: [c-nsp] best PE-CE protocol Message-ID: Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what is the best PE-CE protocol to use? I assume we could run eBGP over both links and weight them from the provider's end, as well as the customer end. But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The customer site only hosts a few /24s and the SP would be the default route as the customer is colocating a firewall at the SP's colo. Any experience or opinions would be greatly appreciated. 
Thanks
DC

From rwest at zyedge.com Thu Aug 13 18:51:27 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 13 Aug 2009 18:51:27 -0400
Subject: [c-nsp] Event Manager question
In-Reply-To:
References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local>

Manaf,

Do you have an iBGP peer between the 7600's? Why not just create IGP between the two 7600's or use next-hop-self between the peers and set the default-route received from each other to be higher than the backup default. ISP1 primary local-pref 110, unchanged local-pref for iBGP and then local-pref of 90 for backup link of ISP2 on router 1, and then vice-versa on router 2.

Load Sharing with BGP -> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml

If you're feeling brave later, you can look into OER/PfR.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah
Sent: Thursday, August 13, 2009 6:28 PM
To: Ivan Pepelnjak; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Event Manager question

Hello Ivan,

Thank you for your response. In my design, I am load sharing the traffic by multihomed BGP with two ISPs through two local 7600 routers. To avoid any single point of failure, we have a backup link for each ISP connected to each local router, as below:

Router1 connected with primary link of ISP1 and backup link of ISP2.
Router2 connected with primary link of ISP2 and backup link of ISP1.

I only receive default-route from each ISP (primary bgp peer has higher local preference on each router).

My network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20). Normally, x.x.32.0/20 goes through Router1 & ISP1, and x.x.48.0/20 goes through Router2 & ISP2, incoming and outgoing.
What I need is, once the primary BGP peer of ISP1 on Router1 goes down, the subnet x.x.32.0/20 goes to the backup link on Router2, which already has a preferred default route from ISP2 serving the subnet x.x.48.0/20. The same case should be applied vice versa.

Load sharing for incoming traffic is working properly, but my problem is with outgoing traffic since I am only receiving default-route from each ISP!
I know it is a bit complicated but I hope you can give me some help.

Thank you,
Manaf

--------------------------------------------------
From: "Ivan Pepelnjak"
Sent: Thursday, August 13, 2009 10:31 PM
To: "'Manaf Al Oqlah'" ;
Subject: RE: [c-nsp] Event Manager question

> Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or
> inform. The details are here (although the article describes a slightly
> different task):
>
> http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs
>
> However, are you absolutely positive there is no other way to get what you
> need? In many cases you could use a smart routing design instead of the
> PBR.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Manaf Al Oqlah [mailto:manafo at hotmail.com]
>> Sent: Thursday, August 13, 2009 4:31 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Event Manager question
>>
>> Hi all,
>>
>> Can I configure event manager to be started when it gets
>> notification from another router. For example, I want router1
>> to be configured with policy based routing on a specific
>> interface once the bgp peer on router2 is down.
>> I don't want
>> to permanently configure the PBR since it consumes very
>> high CPU utilization on router1
>>
>> Thank you,
>> Manaf
>>
>
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From graham at g-rock.net Thu Aug 13 19:08:36 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 18:08:36 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <4A848C9E.8030909@cisco.com>
Message-ID:

I know - the whole thing is bizarre.

I was able to get access to that remote C2621, and noticed that ip proxy-arp was disabled. I enabled it to match my interface on the 6500. It's been up for close to an hour now with no issues (hopefully I just didn't jinx myself). I removed the hardcoded MACs as that didn't seem to help.

And no, I can't see the other side at all when the issue arises.

Here is the "show adj detail" from the VLAN (6500 side). The 172.20.255.248/28 is the secondary address subnet on the VLAN to manage the radios. Poorman's OOB. Radios are .250 and .251.

IP       Vlan201                  12.nn.nn.246(11)
                                  291469 packets, 216514528 bytes
                                  epoch 0
                                  sourced in sev-epoch 2
                                  Encap length 14
                                  000628A343000004DEFF70000800
                                  ARP
IP       Vlan201                  172.20.255.250(7)
                                  376 packets, 46187 bytes
                                  epoch 0
                                  sourced in sev-epoch 2
                                  Encap length 14
                                  000B6B2E5A2C0004DEFF70000800
                                  ARP
IP       Vlan201                  172.20.255.251(7)
                                  370 packets, 43771 bytes
                                  epoch 0
                                  sourced in sev-epoch 2
                                  Encap length 14
                                  000B6B2E59FB0004DEFF70000800
                                  ARP

And then from the 2621 side ...
IP       FastEthernet0/0          172.20.255.251(5)
                                  1983 packets, 266146 bytes
                                  000B6B2E59FB000628A343000800
                                  ARP        03:58:41
                                  Epoch: 0
IP       FastEthernet0/0          172.20.255.249(5)
                                  7 packets, 686 bytes
                                  0004DEFF7000000628A343000800
                                  ARP        03:26:18
                                  Epoch: 0
IP       FastEthernet0/0          xxxxxx(7) (12.nn.nn.245)
                                  232362 packets, 51704892 bytes
                                  0004DEFF7000000628A343000800
                                  ARP        02:42:29
                                  Epoch: 0

On 8/13/09 4:58 PM, "Rodney Dunn" wrote:

> I've seen some funky things like this before, ie: with cable modems that
> are supposed to be L1 only transparent but monkey up the stack.
>
> If he hardcoded the mac's the adj should never change for CEF.
>
> Verify it with 'sh adj detail' and sh ip arp.
>
> Rodney
>
> Jeff Fitzwater wrote:
>> IF you hardcoded the ARP in both routers, then they should never
>> change. So what exactly breaks? Can you ping the other router? What
>> is the other router's ARP entry and vice versa? They better be the ones
>> you put in.
>>
>> Jeff
>>
>> On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote:
>>
>>> I say 30 minutes ... But I just had it occur in less than 5 minutes from
>>> having the far end router and radio rebooted. And apparently my
>>> attempt to hardcode the MAC addresses on both ends didn't fix it. I am
>>> going to start blaming the radios I think ...
>>>
>>> On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote:
>>>
>>>> It's interesting to note that this occurs at about the default ARP
>>>> timeout of 1800 seconds (Is that what the router is configured
>>>> for?). That implies that when the arp times out and the router arps
>>>> for the other end, it gets an ARP REPLY from the wireless device. Is
>>>> that what you are saying? This would seem to say that the wireless
>>>> device may have some local proxy arp enabled so it responds to arp
>>>> requests on the local net.
>>>>
>>>> Jeff Fitzwater
>>>> OIT Network Systems
>>>> Princeton University
>>>>
>>>> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:
>>>>
>>>>> I can't follow the problem.
>>>>>
>>>>> The router should try to defend the mac address it owns but if
>>>>> another device simply takes over for it the only way to resolve that
>>>>> is fix that device.
>>>>>
>>>>> How exactly is it taking over?
>>>>> What is the topo (ascii diagram would work).
>>>>>
>>>>> Rodney
>>>>>
>>>>> Graham Wooden wrote:
>>>>>> Hi there,
>>>>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI),
>>>>>> doing a Point-to-Point wireless shot from the DC to another site.
>>>>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on
>>>>>> the other end. I am then statically routing some additional subnets
>>>>>> to the far end router.
>>>>>> After about 30 minutes of the link being powered up, the MAC
>>>>>> address of the local Radio appears to take over the /30, and hence all
>>>>>> routing breaks. To fix this, it seems that if I hardcode the MAC
>>>>>> that belongs to the Cisco router on the far end, all seems good and
>>>>>> traffic keeps on trucking. The other fix that was being done until
>>>>>> the hardcode went into effect was power cycling the local radio.
>>>>>> My question is this: While the hardcoding seems to be the trick to
>>>>>> solve this, is there another command, maybe on the interface, to
>>>>>> achieve this fix too?
>>>>>> I have yet to find out from the customer if there are any MAC/ARP
>>>>>> settings in his radios that could be doing takeover on purpose.
>>>>>> I am hoping that I can curb this type of behaviour without getting
>>>>>> him involved.
>>>>>> Thoughts to this?
>>>>>> Thanks,
>>>>>> -graham
>>>>>
>>>>
>>>
>>>

From netsecuredata at gmail.com Thu Aug 13 19:26:27 2009
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Thu, 13 Aug 2009 18:26:27 -0500
Subject: [c-nsp] How to enable ssh or telnet via outside interface ASA
Message-ID:

Hi folks

I want to configure my ASA for remote access via outside, however its configuration does not work. IPs are fake for security reasons.

My configuration is: on the outside interface I have

interface Vlan2
 nameif outside
 security-level 1
 ip address 200.10.45.98 255.255.255.240

telnet 200.100.50.0 255.255.255.0 outside
ssh 200.100.50.0 255.255.255.0 outside

Also, I do not have any ACL.

In the logs I can see:

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP)

Could you help me with this configuration?

Regards.

--
"The network is the computer"

From kunkel at w-link.net Thu Aug 13 20:30:51 2009
From: kunkel at w-link.net (Rick Kunkel)
Date: Thu, 13 Aug 2009 17:30:51 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
Message-ID:

Hello all,

I've got a problem that I unfortunately don't know a heck of a lot about, which I understand makes answering this question difficult. But I thought I'd pick people's brains in the hopes of at least getting pointed in the right direction.

Here's the deal. I run EIGRP for the internal network, and BGP to talk to the outside world. Occasionally, I go to add a new block or router to the EIGRP network, and it just won't work.
Strangely, all the "show ip route" commands look good, but traffic just won't get where it's supposed to go. Crazily, sometimes I can get 20-40% of packets through to the internet, but traffic to the internal network is usually lost. However, it sometimes seems as if the traffic might be lost at a border router we have, which is currently getting two full route tables on a Sup2 running IOS 12.1(26)E8. (Yes, I know, impossible.) In an effort to minimize downtime, I can only poke around at things for so long, before performing the wonky fix.

The fix... Usually I can do something that will withdraw or otherwise change the new announcement, and then put it back, and it will work.

The LAST time this happened, however, when I re-added the new block, suddenly another block on our network became unreachable. It was as if the new block kicked the old one out.

To me, this smacks of a memory shortage somewhere, and it's occurred to me that it may be that border router that has a bunch of EIGRP stuff AND the BGP stuff. I've heard tell of the TCAM filling, but that's supposed to log messages, and I've seen none of those. And does EIGRP use the TCAM? Perhaps an OS bug?

Anyhow, I don't expect anyone to solve the mystery for me (unless they immediately know what's causing it), but I was hoping for some direction. Any commands I can run to quickly show me exhausted space, etc.? I know the Sup2 needs to be upgraded, but I find myself wondering if that will fix the problem, or if this is a result of something else entirely.

This is not a horrendous problem, but it rears its head from time to time, and makes things difficult. Most frustrating of all is that I can't get a bead on it, and have minimal time to troubleshoot on a production network.

Any ideas and/or pointers?

Thanks much!
Rick Kunkel

From jared at puck.nether.net Thu Aug 13 21:31:25 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Aug 2009 21:31:25 -0400
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to see the logs on sup2. Cut down the number of routes you listen to from your upstreams, having them send you just their customer routes and use default for the rest.

In sup720 and sup1a when the tcam is full it would then process switch. Not sure on sup2 but I presume it's the same.

Jared Mauch

On Aug 13, 2009, at 8:30 PM, Rick Kunkel wrote:

> Hello all,
>
> I've got a problem that I unfortunately don't know a heck of a lot
> about, which I understand makes answering this question difficult.
> But I thought I'd pick people's brains in the hopes of at least
> getting pointed in the right direction.
>
> Here's the deal. I run EIGRP for the internal network, and BGP to
> talk to the outside world. Occasionally, I go to add a new block or
> router to the EIGRP network, and it just won't work. Strangely, all
> the "show ip route" commands look good, but traffic just won't get
> where it's supposed to go. Crazily, sometimes I can get 20-40% of
> packets through to the internet, but traffic to the internal network
> is usually lost. However, it sometimes seems as if the traffic
> might be lost at a border router we have, which is currently getting
> two full route tables on a Sup2 running IOS 12.1(26)E8. (Yes, I
> know, impossible.) In an effort to minimize downtime, I can only
> poke around at things for so long, before performing the wonky fix.
>
> The fix... Usually I can do something that will withdraw or
> otherwise change the new announcement, and then put it back, and it
> will work.
>
> The LAST time this happened, however, when I re-added the new block,
> suddenly another block on our network became unreachable.
> It was as
> if the new block kicked the old one out.
>
> To me, this smacks of a memory shortage somewhere, and it's occurred
> to me that it may be that border router that has a bunch of EIGRP
> stuff AND the BGP stuff. I've heard tell of the TCAM filling, but
> that's supposed to log messages, and I've seen none of those. And
> does EIGRP use the TCAM? Perhaps an OS bug?
>
> Anyhow, I don't expect anyone to solve the mystery for me (unless
> they immediately know what's causing it), but I was hoping for some
> direction. Any commands I can run to quickly show me exhausted
> space, etc.? I know the Sup2 needs to be upgraded, but I find
> myself wondering if that will fix the problem, or if this is a
> result of something else entirely.
>
> This is not a horrendous problem, but it rears its head from time to
> time, and makes things difficult. Most frustrating of all is that I
> can't get a bead on it, and have minimal time to troubleshoot on a
> production network.
>
> Any ideas and/or pointers?
>
> Thanks much!
>
> Rick Kunkel

From rdobbins at arbor.net Thu Aug 13 21:48:03 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 08:48:03 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

On Aug 14, 2009, at 8:31 AM, Jared Mauch wrote:

> Not sure on sup2 but I presume it's the same.

Yes, it is.

Whether or not one sees log messages depends upon one's logging level (I think 3 or above should see it).

sh fm sum will show if ACLs are being processed in software due to the TCAM being full.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton

From jlewis at lewis.org Thu Aug 13 21:46:33 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 13 Aug 2009 21:46:33 -0400 (EDT)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

On Thu, 13 Aug 2009, Jared Mauch wrote:

> Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to see
> the logs on sup2. Cut down the number of routes you listen to from your
> upstreams, having them send you just their customer routes and use default
> for the rest.
>
> In sup720 and sup1a when the tcam is full it would then process switch. Not
> sure on sup2 but I presume it's the same.

When we were discussing this on-list a year or more ago, I think someone said that what the sup2 did when tcam filled was IOS version dependent. Newer IOS would process switch. Older IOS would blackhole. I never verified this.

I really expected to see messages like this about a year ago. A full view is around 290k routes...way more than the sup2 tcam can handle. This guy has to have been having issues for months.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ashnet2009 at gmail.com Thu Aug 13 21:50:10 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 13 Aug 2009 21:50:10 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <4A848F2F.8090502@usgs.gov>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov>
Message-ID: <896a291f0908131850s404feb69h309a6b704558e09b@mail.gmail.com>

Thanks All for the feedback. The only issue with DCNM deployment is it's a new tool and there will be a learning curve for the ops team, plus it will take time to customize the interfaces.
We were mainly hoping to get 6K level of monitoring in place for the 7K as well since SNMP is much more prevalent in our environment and quick to deploy, with DCNM planned in the future. I'm quite surprised to see thus far that not too many orgs have perhaps utilized the snmp monitoring capabilities of the chassis and wondering what Cisco is doing to enable ESM vendors to integrate the Nexus platform in the monitoring suite.

Would still really appreciate it if somebody could share their snmp based monitoring experiences.

Best,

On 8/13/09, Justin C. Darby wrote:
> We use DCNM for real-time monitoring here (e.g. we use it to
> troubleshoot issues as they arise) - works great for this purpose,
> though in my opinion the configuration interface is a little
> over-complicated compared to just using the CLI, which is a bad sign. :)
>
> The XML interface is very, very well documented. Each revision of NX-OS
> ships with a new XML spec package to describe the interfaces. You can do
> a lot more than just monitor things with the XML interfaces - e.g.
> automate port provisioning tasks in an in-house product/app. We're
> planning to use some of this functionality to integrate switch
> configurations into our inventory system (eventually).
>
> If you hit up the downloads page for NX-OS you should see a zip file of
> XML specifications in there.
>
> Justin
>
> Ryan Hughes wrote:
>> From what I've seen on much of the new DC equipment, Cisco focused more on
>> XML than SNMP for the monitoring hook into the Nexus gear. I know many of
>> the features you're asking for were bolted on per customer requests but I
>> haven't seen any specific templates out there around this. I'd be interested
>> to hear what some of the TMEs who pay attention to this have to say.
>> DCNM is the platform that Cisco deploys to handle management/monitoring
>> for the Nexus but I haven't seen many customers buy it yet ( IIRC - it makes
>> excellent use of the XML APIs available ).
>> Ryan
>>
>> On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote:
>>
>>> Yep, we know that already. I'm finding that there aren't a lot of
>>> management systems (OV/Concord at least) that can natively monitor the
>>> 7k's since they haven't certified the platform yet.
>>>
>>> Wondering how people are monitoring elements such as CPU Health, intf
>>> utilization, topology change event traps of the 7K Chassis etc. There
>>> doesn't appear to be a comprehensive MIB that has all the elements
>>> defined.
>>>
>>> It'd be great to hear from folks who have these boxes deployed and
>>> have them in any enterprise monitoring systems.
>>>
>>> On 8/13/09, Roland Dobbins wrote:
>>>
>>>> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>>>>
>>>>> We have recently deployed N7k's in our DC and want to enable
>>>>> monitoring on them.
>>>>>
>>>> N7Ks have a dedicated management processor; they also have a
>>>> management software system which I believe ships with every N7K.
>>>>
>>>> They also output operationally useful NetFlow.
>>>>
>>>> -----------------------------------------------------------------------
>>>> Roland Dobbins //
>>>>
>>>> Unfortunately, inefficiency scales really well.
>>>>
>>>> -- Kevin Lawton
>>>>
>>>
>>
>

From william.mccall at gmail.com Thu Aug 13 21:50:41 2009
From: william.mccall at gmail.com (William McCall)
Date: Thu, 13 Aug 2009 20:50:41 -0500
Subject: [c-nsp] best PE-CE protocol
In-Reply-To:
References:
Message-ID:

What kind of boxes are you using for PE? How many VRFs do you have on the box? What code is running?

There are limits to the number of OSPF processes (at least on some platforms and code), so I tend to prefer eBGP, but OSPF has its obvious advantages.

--William McCall

On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt wrote:
> Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN
> and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what
> is the best PE-CE protocol to use? I assume we could run eBGP over both
> links and weight them from the provider's end, as well as the customer end.
> But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The
> customer site only hosts a few /24s and the SP would be the default route as
> the customer is colocating a firewall at the SP's colo. Any experience or
> opinions would be greatly appreciated.
>
> Thanks
> DC
>

From ltd at cisco.com Thu Aug 13 22:11:23 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 14 Aug 2009 12:11:23 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
Message-ID: <69327D9B-7780-424B-BB28-C839DA21DA08@cisco.com>

hi Ash,

On 14/08/2009, at 7:01 AM, Ash Net wrote:

> Yep, we know that already. I'm finding that there aren't a lot of
> management systems (OV/Concord at least) that can natively monitor the
> 7k's since they haven't certified the platform yet.

actually, there are quite a lot of management partners that support N7K / NX-OS. a non-exhaustive list is:

HP Opsware NAS (Configuration and Compliance)
EMC Smarts (Fault Management)
IBM Tivoli Netcool (Fault Management)
CA Spectrum (Fault Management)
CA eHealth (Network Perf. Monitoring)
SolarWinds Orion [Network Performance Monitor, Network Configuration Manager, NetFlow Traffic Analyzer] (Network Perf. Monitoring)
Alterpoint [Network Authority] (Config. and Compliance)
BMC BladeLogic for Networks (BCAN) (Compliance)
CiscoWorks LAN Management Solution (LMS) (General Purpose)
CiscoWorks Network Compliance Manager (NCM) (Compliance)
Cisco Network Analysis Module (NAM) (Traffic and Flow Analysis)

there is no doubt a more complete list, the above is what i explicitly know about.
in addition to the above, there are numerous MIBs, SNMP traps and Netflow v5/v9 that all sorts of 3rd party management and monitoring systems plug in to.

> Wondering how people are monitoring elements such as CPU Health, intf
> utilization, topology change event traps of the 7K Chassis etc. There
> doesn't appear to be a comprehensive MIB that has all the elements
> defined.

see http://ftp-sj.cisco.com/pub/mibs/supportlists/nexus7000/Nexus7000MIBSupportList.html for a list of MIBs.

we do also have a list of 'key performance indicators' that best practice would say that you poll for. e.g.:

MIB:   CISCO-PROCESS-MIB
OID:   cpmCPUTotal5minRev
Loc:   .1.3.6.1.4.1.9.9.109.1.1.1.1.8
Range: 0..100 (%)
Desc:  The overall CPU busy percentage in the last 5 minute period.
Normal operating range: Value should remain below 80% under normal conditions.
Poll interval: once every 5 minutes

MIB:   CISCO-SYSTEM-EXT-MIB
OID:   cseSysMemoryUtilization
Loc:   .1.3.6.1.4.1.9.9.305.1.1.2
Range: 0..100 (%)
Desc:  The average utilization of memory on the active supervisor.
Thresholds for RMON probes should be set based on baselining the memory utilization within a production environment.
Poll interval: once every 5-15 minutes

can provide you with the complete list if you wish (quite long). ping me off list if you want that.

interface utilization is provided via standard IF-MIB. suggest you use high speed counters, e.g. ifHCInOctets, ifHCOutOctets, ifHCInUcastPkts, ifHCOutUcastPkts, etc.

cheers,

lincoln.

From sf at lists.esoteric.ca Thu Aug 13 21:51:23 2009
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Thu, 13 Aug 2009 21:51:23 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <4A84C31B.3020809@lists.esoteric.ca>

For PPPoE, FreeRADIUS is very worthwhile.
The options the software provides are on par with the best commercial RADIUS software. The downside? It is not GUI based (though you can write your own and link it to SQL/LDAP/etc; we have, and I suspect most ISPs do) and also, it does involve a learning curve. If you are willing to take the time to read the documentation, and look at the notes associated with most functions (conveniently within the module configurations, usually), and ask intelligent questions on the mailing list, then you'll be fine.

If you are looking to use TACACS, others have suggested good alternatives (we will be using TACACS for change management, because it provides finer control with IOS devices [thanks Cisco, grrr]).

Any migration should be thought through carefully, with a view to the future. Generally I suggest looking ahead to what you'd like something to be, and use this as an opportunity to make it so.

--
Stephen

M Callahan wrote:
> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.
>
> Thanks,
>
> Mike

From eninja at gmail.com Fri Aug 14 00:13:42 2009
From: eninja at gmail.com (e ninja)
Date: Thu, 13 Aug 2009 21:13:42 -0700
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To: <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com> <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>
Message-ID:

Jack,

Several things can lead to the symptoms you describe.
That is why it is important you shed further light on the events that led to the problem (i.e. what changed? Is this a lab or production device? sh captures? IOS version??? etc). When posting to public fora, it is always a good idea to describe recreate steps to problems so that a clear picture of the issue is projected from the get go to aid troubleshooting and resolution. This will also help the manufacturer learn a thing or two about it and hopefully fix the root cause.

Anyhow, your SFC in slot 18 reported SUSHI errors which apparently compromised the fabric integrity, and removing it seems to have resolved the problem. As designed, the backup CSC kicked in as a Switch Fabric Card and relinquished its backup CSC duties, thus the "nonredundant fabric" output you see in sh cont fia. Your backup CSC will continue to function as an SFC and your fabric will remain nonredundant until you install a working SFC in slot 18.

Each SFC/CSC card provides a 10-Gbps full-duplex connection to all LCs, and the 10-Gbps switch fabric does not operate in one-quarter bandwidth mode.

http://www.cisco.com/en/US/docs/routers/12000/12016s/maintenance/guides/16084csa.html#wp56884
http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a00801e1da7.shtml

-Eninja

PS. Someone at Cisco's c12k team may want to check the code for notes on when and why we call "SUSHI REGISTER RESET ERROR" and attempt a recreate of this seemingly critical problem as it doesn't have a precedent - at least in the public domain.

On Wed, Aug 12, 2009 at 10:15 PM, jack daniels wrote:
> Hi All,
>
> I found this error was coming on SLOT 18 which is SFC.
>
> EARLIER OUTPUT WAS -
>
> sh led
> SLOT 0 : RUN IOS
> SLOT 6 : WAITRTRY
> SLOT 7 : RP ACTV
> SLOT 8 : INITMEM
> SLOT 9 : RUN IOS
> SLOT 15 : WAITRTRY
>
> FOR TROUBLESHOOT, then I saw -
>
> 1) output of sh gsr
>
> Slot 18 type = Switch Fabric Card 16XOC192
>         state = Card Powered <<<<<<<<<<<<<<<<<<<<<
> Slot 19 type = Switch Fabric Card 16XOC192
>         state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<
> Slot 20 type = Switch Fabric Card 16XOC192
>         state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<
>
> 2) Again executed show gsr command and found -
>
> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>         state = Card NOT Powered; Power cycle fabric cards PRIMARY CLOCK <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> Slot 18 type = Switch Fabric Card 16XOC192
>         state = Card NOT Powered; Power cycle fabric cards <<<<<<<<<<<<<<<<<<<<<<<
> Slot 19 type = Switch Fabric Card 16XOC192
>         state = Card NOT Po <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> 3) After shutting down SFC - slot 18 <<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> sh led
> SLOT 0 : RUN IOS
> SLOT 6 : RUN IOS
> SLOT 7 : RP STBY
> SLOT 8 : RP ACTV
> SLOT 9 : RUN IOS
> SLOT 15 : RUN IOS
>
> At the moment all cards show powered up and in RUN IOS mode.
>
> 4) sh controller fia
> Fabric configuration: 10Gbps bandwidth, nonredundant fabric <<<<<<<<<<<<<<<<<<<<<<<
> Master Scheduler: Slot 17    Backup Scheduler: Slot 16
> Fab epoch no 235    Halt count 0
>
> From Fabric FIA Errors
> -----------------------
> redund overflow 0    cell drops 0
> cell parity 0
> Switch cards present   0x001B    Slots 16 17 19 20
> Switch cards monitored 0x001B    Slots 16 17 19 20
>
> CAN someone guide me why, on shutting down one SFC in slot 18, all LCs 0, 6, 15 and 7 came into IOS RUN mode and started working.
>
> I think - Each LC is connected in 10 Gbps mode via 4 links to the switch fabric. Now what I know is for full b/w mode 10 Gbps half duplex, you require at least 2 SFCs online working.
> But if you see all SFC went to power down and then power up state, so why few LC cards were still online.
>
> Please ALSO guide - what is significance of 2 SFC or 1 SFC running.
>
> Regards
>
> On 8/13/09, e ninja wrote:
>>
>> Jack,
>>
>> What changed prior to the errors? Also, is this a lab or production device?
>>
>> Either way, reply all (or unicast) the complete sh tech and sh log along with a sh controller fia from an attach session to all LCs.
>>
>> -Eninja
>>
>>
>> On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote:
>>
>>> Hi all,
>>>
>>> I'm getting below error in gsr chassis 12416, please suggest
>>>
>>> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>>> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>>> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>>> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>>> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>>> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>>> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>>> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>> 048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>>> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>>> 048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>>
>>>
>>> sh gsr
>>> Slot 0 type = Modular SPA Interface Card
>>> state = IOS RUN Line Card Enabled
>>> subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>>> subslot 0/1: Empty
>>> subslot 0/2: Empty
>>> subslot 0/3: Empty
>>> Slot 6 type = Modular SPA Interface Card
>>> state = RTRYWAIT Waiting to retry download after persistent failures
>>> Slot 7 type = Performance Route Processor
>>> state = ACTV RP IOS Running ACTIVE
>>> Slot 8 type = Performance Route Processor
>>> state = RP RDY Route Processor Powered
>>> Slot 9 type = Modular SPA Interface Card
>>> state = IOS RUN Line Card Enabled
>>> subslot 9/0: Empty
>>> subslot 9/1: Empty
>>> subslot 9/2: Empty
>>> subslot 9/3: Empty
>>> Slot 15 type = Modular SPA Interface Card
>>> state = RTRYWAIT Waiting to retry download after persistent failures
>>> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>>> state = Card Powered
>>> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>>> state = Card Powered PRIMARY CLOCK
>>> Slot 18 type = Switch Fabric Card 16XOC192
>>> state = Card Powered
>>> Slot 19 type = Switch Fabric Card 16XOC192
>>> state = Card Powered
>>> Slot 20 type = Switch Fabric Card 16XOC192
>>> state = Card Powered
>>> Slot 24 type = Alarm Module(16)
>>> state = Card Powered
>>> Slot 25 type = Alarm Module(16)
>>> state = Card Powered
>>> Slot 27 type = Bus Board(16)
>>> state = Card Powered
>>> Slot 28 type = Blower Module(16)
>>> state = Card Powered
>>> Slot 29 type = Blower Module(16)
>>> state = Card Powered
>>>
>>>
>>> sh led
>>> SLOT 0 : RUN IOS
>>> SLOT 6 : WAITRTRY
>>> SLOT 7 : RP ACTV
>>> SLOT 8 : INITMEM
>>> SLOT 9 : RUN IOS
>>> SLOT 15 : WAITRTRY
>>>
>>> Regards
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>

From kunkel at w-link.net Fri Aug 14 00:17:11 2009
From: kunkel at w-link.net (Rick Kunkel)
Date: Thu, 13 Aug 2009 21:17:11 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

Thanks for the input all. It appears unanimous: My TCAM is stuffed.

I'm a little baffled by the EIGRP aspect (which I don't think anyone addressed), but it makes sense that it would all be using the same resources.

Is there not a simple command to show the used capacity of the TCAM?

Thanks!

--Rick

On Thu, 13 Aug 2009, Jon Lewis wrote:

> On Thu, 13 Aug 2009, Jared Mauch wrote:
>
>> Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to see the logs on sup2. Cut down the number of routes you listen to from your upstreams, having them send you just their customer routes and use default for the rest.
>>
>> In sup720 and sup1a when the tcam is full it would then process switch. Not sure on sup2 but I presume it's the same.
>
> When we were discussing this on-list a year or more ago, I think someone said that what the sup2 did when tcam filled was IOS version dependent. Newer IOS would process switch. Older IOS would blackhole. I never verified this.
>
> I really expected to see messages like this about a year ago. A full view is around 290k routes...way more than the sup2 tcam can handle. This guy has to have been having issues for months.
>
> ----------------------------------------------------------------------
> Jon Lewis                   | I route
> Senior Network Engineer     | therefore you are
> Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

From rdobbins at arbor.net Fri Aug 14 01:02:21 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 12:02:21 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>

On Aug 14, 2009, at 11:17 AM, Rick Kunkel wrote:

> Is there not a simple command to show the used capacity of the TCAM?

sh tcam ?

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From kunkel at w-link.net Fri Aug 14 01:24:58 2009
From: kunkel at w-link.net (Rick Kunkel)
Date: Thu, 13 Aug 2009 22:24:58 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>
References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>
Message-ID:

That all looks pretty good though, unless I'm missing something...

                  Used    Free  Percent Used  Reserved
                  ----    ----  ------------  --------
 Labels:             4     508        0
 ACL_TCAM
  Masks:            10    4086        0              0
  Entries:          29   32739        0              0
 QOS_TCAM
  Masks:             0    4096        0              0
  Entries:           0   32768        0              0
 LOU:                0      64        0
 ANDOR:              0      16        0
 ORAND:              0      16        0
 ADJ:                1    1023        0

--Rick

On Fri, 14 Aug 2009, Roland Dobbins wrote:

>
> On Aug 14, 2009, at 11:17 AM, Rick Kunkel wrote:
>
>> Is there not a simple command to show the used capacity of the TCAM?
>
> sh tcam ?
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>

From rdobbins at arbor.net Fri Aug 14 01:32:38 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 12:32:38 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>
Message-ID: <3258E125-B153-4CAE-A007-64193847623C@arbor.net>

On Aug 14, 2009, at 12:24 PM, Rick Kunkel wrote:

> That all looks pretty good though, unless I'm missing something...

Try sh mls cef maximum-routes & sh platform hardware capacity pfc

I can tell you that as the global table topped 256K entries long ago, you've been hurting for a while if you're taking full tables into a Sup2-based box.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From rdobbins at arbor.net Fri Aug 14 01:34:29 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 12:34:29 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To: <3258E125-B153-4CAE-A007-64193847623C@arbor.net>
References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net> <3258E125-B153-4CAE-A007-64193847623C@arbor.net>
Message-ID:

On Aug 14, 2009, at 12:32 PM, Roland Dobbins wrote:

> Try sh mls cef maximum-routes & sh platform hardware capacity pfc

And sh mls cef su

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
-- Kevin Lawton

From dharmachris at gmail.com Fri Aug 14 01:54:09 2009
From: dharmachris at gmail.com (Christopher Hunt)
Date: Thu, 13 Aug 2009 22:54:09 -0700
Subject: [c-nsp] best PE-CE protocol
In-Reply-To:
References:
Message-ID:

PE1 is a 7200 VXR NPE-1G, PE2 is a 2851 with 512MB, both running 12.4(9)T or better. For this customer, less than 10 vrfs on each PE

On Thu, Aug 13, 2009 at 6:50 PM, William McCall wrote:

> What kind of boxes are you using for PE? How many VRFs do you have on the box? What code is running?
>
> There are limits to the number of OSPF processes (at least on some platforms and code), so I tend to prefer eBGP, but OSPF has its obvious advantages.
>
> --William McCall
>
> On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt wrote:
> > Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what is the best PE-CE protocol to use? I assume we could run eBGP over both links and weight them from the provider's end, as well as the customer end. But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The customer site only hosts a few /24s and the SP would be the default route as the customer is colocating a firewall at the SP's colo. Any experience or opinions would be greatly appreciated.
> >
> > Thanks
> > DC
> >
>

From ltd at cisco.com Fri Aug 14 02:17:19 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 14 Aug 2009 16:17:19 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <4A848F2F.8090502@usgs.gov>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov>
Message-ID: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>

On 14/08/2009, at 8:09 AM, Justin C. Darby wrote:
>
> The XML interface is very, very well documented. Each revision of NX-OS ships with a new XML spec package to describe the interfaces. You can do a lot more than just monitor things with the XML interfaces -

speaking from the cisco side of the fence, the real benefit of Netconf/XML is that it's pretty much anything you can do in CLI config or exec command wise is available in NetConf/XML "for free".

it's not like SNMP where one has to create MIBs and write code especially to populate the MIBs.

in essence, any output from the switch in CLI can be 'tokenized' into XML. so: in essence, the literally thousands of CLI commands can all be used via CLI or XML, giving you the equivalent of 100% like for like with CLI.

it's unlikely that SNMP on any box or platform will never have parity - ever - just by virtue of the time/effort and resources required to do so.

> e.g. automate port provisioning tasks in an in-house product/app. We're planning to use some of this functionality to integrate switch configurations into our inventory system (eventually).

beginning with NX-OS 4.2 we've now also allowed some variations on XML that make for (easier) script building.
many people like CLI commands for their simplicity - and NX-OS has always allowed preshared ssh keys to be specified in the configuration such that you can 'ssh' into the switch without needing a password or passphrase. [conf t ; username (your_name) sshkey (insert_your_~/.ssh/identity.pub_here)]

i.e.

lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show module" | head -6
Mod  Ports  Module-Type                       Model               Status
---  -----  --------------------------------  ------------------  ------------
1    48     10/100/1000 Mbps Ethernet Module  N7K-M148GT-11       ok
2    32     10 Gbps Ethernet Module           N7K-M132XP-12       ok
5    0      Supervisor module-1X              N7K-SUP1            ha-standby
6    0      Supervisor module-1X              N7K-SUP1            active *
lincoln-dales-macbook:~ lincolndale$

expanding on this concept, with NX-OS 4.2, we've added a couple of new things:

1. the ability to specify multiple CLI commands via ssh, e.g.

# remove vlan 5 from trunk port ethernet2/1
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "conf t ; int ethernet2/1 ; switchport trunk allowed vlan remove 5"
lincoln-dales-macbook:~ lincolndale$

# show vlan membership of ethernet2/1 with output in text format
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show int eth2/1 trunk"
--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth2/1        1-4,6-3967,4048-4093

2. the ability to take CLI commands IN to the switch but for the switch to output in XML:

# show vlan membership of ethernet2/1 with output in XML
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show int eth2/1 trunk | xml"
Ethernet2/1 Ethernet2/1 1 trunking -- Ethernet2/1 1-4,6-3967,4048-4093 ...

why one would ever touch SNMP willingly after using the above is beyond me. :)

however, we aren't religious in that regard, if you wish to use SNMP there is support there.

cheers,

lincoln.
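The post above drives the switch from a script with "ssh user@host "cmd1 ; cmd2"" and then reads the "Vlans Allowed on Trunk" table back. The following is an added example, not code from Lincoln's post or from Cisco: it builds that ssh invocation, parses the text-format trunk table into VLAN sets, and checks that a VLAN really is gone after a "switchport trunk allowed vlan remove". The sample output, the hostname ltd-n7010-1 and the user name are constructed placeholders in the same shape as the output quoted above; the only assumption about the switch is the table layout shown there and that key-based ssh authentication is already configured as described.

```python
"""Verify a VLAN change on an NX-OS trunk from 'show interface ... trunk' text
output returned over ssh.

Added example, not code from the original post or from Cisco. Assumes the
table layout quoted in the thread (a 'Port  Vlans Allowed on Trunk' header,
a dashed rule, then one line per port) and that ssh key authentication to
the switch is already set up.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample in the same shape as the output quoted in the thread.
SAMPLE_TRUNK_OUTPUT = """\
--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth2/1        1-4,6-3967,4048-4093
Eth2/2        1-4093

--------------------------------------------------------------------------------
Port          STP Forwarding
--------------------------------------------------------------------------------
Eth2/1        none
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VLAN list such as '1-4,6-3967,4048-4093' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        lo_id = int(lo)
        hi_id = int(hi) if hi else lo_id
        if not 1 <= lo_id <= hi_id <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo_id, hi_id + 1))
    return vlans


def parse_trunk_output(text: str) -> Dict[str, Set[int]]:
    """Map each port in the 'Vlans Allowed on Trunk' table to its VLAN set.

    Only that table is read; later tables in the same output are ignored.
    """
    allowed: Dict[str, Set[int]] = {}
    in_table = False
    for line in text.splitlines():
        if re.match(r"^Port\s+Vlans Allowed on Trunk\s*$", line):
            in_table = True
            continue
        if not in_table or line.startswith("---"):
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*$", line)
        if not m:
            break  # blank line or next table: the allowed-VLAN table is done
        allowed[m.group(1)] = parse_vlan_list(m.group(2))
    return allowed


def vlan_allowed(text: str, port: str, vlan: int) -> bool:
    """True if `vlan` is still in `port`'s allowed list according to `text`."""
    table = parse_trunk_output(text)
    if port not in table:
        raise KeyError(f"{port} not found in trunk table")
    return vlan in table[port]


def ssh_argv(host: str, user: str, commands: List[str]) -> List[str]:
    """argv for the multi-command form in the post: ssh user@host "c1 ; c2".

    BatchMode makes ssh fail instead of prompting when the key is not
    accepted, so a script never silently falls back to a password. The
    commands travel as one argv element, so the local shell never sees them.
    """
    return ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", " ; ".join(commands)]


def run_show(host: str, user: str, command: str) -> str:
    """Run one show command on the switch and return its text output."""
    proc = subprocess.run(ssh_argv(host, user, [command]),
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample (names are placeholders).
    print(ssh_argv("ltd-n7010-1", "ltd",
                   ["conf t", "int ethernet2/1",
                    "switchport trunk allowed vlan remove 5"]))
    print("vlan 5 still allowed on Eth2/1:",
          vlan_allowed(SAMPLE_TRUNK_OUTPUT, "Eth2/1", 5))
```

In a real change script the sequence is: run_show to capture the table, push the change with ssh_argv(...), run_show again and assert with vlan_allowed that the VLAN is gone, so a typo in the interface name or a rejected command is caught rather than assumed to have worked.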
From manafo at hotmail.com Fri Aug 14 05:03:25 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Fri, 14 Aug 2009 12:03:25 +0300
Subject: [c-nsp] Event Manager question
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local>
References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local>
Message-ID:

Ryan,

I already have iBGP between the 7600's, and already use local-pref 150 for primary links on router1 and router2. But when the primary link from ISP1 on router1 goes down, I want the same subnet to go through ISP1 backup link on Router2 (Router2 already has local-pref 150 for ISP2 primary link),

Regards,
Manaf

--------------------------------------------------
From: "Ryan West"
Sent: Friday, August 14, 2009 1:51 AM
To: "Manaf Al Oqlah" ; "Ivan Pepelnjak" ;
Subject: RE: [c-nsp] Event Manager question

> Manaf,
>
> Do you have an iBGP peer between the 7600's? Why not just create IGP between the two 7600's or use next-hop-self between the peers and set the default-route received from each other to be higher than the backup default. ISP1 primary local-pref 110, unchanged local-pref for iBGP and then local-pref of 90 for backup link of ISP2 on router 1 and then vice-versa on router 2.
>
> Load Sharing with BGP ->
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml
>
> If you're feeling brave later, you can look into OER/PfR.
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah
> Sent: Thursday, August 13, 2009 6:28 PM
> To: Ivan Pepelnjak; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Event Manager question
>
> Hello Ivan,
>
> Thank you for your response.
> In my design, I am load sharing the traffic by multihomed BGP with two ISPs through two local 7600 routers.
> To avoid any single point of failure, we have a backup link for each ISP connected to each local router, as below:
> Router1 connected with primary link of ISP1 and backup link of ISP2.
> Router2 connected with primary link of ISP2 and backup link of ISP1
> I only receive default-route from each ISP (primary bgp peer has higher local preference on each router).
> my network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20)
> normally, x.x.32.0/20 go through Router1 & ISP1, and x.x.48.0/20 go through Router2 & ISP2 incoming and outgoing.
>
> what I need is, once the primary BGP peer of ISP1 on Router1 goes down, the subnet x.x.32.0/20 go to backup link on Router2 which already has a preferred default route from ISP2 serving the subnet x.x.48.0/20. The same case should be applied vice versa.
> load sharing for incoming traffic is working properly, but my problem is with outgoing traffic since I am only receiving default-route from each ISP!
>
> I know it is a bit complicated but I hope you can give me some help.
>
> Thank you,
> Manaf
> --------------------------------------------------
> From: "Ivan Pepelnjak"
> Sent: Thursday, August 13, 2009 10:31 PM
> To: "'Manaf Al Oqlah'" ;
> Subject: RE: [c-nsp] Event Manager question
>
>> Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or inform. The details are here (although the article describes a slightly different task):
>>
>> http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs
>>
>> However, are you absolutely positive there is no other way to get what you need? In many cases you could use a smart routing design instead of the PBR.
>>
>> Ivan
>>
>> http://www.ioshints.info/about
>> http://blog.ioshints.info/
>>
>>> -----Original Message-----
>>> From: Manaf Al Oqlah [mailto:manafo at hotmail.com]
>>> Sent: Thursday, August 13, 2009 4:31 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Event Manager question
>>>
>>>
>>> Hi all,
>>>
>>> Can I configure event manager to be started when it gets notification from another router. for example, I want router1 to be configured with policy based routing on a specific interface once the bgp peer on router2 is down. I don't want to permanently configure the PBR since it consumes very high CPU utilization on router1
>>>
>>> Thank you,
>>> Manaf
>>>
>>
>>
>

From gert at greenie.muc.de Fri Aug 14 05:26:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 14 Aug 2009 11:26:53 +0200
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To:
References: <4A848C9E.8030909@cisco.com>
Message-ID: <20090814092653.GU29143@greenie.muc.de>

Hi,

On Thu, Aug 13, 2009 at 06:08:36PM -0500, Graham Wooden wrote:
> I know - the whole thing is bizarre. I was able to get access to that remote C2621, and noticed that ip proxy-arp was disabled. I enabled it to match my interface on the 6500. It's been up for close to an hour now with no issues (hopefully I just didn't jinx myself).

"ip proxy-arp" should be always disabled, unless you specifically know that you need it.

For a normal point-to-point link between routers, you'll never need it.

(Having proxy-arp on-by-default is one of the major design errors that Cisco did - it's seen as a "convenience", because it "makes things work" that would break otherwise.
In reality, all it does is "it hides problems", because mis-configured systems still work - until the point where they no longer work, and then it's much harder to find where the brokenness is)

To me, this sounds a bit as if the *Radio* is answering the ARP requests on its own, for some sort of "management interface" or so.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From graham at g-rock.net Fri Aug 14 07:57:08 2009
From: graham at g-rock.net (Graham Wooden)
Date: Fri, 14 Aug 2009 06:57:08 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <20090814092653.GU29143@greenie.muc.de>
Message-ID:

Agreed on the ip proxy-arp, but if it makes the link work for the time being ... I am waiting access into the radios to see if I can do a true dot1q OOB interface on it. I also lowered the arp timeout to just under 5 minutes. With my SNMP interface scripts running every 5 minutes, I am hoping that with this combination, that it will stay up until I am ready to completely debug it.

I appreciate everyone's feedback on this.

On 8/14/09 4:26 AM, "Gert Doering" wrote:

> Hi,
>
> On Thu, Aug 13, 2009 at 06:08:36PM -0500, Graham Wooden wrote:
>> I know - the whole thing is bizarre. I was able to get access to that remote C2621, and noticed that ip proxy-arp was disabled. I enabled it to match my interface on the 6500. It's been up for close to an hour now with no issues (hopefully I just didn't jinx myself).
>
> "ip proxy-arp" should be always disabled, unless you specifically know that you need it.
>
> For a normal point-to-point link between routers, you'll never need it.
>
> (Having proxy-arp on-by-default is one of the major design errors that Cisco did - it's seen as a "convenience", because it "makes things work" that would break otherwise. In reality, all it does is "it hides problems", because mis-configured systems still work - until the point where they no longer work, and then it's much harder to find where the brokenness is)
>
>
> To me, this sounds a bit as if the *Radio* is answering the ARP requests on its own, for some sort of "management interface" or so.
>
> gert

From gert at greenie.muc.de Fri Aug 14 08:00:38 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 14 Aug 2009 14:00:38 +0200
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To:
References: <20090814092653.GU29143@greenie.muc.de>
Message-ID: <20090814120038.GW29143@greenie.muc.de>

Hi,

On Fri, Aug 14, 2009 at 06:57:08AM -0500, Graham Wooden wrote:
> Agreed on the ip proxy-arp, but if it makes the link work for the time being ...

This would be VERY surprising - "ip proxy-arp" makes a difference only if one of the devices sends ARP requests for IP addresses that are off-link (specifically: that the router with "ip proxy-arp" knows to be off-link and has a route for it).

Your routers on both sides shouldn't do any ARPing for off-link addresses unless one of them has a static route pointing to the ethernet itself ("ip route 0.0.0.0 0.0.0.0 ethernet0" is a quite typical example).

dot1q-tagging the management interface sounds like a good plan, though :)

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
From tdurack at gmail.com Fri Aug 14 08:12:47 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 14 Aug 2009 08:12:47 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
Message-ID: <9e246b4d0908140512m233175d4hcc01afa46ee9048b@mail.gmail.com>

On Fri, Aug 14, 2009 at 2:17 AM, Lincoln Dale wrote:
>
>
> many people like CLI commands for their simplicity - and NX-OS has always allowed preshared ssh keys to be specified in the configuration such that you can 'ssh' into the switch without needing a password or passphrase. [conf t ; username (your_name) sshkey (insert_your_~/.ssh/identity.pub_here)]
>

If only we could get such sanity in C6K IOS...

Tim:>

From rodunn at cisco.com Fri Aug 14 09:33:42 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 14 Aug 2009 09:33:42 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4A8463E1.2030709@cisco.com>
References: <4A841CC9.4090909@cisco.com> <4A8463E1.2030709@cisco.com>
Message-ID: <4A8567B6.5080408@cisco.com>

Ok...the first list is this.

Use Wilson Shiu (wshiu) as the contact for:

Bitswapping Tool
Bug Tool Kit
Cisco Notification System
Command Lookup Tool
Error Message Decoder
File Exchange
IP Subnet Calculator
MYTECH Support
Output Interpreter
Product Alert Tool
SNMP Object Navigator
Special File Access
TAC Case Connection
TSRT
Voice Codec Bandwidth Calculator

I'm getting the contact for the Software Center stuff and will report back.

Rodney

Rodney Dunn wrote:
> I'm getting that for clarity. I'll respond back.
>
>
> Tony Varriale wrote:
>> Rodney,
>>
>> Do you have an official list of items/tools that feedback can be provided on? Or, should we ping Wilson?
>>
>> tv
>> ----- Original Message ----- From: "Rodney Dunn"
>> To:
>> Sent: Thursday, August 13, 2009 9:01 AM
>> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner,etc...
>>
>>
>>> I got involved through a few channels and encouraged the teams responsible for some of the Cisco.com Support tools to leverage this forum directly for feedback. They were very interested in the idea.
>>>
>>> Can those of you that care enough to give direct feedback based on the past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few minutes and compose an email directly to:
>>>
>>> Wilson Shiu (wshiu)
>>>
>>> He is the point of contact for feedback.
>>>
>>> They are eager to listen so now is a good time to get involved.
>>>
>>> I encourage you guys to take advantage of this.
>>>
>>> Thanks
>>> Rodney
>>
>

From william.mccall at gmail.com Fri Aug 14 09:55:14 2009
From: william.mccall at gmail.com (William McCall)
Date: Fri, 14 Aug 2009 08:55:14 -0500
Subject: [c-nsp] best PE-CE protocol
In-Reply-To:
References:
Message-ID:

Certainly there are no technical issues with doing OSPF there... and it may be easier in the long run.
In my experience, I like BGP because we get a lot more flexibility in policies, but I don't think that is your concern here. The deciding factor for me would be "how familiar is your customer with BGP vs OSPF?" Pick the one they won't screw up on and it'll be fine.

--WM

On Fri, Aug 14, 2009 at 12:54 AM, Christopher Hunt wrote:
> PE1 is a 7200 VXR NPE-1G, PE2 is a 2851 with 512MB, both running 12.4(9)T or better. For this customer, less than 10 vrfs on each PE
>
> On Thu, Aug 13, 2009 at 6:50 PM, William McCall wrote:
>>
>> What kind of boxes are you using for PE? How many VRFs do you have on the box? What code is running?
>>
>> There are limits to the number of OSPF processes (at least on some platforms and code), so I tend to prefer eBGP, but OSPF has its obvious advantages.
>>
>> --William McCall
>>
>> On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt wrote:
>> > Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what is the best PE-CE protocol to use? I assume we could run eBGP over both links and weight them from the provider's end, as well as the customer end. But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The customer site only hosts a few /24s and the SP would be the default route as the customer is colocating a firewall at the SP's colo. Any experience or opinions would be greatly appreciated.
>> >
>> > Thanks
>> > DC
>>
>

From spinthiras.mario at gmail.com Fri Aug 14 15:17:57 2009
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 14 Aug 2009 22:17:57 +0300
Subject: [c-nsp] Network related postgraduate
Message-ID: <4f890e580908141217p40bb8c7bv32cce4800a26bb61@mail.gmail.com>

Dear all,

I understand this isn't the usual topic found in this mailing list however I felt more answers and hints would come out of here than anywhere else.

I am looking for a networking related university within the EU (preferably U.K) for postgraduate studies. I am currently a Computer Networks student in London. Particularly I am aiming on an MSc with a research project at the end of it. As far as grades are concerned, I don't think that would be an issue.

Any ideas/suggestions are more than welcome.

Anyone?

Regards,
Mario

From cisco at peakpeak.com Fri Aug 14 15:26:21 2009
From: cisco at peakpeak.com (Security Team)
Date: Fri, 14 Aug 2009 13:26:21 -0600
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
Message-ID:

I have a telco that wants to hand me an OC3 on which there will be 3 DS3's, all doing different things. One will be a clear channel (pt-pt) DS3, one will contain 28 T1's in the DS1 time slots of the DS3, and one will be unused for the time being.

I want to buy a PA card to use in a 7200VXR and found the single-mode fiber one PA-POS-OC3SMI. My question is will this card allow me to take the T1 timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card?
Ala:
!
! 1 Channelized T3 port(s)
!
controller T3 1/0/0
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-24
 t1 3 channel-group 0 timeslots 1-24
Etc.etc.

If I can use DS3 #1 as a pt-pt serial interface and DS3 #2 as a Chan. DS3 for T1's that would be awesome, that's what I'm looking for. I want to stay away from getting a separate MUX to break the OC3 down into DS3's to feed to separate PA cards if I can help it.

Thanks,
CJ

From ross at wtccommunications.ca Fri Aug 14 14:53:23 2009
From: ross at wtccommunications.ca (Ross Halliday)
Date: Fri, 14 Aug 2009 14:53:23 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>
Message-ID: <151BC03492E46E4CB8D479E42CEF7890A77D61@exchange.wtc.local>

I see this happening all the time with cheaper wireless gear. A lot of 802.11-based stuff (Tranzeo comes to mind...) will take over ARP and sometimes even do MAC NAT, which as you can imagine really breaks PPPoE and makes troubleshooting a pain. As a poor man's wireless backhaul the Tranzeo junk has a "PxP" mode of operation which disables this behaviour and turns it from an AP & CPE pair into a PTP link that just passes frames all day. Perhaps this is applicable to your equipment as well?

Cheers

---
Ross Halliday
Network Operations
WTC Communications
Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Graham Wooden
Sent: Thursday, August 13, 2009 2:42 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Bridge devices - ARP takeover

Hi there,

I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site. On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router. After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks.
To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect was power cycling the local radio.

My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface, to achieve this fix too? I have yet to find out from the customer if there are any MAC/ARP settings in his radios that could be doing the takeover on purpose. I am hoping that I can curb this type of behaviour without getting him involved.

Thoughts on this?

Thanks,
-graham
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mulitskiy at acedsl.com Fri Aug 14 16:04:42 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Fri, 14 Aug 2009 16:04:42 -0400
Subject: [c-nsp] Multiple power supply failures. Advise needed
Message-ID: <200908141604.42069.mulitskiy@acedsl.com>

Hello,

We have a very strange problem. We have recently changed colo-space provider and since then we have had 4 power supply failures in all kinds of cisco equipment within a 2 month period. According to the colo provider we're receiving "clean" power backed up by UPSes and generator. We currently have 4 20-amp circuits with APC managed PDUs on them and power supply failures happened in 3 of them, so I can't blame it on one specific circuit or PDU. There was no environmental warning in the logs of any cisco devices. I'm completely out of clues. I'm going to bring it up with our colo-space provider, but I'm afraid they'll need some proof or pointers. Does anybody have any ideas what could be causing this and how I can monitor the specific conditions?
Thanks,
Michael

From bgoulet at harris.com Fri Aug 14 15:20:11 2009
From: bgoulet at harris.com (Goulet, Brian)
Date: Fri, 14 Aug 2009 15:20:11 -0400
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
In-Reply-To:
References:
Message-ID:

>There is perhaps another possibility if you are looking for simple
>physical layer redundancy. Since you have one router and two switches I
>assume that you're looking to do just that. You could use IRB and create
>a bridge group on the router and do your layer 3 config on the bvi.
>I'm only throwing this out as a possibility as I've never actually used
>this in a production environment. Don't see why it won't work though.
>Vijay Ramcharan

I have used this in production and it does work. It was pretty easy to configure. I realize this is a little stale; email queue is a bit backed up.

Brian

From tvarriale at comcast.net Fri Aug 14 16:28:35 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 14 Aug 2009 15:28:35 -0500
Subject: [c-nsp] Question for PA OC3 guru?
References:
Message-ID: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>

Can't do it. You'll have to look at another platform for channelized OC3.

tv

----- Original Message -----
From: "Security Team"
To:
Sent: Friday, August 14, 2009 2:26 PM
Subject: [c-nsp] Question for PA OC3 guru?

>I have a telco that wants to hand me an OC3 on which there will be 3 DS3's,
> all doing different things. One will be a clear channel (pt-pt) DS3, one
> will contain 28 T1's in the DS1 time slots of the DS3, and one will be
> unused for the time being.
>
> I want to buy a PA card to use in a 7200VXR and found the single-mode
> fiber
> one PA-POS-OC3SMI. My question is will this card allow me to take the T1
> timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3
> card?
> Ala:
> !
> ! 1 Channelized T3 port(s)
> !
> controller T3 1/0/0
>  t1 1 channel-group 0 timeslots 1-24
>  t1 2 channel-group 0 timeslots 1-24
>  t1 3 channel-group 0 timeslots 1-24
> Etc.etc.
>
> If I can use DS3 #1 as a pt-pt serial interface and DS3 #2 as a Chan. DS3
> for T1's that would be awesome, that's what I'm looking for. I want to
> stay
> away from getting a separate MUX to break the OC3 down into DS3's to feed
> to
> separate PA cards if I can help it.
>
> Thanks,
> CJ
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at davidcoulson.net Fri Aug 14 16:40:03 2009
From: david at davidcoulson.net (David Coulson)
Date: Fri, 14 Aug 2009 16:40:03 -0400
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>
References: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>
Message-ID: <4A85CBA3.3020202@davidcoulson.net>

It's probably cheaper to pick up an Adtran OC-3 Mux (Opti-3 or something) and use a traditional PA-MC-T3 and a PA-T3 card in a 7200, than it is to find a whole new router to do it :)

Tony Varriale wrote:
> Can't do it. You'll have to look at another platform for channelized
> OC3.

From ler762 at gmail.com Fri Aug 14 17:37:54 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 14 Aug 2009 17:37:54 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
Message-ID:

On 8/14/09, Lincoln Dale wrote:

.. snip lots of really cool examples ..

> why one would ever touch SNMP willingly after using the above is
> beyond me. :)

Is there an XML equivalent to the Net-SNMP package?
For example, finding devices that haven't had their config saved is easy with SNMP:

chgTime=`snmpget -OqUtv $DEV ccmHistoryRunningLastChanged.0`
savTime=`snmpget -OqUtv $DEV ccmHistoryStartupLastChanged.0`
if [ $savTime -lt $chgTime ]; then
  printf "%-14s config needs to be saved\n" $DEV
fi

how do you do that with Netconf/XML?

Regards,
Lee

From gert at greenie.muc.de Fri Aug 14 17:39:23 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 14 Aug 2009 23:39:23 +0200
Subject: [c-nsp] instabilities with SXI2?
Message-ID: <20090814213923.GB29143@greenie.muc.de>

Hi,

I'm wondering if one of you is running SXI2 non-modular code and has had negative experiences?

We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G that is a bit unhappy with us these days - it's spontaneously reloading every few days (twice so far), and after the reload, it claims

System returned to ROM by power on at 11:35:27 MET Fri Nov 10 2000 (SP by power on)

... which I'm reasonably sure is a blatant lie (redundant PSUs, connected to different power distribution strips, no works at that time, yadda yadda).

(And it was *not* there in the year 2000 either...)

After the first crash, I hooked up a console, to see whether it would print anything funny - nothing. Just the normal "configured by..." messages (last line as of 3 days ago), and then the "System Bootstrap" line that the boot ROM prints as the very first line.

Nothing in the bootflash, no crashinfo, etc.

So, it's either:

- SXI2 is bad, and the Sup720 box has been lucky
- SXI2 doesn't like the Sup32-10G (or the 7603)
- SXI2 is fine, and this specific hardware is flakey

TAC case has been opened, but since the box is refusing to give meaningful statements on *why* it's unhappy, this is not proceeding - which is why I hope to hear from you "yes, we've seen that as well" or "no, SXI2 is rock solid for us" evidence.
(I won't go into the details of the box's configuration - there is nothing really different from what other boxes do in our network, IPv4, IPv6, MPLS, BGP [with ~500 prefixes only], the full program - but I don't really think this is relevant here, *those* crashes usually look different)

thanks,

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Fri Aug 14 18:15:07 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 14 Aug 2009 23:15:07 +0100
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: <20090814221507.GB17986@lboro.ac.uk>

hi,

we only have 1 box running SXI2 right now, with all the others still on SXI1 and a special debug SXI1 - so far, touch wood, no weirdness or problem on that SXI2 box - we're running the normal IPv4, IPv6, HSRP, SSH etc on non modular.

(the debug is because of an SXI1 thing which we're hoping isn't in SXI2 anyway....)

alan

From jay at west.net Fri Aug 14 18:25:54 2009
From: jay at west.net (Jay Hennigan)
Date: Fri, 14 Aug 2009 15:25:54 -0700
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
References:
Message-ID: <4A85E472.7070202@west.net>

Security Team wrote:
> I have a telco that wants to hand me an OC3 on which there will be 3 DS3's,
> all doing different things. One will be a clear channel (pt-pt) DS3, one
> will contain 28 T1's in the DS1 time slots of the DS3, and one will be
> unused for the time being.
>
> I want to buy a PA card to use in a 7200VXR and found the single-mode fiber
> one PA-POS-OC3SMI.
> My question is will this card allow me to take the T1
> timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card?
> Ala:
> !
> ! 1 Channelized T3 port(s)
> !
> controller T3 1/0/0
>  t1 1 channel-group 0 timeslots 1-24
>  t1 2 channel-group 0 timeslots 1-24
>  t1 3 channel-group 0 timeslots 1-24

No such PA. Your best bet is a mux of some sort such as Adtran Optimux, and then use a PA-T3 and a PA-MC-T3 in the router.

I believe that the latest versions of the PA-MC-2T3 are capable of supporting both a clear channel T3 and a channelized one, but if you have an extra PA slot you'll find that the cost of a PA-T3 and a PA-MC-T3 will be a lot less than using one circuit of a dual PA-MC-T3 for a clear channel circuit.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From booloo at ucsc.edu Fri Aug 14 17:55:10 2009
From: booloo at ucsc.edu (Mark Boolootian)
Date: Fri, 14 Aug 2009 14:55:10 -0700
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: <20090814215510.GA72987@root.ucsc.edu>

Hi Gert,

> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?

No negative experiences here so far, though we've only got a couple of weeks of runtime. We've got it loaded on four boxes, all with Sup720-3B/3BXLs.

mark

From BBlackford at nwresd.k12.or.us Fri Aug 14 20:57:40 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 14 Aug 2009 17:57:40 -0700
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814215510.GA72987@root.ucsc.edu>
References: <20090814213923.GB29143@greenie.muc.de> <20090814215510.GA72987@root.ucsc.edu>
Message-ID: <6069A203FD01884885C037F81DD75080171D1FA0BC@wsc-mail-01.intra.nwresd.k12.or.us>

I'm going live with this as well this w/e so I'll be curious to see.

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Boolootian
Sent: Friday, August 14, 2009 2:55 PM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] instabilities with SXI2?

Hi Gert,

> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?

No negative experiences here so far, though we've only got a couple of weeks of runtime. We've got it loaded on four boxes, all with Sup720-3B/3BXLs.

mark
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From grpjl at iastate.edu Fri Aug 14 20:24:13 2009
From: grpjl at iastate.edu (Paul Lustgraaf)
Date: Fri, 14 Aug 2009 19:24:13 CDT
Subject: [c-nsp] instabilities with SXI2?
Message-ID: <200908150024.TAA22170@rv.its.iastate.edu>

> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?

We've had SXI2 non-modular running on a VSS system now for 10 days. No problems yet.

(Crosses fingers, fingers rabbit's foot, etc.)

(You don't get IPv6 on VSS until SXI2, and that is critical for us.)

Paul Lustgraaf "Change is inevitable. Progress is not."
Network Engineer
Iowa State University Information Technology Services grpjl at iastate.edu
Ames, IA 50011
515-294-0324

From jared at puck.nether.net Fri Aug 14 21:13:22 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 14 Aug 2009 21:13:22 -0400
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <200908150024.TAA22170@rv.its.iastate.edu>
References: <200908150024.TAA22170@rv.its.iastate.edu>
Message-ID:

We've seen worse convergence times as compared to later SXF releases in SXH and SXI based releases. I'm still trying to track it down. The most interesting thing was seeing ~18 second ping responses from the device.

SXI2 is also the first release where the modular software was viable for us. I've not done a lot of testing with SXI2 yet, but I'm glad to hear others are having good luck with it.

(I do have a number of outstanding bugs that we saw in SXI1 that are not fixed until SXI3, including one of the PSIRT issues that went by recently...)

- Jared

On Aug 14, 2009, at 8:24 PM, Paul Lustgraaf wrote:

>
>> I'm wondering if one of you is running SXI2 non-modular code and
>> has had
>> negative experiences?
>
> We've had SXI2 non-modular running on a VSS system now for 10 days.
> No problems yet.
>
> (Crosses fingers, fingers rabbits foot, etc.)
>
> (You don't get IPv6 on VSS until SXI2, and that is critical for us.)
>
>
> Paul Lustgraaf "Change is inevitable. Progress is
> not."
> Network Engineer
> Iowa State University Information Technology Services grpjl at iastate.edu
> Ames, IA 50011
> 515-294-0324
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From sethm at rollernet.us Fri Aug 14 21:56:00 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 14 Aug 2009 18:56:00 -0700
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: <200908141604.42069.mulitskiy@acedsl.com>
References: <200908141604.42069.mulitskiy@acedsl.com>
Message-ID: <4A8615B0.8050202@rollernet.us>

Michael Ulitskiy wrote:
> Hello,
>
> We have a very strange problem.
> We have recently changed colo-space provider and since that
> we had 4 power supply failures in all kind of cisco equipment within 2 month period.
> According to colo provider we're receiving "clean" power backed up by UPSes and generator.
> We're currently have 4 20-amps circuits with APC managed PDUs in them and power supply failures
> happened in 3 of them, so I can't blame it to one specific circuit or PDU.
> There was no environmental warning in the logs of any cisco devices.
> I'm completely out of the clues. I'm going to bring it up with our colo-space provider, but I'm afraid
> they'll need some proof or pointers.
> Does anybody have any ideas what could be causing this and how I can monitor the specific conditions?
> Thanks,
>

If you're having power supplies cook off like that for no apparent reason, I'd get an independent analysis of the power being fed to my outlets.

~Seth

From rdobbins at arbor.net Fri Aug 14 21:59:30 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Sat, 15 Aug 2009 08:59:30 +0700
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: <200908141604.42069.mulitskiy@acedsl.com>
References: <200908141604.42069.mulitskiy@acedsl.com>
Message-ID:

On Aug 15, 2009, at 3:04 AM, Michael Ulitskiy wrote:

> Does anybody have any ideas what could be causing this and how I can
> monitor the specific conditions?

Grounding?

-----------------------------------------------------------------------
Roland Dobbins // 

Unfortunately, inefficiency scales really well.
-- Kevin Lawton

From brian at bluecoat93.org Fri Aug 14 23:03:08 2009
From: brian at bluecoat93.org (Brian Landers)
Date: Fri, 14 Aug 2009 23:03:08 -0400
Subject: [c-nsp] Strange thermal issues with 3750E and RPS 2300
Message-ID: <689ea7e40908142003l734229a6s5110958a5f181be2@mail.gmail.com>

We have recently implemented a stack of 3750E switches with RPS 2300 redundant power units at two different sites, and are currently seeing a flood of "strange" syslog messages from both. I'll be opening a TAC case, but wanted to reach out to see if anyone else has run into this in case it's something blindingly stupid. The errors in question:

Aug 13 17:00:01 xxx.net 52745: Aug 13 21:00:01.675 UTC: %PLATFORM_ENV-3-RPS_POST_FAILED: RPS POST failed
Aug 13 17:00:02 xxx.net 52746: Aug 13 21:00:01.675 UTC: %PLATFORM_ENV-1-RPS_PS_THERMAL_CRITICAL: RPS power supply A temperature has reached critical threshold
Aug 13 17:00:02 xxx.net 52747: Aug 13 21:00:01.675 UTC: %PLATFORM_ENV-1-RPS_PS_THERMAL_CRITICAL: RPS power supply B temperature has reached critical threshold
[repeat over and over]

What's odd about this:
- we're seeing the same behavior from two different sites
- both are in temperature-controlled data centers

sw1.xxx#show env temp
TEMPERATURE is OK
RPS Name:
State: Standby
PID:
Serial#:
Fan: Good
Temperature: Green
RPS Power Supply A: Failure-Thermal
 PID : C3K-PWR-750WAC
 Serial# : DTN1252E0Q8
 System Power : Good
 PoE Power : Good
 Watts : 300/420 (System/PoE)
RPS Power Supply B: Failure-Thermal
 PID : C3K-PWR-750WAC
 Serial# : DTN1252E0U3
 System Power : Good
 PoE Power : Good
 Watts : 300/420 (System/PoE)

TIA,
B*

--
Brian C Landers
http://www.packetslave.com/
CCIE #23115, RHCE

From edigheorghiu at gmail.com Sat Aug 15 01:40:51 2009
From: edigheorghiu at gmail.com (Eduard Gheorghiu)
Date: Sat, 15 Aug 2009 08:40:51 +0300
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: <4A864A63.2070108@gmail.com>

Hi,

I've seen something similar on a 6500 with SXF; the SP is crashing without crashinfo.

Just search for any events on SP with:

remote command switch show nvlog

Eduard

Gert Doering wrote:
> Hi,
>
> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?
>
> We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G
> that is a bit unhappy with us these days - it's spontaneously reloading
> every few days (twice so far), and after the reload, it claims
>
> System returned to ROM by power on at 11:35:27 MET Fri Nov 10 2000 (SP by power on)
>
> ... which I'm reasonably sure is a blatant lie (redundant PSUs, connected
> to different power distribution strips, no works at that time, yadda yadda).
>
> (And it was *not* there in the year 2000 either...)
>
>
> After the first crash, I hooked up a console, to see whether it would
> print anything funny - nothing. Just the normal "configured by..."
> messages (last line as of 3 days ago), and then the "System Bootstrap"
> line that the boot ROM prints as the very first line.
>
>
> Nothing in the bootflash, no crashinfo, etc.
>
>
> So, it's either:
>
> - SXI2 is bad, and the Sup720 box has been lucky
> - SXI2 doesn't like the Sup32-10G (or the 7603)
> - SXI2 is fine, and this specific hardware is flakey
>
> TAC case has been opened, but since the box is refusing to give meaningful
> statements on *why* it's unhappy, this is not proceeding - which is why
> I hope to hear from you "yes, we've seen that as well" or "no, SXI2 is
> rock solid for us" evidence.
>
> (I won't go in the details of the box's configuration - there is nothing
> really different from what other boxes do in our network, IPv4, IPv6,
> MPLS, BGP [with ~500 prefixes only], the full program - but I don't
> really think this is relevant here, *those* crashes usually look different)
>
> thanks,
>
> gert
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From lawrencewong72 at yahoo.com Sat Aug 15 03:07:36 2009
From: lawrencewong72 at yahoo.com (Lawrence Wong)
Date: Sat, 15 Aug 2009 00:07:36 -0700 (PDT)
Subject: [c-nsp] Same VLAN in more than one MST Region
Message-ID: <799703.19961.qm@web54202.mail.re2.yahoo.com>

Hi everyone,

I'm thinking of implementing MST instead of PVST+ in my network and am looking through the various Cisco docs. While the docs stated that a VLAN can only exist in one instance in a region, I've not come across a doc which says that the same VLAN cannot exist in more than one region. i.e.

Region A, instance 0: Vlans 1 - 4094
Region B, instance 0: Vlans 10,20,30
Region B, instance 1: Vlans 40,50,60
Region C, instance 0: Vlans 100-200
Region D, instance 0: Vlans 100-200

All switches are in the same network.

Would anyone be able to shed some light or experience on this?

Thanks and best regards,

From gert at greenie.muc.de Sat Aug 15 04:57:39 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 15 Aug 2009 10:57:39 +0200
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <4A864A63.2070108@gmail.com>
References: <20090814213923.GB29143@greenie.muc.de> <4A864A63.2070108@gmail.com>
Message-ID: <20090815085739.GD2121@greenie.muc.de>

Hi,

On Sat, Aug 15, 2009 at 08:40:51AM +0300, Eduard Gheorghiu wrote:
> I've seen something similar on a 6500 with SXF; the SP is crashing
> without crashinfo.
> Just search for any events on SP with:
> remote command switch show nvlog

Nothing interesting there either...

29. 11/21/2000 19:56:12: pf_redun_negotiate:Initialized as ACTIVE processor
30. 11/25/2000 16:10:13: pf_redun_negotiate:Initialized as ACTIVE processor

(I missed doing "ntp update-calendar" and "clock calendar-valid", so the boot time stamps are always year 2000...)

Thanks to you all for the feedback so far - so it seems that this hardware is a bit flakey. I'll go discuss that with TAC.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Sat Aug 15 05:32:19 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 15 Aug 2009 11:32:19 +0200
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
References:
Message-ID: <20090815093219.GE2121@greenie.muc.de>

Hi,

On Fri, Aug 14, 2009 at 01:26:21PM -0600, Security Team wrote:
> I want to buy a PA card to use in a 7200VXR and found the single-mode fiber
> one PA-POS-OC3SMI. My question is will this card allow me to take the T1
> timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card?

No. The PA-POS-OC3 is "clear channel only".

There is a PA-MC-STM1, but to my knowledge, that one *only* does STM-1 and E1, not the American SDH variants.

Again, to my knowledge, there is no 7200 PA that will do channelized OC3.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From cisco-nsp at ml.karotte.org Sat Aug 15 08:06:37 2009
From: cisco-nsp at ml.karotte.org (Sebastian Wiesinger)
Date: Sat, 15 Aug 2009 14:06:37 +0200
Subject: [c-nsp] Same VLAN in more than one MST Region
In-Reply-To: <799703.19961.qm@web54202.mail.re2.yahoo.com>
References: <799703.19961.qm@web54202.mail.re2.yahoo.com>
Message-ID: <20090815120637.GB5907@danton.fire-world.de>

* Lawrence Wong [2009-08-15 10:09]:
> While the docs stated that a VLAN can only exist in one instance in
> a region, I've not come across a doc which says that the same VLAN
> cannot exist in more than one region.
>
> i.e.
>
> Region A, instance 0: Vlans 1 - 4094
> Region B, instance 0: Vlans 10,20,30
> Region B, instance 1: Vlans 40,50,60
> Region C, instance 0: Vlans 100-200
> Region D, instance 0: Vlans 100-200
>
>
> All switches are in the same network.
>
> Would anyone be able to shed some light or experience on this?

This is no problem. You'll have region boundaries between the regions.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfc.shtml#region_bound

If this is your first time with MST, please also read the "Common Misconfigurations" chapter on the same page. MST can get quite tricky sometimes.

Kind Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From ltd at cisco.com Sun Aug 16 05:41:43 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 16 Aug 2009 19:41:43 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To:
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
Message-ID: <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>

On 15/08/2009, at 7:37 AM, Lee wrote:

> On 8/14/09, Lincoln Dale wrote:
>
> .. snip lots of really cool examples ..
>
>> why one would ever touch SNMP willingly after using the above is
>> beyond me. :)
>
> Is there an XML equivalent to the Net-SNMP package?

I'm not aware of any standard perl modules for NetConf, however we (Cisco) and other vendors have sample scripts available which demonstrate how to make use of Netconf with the CPAN Expect and XML::DOM. Most sample scripts turn out to be <50 lines of code, e.g.
#!/usr/bin/perl
# netconf/xml sample demonstration script to gather ip arp table
# -- ltd at cisco.com march 2009

die "usage: $0 (switch) (user) (pass) (vrf)\n" if ($#ARGV != 3);
($switch,$user,$pass,$vrf) = @ARGV;
$debug = 1;
$| = 1;

use Expect;
use XML::DOM;

$Expect::Log_Stdout = 0 if ($debug < 2);

# ssh to switch with netconf
my $exp = new Expect();
$exp->raw_pty(1);
printf STDERR "logging into switch %s as %s\n",$switch,$user if $debug;
die "could not spawn ssh: $!\n"
  if (!$exp->spawn("ssh","-s","-2","-v", $user."@".$switch,"xmlagent"));

# send password and login
$exp->expect(20,
  [ qr/Are you sure you want /, sub {
      my $self = shift;
      $self->send("yes\n");
      exp_continue; }],
  [ qr/Name or service not known/, sub { die "$switch unknown.\n"; }],
  [ qr/password: /i, sub {
      my $self = shift;
      printf STDERR "sending password\n" if $debug;
      $self->send($pass."\n");
      exp_continue; }],
  [ qr#(\d+)(.*)#, sub {
      my $self = shift;
      printf STDERR "netconf session %d established\n", ($self->matchlist)[0] if $debug;
      $self->send(wrap_xml(' urn:ietf:params:xml:ns:netconf:base:1.0 '));
      exp_continue; }],
  [ timeout => sub { die "could not login\n"; } ],
  ']]>]]>');

# collect statistics
$exp->send(wrap_rpc("urib",' <'.$vrf.'/> '));
my $raw = read_rpc(30);
# printf STDERR "got %s\n",$raw if $debug;

my $parser = new XML::DOM::Parser;
my $stats = $parser->parsestring($raw);
my $nodes = $stats->getElementsByTagName("ROW_adj");
my $n = $nodes->getLength;
printf STDERR "found %d adjacencies\n",$n if $debug;
for (my $i = 0; $i < $n; $i++) {
  my $node = $nodes->item($i);
  # result data will be like this:
  #
  # mgmt0
  # 10.67.16.12
  # 00:05:32
  # 001e.c9b4.e670
  foreach my $stat ($node->getChildNodes) {
    next if ($stat->getNodeType() != ELEMENT_NODE);
    my $key = $stat->getNodeName;
    my $value = $stat->getFirstChild->getData;
    printf STDERR " row %d key %s value %s\n",$i,$key, $value if $debug;
  }
}
$stats->dispose;
exit(0);

###############################################
# helper routine to format a netconf request
# inside rpc wrapper
sub wrap_rpc {
  my $xmlns = shift;
  my $cmd = shift;
  $rpc_message_id = 100 if (!defined $rpc_message_id);
  $rpc_message_id++;
  return wrap_xml(''.$cmd.'');
}

###############################################
# helper routine to format an xml request
sub wrap_xml {
  my $cmd = shift;
  return ''.$cmd.']]>]]>';
}

###############################################
# helper routine to receive a netconf/xml response
sub read_rpc {
  my $timeout = shift;
  my $data = "";
  if ($exp->expect($timeout, ']]>]]>')) {
    $data = $exp->before().$exp->match();
  }
  $data =~ s/]]>]]>$//g;
  return $data;
}

###############################################
# the end

> For example,
> finding devices that haven't had their config saved is easy with SNMP:
>
> chgTime=`snmpget -OqUtv $DEV ccmHistoryRunningLastChanged.0`
> savTime=`snmpget -OqUtv $DEV ccmHistoryStartupLastChanged.0`
> if [ $savTime -lt $chgTime ]; then
> printf "%-14s config needs to be saved\n" $DEV
> fi
>
> how do you do that with Netconf/XML?

Good question. The key to doing something in NetConf is to find a CLI command that provides the data you want. E.g. if there was a CLI command that provided time/datestamps of startup-config vs running-config (or a flag indicating config has changed between them), then you'd do that command.

Off the top of my head, I can't think of a command that provides that, however one COULD in theory ask the switch to provide a diff between the running-config and the startup-config, e.g.

switch# show diff rollback-patch running-config startup-config

and if you get any changes then there is a difference. It's a bit heavyweight versus a flag, but assuming your script wanted to do something intelligent based on said output, could be useful.

NX-OS does support the SNMP trap for ccmCLIRunningConfigChanged so you could use that.

Another way I can foresee that one could accomplish a simple trigger is an EEM event that creates a file on config-change and clears it on config-save, e.g.
event manager applet set_config_changed_flag
  event cli match "config"
  action 1 cli echo config_changed > volatile:config_changed
  action 2 event-default
event manager applet clear_config_config_changed
  event cli match "copy running-config startup-config"
  action 1 cli delete volatile:config_changed
  action 2 event-default

then your NetConf/XML can do the equivalent of "tail volatile:config_changed" and see what result it gets back.

Probably overkill but you get the idea - many ways to achieve what you want.

cheers,

lincoln.

>
>
> Regards,
> Lee

From edlazerus20 at gmail.com Sun Aug 16 05:52:55 2009
From: edlazerus20 at gmail.com (Ed Lazerus)
Date: Sun, 16 Aug 2009 19:52:55 +1000
Subject: [c-nsp] Shape users over quota
Message-ID:

Dear All,

We currently use 7300's as LNS's. We have for a few years worked on user pays excess; like all businesses things change and so must we. We are looking to offer new plans of "use quota, then we shape you down to 64/64kbps". We have 3 PoPs, each with approximately 25-30K users; we would expect around 10K users at each PoP will need shaping based on current usage (which is only increasing).

Is this an easy task on the 7300 LNS's? Or should we be looking more towards dedicated special hardware for this task? If it helps, we are soon to replace the 7300 LNS's in at least one PoP with an ESR10K. The LNS's also perform netflow for traffic accounting; the CPUs average around 50% on each router.

Thank you.
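The `]]>]]>` end-of-message framing that Lincoln's `read_rpc()` relies on, and the `ROW_adj` walk of his parse loop, as an added Python example (not the Perl script above and not Cisco's sample code): a stateful framer that still works when the marker arrives split across two reads, plus row extraction that ignores namespace prefixes. The reply's namespace URI and the element names inside `ROW_adj` are assumptions, and the second ARP row is constructed.

```python
"""NETCONF 1.0 end-of-message framing and NX-OS style row extraction.

Added example; the namespace URI and the child element names of ROW_adj
are assumed, not taken from NX-OS documentation.
"""
import xml.etree.ElementTree as ET

# RFC 4742 end-of-message marker for NETCONF over SSH (1.0 framing)
EOM = b"]]>]]>"


class NetconfEomFramer:
    """Accumulates transport bytes and hands back complete NETCONF messages."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        """Append received bytes; return the complete messages (marker stripped)
        that this chunk finished. A marker split across two chunks is found
        because the search always runs over the whole buffer."""
        self._buf += chunk
        messages = []
        while True:
            idx = self._buf.find(EOM)
            if idx < 0:
                break
            messages.append(self._buf[:idx])
            self._buf = self._buf[idx + len(EOM):]
        return messages

    def pending(self):
        """Bytes received so far that do not yet form a complete message."""
        return self._buf


def _local(tag):
    """Strip the ElementTree namespace: '{uri}ROW_adj' -> 'ROW_adj'."""
    return tag.rsplit("}", 1)[-1]


def parse_rows(message, row_tag="ROW_adj"):
    """One dict per <ROW_adj> (child local name -> text), whatever prefixes
    the reply uses; mirrors the getElementsByTagName/getChildNodes loop."""
    root = ET.fromstring(message)
    rows = []
    for elem in root.iter():
        if _local(elem.tag) == row_tag:
            rows.append({_local(c.tag): (c.text or "").strip() for c in elem})
    return rows


def session_id(hello_message):
    """Return the <session-id> from the server <hello>, the value the Perl
    script prints as 'netconf session N established'."""
    root = ET.fromstring(hello_message)
    for elem in root.iter():
        if _local(elem.tag) == "session-id":
            return int(elem.text.strip())
    return None


# Constructed sample transcript: server hello, then an rpc-reply carrying two
# ARP rows. The default namespace and intf/ip-addr/time-stamp/mac names are assumed.
SAMPLE_STREAM = (
    b'<?xml version="1.0"?><nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">'
    b'<nc:capabilities><nc:capability>urn:ietf:params:xml:ns:netconf:base:1.0</nc:capability>'
    b'</nc:capabilities><nc:session-id>37</nc:session-id></nc:hello>]]>]]>'
    b'<?xml version="1.0"?><nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0" '
    b'xmlns="http://example.invalid/nxos-urib" message-id="101"><nf:data>'
    b'<TABLE_adj><ROW_adj><intf>mgmt0</intf><ip-addr>10.67.16.12</ip-addr>'
    b'<time-stamp>00:05:32</time-stamp><mac>001e.c9b4.e670</mac></ROW_adj>'
    b'<ROW_adj><intf>Ethernet1/1</intf><ip-addr>10.67.16.1</ip-addr>'
    b'<time-stamp>00:00:10</time-stamp><mac>001e.c9b4.0001</mac></ROW_adj>'
    b'</TABLE_adj></nf:data></nf:rpc-reply>]]>]]>'
)


def demo(chunk_size=100):
    """Feed the sample through the framer in small reads (so markers get split)
    and return (session_id, rows, leftover bytes)."""
    framer = NetconfEomFramer()
    messages = []
    for off in range(0, len(SAMPLE_STREAM), chunk_size):
        messages.extend(framer.feed(SAMPLE_STREAM[off:off + chunk_size]))
    sid = session_id(messages[0])
    rows = parse_rows(messages[1])
    return sid, rows, framer.pending()


if __name__ == "__main__":
    sid, rows, leftover = demo()
    print("session", sid)
    for row in rows:
        print(row)
```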
From avayner at cisco.com  Sun Aug 16 06:20:01 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 16 Aug 2009 12:20:01 +0200
Subject: [c-nsp] Shape users over quota
In-Reply-To: 
References: 
Message-ID: 

Ed,

The best approach for this kind of service (and even more advanced ones, like different policies for different protocols even if the quota is exceeded) could be implemented with the Cisco SCE product:
http://www.cisco.com/en/US/products/ps9591/index.html

Smaller scale can be achieved with the SCE2020:
http://www.cisco.com/en/US/products/ps6151/index.html

Arie

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


From avayner at cisco.com  Sun Aug 16 06:22:02 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 16 Aug 2009 12:22:02 +0200
Subject: [c-nsp] Shape users over quota
References: 
Message-ID: 

Just as a side note - if you are interested in a very simple quota service, you could also look at the ISG solution, which can be implemented on the 7301 (I assume you use 7301/7200 and not the 7304):
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/12_2sr/isg_12_2sr_book.html

Arie


From eng_mssk at hotmail.com  Sun Aug 16 08:44:39 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 16 Aug 2009 15:44:39 +0300
Subject: [c-nsp] WiMAX IPSEC VPN
Message-ID: 

Dears,

In regard to the setup I am asking about, the problem resides in that the CPE itself obtains the public IP address and the router gets a private IP address from the CPE, so the tunnel will never come up.

How can I overcome this issue??


From avayner at cisco.com  Sun Aug 16 09:30:18 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 16 Aug 2009 15:30:18 +0200
Subject: [c-nsp] WiMAX IPSEC VPN
In-Reply-To: 
References: 
Message-ID: 

Mohammad,

IPSec requires special support if used behind NAT. The feature is usually called NAT Traversal or Transparency...
This is the Cisco feature description:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

It should be something the CPE doing NAT should support (not the IPSec client).

Arie


From ip at ioshints.info  Sun Aug 16 10:11:20 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Sun, 16 Aug 2009 16:11:20 +0200
Subject: [c-nsp] Shape users over quota
In-Reply-To: 
References: 
Message-ID: <001001ca1e7b$6ed87290$0a00000a@nil.si>

First of all, you should use policing, not shaping. Although it's not as user-friendly, it's not CPU-intensive (shaping is). See this article for potential drawbacks:
http://wiki.nil.com/Policing_vs_shaping

A very simple implementation would push the policing rules to virtual access interfaces through RADIUS groups (and you'd just switch the user between groups when they exceed their quota).

Obviously, some people prefer that you'd use a dedicated box, myself included (as we offer SCE training :)
http://www.nil.com/ls/NIL_SCEO10

In a large-scale environment it makes sense to use SCE, more so as it was developed to address the exact needs you have (whereas anything you're doing on a router is by necessity a kludge).

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/


From mulitskiy at acedsl.com  Sun Aug 16 15:05:00 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Sun, 16 Aug 2009 15:05:00 -0400
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: 
References: <200908141604.42069.mulitskiy@acedsl.com>
Message-ID: <200908161505.00887.mulitskiy@acedsl.com>

Thanks everybody who replied.
I was promised our circuits to be examined by an electrician on Monday.
Is there a way for me to check the grounding? I remember some fat wires are fastened to the cage, but honestly I didn't pay particular attention.

Thanks,
Michael

On Friday 14 August 2009 09:59:30 pm Roland Dobbins wrote:
>
> On Aug 15, 2009, at 3:04 AM, Michael Ulitskiy wrote:
>
> > Does anybody have any ideas what could be causing this and how I can
> > monitor the specific conditions?
>
> Grounding?
>
> -----------------------------------------------------------------------
> Roland Dobbins  //
>
>     Unfortunately, inefficiency scales really well.
>
>         -- Kevin Lawton
>


From sethm at rollernet.us  Sun Aug 16 15:15:44 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 16 Aug 2009 12:15:44 -0700
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: <200908161505.00887.mulitskiy@acedsl.com>
References: <200908141604.42069.mulitskiy@acedsl.com> <200908161505.00887.mulitskiy@acedsl.com>
Message-ID: <4A885AE0.9050102@rollernet.us>

Michael Ulitskiy wrote:
> Thanks everybody who replied.
> I was promised our circuits to be examined by electrician on Monday.
> Is there a way for me to check the grounding? I remember some fat wires are fastened to the cage,
> but honestly I didn't pay particular attention.
> Thanks,
>

You can do it ghetto style by taking a meter and checking for ground potentials between different pieces of metal. If all grounds are at the same potential the meter will read zero. Run away if you read voltage between two metal pieces.

~Seth


From sethm at rollernet.us  Sun Aug 16 16:08:19 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 16 Aug 2009 13:08:19 -0700
Subject: [c-nsp] Why doesn't this policy map work?
Message-ID: <4A886733.4080701@rollernet.us>

This is a NME-16ES-1G-P running 22-25.SEE and I treat it like a 3750.

policy-map 1megfixed
  class class-default
    police 1000000 1000000 exceed-action drop

interface Vlan20
 description timmy
 ip address 208.79.242.93 255.255.255.252
 ip access-group fw-timmy-in in
 ip access-group fw-timmy-out out
end

interface FastEthernet1/0/3
 description B12 timmy
 power inline never
 switchport access vlan 20
 service-policy input 1megfixed
 spanning-tree portfast
end

And it can still utilize the full 100 meg port. I applied the 1megfixed policy to Fa1/0/2 (the only difference is its vlan is a /27) and it worked fine. I split the SVI and the port because it wasn't working in "no switchport" mode either. What am I missing?

~Seth


From sethm at rollernet.us  Sun Aug 16 16:15:23 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 16 Aug 2009 13:15:23 -0700
Subject: [c-nsp] Why doesn't this policy map work?
In-Reply-To: <4A886733.4080701@rollernet.us>
References: <4A886733.4080701@rollernet.us>
Message-ID: <4A8868DB.8070804@rollernet.us>

Ooh, I figured out what I was missing. I was logged in to the wrong switch after I'd moved the interface to a different switch. Boy, do I feel stupid. Nevermind!

~Seth


From andy.saykao at staff.netspace.net.au  Sun Aug 16 20:59:17 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 17 Aug 2009 10:59:17 +1000
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au>

I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using NAT-ON-A-STICK. Is this possible?

Easy enough to do when it's IP traffic using policy-based routing as per this article:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

Just wondering how you would apply the article in relation to when the traffic is MPLS/VRF based. I tried this config, but could not get it to work.

NAT-PE Router:

interface Loopback98
 description Used for NAT-ON-A-STICK
 ip address 172.16.76.25 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/0.11
 description Core/MPLS Network
 encapsulation dot1Q 11
 ip address 203.10.110.X 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT-LOOP
 mpls ip
!
! Set default to next hop on P router in the global routing table
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.11 203.10.110.Y global
!
ip nat pool NSTEST-NAT-POOL 210.15.230.65 210.15.230.65 netmask 255.255.255.252
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
 permit 192.168.0.0 0.0.255.255
!
route-map NAT-LOOP permit 10
 match mpls-label
 set ip next-hop 172.16.76.26

P Router:

! Route public ip's to loopback98 on NAT-PE router
ip route 210.15.230.64 255.255.255.252 Loopback98 172.16.76.25

My logic is flawed somewhere ;)

Thanks.

Andy


From ashnet2009 at gmail.com  Sun Aug 16 21:38:23 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Sun, 16 Aug 2009 21:38:23 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
Message-ID: <896a291f0908161838j279eba9cn3b8a3d722f8b231f@mail.gmail.com>

Thanks Lincoln and everybody who has contributed to this thread. The information provided is very beneficial for us to enable snmp monitoring on our prod 7K gear.

Regards,

On 8/16/09, Lincoln Dale wrote:
>
> On 15/08/2009, at 7:37 AM, Lee wrote:
>
>> On 8/14/09, Lincoln Dale wrote:
>>
>> .. snip lots of really cool examples ..
>>
>>> why one would ever touch SNMP willingly after using the above is
>>> beyond me. :)
>>
>> Is there an XML equivalent to the Net-SNMP package?
>
> i'm not aware of any standard perl modules for NetConf, however we
> (Cisco) and other vendors have sample scripts available which
> demonstrate how to make use of Netconf with the CPAN Expect and
> XML::DOM.
>
> most sample scripts turn out to be <50 lines of code, e.g.
>
> #!/usr/bin/perl
> # netconf/xml sample demonstration script to gather ip arp table
> # -- ltd at cisco.com march 2009
> die "usage: $0 (switch) (user) (pass) (vrf)\n" if ($#ARGV != 3);
> ($switch,$user,$pass,$vrf) = @ARGV;
>
> $debug = 1;
> $| = 1;
>
> use Expect;
> use XML::DOM;
> $Expect::Log_Stdout = 0 if ($debug < 2);
>
> # ssh to switch with netconf
> my $exp = new Expect();
> $exp->raw_pty(1);
> printf STDERR "logging into switch %s as %s\n",$switch,$user if $debug;
> die "could not spawn ssh: $!\n" if (!$exp->spawn("ssh","-s","-2","-v",
>                                                  $user."@".$switch,"xmlagent"));
>
> # send password and login
> $exp->expect(20,
>   [ qr/Are you sure you want /,
>     sub { my $self = shift; $self->send("yes\n"); exp_continue; }],
>   [ qr/Name or service not known/,
>     sub { die "$switch unknown.\n"; }],
>   [ qr/password: /i,
>     sub { my $self = shift; printf STDERR "sending password\n" if $debug;
>           $self->send($pass."\n"); exp_continue; }],
>   [ qr#(\d+)(.*)#,
>     sub { my $self = shift;
>           printf STDERR "netconf session %d established\n",
>                  ($self->matchlist)[0] if $debug;
>           $self->send(wrap_xml('
>
>             urn:ietf:params:xml:ns:netconf:base:1.0 nc:capability>
>
>           '));
>           exp_continue; }],
>   [ timeout =>
>     sub { die "could not login\n"; } ],
>   ']]>]]>');
>
> # collect statistics
> $exp->send(wrap_rpc("urib",'
>
>             <'.$vrf.'/>
>
> '));
>
> my $raw = read_rpc(30);
> # printf STDERR "got %s\n",$raw if $debug;
>
> my $parser = new XML::DOM::Parser;
> my $stats = $parser->parsestring($raw);
>
> my $nodes = $stats->getElementsByTagName("ROW_adj");
> my $n = $nodes->getLength;
>
> printf STDERR "found %d adjacencies\n",$n if $debug;
> for (my $i = 0; $i < $n; $i++) {
>   my $node = $nodes->item($i);
>
>   # result data will be like this:
>   #
>   #   mgmt0
>   #   10.67.16.12
>   #   00:05:32
>   #   001e.c9b4.e670
>
>   foreach my $stat ($node->getChildNodes) {
>     next if ($stat->getNodeType() != ELEMENT_NODE);
>
>     my $key = $stat->getNodeName;
>     my $value = $stat->getFirstChild->getData;
>
>     printf STDERR "  row %d key %s value %s\n",$i,$key,$value if $debug;
>   }
> }
> $stats->dispose;
> exit(0);
>
> ###############################################
> # helper routine to format a netconf request inside rpc wrapper
> sub wrap_rpc {
>   my $xmlns = shift;
>   my $cmd = shift;
>   $rpc_message_id = 100 if (!defined $rpc_message_id);
>   $rpc_message_id++;
>   return wrap_xml(' xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"
>                     xmlns="http://www.cisco.com/nxos:1.0:'.$xmlns.'">'.$cmd.'');
> }
>
> ###############################################
> # helper routine to format a xml request
> sub wrap_xml {
>   my $cmd = shift;
>   return ''.$cmd.']]>]]>';
> }
>
> ###############################################
> # helper routine to receive a netconf/xml response
> sub read_rpc {
>   my $timeout = shift;
>   my $data = "";
>   if ($exp->expect($timeout, ']]>]]>')) {
>     $data = $exp->before().$exp->match();
>   }
>   $data =~ s/]]>]]>$//g;
>   return $data;
> }
>
> ###############################################
> # the end
>


From eninja at gmail.com  Mon Aug 17 01:57:38 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 16 Aug 2009 22:57:38 -0700
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: 

Gert,

This sounds like a 'silent reload'. Capture *K-traces* and send to TAC for analysis.

-Eninja

PS. You should probably only work with TAC escalation on this.

On Fri, Aug 14, 2009 at 2:39 PM, Gert Doering wrote:

> Hi,
>
> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?
>
> We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G
> that is a bit unhappy with us these days - it's spontaneously reloading
> every few days (twice so far), and after the reload, it claims
>
>   System returned to ROM by power on at 11:35:27 MET Fri Nov 10 2000 (SP by power on)
>
> ... which I'm reasonably sure is a blatant lie (redundant PSUs, connected
> to different power distribution strips, no works at that time, yadda
> yadda).
>
> (And it was *not* there in the year 2000 either...)
>
>
> After the first crash, I hooked up a console, to see whether it would
> print anything funny - nothing. Just the normal "configured by..."
> messages (last line as of 3 days ago), and then the "System Bootstrap"
> line that the boot ROM prints as the very first line.
>
> Nothing in the bootflash, no crashinfo, etc.
>
>
> So, it's either:
>
> - SXI2 is bad, and the Sup720 box has been lucky
> - SXI2 doesn't like the Sup32-10G (or the 7603)
> - SXI2 is fine, and this specific hardware is flakey
>
> TAC case has been opened, but since the box is refusing to give meaningful
> statements on *why* it's unhappy, this is not proceeding - which is why
> I hope to hear from you "yes, we've seen that as well" or "no, SXI2 is
> rock solid for us" evidence.
>
> (I won't go in the details of the box's configuration - there is nothing
> really different from what other boxes do in our network, IPv4, IPv6,
> MPLS, BGP [with ~500 prefixes only], the full program - but I don't
> really think this is relevant here, *those* crashes usually look different)
>
> thanks,
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //
> www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>


From eninja at gmail.com  Mon Aug 17 02:22:11 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 16 Aug 2009 23:22:11 -0700
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4A841CC9.4090909@cisco.com>
References: <4A841CC9.4090909@cisco.com>
Message-ID: 

Wilson,

*Feedback:*

- Make the Bug toolkit and Bug fixes freely available to all customers that have purchased Cisco software and not just SMARTnet customers.

-Eninja

On Thu, Aug 13, 2009 at 7:01 AM, Rodney Dunn wrote:

> I got involved through a few channels and encouraged the teams responsible
> for some of the Cisco.com Support tools to leverage this forum directly for
> feedback. They were very interested in the idea.
>
> Can those of you that care enough to give direct feedback based on the past
> threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few
> minutes and compose an email directly to:
>
> Wilson Shiu (wshiu)
>
> He is the point of contact for feedback.
>
> They are eager to listen so now is a good time to get involved.
>
> I encourage you guys to take advantage of this.
>
> Thanks
> Rodney
>


From david.freedman at uk.clara.net  Mon Aug 17 06:52:33 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 17 Aug 2009 11:52:33 +0100
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To: 
References: 
Message-ID: 

> I want to buy a PA card to use in a 7200VXR and found the single-mode fiber
> one PA-POS-OC3SMI

As per Gert's response, no support for channelisation on this card; the PA-MC-STM1 does not do SONET (SDH only) despite having the "framing sonet" command, which is most annoying :(


From leonardo.souza at nec.com.br  Mon Aug 17 08:07:00 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Mon, 17 Aug 2009 09:07:00 -0300
Subject: [c-nsp] RES: Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: 
References: <4A841CC9.4090909@cisco.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D029B56E4@spsrvmail03.nec.br>

Bug toolkit is not only available to Smartnet customers. Shared Support customers also have access.


From lists at memetic.org  Mon Aug 17 08:12:46 2009
From: lists at memetic.org (Adam Armstrong)
Date: Mon, 17 Aug 2009 12:12:46 -0000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
Message-ID: <4A23BC3E.4030509@memetic.org>

Ash Net wrote:
> Hello,
>
> We have recently deployed N7k's in our DC and want to enable
> monitoring on them. The current ESM systems in Place are HPOV and
> Concord ehealth.
>
> I'd like to get feedback on whether anybody has had experience with
> Monitoring the 7K chassis with either of the above ESM solutions
> and/or are using a different system and what it took to get monitoring
> enabled.
>

If anyone has a Nexus in testing they'd like to give SNMP read access to for a while, I'd be interested in adding support for it to Observer. I don't think it would help in your scenario Ash, but I'm sure it'd be useful to some people :)

adam.
http://www.observernms.org


From rmikisa at gmail.com  Mon Aug 17 08:14:01 2009
From: rmikisa at gmail.com (Mikisa Richard)
Date: Mon, 17 Aug 2009 15:14:01 +0300
Subject: [c-nsp] C7206VXR boot issue
Message-ID: <4A894989.1090604@gmail.com>

Hi all,

I have an issue with a 7206VXR which boots into boot mode without any errors. The registry is 0x2102 and therefore not the issue; any ideas what might be wrong?
Richard From abalashov at evaristesys.com Mon Aug 17 08:22:17 2009 From: abalashov at evaristesys.com (Alex Balashov) Date: Mon, 17 Aug 2009 08:22:17 -0400 (EDT) Subject: [c-nsp] C7206VXR boot issue In-Reply-To: <4A894989.1090604@gmail.com> References: <4A894989.1090604@gmail.com> Message-ID: The config-register is not really 0x2102? > Hi all, > > I have an issue with a 7206VXR which boots into boot mode without any > errors. The registry is 0x2102 and therefore not the issue, any ideas > what might be wrong. > > Richard > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775 From eninja at gmail.com Mon Aug 17 08:29:53 2009 From: eninja at gmail.com (Eninja) Date: Mon, 17 Aug 2009 14:29:53 +0200 Subject: [c-nsp] RES: Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc... In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D029B56E4@spsrvmail03.nec.br> References: <4A841CC9.4090909@cisco.com> <9E07F8717FE8BC4FBAE6860F61EA6C1D029B56E4@spsrvmail03.nec.br> Message-ID: <0059BB67-2056-4B85-9389-9986D1FD3A37@gmail.com> "Shared Support" is a variant of SMARTnet where Cisco and its partners 'share support' delivery. Wilson, To simplify..... - Make the Bug toolkit and Bug fixes freely available to all customers that have purchased Cisco software. -Eninja On Aug 17, 2009, at 2:07 PM, "Leonardo Gama Souza" wrote: > Bug toolkit is not only available to Smartnet customers. Shared > Support > customers also have access. 
> > > -----Mensagem original----- > De: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de e ninja > Enviada em: segunda-feira, 17 de agosto de 2009 03:22 > Para: wshiu at cisco.com > Cc: cisco-nsp at puck.nether.net > Assunto: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software > Download > Planner, etc... > > Wilson, > > *Feedback:* > > - Make the Bug toolkit and Bug fixes freely available to all > customers > that have purchased Cisco software and not just SMARTnet customers. > > -Eninja > > > > > On Thu, Aug 13, 2009 at 7:01 AM, Rodney Dunn wrote: > >> I got involved through a few channels and encouraged the teams > responsible >> for some of the Cisco.com Support tools to leverage this forum > directly for >> feedback. They were very interested in the idea. >> >> Can those of you that care enough to give direct feedback based on >> the > past >> threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a > few >> minutes and compose an email directly to: >> >> Wilson Shiu (wshiu) >> >> He is the point of contact for feedback. >> >> They are eager to listen so now is a good time to get involved. >> >> I encourage you guys to take advantage of this. 
>>
>> Thanks
>> Rodney
>

From MatlockK at exempla.org Mon Aug 17 08:30:10 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 17 Aug 2009 06:30:10 -0600
Subject: [c-nsp] C7206VXR boot issue
References: <4A894989.1090604@gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>

If I had to guess, you probably upgraded the IOS code, and didn't upgrade the bootloader?

On a 7200-series chassis, you need to upgrade both the IOS and the Bootloader when you change versions.

Grab the same bootloader version as the IOS and put that on, then change the bootloader statement to reflect the new version.

Ken

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Alex Balashov
Sent: Mon 8/17/2009 6:22 AM
To: Mikisa Richard
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C7206VXR boot issue

The config-register is not really 0x2102?

> Hi all,
>
> I have an issue with a 7206VXR which boots into boot mode without any
> errors. The registry is 0x2102 and therefore not the issue, any ideas
> what might be wrong.
>
> Richard
>

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From Shahar.Grin at gmail.com Mon Aug 17 08:33:19 2009
From: Shahar.Grin at gmail.com (shahar grin)
Date: Mon, 17 Aug 2009 05:33:19 -0700 (PDT)
Subject: [c-nsp] Invitation to connect on LinkedIn
Message-ID: <1390959718.1951125.1250512399888.JavaMail.app@ech3-cdn05.prod>

LinkedIn
------------

I'd like to add you to my professional network on LinkedIn.

- shahar

PS: Here is the link:
https://www.linkedin.com/e/isd/688615787/b7Jw9lfG/

It is free to join and takes less than 60 seconds to sign up.

------------------------------------------

shahar grin has a LinkedIn profile to connect with colleagues, find experts, and explore new opportunities.

------
(c) 2009, LinkedIn Corporation

From rmikisa at gmail.com Mon Aug 17 08:39:26 2009
From: rmikisa at gmail.com (Richard Mikisa)
Date: Mon, 17 Aug 2009 15:39:26 +0300
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To:
References: <4A894989.1090604@gmail.com>
Message-ID:

Yes it is ..

On Mon, Aug 17, 2009 at 3:22 PM, Alex Balashov wrote:
>
> The config-register is not really 0x2102?
>
>> Hi all,
>>
>> I have an issue with a 7206VXR which boots into boot mode without any
>> errors. The registry is 0x2102 and therefore not the issue, any ideas
>> what might be wrong.
>>
>> Richard
>>
>
> --
> Alex Balashov
> Evariste Systems
> Web    : http://www.evaristesys.com/
> Tel    : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (678) 237-1775
>

--
cheers
Richard

From rmikisa at gmail.com Mon Aug 17 08:40:55 2009
From: rmikisa at gmail.com (Richard Mikisa)
Date: Mon, 17 Aug 2009 15:40:55 +0300
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
Message-ID:

There was no upgrade at all. Box was working fine, then a scheduled downtime to sort the power and when it next boots up, it boots into boot mode.

On Mon, Aug 17, 2009 at 3:30 PM, Matlock, Kenneth L wrote:
> If I had to guess, you probably upgraded the IOS code, and didn't upgrade the bootloader?
>
> On a 7200-series chassis, you need to upgrade both the IOS and the Bootloader when you change versions.
>
> Grab the same bootloader version as the IOS and put that on, then change the bootloader statement to reflect the new version.
>
> Ken
>
> ________________________________
>
> From: cisco-nsp-bounces at puck.nether.net on behalf of Alex Balashov
> Sent: Mon 8/17/2009 6:22 AM
> To: Mikisa Richard
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] C7206VXR boot issue
>
> The config-register is not really 0x2102?
>
>> Hi all,
>>
>> I have an issue with a 7206VXR which boots into boot mode without any
>> errors. The registry is 0x2102 and therefore not the issue, any ideas
>> what might be wrong.
>>
>> Richard
>>
>
> --
> Alex Balashov
> Evariste Systems
> Web    : http://www.evaristesys.com/
> Tel    : (+1) (678) 954-0670
> Direct : (+1) (678) 954-0671
> Mobile : (+1) (678) 237-1775
>

--
cheers
Richard

From abalashov at evaristesys.com Mon Aug 17 08:47:40 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Mon, 17 Aug 2009 08:47:40 -0400
Subject: [c-nsp] Invitation to connect on LinkedIn
In-Reply-To: <1390959718.1951125.1250512399888.JavaMail.app@ech3-cdn05.prod>
References: <1390959718.1951125.1250512399888.JavaMail.app@ech3-cdn05.prod>
Message-ID: <6672FF3F-5CE5-4B79-A4A9-0300DA8E5795@evaristesys.com>

Fail.

--
Sent from mobile device

On Aug 17, 2009, at 8:33 AM, shahar grin wrote:

> LinkedIn
> ------------
>
> I'd like to add you to my professional network on LinkedIn.
>
> - shahar
>
> PS: Here is the link:
> https://www.linkedin.com/e/isd/688615787/b7Jw9lfG/
>
> It is free to join and takes less than 60 seconds to sign up.
>
> ------------------------------------------
>
> shahar grin has a LinkedIn profile to connect with colleagues, find
> experts, and explore new opportunities.
>
> ------
> (c) 2009, LinkedIn Corporation
>

From domintefamily at yahoo.co.uk Mon Aug 17 09:01:47 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Mon, 17 Aug 2009 13:01:47 +0000 (GMT)
Subject: [c-nsp] VSS 1440 issues
In-Reply-To:
Message-ID: <28817.26270.qm@web27907.mail.ukl.yahoo.com>

Hi,

I am still experiencing unknown unicast flooding with the Catalyst 6509 VSS 1440 configuration.

I have tried two more tests, to check if the flood will stop:

1. I turned off the routed-mac feature

#sh mac-addr aging-type routed
Routed MAC aging : disabled

2. I configured the arp timeout for each VLAN interface to 900 seconds

To test if this solved the problem, I enabled 4 interfaces on Switch 2, and as soon as that was done, a 100 mbps flood of unknown unicast was sent to all trunk ports.

I pasted below the MAC address aging time that is currently 3 times the synchronisation time:

Synchronisation time:

Global Status:
Status of feature enabled on the switch             :  on
Default activity time                               :  160
Configured current activity time                    :  640

Mac address aging:

#sh mac-addr aging-time
Vlan    Aging Time
----    ----------
Global  1920
no vlan age other than global age configured

I am really out of ideas as to what can cause this loop, that then generates the unknown unicast flood. Has anyone experienced anything similar and can offer any advice on why this is happening?
Thank you

Catalin

--- On Fri, 7/8/09, Eric Cables wrote:

From: Eric Cables
Subject: Re: [c-nsp] VSS 1440 issues
To: "Kevin Loch"
Cc: "cisco-nsp at puck.nether.net"
Date: Friday, 7 August, 2009, 8:43 AM

Agreed, your mileage may vary on the exact timers to use (I ended up at 900 seconds), but synchronizing MAC and ARP aging timers should solve your unicast flooding issues, assuming the traffic is to legitimate destinations.

Have you captured any traffic to identify the destination of flooded traffic?

-- Eric Cables

On Thu, Aug 6, 2009 at 9:35 PM, Kevin Loch wrote:

> C and C Dominte wrote:
>
>> Thank you for your advice, however, increasing the timers
>> did not work.
>>
>> I powered down the active linecards from switch 2
>> yesterday to see if it stopped the unicast flood, which it did.
>>
>> Today I increased the mac address synchronisation activity
>> time to 640 and the mac address aging time to 1920 (3x640) as below:
>>
>
> While I have not run 6500's in VSS mode I have run into similar unicast
> flooding with certain non-VSS configurations of 6500's. The most
> reliable fix I have found is "arp timeout 120" in the affected vlan
> interfaces.
>
> - Kevin
>
From jmaimon at ttec.com Mon Aug 17 09:05:06 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Mon, 17 Aug 2009 09:05:06 -0400
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <4A894989.1090604@gmail.com>
References: <4A894989.1090604@gmail.com>
Message-ID: <4A895582.4090406@ttec.com>

Probably would help to know what IO controller and NPE you have, what image is the bootloader, where and what image you are trying to boot. Not always can a 7200 boot directly off IDE flash.

Do you have any configuration, such as boot statements?

Mikisa Richard wrote:
> Hi all,
>
> I have an issue with a 7206VXR which boots into boot mode without any
> errors. The registry is 0x2102 and therefore not the issue, any ideas
> what might be wrong.
>
> Richard
>

From ltd at cisco.com Mon Aug 17 08:31:48 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 17 Aug 2009 22:31:48 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <4A23BC3E.4030509@memetic.org>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <4A23BC3E.4030509@memetic.org>
Message-ID: <2C99D354-E036-441C-B463-7D0328E4FAD7@cisco.com>

On 01/06/2009, at 9:32 PM, Adam Armstrong wrote:

> If anyone has a Nexus in testing they'd like to give SNMP read
> access to for a while I'd be interested in adding support for it to
> Observer.
>
> I don't think it would help in your scenario Ash, but I'm sure it'd
> be useful to some people :)

if you can work with a snmpwalk then feel free to use ftp://ftp-eng.cisco.com/ltd/snmpwalk_nxos_ankara.txt.gz for a (relatively) recent snmpwalk. otherwise contact me off list and i'll arrange access to a box.
most of what you use seems to be IF-MIB which is there. there will be some holes with vlan discovery (you're using VTP MIB which isn't there yet), but there are other ways that can be accomplished, time permitting i'll send you a svn diff to add that support.

cheers,

lincoln.

From ip at ioshints.info Mon Aug 17 09:42:29 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 17 Aug 2009 15:42:29 +0200
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <002a01ca1f40$919db400$0a00000a@nil.si>

It's probably easier to use the NAT Virtual Interface ("ip nat enable" instead of "ip nat inside|outside") in a VRF environment. You also don't need NAT-on-a-stick with NVI.

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Andy Saykao [mailto:andy.saykao at staff.netspace.net.au]
> Sent: Monday, August 17, 2009 2:59 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
>
> I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using
> NAT-ON-A-STICK. Is this possible?
>
> Easy enough to do when it's IP traffic using policy-based routing as per
> this article:
>
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
>
> Just wondering how you would apply the article in relation to when the
> traffic is MPLS/VRF based.

From copse at xy.org Mon Aug 17 10:27:33 2009
From: copse at xy.org (Roger Wiklund)
Date: Mon, 17 Aug 2009 16:27:33 +0200
Subject: [c-nsp] Cisco 3560 LAN QoS egress queing shaping/sharing questions
Message-ID:

Hi

I'm a bit confused regarding 3560 egress QoS.

This is the default setting on a 3560, only "mls qos" is enabled globally.
FastEthernet0/4
Egress Priority Queue : disabled
Shaped queue weights (absolute) : 25 0 0 0
Shared queue weights : 25 25 25 25
The port bandwidth limit : 100 (Operational Bandwidth:100.0)
The port is mapped to qset : 1

So after reading the document, the 4 egress queues are configured with 25% bandwidth each, and they are in shared mode, which means that they have a minimum of 25% but can also use more from the other queues if available.

But then we have the shaped queue: 25 0 0 0.

This is from the documentation:

In shaped mode, the egress queues are guaranteed a percentage of the bandwidth, and they are rate-limited to that amount. Shaped traffic does not use more than the allocated bandwidth even if the link is idle. Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues.

By default, weight1 is set to 25; weight2, weight3, and weight4 are set to 0, and these queues are in shared mode.

For weight1 weight2 weight3 weight4, enter the weights to control the percentage of the port that is shaped. The inverse ratio (1/weight) controls the shaping bandwidth for this queue. Separate each value with a space. The range is 0 to 65535.

If you configure a weight of 0, the corresponding queue operates in shared mode. The weight specified with the srr-queue bandwidth shape command is ignored, and the weights specified with the srr-queue bandwidth share interface configuration command for a queue come into effect. When configuring queues in the same queue-set for both shaping and sharing, make sure that you configure the lowest number queue for shaping. The shaped mode overrides the shared mode.

Does this then mean that by default egress queue 1, handling CoS 5, EF etc., only has 25 Mbit on a FastEthernet port? Everything above that gets dropped.
And also:

Priority-queue out

When you configure this command, the SRR weight and queue size ratios are affected because there is one less queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth share command is ignored (not used in the ratio calculation).

And also, when enabling egress prio queue, that queue gets 100% of the bandwidth? That will starve all the other traffic. I'm reading in the Cisco QoS book where you can have strict prio + weighted round robin. But it looks like that's not available on the 3560.

Thanks

/Roger

From jlewis at lewis.org Mon Aug 17 10:43:17 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Mon, 17 Aug 2009 10:43:17 -0400 (EDT)
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
Message-ID:

On Mon, 17 Aug 2009, Matlock, Kenneth L wrote:

> If I had to guess, you probably upgraded the IOS code, and didn't
> upgrade the bootloader?
>
> On a 7200-series chassis, you need to upgrade both the IOS and the
> Bootloader when you change versions.

Where'd you get that idea? Other than making sure I have boot code new enough to support booting the real IOS from CF, I don't generally touch the bootloader.

My guess would be there's something wrong with the devices the router is trying to boot from.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From copse at xy.org Mon Aug 17 10:47:33 2009
From: copse at xy.org (Roger Wiklund)
Date: Mon, 17 Aug 2009 16:47:33 +0200
Subject: [c-nsp] Cisco 3560 LAN QoS egress queing shaping/sharing questions
In-Reply-To:
References:
Message-ID:

Correction! It should be 1/25th of 100meg = 4 meg.
That's really strange to have such a small limit.

Found this also:
http://www.gossamer-threads.com/lists/cisco/nsp/113754

Regards
Roger

On Mon, Aug 17, 2009 at 4:27 PM, Roger Wiklund wrote:

> Hi
>
> I'm a bit confused regarding 3560 egress QoS.
>
> This is the default setting on a 3560, only "mls qos" is enabled globally.
>
> FastEthernet0/4
> Egress Priority Queue : disabled
> Shaped queue weights (absolute) : 25 0 0 0
> Shared queue weights : 25 25 25 25
> The port bandwidth limit : 100 (Operational Bandwidth:100.0)
> The port is mapped to qset : 1
>
> So after reading the document, the 4 egress queues are configured with 25%
> bandwidth each, and they are in shared mode, which means that they have a
> minimum of 25% but can also use more from the other queues if available.
>
> But then we have the shaped queue: 25 0 0 0.
> This is from the documentation:
>
> In shaped mode, the egress queues are guaranteed a percentage of the
> bandwidth, and they are rate-limited to that amount. Shaped traffic does not
> use more than the allocated bandwidth even if the link is idle. Shaping
> provides a more even flow of traffic over time and reduces the peaks and
> valleys of bursty traffic. With shaping, the absolute value of each weight
> is used to compute the bandwidth available for the queues.
>
> By default, weight1 is set to 25; weight2, weight3, and weight4 are set to
> 0, and these queues are in shared mode.
>
> For weight1 weight2 weight3 weight4, enter the weights to control the
> percentage of the port that is shaped. The inverse ratio (1/weight) controls
> the shaping bandwidth for this queue. Separate each value with a space. The
> range is 0 to 65535.
>
> If you configure a weight of 0, the corresponding queue operates in shared
> mode. The weight specified with the srr-queue bandwidth shape command is
> ignored, and the weights specified with the srr-queue bandwidth share
> interface configuration command for a queue come into effect.
> When configuring queues in the same queue-set for both shaping and sharing, make
> sure that you configure the lowest number queue for shaping.
> The shaped mode overrides the shared mode.
>
> Does this then mean that by default egress queue 1, handling CoS
> 5, EF etc., only has 25 Mbit on a FastEthernet port? Everything above that
> gets dropped.
>
> And also:
>
> Priority-queue out
>
> When you configure this command, the SRR weight and queue size ratios are
> affected because there is one less queue participating in SRR. This means
> that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth
> share command is ignored (not used in the ratio calculation).
>
> And also, when enabling egress prio queue, that queue gets 100% of the
> bandwidth? That will starve all the other traffic. I'm reading in the Cisco
> QoS book where you can have strict prio + weighted round robin. But it looks
> like that's not available on the 3560.
>
> Thanks
>
> /Roger
>

From mulitskiy at acedsl.com Mon Aug 17 11:01:28 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 17 Aug 2009 11:01:28 -0400
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: <4A885AE0.9050102@rollernet.us>
References: <200908141604.42069.mulitskiy@acedsl.com> <200908161505.00887.mulitskiy@acedsl.com> <4A885AE0.9050102@rollernet.us>
Message-ID: <200908171101.28098.mulitskiy@acedsl.com>

Thanks for the advice. This is a good one. Will definitely do.

Michael

On Sunday 16 August 2009 03:15:44 pm Seth Mattinen wrote:
> Michael Ulitskiy wrote:
> > Thanks everybody who replied.
> > I was promised our circuits to be examined by electrician on Monday.
> > Is there a way for me to check the grounding? I remember some fat wires are fastened to the cage,
> > but honestly I didn't pay particular attention.
> > Thanks,
> >
>
> You can do it ghetto style by taking a meter and checking for ground
> potentials between different pieces of metal.
> If all grounds are at the
> same potential the meter will read zero. Run away if you read voltage
> between two metal pieces.
>
> ~Seth
>

From paul at paulstewart.org Mon Aug 17 11:06:26 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 17 Aug 2009 11:06:26 -0400
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To:
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
Message-ID: <000001ca1f4c$4bbd6780$e3383680$@org>

For sure... bootloaders are one of those things I don't like to touch until I have to... it's been so long since I had to upgrade the bootloader on anything we have that I'd have to read the docs again to remember how..;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, August 17, 2009 10:43 AM
To: Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C7206VXR boot issue

On Mon, 17 Aug 2009, Matlock, Kenneth L wrote:

> If I had to guess, you probably upgraded the IOS code, and didn't
> upgrade the bootloader?
>
> On a 7200-series chassis, you need to upgrade both the IOS and the
> Bootloader when you change versions.

Where'd you get that idea? Other than making sure I have boot code new enough to support booting the real IOS from CF, I don't generally touch the bootloader.

My guess would be there's something wrong with the devices the router is trying to boot from.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From MatlockK at exempla.org Mon Aug 17 11:11:53 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 17 Aug 2009 09:11:53 -0600
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <000001ca1f4c$4bbd6780$e3383680$@org>
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org> <000001ca1f4c$4bbd6780$e3383680$@org>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3990@LMC-MAIL2.exempla.org>

I've seen it a few times in the past, exclusively with 7200's. The bootloader and IOS versions don't have to exactly match, but in my experience they need to be 'close' (where 'close' changes each rev number :) )

If the bootloader and IOS aren't 'compatible', you'll get exactly those symptoms (boots to bootloader prompt). Not saying that IS the problem, but a possibility.

Also check the boot statements to make sure the bootldr and system boot statements are both there.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org]
Sent: Monday, August 17, 2009 9:06 AM
To: 'Jon Lewis'; Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] C7206VXR boot issue

For sure... bootloaders are one of those things I don't like to touch until I have to...
it's been so long since I had to upgrade the bootloader on anything we have that I'd have to read the docs again to remember how..;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, August 17, 2009 10:43 AM
To: Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C7206VXR boot issue

On Mon, 17 Aug 2009, Matlock, Kenneth L wrote:

> If I had to guess, you probably upgraded the IOS code, and didn't
> upgrade the bootloader?
>
> On a 7200-series chassis, you need to upgrade both the IOS and the
> Bootloader when you change versions.

Where'd you get that idea? Other than making sure I have boot code new enough to support booting the real IOS from CF, I don't generally touch the bootloader.

My guess would be there's something wrong with the devices the router is trying to boot from.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From sethm at rollernet.us Mon Aug 17 11:45:39 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 17 Aug 2009 08:45:39 -0700
Subject: [c-nsp] Multiple power supply failures. Advise needed
In-Reply-To: <200908171101.28098.mulitskiy@acedsl.com>
References: <200908141604.42069.mulitskiy@acedsl.com> <200908161505.00887.mulitskiy@acedsl.com> <4A885AE0.9050102@rollernet.us> <200908171101.28098.mulitskiy@acedsl.com>
Message-ID: <4A897B23.9040303@rollernet.us>

Michael Ulitskiy wrote:
> Thanks for the advice. This is a good one. Will definitely do.
>

I should also add that ground potential differences are also dangerous and can shock you if it's high enough, not just something to be worried about with equipment.

~Seth

From achatz at forthnet.gr Mon Aug 17 13:03:45 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 17 Aug 2009 20:03:45 +0300
Subject: [c-nsp] EoMPLS between subinterface and physical interface
Message-ID: <4A898D71.1050405@forthnet.gr>

I'm reading under EoMPLS Guidelines and Restrictions
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1109041

======================================
For a particular EoMPLS connection, both the ingress EoMPLS interface on the ingress PE and the egress EoMPLS interface on the egress PE have to be subinterfaces with dot1Q encapsulation or neither is a subinterface.
======================================

So, I guess in PFC-based EoMPLS you can't have a subinterface on one side (vlan mode) and a physical interface (port mode) on the other side.

Besides using ES/SPA cards and scalable EoMPLS on both sides, is there another solution?
What about scalable EoMPLS on one side and PFC-based EoMPLS (vlan or port mode) on the other? Has anyone tried it?

--
Tassos

From ecables at gmail.com Mon Aug 17 13:09:41 2009
From: ecables at gmail.com (Eric Cables)
Date: Mon, 17 Aug 2009 10:09:41 -0700
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <28817.26270.qm@web27907.mail.ukl.yahoo.com>
References: <28817.26270.qm@web27907.mail.ukl.yahoo.com>
Message-ID:

You need to put a sniffer on those ports to discover the destination for the unicast flooding.

-- Eric Cables

On Mon, Aug 17, 2009 at 6:01 AM, C and C Dominte wrote:

> Hi,
>
> I am still experiencing unknown unicast flooding with the Catalyst 6509 VSS
> 1440 configuration.
>
> I have tried two more tests, to check if the flood will stop:
>
> 1. I turned off the routed-mac feature
>
> #sh mac-addr aging-type routed
> Routed MAC aging : disabled
>
> 2.
> I configured the arp timeout for each VLAN interface to 900 seconds
>
> To test if this solved the problem, I enabled 4 interfaces on Switch 2, and
> as soon as that was done, a 100 mbps flood of unknown unicast was sent to all
> trunk ports.
>
> I pasted below the MAC address aging time that is currently 3 times the
> synchronisation time:
>
> Synchronisation time:
>
> Global Status:
> Status of feature enabled on the switch : on
> Default activity time : 160
> Configured current activity time : 640
>
> Mac address aging:
>
> #sh mac-addr aging-time
> Vlan    Aging Time
> ----    ----------
> Global  1920
> no vlan age other than global age configured
>
> I am really out of ideas as to what can cause this loop, that then
> generates the unknown unicast flood. Has anyone experienced anything similar
> and can offer any advice on why this is happening?
>
> Thank you
>
> Catalin
>
> --- On *Fri, 7/8/09, Eric Cables * wrote:
>
> From: Eric Cables
> Subject: Re: [c-nsp] VSS 1440 issues
> To: "Kevin Loch"
> Cc: "cisco-nsp at puck.nether.net"
> Date: Friday, 7 August, 2009, 8:43 AM
>
> Agreed, your mileage may vary on the exact timers to use (I ended up at 900
> seconds), but synchronizing MAC and ARP aging timers should solve your
> unicast flooding issues, assuming the traffic is to legitimate
> destinations.
>
> Have you captured any traffic to identify the destination of flooded
> traffic?
>
> -- Eric Cables
>
> On Thu, Aug 6, 2009 at 9:35 PM, Kevin Loch wrote:
>
> > C and C Dominte wrote:
> >
> >> Thank you for your advice, however, increasing the timers
> >> did not work.
> >>
> >> I powered down the active linecards from switch 2
> >> yesterday to see if it stopped the unicast flood, which it did.
> >>
> >> Today I increased the mac address synchronisation activity
> >> time to 640 and the mac address aging time to 1920 (3x640) as below:
> >>
> >
> > While I have not run 6500's in VSS mode I have run into similar unicast
> > flooding with certain non-VSS configurations of 6500's. The most
> > reliable fix I have found is "arp timeout 120" in the affected vlan
> > interfaces.
> >
> > - Kevin
> >
>

From ler762 at gmail.com Mon Aug 17 13:15:13 2009
From: ler762 at gmail.com (Lee)
Date: Mon, 17 Aug 2009 13:15:13 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
Message-ID:

On 8/16/09, Lincoln Dale wrote:
>
> On 15/08/2009, at 7:37 AM, Lee wrote:
>
>> On 8/14/09, Lincoln Dale wrote:
>>
>> .. snip lots of really cool examples ..
>>
>>> why one would ever touch SNMP willingly after using the above is
>>> beyond me. :)
>>
>> Is there an XML equivalent to the Net-SNMP package?
>
> i'm not aware of any standard perl modules for NetConf, however we
> (Cisco) and other vendors have sample scripts available which
> demonstrate how to make use of Netconf with the CPAN Expect and
> XML::DOM.
Maybe that'll help push my "learn perl" todo item up a bit higher on my
list :)  But that's assuming netconf/xml makes expect scripts a bit less
dependent on the exact formatting of the output.  If upgrading the OS
requires updating the xml definition in the script (eg. bump
netconf:base:1.0 to netconf:base:1.1) .. well, seems like not such a big
win.

> most sample scripts turn out to be <50 lines of code, e.g.
<.. snip example ..>

Thanks for the example.  I'd done a search on cisco.com for how to use
xml & the best I could find was a recommendation to use an xml editor &
click on the publish button to push the file to the device.  At least
your example is something that could be run from a crontab entry

>> For example,
>> finding devices that haven't had their config saved is easy with SNMP:
>>
>> chgTime=`snmpget -OqUtv $DEV ccmHistoryRunningLastChanged.0`
>> savTime=`snmpget -OqUtv $DEV ccmHistoryStartupLastChanged.0`
>> if [ $savTime -lt $chgTime ]; then
>>   printf "%-14s config needs to be saved\n" $DEV
>> fi
>>
>> how do you do that with Netconf/XML?
>
> good question.  the key to doing something in NetConf is to find a CLI
> command that provides the data you want.  e.g. if there was a CLI
> command that provided time/datestamps of startup-config vs
> running-config (or a flag indicating config has changed between them),
> then you'd do that command.
>
> off the top of my head, i can't think of a command that provides that,

The other example that came to mind was finding switch ports that
haven't been used in however many days.  CatOS has the "show port usage"
command; I haven't found the IOS equivalent yet but IOS switches do have
the ifLastChange mib variable.

> however one COULD in theory ask the switch to provide a diff between
> the running-config and the startup-config, e.g.
>   switch# show diff rollback-patch running-config startup-config
> and if you get any changes then there is a difference.
>
> it's a bit heavyweight versus a flag, but assuming your script wanted
> to do something intelligent based on said output, could be useful.

Usually all I want to do is make sure everything's been saved before a
scheduled power outage :)

> NX-OS does support the SNMP trap for ccmCLIRunningConfigChanged so you
> could use that.
>
> another way i can foresee that one could accomplish a simple trigger is
> an EEM event that creates a file on config-change and clears it on
> config-save, e.g.
>   event manager applet set_config_changed_flag
>     event cli match "config"
>     action 1 cli echo config_changed > volatile:config_changed
>     action 2 event-default
>   event manager applet clear_config_config_changed
>     event cli match "copy running-config startup-config"
>     action 1 cli delete volatile:config_changed
>     action 2 event-default
>
> then your NetConf/XML can do the equivalent of "tail
> volatile:config_changed" and see what result it gets back.
> probably overkill but you get the idea - many ways to achieve what you
> want.

Yes, I see.  We recently got a pair of Nx7000s - I'll have to see what I
can do with them.

Thanks for the ideas,
Lee

From peter at rathlev.dk  Mon Aug 17 13:57:46 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 17 Aug 2009 19:57:46 +0200
Subject: [c-nsp] Cisco 3560 LAN QoS egress queing shaping/sharing questions
In-Reply-To:
References:
Message-ID: <1250531866.2831.10.camel@abehat.net.rm.dk>

On Mon, 2009-08-17 at 16:27 +0200, Roger Wiklund wrote:
> Does this then mean that per default, the egress queue 1, handling COS
> 5, EF etc, only has 25mbit on a fastethernet port. Everything above
> that gets dropped.

Yup, as you say it's actually 1/25th of the port bandwidth. But yes,
everything beyond this gets dropped. Since EF is meant to be used for
voice only the 4 mbps default is plenty IMHO.

> And also, when enabling egress prio queue, that queue gets 100% of the
> bandwidth? That will starve all the other traffic.
> I'm reading in the
> Cisco QoS book where you can have strict prio + weighted round robin.
> But it looks like that's not available on the 3560.

Correct. You should always combine a priority queue with policing so you
don't starve the other queues. Or use SRR shaping, which "elegantly"
gives you both policing and prioritisation. Priority queue and SRR
shaping are not compatible; one rules the other out.

Beware that the classification on the 3560 prevents you from matching
via ACL _and_ DSCP; you have to choose between matching DSCP for any
incoming packet or matching by ACL and then trusting DSCP.

Regards,
Peter

From gert at greenie.muc.de  Mon Aug 17 14:49:29 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 17 Aug 2009 20:49:29 +0200
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
References: <4A894989.1090604@gmail.com>
        <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org>
Message-ID: <20090817184929.GO2121@greenie.muc.de>

Hi,

On Mon, Aug 17, 2009 at 06:30:10AM -0600, Matlock, Kenneth L wrote:
> On a 7200-series chassis, you need to upgrade both the IOS and the
> Bootloader when you change versions.

No.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From avayner at cisco.com  Mon Aug 17 14:57:41 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 17 Aug 2009 20:57:41 +0200
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To: <4A898D71.1050405@forthnet.gr>
References: <4A898D71.1050405@forthnet.gr>
Message-ID:

Tasso,

What are you trying to achieve?
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
Sent: Monday, August 17, 2009 20:04
To: cisco-nsp
Subject: [c-nsp] EoMPLS between subinterface and physical interface

I'm reading under EoMPLS Guidelines and Restrictions
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1109041

======================================
For a particular EoMPLS connection, both the ingress EoMPLS interface on
the ingress PE and the egress EoMPLS interface on the egress PE have to
be subinterfaces with dot1Q encapsulation or neither is a subinterface.
======================================

So, I guess in PFC-based EoMPLS you can't have a subinterface on one side
(vlan mode) and a physical interface (port mode) on the other side.

Besides using ES/SPA cards and scalable EoMPLS on both sides, is there
another solution?
What about scalable EoMPLS on one side and PFC-based EoMPLS (vlan or port
mode) on the other? Has anyone tried it?

--
Tassos

From NMaio at guesswho.com  Mon Aug 17 15:06:28 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Mon, 17 Aug 2009 15:06:28 -0400
Subject: [c-nsp] Arp Inspection Rate Limit
Message-ID:

Just a quick question. Taking into account that everyone's network is
different and to find the best limit you need to study a trace.....does
anyone use a rule of thumb for configuring the rate limit for arp
inspection. Does anyone find the default 15 pps too low on ports other
than etherchannels and trunks?
Thanks,

Nick

From Grzegorz at Janoszka.pl  Mon Aug 17 15:50:37 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Mon, 17 Aug 2009 21:50:37 +0200
Subject: [c-nsp] LACP on high latency links
Message-ID: <4A89B48D.7000205@Janoszka.pl>

Hi,

Anyone running LACP on links with latency about 10 ms or higher?

With local links and latency ~1 ms we have no problems at all, it just
works perfectly, however recently we ran into strange issues with CRS-1
(IOS-XR 3.6.2) and LACP on remote links with latency 10 ms or higher.
When we try to add a link into a bundle (CRS-1's name of the
port-channel) which has already had an interface assigned and up, the
whole bundle stops sending packets. The bundle-ether interface is up,
however it does not send any packets. The only thing that helps is to
deassign all ifaces from the bundle, shut them down, then enable them
and add them to the bundle again.

Does anyone know any cisco bugs with LACP and IOS-XR?

Any help would be appreciated, regards,

--
Grzegorz Janoszka

From eninja at gmail.com  Mon Aug 17 15:59:41 2009
From: eninja at gmail.com (e ninja)
Date: Mon, 17 Aug 2009 12:59:41 -0700
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To:
References: <4A841CC9.4090909@cisco.com>
Message-ID:

Wilson,

Thanks.

-Eninja

On Mon, Aug 17, 2009 at 8:58 AM, Wilson Shiu (wshiu) wrote:

> Eninja,
>
> Thank you so much for your feedback. I will definitely discuss your request
> during my next meeting with the Bug Tool Kit team.
>
> Regards,
>
> Wilson
>
>
>
> *From:* e ninja [mailto:eninja at gmail.com]
> *Sent:* Monday, August 17, 2009 2:22 AM
> *To:* Wilson Shiu (wshiu)
> *Cc:* cisco-nsp at puck.nether.net; eninja at gmail.com
> *Subject:* Re: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software
> Download Planner, etc...
>
>
>
> Wilson,
>
> *Feedback:*
>
> - Make the Bug toolkit and Bug fixes freely available to all customers
> that have purchased Cisco software and not just SMARTnet customers.
>
> -Eninja
>
>
>
> On Thu, Aug 13, 2009 at 7:01 AM, Rodney Dunn wrote:
>
> I got involved through a few channels and encouraged the teams responsible
> for some of the Cisco.com Support tools to leverage this forum directly for
> feedback. They were very interested in the idea.
>
> Can those of you that care enough to give direct feedback based on the past
> threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few
> minutes and compose an email directly to:
>
> Wilson Shiu (wshiu)
>
> He is the point of contact for feedback.
>
> They are eager to listen so now is a good time to get involved.
>
> I encourage you guys to take advantage of this.
>
> Thanks
> Rodney
>

From ibrahim.abozaid at gmail.com  Mon Aug 17 16:47:21 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Mon, 17 Aug 2009 23:47:21 +0300
Subject: [c-nsp] ISIS Problem
Message-ID:

Hi All

I have a problem with the below ISIS topology. All ADJ of R1 are L1, and
the interface between R2 is in A2 from R2 side and in A3 from R3 side, so
R2 and R3 have an L2 ADJ between them. As expected both R2 and R3 send
LSPs with the ATT bit set, so R1 has 2 L1 default routes pointing to both
R2 and R3. The weird result is there is an L1 default route on both R2
and R3 pointing to R1!! But R1 doesn't set the ATT bit in its LSP.

Do you have an explanation why R1 sends this default route? And how can
we stop it?

Topology

R2--------L-1------------
|                       |
|                       |
L2       A-1           R1
|                       |
|                       |
R3---------L-1-----------

Configuration

R1

!
interface Serial1/0
 description to R2
 ip address 10.10.12.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.13.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-1


R2

interface Serial1/0
 description to R1
 ip address 10.10.12.2 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.23.2 255.255.255.0
 ip router isis 2
 encapsulation ppp
!
router isis 2
 net 49.0002.0000.0000.0002.00
 is-type level-2-only
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-1


R3

interface Serial 1/0
 description to R1
 ip address 10.10.13.3 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial 1/1
 description to R2
 ip address 10.10.23.3 255.255.255.0
 ip router isis 3
 encapsulation ppp
!
router isis 3
 net 49.0003.0000.0000.0003.00
 is-type level-2-only
!
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-1


Logs
-------

R1#sh clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Se1/0       *PPP*               Up     22        L1   IS-IS
R3             Se1/1       *PPP*               Up     23        L1   IS-IS

R2#sh clns neighbors
Area 2:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R3             Se1/1       *PPP*               Up     28        L2   IS-IS
Area null:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Se1/0       *PPP*               Up     26        L1   IS-IS

R3#sh clns neighbors
Area 3:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Se1/1       *PPP*               Up     22        L2   IS-IS
Area null:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Se1/0       *PPP*               Up     28        L1   IS-IS

routing tables
-----------------

R1#sh ip route isis
i*L1 0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
               [115/10] via 10.10.12.2, Serial1/0

R2#sh ip route isis
i L2    10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
i L1    10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
i*L1 0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0

R3#sh ip route isis
i L1    10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
i L2    10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
i*L1 0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0

From justin at justinshore.com  Mon Aug 17 18:12:25 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 17 Aug 2009 17:12:25 -0500
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
References:
Message-ID: <4A89D5C9.3080604@justinshore.com>

Security Team wrote:
> I have a telco that wants to hand me an OC3 on which there will be 3 DS3's,
> all doing different things. One will be a clear channel (pt-pt) DS3, one
> will contain 28 T1's in the DS1 time slots of the DS3, and one will be
> unused for the time being.

CJ,

I'm going to agree with those that proposed the external OC3 mux.  It
really is your best bet.  It also gives you the most long-term options.
The Adtran OPTI-3 mux will be able to do the heavy lifting on your OC3.

http://www.adtran.com/web/page/portal/Adtran/product/1184003L1/270

It supports protection too so you can insist that your provider give you
a protected OC3 if they want to cram an OC3 down your throat.  With that
mux you have the option of terminating the CC DS3 and channelized DS3 on
different devices if you so choose (now or in the future).  That really
is the best option.

The other thing you might consider is replacing or adding to your router
collection and getting an ASR (or other router that supports SPAs like
the 7600).  The ASR has a channelized OC3 module that could do what you
want.  List on the dual channelized DS3 SPA is $30k.  List on the
channelized OC3 is only $36k.  The channelized quad-DS3 is $60k.  The
OC3 is a good deal on that platform if you don't mind buying the
external OC3 mux.

That's what I'll be doing in the future.  I'm replacing my Widebanks
with Adtran MX2820 M13s.  Then I'm going to mux them with the OPTI-3 and
terminate it in an ASR with the channelized OC3 SPA.

My $.02
Justin

From gsgranados at comcast.net  Mon Aug 17 18:30:34 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 17 Aug 2009 15:30:34 -0700
Subject: [c-nsp] asa 5520, more than one crypto map?
Message-ID: <025901ca1f8a$5a3a7990$0202fea9@am.thmulti.com>

Hi, I'm having an issue binding more than one map to the outside
interface so I need someone to set me straight.:)

Background

I have an ASA 5520 that's providing access to a private network via the
Cisco VPN client.  I wish to establish a few LAN-to-LAN sessions to
branch offices using the same concentrator.

Problem, when I apply one map to the outside interface the previously
added map is removed.

For example, IF I have the following in place.

crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

and then add the following

crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside

I end up with the following in my startup and running configs

crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap

(no vpn-ra-map interface outside for clients)

So my client access breaks as soon as I add the second map for the NY
LAN-to-LAN tunnel.  What am I doing wrong?  Is there a different way to
add more than one map to an interface?

Any pointers would be appreciated.
Thanks
Scott

From justin at justinshore.com  Mon Aug 17 18:33:14 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 17 Aug 2009 17:33:14 -0500
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4A8567B6.5080408@cisco.com>
References: <4A841CC9.4090909@cisco.com>
        <4A8463E1.2030709@cisco.com>
        <4A8567B6.5080408@cisco.com>
Message-ID: <4A89DAAA.10004@justinshore.com>

Rodney,

Do you think you might be able to gain the ear of someone responsible
for the CSCC?  I've had ongoing issues with it ever since it was
introduced.  I raised those concerns several times and they were never
resolved.  Now that SCC has been completely deleted and replaced with
CSCC I have no way to work with my contracts.  I tried to use it again
today and it listed dozens upon dozens of devices that I don't own,
never have.  It also didn't list dozens upon dozens of devices that I do
own and are under contract.  Very flaky....

Another great pair of ears to locate would be whoever is responsible
for the DCT Dynamic Config Tool (DN) that lets you build device BoMs
and the Feature Navigator (FN).  I have feature requests for both and a
sanity request for the DCT.

Thanks
 Justin

Rodney Dunn wrote:
> Ok...the first list is this.
>
> Use Wilson Shiu (wshiu) as the contact for:
>
> Bitswapping Tool
> Bug Tool Kit
> Cisco Notification System
> Command Lookup Tool
> Error Message Decoder
> File Exchange
> IP Subnet Calculator
> MYTECH Support
> Output Interpreter
> Product Alert Tool
> SNMP Object Navigator
> Special File Access
> TAC Case Connection
> TSRT
> Voice Codec Bandwidth Calculator
>
> I'm getting the contact for the Software Center stuff and will report back.
>
> Rodney
>
>
> Rodney Dunn wrote:
>> I'm getting that for clarity. I'll respond back.
>>
>>
>>
>> Tony Varriale wrote:
>>> Rodney,
>>>
>>> Do you have an official list of items/tools that feedback can be
>>> provided on?  Or, should we ping Wilson?
>>>
>>> tv
>>> ----- Original Message ----- From: "Rodney Dunn"
>>> To:
>>> Sent: Thursday, August 13, 2009 9:01 AM
>>> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download
>>> Planner,etc...
>>>
>>>
>>>> I got involved through a few channels and encouraged the teams
>>>> responsible for some of the Cisco.com Support tools to leverage this
>>>> forum directly for feedback. They were very interested in the idea.
>>>>
>>>> Can those of you that care enough to give direct feedback based on
>>>> the past threads around IOS Upgrade Planner, Bug Toolkit, etc.
>>>> please take a few minutes and compose an email directly to:
>>>>
>>>> Wilson Shiu (wshiu)
>>>>
>>>> He is the point of contact for feedback.
>>>>
>>>> They are eager to listen so now is a good time to get involved.
>>>>
>>>> I encourage you guys to take advantage of this.
>>>>
>>>> Thanks
>>>> Rodney

From bbartik at uen.org  Mon Aug 17 18:51:26 2009
From: bbartik at uen.org (BRYAN BARTIK)
Date: Mon, 17 Aug 2009 16:51:26 -0600
Subject: [c-nsp] ISIS Problem
In-Reply-To:
References:
Message-ID:

Hello,

Do a "show isis database" and you will see who is setting the ATT bit.
R2 and R3 are setting the ATT bits and these get flooded to R1 and then
across to each other in L1.

Probably looks like this:

R1#sho isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000003   0x5524        1173              0/0/0
R2.00-00              0x00000003   0x7E42        1161              1/0/0
R3.00-00              0x00000003   0xC8F2        1179              1/0/0

-Bryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ibrahim Abo Zaid
Sent: Monday, August 17, 2009 2:47 PM
To: cisco_nsp; cisco at groupstudy.com
Subject: [c-nsp] ISIS Problem

Hi All

I have a problem with the below ISIS topology. All ADJ of R1 are L1, and
the interface between R2 is in A2 from R2 side and in A3 from R3 side, so
R2 and R3 have an L2 ADJ between them. As expected both R2 and R3 send
LSPs with the ATT bit set, so R1 has 2 L1 default routes pointing to both
R2 and R3. The weird result is there is an L1 default route on both R2
and R3 pointing to R1!! But R1 doesn't set the ATT bit in its LSP.

Do you have an explanation why R1 sends this default route? And how can
we stop it?

Topology

R2--------L-1------------
|                       |
|                       |
L2       A-1           R1
|                       |
|                       |
R3---------L-1-----------

Configuration

R1

!
interface Serial1/0
 description to R2
 ip address 10.10.12.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.13.1 255.255.255.0
 ip router isis
 encapsulation ppp
!
router isis
 net 49.0001.0000.0000.0001.00
 is-type level-1


R2

interface Serial1/0
 description to R1
 ip address 10.10.12.2 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial1/1
 description to R3
 ip address 10.10.23.2 255.255.255.0
 ip router isis 2
 encapsulation ppp
!
router isis 2
 net 49.0002.0000.0000.0002.00
 is-type level-2-only
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-1


R3

interface Serial 1/0
 description to R1
 ip address 10.10.13.3 255.255.255.0
 ip router isis
 encapsulation ppp
!
interface Serial 1/1
 description to R2
 ip address 10.10.23.3 255.255.255.0
 ip router isis 3
 encapsulation ppp
!
router isis 3
 net 49.0003.0000.0000.0003.00
 is-type level-2-only
!
router isis
 net 49.0001.0000.0000.0003.00
 is-type level-1


Logs
-------

R1#sh clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Se1/0       *PPP*               Up     22        L1   IS-IS
R3             Se1/1       *PPP*               Up     23        L1   IS-IS

R2#sh clns neighbors
Area 2:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R3             Se1/1       *PPP*               Up     28        L2   IS-IS
Area null:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Se1/0       *PPP*               Up     26        L1   IS-IS

R3#sh clns neighbors
Area 3:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Se1/1       *PPP*               Up     22        L2   IS-IS
Area null:
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Se1/0       *PPP*               Up     28        L1   IS-IS

routing tables
-----------------

R1#sh ip route isis
i*L1 0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
               [115/10] via 10.10.12.2, Serial1/0

R2#sh ip route isis
i L2    10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
i L1    10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
i*L1 0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0

R3#sh ip route isis
i L1    10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
i L2    10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
i*L1 0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0

From yurixewx at yahoo.com  Mon Aug 17 18:05:41 2009
From: yurixewx at yahoo.com (Yuri Bank)
Date: Mon, 17 Aug 2009 15:05:41 -0700 (PDT)
Subject: [c-nsp] ISIS Problem
In-Reply-To:
Message-ID: <280367.19975.qm@web36902.mail.mud.yahoo.com>

Your configuration looks invalid. An ISIS router should only be part of
a single area. This is different from OSPF, where a router can be in
multiple areas.

It seems like R1 is advertising the default route it receives from R2 to
R3, and R3 to R2.
This wouldn't happen if R2 and R3 were in the same area, or if one of
them didn't have an L1 adjacency with R1.

To correct this reduce R3 and R2 to a single area ( 0001 ) and then set
level 2 only on the links between R3 and R2. In interface configuration
mode,

isis circuit-type level-2-only

--- On Mon, 8/17/09, Ibrahim Abo Zaid wrote:

> From: Ibrahim Abo Zaid
> Subject: [c-nsp] ISIS Problem
> To: "cisco_nsp" , cisco at groupstudy.com
> Date: Monday, August 17, 2009, 1:47 PM
> Hi All
>
> I have a problem with the below ISIS topology , All ADJ of
> R1 are L1 and
> interface between R2 is in A2 from R2 side and in A3 side
> from R3 side
> so R2 and R3 have L2-ADJ between them , as expected both R2
> and R3 send LSP
> with ATT bit set so R1 has 2 L1 default routes point to
> both R2 and R3 , the
> weird result there is L1 on both R2 and R3 points to R1 !!
> but R1 don't set
> ATT bit in its LSP
>
> do you have an explanation why R1 sends this default route ? and
> how we can stop
> it
>
> Topology
>
> R2--------L-1------------
> |                       |
> |                       |
> L2       A-1           R1
> |                       |
> |                       |
> R3---------L-1-----------
>
> Configuration
>
> R1
>
> !
> interface Serial1/0
> description to R2
> ip address 10.10.12.1 255.255.255.0
> ip router isis
> encapsulation ppp
> !
> interface Serial1/1
> description to R3
> ip address 10.10.13.1 255.255.255.0
> ip router isis
> encapsulation ppp
> !
> router isis
> net 49.0001.0000.0000.0001.00
> is-type level-1
>
>
> R2
>
> interface Serial1/0
> description to R1
> ip address 10.10.12.2 255.255.255.0
> ip router isis
> encapsulation ppp
> !
> interface Serial1/1
> description to R3
> ip address 10.10.23.2 255.255.255.0
> ip router isis 2
> encapsulation ppp
> !
> router isis 2
> net 49.0002.0000.0000.0002.00
> is-type level-2-only
> !
> router isis
> net 49.0001.0000.0000.0002.00
> is-type level-1
>
>
> R3
>
> interface Serial 1/0
> description to R1
> ip address 10.10.13.3 255.255.255.0
> ip router isis
> encapsulation ppp
> !
> interface Serial 1/1
> description to R2
> ip address 10.10.23.3 255.255.255.0
> ip router isis 3
> encapsulation ppp
> !
> router isis 3
> net 49.0003.0000.0000.0003.00
> is-type level-2-only
> !
> router isis
> net 49.0001.0000.0000.0003.00
> is-type level-1
>
>
> Logs
> -------
>
>
> R1#sh clns neighbors
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R2             Se1/0       *PPP*               Up     22        L1   IS-IS
> R3             Se1/1       *PPP*               Up     23        L1   IS-IS
>
>
> R2#sh clns neighbors
> Area 2:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R3             Se1/1       *PPP*               Up     28        L2   IS-IS
> Area null:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R1             Se1/0       *PPP*               Up     26        L1   IS-IS
>
>
> R3#sh clns neighbors
> Area 3:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R2             Se1/1       *PPP*               Up     22        L2   IS-IS
> Area null:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R1             Se1/0       *PPP*               Up     28        L1   IS-IS
>
> routing tables
> -----------------
>
> R1#sh ip route isis
> i*L1 0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
>                [115/10] via 10.10.12.2, Serial1/0
>
> R2#sh ip route isis
> i L2    10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
> i L1    10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
> i*L1 0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0
>
>
> R3#sh ip route isis
> i L1    10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
> i L2    10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
> i*L1 0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0
>

From peter at rathlev.dk  Mon Aug 17 19:16:21 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 18 Aug 2009 01:16:21 +0200
Subject: [c-nsp] asa 5520, more than one crypto map?
In-Reply-To: <025901ca1f8a$5a3a7990$0202fea9@am.thmulti.com>
References: <025901ca1f8a$5a3a7990$0202fea9@am.thmulti.com>
Message-ID: <1250550981.3745.35.camel@abehat.net.rm.dk>

Hi Scott,

On Mon, 2009-08-17 at 15:30 -0700, Scott Granados wrote:
> Hi, I'm having an issue binding more than one map to the outside
> interface so I need someone to set me straight.:)
>
> Background
>
> I have an ASA 5520 that's providing access to a private network via
> the Cisco VPN client.  I wish to establish a few LAN-to-LAN sessions to
> branch offices using the same concentrator.
>
> Problem, when I apply one map to the outside interface the previously
> added map is removed.

This is "by design". :-) You can only use one crypto map per interface.
To define more than one peer you need to use the serial ("crypto map
") to differentiate them. Remember that the dynamic map should be in the
very end of the crypto map definition.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html

Regards,
Peter Rathlev

From rwest at zyedge.com  Mon Aug 17 18:48:23 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 17 Aug 2009 18:48:23 -0400
Subject: [c-nsp] asa 5520, more than one crypto map?
In-Reply-To: <025901ca1f8a$5a3a7990$0202fea9@am.thmulti.com>
References: <025901ca1f8a$5a3a7990$0202fea9@am.thmulti.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269764@zy-ex1.zyedge.local>

Scott,

Add the following to your ny-map:

crypto map ny-map 65535 ipsec-isakmp dynamic dynmap

That should get you what you want.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Monday, August 17, 2009 6:31 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] asa 5520, more than one crypto map?

Hi, I'm having an issue binding more than one map to the outside
interface so I need someone to set me straight.:)

Background

I have an ASA 5520 that's providing access to a private network via the
Cisco VPN client.  I wish to establish a few LAN-to-LAN sessions to
branch offices using the same concentrator.

Problem, when I apply one map to the outside interface the previously
added map is removed.

For example, IF I have the following in place.
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

and then add the following

crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside

I end up with the following in my startup and running configs

crypto dynamic-map dynmap 10 set transform-set vpn-transform1
crypto dynamic-map dynmap 10 set reverse-route
crypto map ny-map 10 match address ny-vpn-acl
crypto map ny-map 10 set peer ny-fw-outside
crypto map ny-map 10 set transform-set ny-trans
crypto map ny-map 10 set reverse-route
crypto map ny-map interface outside
crypto map vpn-ra-map 10 ipsec-isakmp dynamic dynmap

(no vpn-ra-map interface outside for clients)

So my client access breaks as soon as I add the second map for the NY
LAN-to-LAN tunnel.  What am I doing wrong?  Is there a different way to
add more than one map to an interface?

Any pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Mon Aug 17 19:53:32 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 17 Aug 2009 18:53:32 -0500
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3990@LMC-MAIL2.exempla.org>
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org> <000001ca1f4c$4bbd6780$e3383680$@org> <4288131ED5E3024C9CD4782CECCAD2C7065D3990@LMC-MAIL2.exempla.org>
Message-ID:

Never had to do this, even though we've upgraded 6 times in 4 years.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matlock, Kenneth L
Sent: Monday, August 17, 2009 10:12 AM
To: Paul Stewart; Jon Lewis; Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C7206VXR boot issue

I've seen it a few times in the past, exclusively with 7200's. The bootloader and IOS versions don't have to exactly match, but in my experience they need to be 'close' (where 'close' changes each rev number :) ). If the bootloader and IOS aren't 'compatible', you'll get exactly those symptoms (boots to bootloader prompt). Not saying that IS the problem, but a possibility.

Also check the boot statements to make sure the bootldr and system boot statements are both there.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org]
Sent: Monday, August 17, 2009 9:06 AM
To: 'Jon Lewis'; Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] C7206VXR boot issue

For sure... bootloaders are one of those things I don't like to touch until I have to... it's been so long since I had to upgrade the bootloader on anything we have that I'd have to read the docs again to remember how.. ;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Monday, August 17, 2009 10:43 AM
To: Matlock, Kenneth L
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] C7206VXR boot issue

On Mon, 17 Aug 2009, Matlock, Kenneth L wrote:

> If I had to guess, you probably upgraded the IOS code, and didn't
> upgrade the bootloader?
>
> On a 7200-series chassis, you need to upgrade both the IOS and the
> Bootloader when you change versions.

Where'd you get that idea? Other than making sure I have boot code new enough to support booting the real IOS from CF, I don't generally touch the bootloader. My guess would be there's something wrong with the devices the router is trying to boot from.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ecables at gmail.com Mon Aug 17 19:57:51 2009
From: ecables at gmail.com (Eric Cables)
Date: Mon, 17 Aug 2009 16:57:51 -0700
Subject: [c-nsp] C7206VXR boot issue
In-Reply-To: <20090817184929.GO2121@greenie.muc.de>
References: <4A894989.1090604@gmail.com> <4288131ED5E3024C9CD4782CECCAD2C70489E97B@LMC-MAIL2.exempla.org> <20090817184929.GO2121@greenie.muc.de>
Message-ID:

The only time I had to upgrade the bootloader on a 7200 platform was when I migrated from NPE-400 to NPE-G2.

--
Eric Cables

On Mon, Aug 17, 2009 at 11:49 AM, Gert Doering wrote:

> Hi,
>
> On Mon, Aug 17, 2009 at 06:30:10AM -0600, Matlock, Kenneth L wrote:
> > On a 7200-series chassis, you need to upgrade both the IOS and the
> > Bootloader when you change versions.
>
> No.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                          gert at greenie.muc.de
> fax: +49-89-35655025                     gert at net.informatik.tu-muenchen.de

From ltd at cisco.com Mon Aug 17 20:04:24 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 18 Aug 2009 10:04:24 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To:
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
Message-ID: <26048223-2E42-47E5-93A2-E0D2AB921237@cisco.com>

On 18/08/2009, at 3:15 AM, Lee wrote:

> But that's assuming netconf/xml makes expect scripts a bit
> less dependent on the exact formatting of the output. If upgrading
> the OS requires updating the xml definition in the script (eg. bump
> netconf:base:1.0 to netconf:base:1.1) .. well, seems like not such a
> big win.

those should not change - because it's referring to the Netconf version.

we also don't use "strict" checking on the input data, so while by the standard one SHOULD always specify the right namespace for things (e.g. looking up interface-related stats should always be for xmlns:if_manager), the reality is you could put something wrong there and it'll still currently work.
> The other example that came to mind was finding switch ports that
> haven't been used in however many days. CatOS has the "show port
> usage" command; I haven't found the IOS equivalent yet but IOS
> switches do have the ifLastChange mib variable.

you can use ifLastChange in IF-MIB, or you can use the 'last flapped' info from CLI.

e.g. if you did a:

switch# show interface | egrep '(^Eth|flapped)'
Ethernet1/1 is down (suspended)
  Last link flapped 3week(s) 5day(s)
Ethernet1/2 is down (suspended)
  Last link flapped 3week(s) 5day(s)
Ethernet1/5 is down (Link not connected)
  Last link flapped never
Ethernet1/6 is down (Link not connected)
  Last link flapped never

which i think will give you the equivalent of what you want (albeit perhaps not in a nice column display). it's foreseeable you could use sed/awk/tr to columnize it if you wish. (i've found an example of egrep / tr / sed below, just for giggles):

switch# show interface | egrep '(^Eth|flapped)' | tr '\n' '\t' | sed 's/Ether/\nEther/g'
Ethernet1/1 is down (suspended)                 Last link flapped 3week(s) 5day(s)
Ethernet1/2 is down (suspended)                 Last link flapped 3week(s) 5day(s)
Ethernet1/5 is down (Link not connected)        Last link flapped never
Ethernet1/6 is down (Link not connected)        Last link flapped never

the above assumes you're not disrupting the box (i.e. above stats won't survive across disruptive reloads), but since you can do code upgrades/downgrades nondisruptively with ISSU that shouldn't pose any issues.

>> its a bit heavyweight versus a flag, but assuming your script wanted
>> to do something intelligent based on said output, could be useful.
>
> Usually all I want to do is make sure everything's been saved before a
> scheduled power outage :)

another approach i've seen some people use is to automatically save a changed config after a period of time if it's not already saved. this can be accomplished off-box via scripts - or on-box via an event manager (EEM) applet.
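An added example (editor's code, not Lincoln's tr/sed pipeline), in Python: it parses the `egrep '(^Eth|flapped)'` output shown above into one row per interface and lists the down ports that have not flapped for a given number of days, or never, which is the unused-port review Lee is after and the kind of list one works through before shutting or reclaiming ports. The sample output is constructed to match the lines above, with one extra `up` port and an assumed `hh:mm:ss` form for a recent flap; function names are the editor's.

```python
"""Columnize NX-OS 'show interface' flap data and flag long-idle ports."""
import re

# Constructed sample shaped like the egrep output in the thread.
SAMPLE = """\
Ethernet1/1 is down (suspended)
  Last link flapped 3week(s) 5day(s)
Ethernet1/2 is down (suspended)
  Last link flapped 3week(s) 5day(s)
Ethernet1/3 is up
  Last link flapped 02:15:40
Ethernet1/5 is down (Link not connected)
  Last link flapped never
Ethernet1/6 is down (Link not connected)
  Last link flapped never
"""

IFACE_RE = re.compile(r"^(Ethernet\S+) is (up|down)(?: \((.*)\))?$")
FLAP_RE = re.compile(r"^\s*Last link flapped (.+)$")
UNIT_RE = re.compile(r"(\d+)(week|day|hour|minute|second)\(s\)")
HMS_RE = re.compile(r"^(\d+):(\d+):(\d+)$")      # assumed form for recent flaps
SECONDS = {"week": 7 * 86400, "day": 86400, "hour": 3600, "minute": 60, "second": 1}


def flap_age_seconds(text):
    """Turn a 'Last link flapped' value into seconds; None means 'never'."""
    text = text.strip()
    if text == "never":
        return None
    m = HMS_RE.match(text)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    parts = UNIT_RE.findall(text)
    if not parts:
        # Fail loudly rather than silently treating an unknown format as idle.
        raise ValueError(f"unrecognised flap age: {text!r}")
    return sum(int(n) * SECONDS[unit] for n, unit in parts)


def parse_interfaces(output):
    """Pair each interface line with the flap line that follows it."""
    rows, current = [], None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "state": m.group(2),
                       "reason": m.group(3) or "", "flap_age": None}
            rows.append(current)
            continue
        m = FLAP_RE.match(line)
        if m and current is not None:
            current["flap_age"] = flap_age_seconds(m.group(1))
    return rows


def stale_ports(output, min_days):
    """Down interfaces that last flapped at least min_days ago, or never."""
    cutoff = min_days * 86400
    return [r["name"] for r in parse_interfaces(output)
            if r["state"] == "down"
            and (r["flap_age"] is None or r["flap_age"] >= cutoff)]


def columnize(output):
    """One row per interface, the tidy layout the tr/sed pipeline aims for."""
    lines = []
    for r in parse_interfaces(output):
        age = "never" if r["flap_age"] is None else f"{r['flap_age'] // 86400}d"
        lines.append(f"{r['name']:<14}{r['state']:<6}{r['reason']:<22}{age}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(columnize(SAMPLE))
    print("idle >= 7 days:", stale_ports(SAMPLE, 7))
```

`stale_ports(SAMPLE, 30)` returns only the two ports that never linked up, since 3 weeks 5 days is 26 days; dropping the threshold to 7 days adds Ethernet1/1 and 1/2. As Lincoln notes, the counters reset on a disruptive reload, so an audit should be taken from a box that has been up longer than the threshold.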
doing automated 'config checkpoints' is also not a bad thing if this is a device getting a lot of config changes. you can do that off-box via scripts (e.g. RANCID) or on-box via checkpoint functionality which gives you rollbacks too.

cheers,

lincoln.

From cdry at staff.iinet.net.au Mon Aug 17 23:41:10 2009
From: cdry at staff.iinet.net.au (Cameron Dry)
Date: Tue, 18 Aug 2009 11:41:10 +0800
Subject: [c-nsp] OSM support for 1000BaseT
Message-ID: <100362309621454DAA534950B17E55DB011D717C0C70@isp-per-exc01.win2k.iinet.net.au>

Does anyone know if the OSM-2+4GE-WAN+ supports copper GBICs in the WAN ports - currently installed in a 7600 running 12.2SRC4.

Thanks
Cameron

From ibrahim.abozaid at gmail.com Tue Aug 18 03:24:02 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 18 Aug 2009 10:24:02 +0300
Subject: [c-nsp] ISIS Problem
In-Reply-To:
References:
Message-ID:

Hi All

R1 isn't setting the ATT bit in its LSP; it is like R1 forwards an L1 DEF route to all its L1 neighbors in the origination area (but it is not shown in R1's LSP). I connected R4 to R1 with an L2 ADJ between them and there is no DEF route!!

any explanation?
R1#sh isis database

IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000003   0xD80B        1161              0/0/0
R2.00-00              0x00000003   0xDE59        1165              1/0/0
R3.00-00              0x00000003   0xDF77        1165              1/0/0

R1#sh isis database R1.00-00 detail

IS-IS Level-1 LSP R1.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000007   0x2B0C        629               0/0/0
  Area Address: 49.0001
  NLPID:        0xCC
  Hostname: R1
  IP Address:   10.10.13.1
  Metric: 10         IP 10.10.12.0/24
  Metric: 10         IP 10.10.13.0/24
  Metric: 10         IS-Extended R3.00
  Metric: 10         IS-Extended R2.00

IS-IS Level-2 LSP R1.00-00
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000005   0x6E68        1199              0/0/0
  Area Address: 49.0001
  NLPID:        0xCC
  Hostname: R1
  IP Address:   10.10.13.1
  Metric: 10         IP 10.14.1.0/24
  Metric: 10         IS-Extended R4.01
  Metric: 10         IP 10.10.12.2/32
  Metric: 10         IP 10.10.12.0/24
  Metric: 10         IP 10.10.13.3/32
  Metric: 10         IP 10.10.13.0/24

R2#sh isis database

Area 2:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00            * 0x00000004   0x6D77        1156              0/0/0
R3.00-00              0x00000004   0x934E        1154              0/0/0

Area null:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00              0x00000003   0xD80B        1143              0/0/0
R2.00-00            * 0x00000003   0xDE59        1150              1/0/0
R3.00-00              0x00000003   0xDF77        1147              1/0/0

R3#sh isis database

Area 3:
IS-IS Level-2 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00              0x00000004   0x6D77        1137              0/0/0
R3.00-00            * 0x00000004   0x934E        1138              0/0/0

Area null:
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00              0x00000003   0xD80B        1125              0/0/0
R2.00-00              0x00000003   0xDE59        1129              1/0/0
R3.00-00            * 0x00000003   0xDF77        1132              1/0/0

On Tue, Aug 18, 2009 at 1:51 AM, BRYAN BARTIK wrote:

> Hello,
>
> Do a "show isis database" and you will see who is setting the ATT bit. R2
> and R3 are setting the ATT bits and these get flooded to R1 and then across
> to each other in L1.
> Probably looks like this:
>
> R1#sho isis database
>
> IS-IS Level-1 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00            * 0x00000003   0x5524        1173              0/0/0
> R2.00-00              0x00000003   0x7E42        1161              1/0/0
> R3.00-00              0x00000003   0xC8F2        1179              1/0/0
>
> -Bryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ibrahim Abo Zaid
> Sent: Monday, August 17, 2009 2:47 PM
> To: cisco_nsp; cisco at groupstudy.com
> Subject: [c-nsp] ISIS Problem
>
> Hi All
>
> I have a problem with the below ISIS topology. All ADJ of R1 are L1, and the
> interface between R2 and R3 is in A2 from R2's side and in A3 from R3's side,
> so R2 and R3 have an L2 ADJ between them. As expected both R2 and R3 send LSPs
> with the ATT bit set, so R1 has 2 L1 default routes pointing to both R2 and R3;
> the weird result is there is an L1 default on both R2 and R3 pointing to R1!!
> but R1 doesn't set the ATT bit in its LSP.
>
> do you have an explanation why R1 sends this default route? and how can we stop
> it?
>
> Topology
>
> R2--------L-1------------
> |                       |
> |                       |
> L2          A-1         R1
> |                       |
> |                       |
> R3---------L-1-----------
>
> Configuration
>
> R1
>
> !
> interface Serial1/0
>  description to R2
>  ip address 10.10.12.1 255.255.255.0
>  ip router isis
>  encapsulation ppp
> !
> interface Serial1/1
>  description to R3
>  ip address 10.10.13.1 255.255.255.0
>  ip router isis
>  encapsulation ppp
> !
> router isis
>  net 49.0001.0000.0000.0001.00
>  is-type level-1
>
>
> R2
>
> interface Serial1/0
>  description to R1
>  ip address 10.10.12.2 255.255.255.0
>  ip router isis
>  encapsulation ppp
> !
> interface Serial1/1
>  description to R3
>  ip address 10.10.23.2 255.255.255.0
>  ip router isis 2
>  encapsulation ppp
> !
> router isis 2
>  net 49.0002.0000.0000.0002.00
>  is-type level-2-only
> !
> router isis
>  net 49.0001.0000.0000.0002.00
>  is-type level-1
>
>
> R3
>
> interface Serial 1/0
>  description to R1
>  ip address 10.10.13.3 255.255.255.0
>  ip router isis
>  encapsulation ppp
> !
> interface Serial 1/1
>  description to R2
>  ip address 10.10.23.3 255.255.255.0
>  ip router isis 3
>  encapsulation ppp
> !
> router isis 3
>  net 49.0003.0000.0000.0003.00
>  is-type level-2-only
> !
> router isis
>  net 49.0001.0000.0000.0003.00
>  is-type level-1
>
>
> Logs
> -------
>
>
> R1#sh clns neighbors
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R2             Se1/0       *PPP*               Up     22        L1   IS-IS
> R3             Se1/1       *PPP*               Up     23        L1   IS-IS
>
>
> R2#sh clns neighbors
> Area 2:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R3             Se1/1       *PPP*               Up     28        L2   IS-IS
> Area null:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R1             Se1/0       *PPP*               Up     26        L1   IS-IS
>
>
> R3#sh clns neighbors
> Area 3:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R2             Se1/1       *PPP*               Up     22        L2   IS-IS
> Area null:
> System Id      Interface   SNPA                State  Holdtime  Type Protocol
> R1             Se1/0       *PPP*               Up     28        L1   IS-IS
>
> routing tables
> -----------------
>
> R1#sh ip route isis
> i*L1  0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
>                 [115/10] via 10.10.12.2, Serial1/0
>
> R2#sh ip route isis
> i L2  10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
> i L1  10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
> i*L1  0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0
>
>
> R3#sh ip route isis
> i L1  10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
> i L2  10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
> i*L1  0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0
>

From eng_mssk at hotmail.com Tue Aug 18 04:43:24 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 18 Aug 2009 11:43:24 +0300
Subject: [c-nsp] RIPE Subnets
Message-ID:

hey all

i heard that i can ask for subnets from another organization other than RIPE
can anyone help ?

Thanks

_________________________________________________________________
Show them the way! Add maps and directions to your party invites.
http://www.microsoft.com/windows/windowslive/products/events.aspx

From achatz at forthnet.gr Tue Aug 18 05:19:27 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 18 Aug 2009 12:19:27 +0300
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To:
References: <4A898D71.1050405@forthnet.gr>
Message-ID: <4A8A721F.9010103@forthnet.gr>

Arie,

I'm actually trying something strange in the lab, but i wanted to ask opinions before trying all the alternatives.

More specifically i want to transfer double-tagged traffic from multiple subifs of a local MUX-UNI interface to multiple remote physical interfaces, where the outer tag would be removed.

CPE <===> 3750 <===> 7600-1 <= MPLS-network => 7600-2 <===> CPE-x

Something like:

7600-1
------
int gi1/1
 desc conn to 3750
 switch mode trunk              ! these are single-tagged vlans following another path
int gi1/1.100
 enc dot 100                    ! this is double-tagged that needs to be tunneled
 xconnect x2.x2.x2.x2 y1
int g1/1.200
 enc dot 200                    ! this is double-tagged that needs to be tunneled
 xconnect x2.x2.x2.x2 y2

7600-2
------
int gi1/1
 desc conn to CPE-1
 xconnect x1.x1.x1.x1 y1
int gi1/2
 desc conn to CPE-2
 xconnect x1.x1.x1.x1 y2

So double-tagged traffic having an outer vlan of 100 would get transferred from 7600-1 gi1/1.100 to 7600-2 gi1/1, where it would/should have the outer vlan removed. It's actually like many L2 VPNs starting from one port on 7600-1 and ending at many ports (each one on its own) on 7600-2.

--
Tassos

Arie Vayner (avayner) wrote on 17/08/2009 21:57:
> Tasso,
>
> What are you trying to achieve?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos
> Chatzithomaoglou
> Sent: Monday, August 17, 2009 20:04
> To: cisco-nsp
> Subject: [c-nsp] EoMPLS between subinterface and physical interface
>
> I'm reading under EoMPLS Guidelines and Restrictions
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1109041
>
> ======================================
> For a particular EoMPLS connection, both the ingress EoMPLS interface on
> the ingress PE and the egress EoMPLS interface on the egress PE have to be
> subinterfaces with dot1Q encapsulation or neither is a subinterface.
> ======================================
>
> So, i guess in PFC-based EoMPLS you can't have a subinterface on one
> side (vlan mode) and a physical interface (port mode) on the other side.
>
> Besides using ES/SPA cards and scalable EoMPLS on both sides, is there
> another solution?
>
> What about scalable EoMPLS on one side and PFC-based EoMPLS (vlan or
> port mode) on the other? Has anyone tried it?
>
> --
> Tassos
>

From zivl at gilat.net Tue Aug 18 08:42:36 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 18 Aug 2009 15:42:36 +0300
Subject: [c-nsp] RIPE Subnets
In-Reply-To:
References:
Message-ID:

Quite off topic but it's OK ;-)
Yes, you can, but it depends on what geographical area you're located in. There are 5 RIRs all over the world; RIPE is one of them, and each one serves a big area of the globe.
You can read more here: http://en.wikipedia.org/wiki/Regional_Internet_registry

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, August 18, 2009 11:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] RIPE Subnets

hey all

i heard that i can ask for subnets from another organization other than RIPE
can anyone help ?

Thanks
From ibrahim.abozaid at gmail.com Tue Aug 18 09:24:47 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 18 Aug 2009 16:24:47 +0300
Subject: [c-nsp] ISIS Problem
In-Reply-To:
References:
Message-ID:

Hi all

To make it clearer, i don't have a problem with the default route on R1; i have a problem with the default route on R2 and R3.

best regards
--Ibrahim

On Tue, Aug 18, 2009 at 10:24 AM, Ibrahim Abo Zaid <ibrahim.abozaid at gmail.com> wrote:

> Hi All
>
> R1 isn't setting the ATT bit in its LSP; it is like R1 forwards an L1 DEF
> route to all its L1 neighbors in the origination area (but it is not
> shown in R1's LSP). I connected R4 to R1 with an L2 ADJ between them and there
> is no DEF route!!
>
> any explanation?
>
>
> R1#sh isis database
> IS-IS Level-1 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00            * 0x00000003   0xD80B        1161              0/0/0
> R2.00-00              0x00000003   0xDE59        1165              1/0/0
> R3.00-00              0x00000003   0xDF77        1165              1/0/0
>
> R1#sh isis database R1.00-00 detail
>
> IS-IS Level-1 LSP R1.00-00
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00            * 0x00000007   0x2B0C        629               0/0/0
>   Area Address: 49.0001
>   NLPID:        0xCC
>   Hostname: R1
>   IP Address:   10.10.13.1
>   Metric: 10         IP 10.10.12.0/24
>   Metric: 10         IP 10.10.13.0/24
>   Metric: 10         IS-Extended R3.00
>   Metric: 10         IS-Extended R2.00
>
> IS-IS Level-2 LSP R1.00-00
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00            * 0x00000005   0x6E68        1199              0/0/0
>   Area Address: 49.0001
>   NLPID:        0xCC
>   Hostname: R1
>   IP Address:   10.10.13.1
>   Metric: 10         IP 10.14.1.0/24
>   Metric: 10         IS-Extended R4.01
>   Metric: 10         IP 10.10.12.2/32
>   Metric: 10         IP 10.10.12.0/24
>   Metric: 10         IP 10.10.13.3/32
>   Metric: 10         IP 10.10.13.0/24
>
>
> R2#sh isis database
> Area 2:
> IS-IS Level-2 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R2.00-00            * 0x00000004   0x6D77        1156              0/0/0
> R3.00-00              0x00000004   0x934E        1154              0/0/0
> Area null:
> IS-IS Level-1 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00              0x00000003   0xD80B        1143              0/0/0
> R2.00-00            * 0x00000003   0xDE59        1150              1/0/0
> R3.00-00              0x00000003   0xDF77        1147              1/0/0
>
> R3#sh isis database
> Area 3:
> IS-IS Level-2 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R2.00-00              0x00000004   0x6D77        1137              0/0/0
> R3.00-00            * 0x00000004   0x934E        1138              0/0/0
> Area null:
> IS-IS Level-1 Link State Database:
> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
> R1.00-00              0x00000003   0xD80B        1125              0/0/0
> R2.00-00              0x00000003   0xDE59        1129              1/0/0
> R3.00-00            * 0x00000003   0xDF77        1132              1/0/0
>
> On Tue, Aug 18, 2009 at 1:51 AM, BRYAN BARTIK wrote:
>
>> Hello,
>>
>> Do a "show isis database" and you will see who is setting the ATT bit. R2
>> and R3 are setting the ATT bits and these get flooded to R1 and then across
>> to each other in L1. Probably looks like this:
>>
>> R1#sho isis database
>>
>> IS-IS Level-1 Link State Database:
>> LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
>> R1.00-00            * 0x00000003   0x5524        1173              0/0/0
>> R2.00-00              0x00000003   0x7E42        1161              1/0/0
>> R3.00-00              0x00000003   0xC8F2        1179              1/0/0
>>
>> -Bryan
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ibrahim Abo Zaid
>> Sent: Monday, August 17, 2009 2:47 PM
>> To: cisco_nsp; cisco at groupstudy.com
>> Subject: [c-nsp] ISIS Problem
>>
>> Hi All
>>
>> I have a problem with the below ISIS topology. All ADJ of R1 are L1, and the
>> interface between R2 and R3 is in A2 from R2's side and in A3 from R3's side,
>> so R2 and R3 have an L2 ADJ between them. As expected both R2 and R3 send LSPs
>> with the ATT bit set, so R1 has 2 L1 default routes pointing to both R2 and R3;
>> the weird result is there is an L1 default on both R2 and R3 pointing to R1!!
>> but R1 doesn't set the ATT bit in its LSP.
>>
>> do you have an explanation why R1 sends this default route? and how can we stop
>> it?
>>
>> Topology
>>
>> R2--------L-1------------
>> |                       |
>> |                       |
>> L2          A-1         R1
>> |                       |
>> |                       |
>> R3---------L-1-----------
>>
>> Configuration
>>
>> R1
>>
>> !
>> interface Serial1/0
>>  description to R2
>>  ip address 10.10.12.1 255.255.255.0
>>  ip router isis
>>  encapsulation ppp
>> !
>> interface Serial1/1
>>  description to R3
>>  ip address 10.10.13.1 255.255.255.0
>>  ip router isis
>>  encapsulation ppp
>> !
>> router isis
>>  net 49.0001.0000.0000.0001.00
>>  is-type level-1
>>
>>
>> R2
>>
>> interface Serial1/0
>>  description to R1
>>  ip address 10.10.12.2 255.255.255.0
>>  ip router isis
>>  encapsulation ppp
>> !
>> interface Serial1/1
>>  description to R3
>>  ip address 10.10.23.2 255.255.255.0
>>  ip router isis 2
>>  encapsulation ppp
>> !
>> router isis 2
>>  net 49.0002.0000.0000.0002.00
>>  is-type level-2-only
>> !
>> router isis
>>  net 49.0001.0000.0000.0002.00
>>  is-type level-1
>>
>>
>> R3
>>
>> interface Serial 1/0
>>  description to R1
>>  ip address 10.10.13.3 255.255.255.0
>>  ip router isis
>>  encapsulation ppp
>> !
>> interface Serial 1/1
>>  description to R2
>>  ip address 10.10.23.3 255.255.255.0
>>  ip router isis 3
>>  encapsulation ppp
>> !
>> router isis 3
>>  net 49.0003.0000.0000.0003.00
>>  is-type level-2-only
>> !
>> router isis
>>  net 49.0001.0000.0000.0003.00
>>  is-type level-1
>>
>>
>> Logs
>> -------
>>
>>
>> R1#sh clns neighbors
>> System Id      Interface   SNPA                State  Holdtime  Type Protocol
>> R2             Se1/0       *PPP*               Up     22        L1   IS-IS
>> R3             Se1/1       *PPP*               Up     23        L1   IS-IS
>>
>>
>> R2#sh clns neighbors
>> Area 2:
>> System Id      Interface   SNPA                State  Holdtime  Type Protocol
>> R3             Se1/1       *PPP*               Up     28        L2   IS-IS
>> Area null:
>> System Id      Interface   SNPA                State  Holdtime  Type Protocol
>> R1             Se1/0       *PPP*               Up     26        L1   IS-IS
>>
>>
>> R3#sh clns neighbors
>> Area 3:
>> System Id      Interface   SNPA                State  Holdtime  Type Protocol
>> R2             Se1/1       *PPP*               Up     22        L2   IS-IS
>> Area null:
>> System Id      Interface   SNPA                State  Holdtime  Type Protocol
>> R1             Se1/0       *PPP*               Up     28        L1   IS-IS
>>
>> routing tables
>> -----------------
>>
>> R1#sh ip route isis
>> i*L1  0.0.0.0/0 [115/10] via 10.10.13.3, Serial1/1
>>                 [115/10] via 10.10.12.2, Serial1/0
>>
>> R2#sh ip route isis
>> i L2  10.10.13.1/32 [115/20] via 10.10.23.3, Serial1/0
>> i L1  10.10.13.0/24 [115/20] via 10.10.12.1, Serial1/0
>> i*L1  0.0.0.0/0 [115/20] via 10.10.12.1, Serial1/0
>>
>>
>> R3#sh ip route isis
>> i L1  10.10.12.0/24 [115/20] via 10.10.13.1, Serial1/0
>> i L2  10.10.12.1/32 [115/20] via 10.10.23.2, Serial1/1
>> i*L1  0.0.0.0/0 [115/20] via 10.10.13.1, Serial1/0
>>
>

From markom at markom.info Tue Aug 18 09:32:36 2009
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 18 Aug 2009 13:32:36 +0000
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To: <4A8A721F.9010103@forthnet.gr>
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr>
Message-ID:

Have you tried to use native VLAN on 7600-1 for the subinterface?
Mind you, I'm not 100% sure if you can actually xconnect native VLAN, but you may give it a go...

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

On Tue, Aug 18, 2009 at 09:19, Tassos Chatzithomaoglou wrote:
> Arie,
>
> I'm actually trying something strange in the lab, but i wanted to ask
> opinions before trying all the alternatives.
>
> More specifically i want to transfer double tagged traffic from multiple
> subifs of a local MUX-UNI interface to multiple remote physical interfaces,
> where the outer tag would be removed.
>
> CPE <===> 3750 <===> 7600-1 <= MPLS-network => 7600-2 <===> CPE-x
>
>
> Something like:
>
> 7600-1
> ------
> int gi1/1
>  desc conn to 3750
>  switch mode trunk              ! these are single-tagged vlans following another path
> int gi1/1.100
>  enc dot 100                    ! this is double-tagged that needs to be tunneled
>  xconnect x2.x2.x2.x2 y1
> int g1/1.200
>  enc dot 200                    ! this is double-tagged that needs to be tunneled
>  xconnect x2.x2.x2.x2 y2
>
> 7600-2
> ------
> int gi1/1
>  desc conn to CPE-1
>  xconnect x1.x1.x1.x1 y1
> int gi1/2
>  desc conn to CPE-2
>  xconnect x1.x1.x1.x1 y2
>
> So double-tagged traffic having an outer vlan of 100, would get transferred
> from 7600-1 gi1/1.100 to 7600-2 gi1/1, where it would/should have the outer
> vlan removed. It's actually like many L2 VPNs starting from one port on
> 7600-1 and ending at many ports (each one on its own) on 7600-2.

From markom at markom.info Tue Aug 18 09:38:43 2009
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 18 Aug 2009 13:38:43 +0000
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To:
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr>
Message-ID:

On Tue, Aug 18, 2009 at 13:32, Marko Milivojevic wrote:
> Have you tried to use native VLAN on 7600-1 for the subinterface? Mind
> you, I'm not 100% sure if you can actually xconnect native VLAN, but
> you may give it a go...

Sorry, I meant to say on 7600-2.

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From ross at kallisti.us Tue Aug 18 09:48:28 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 18 Aug 2009 09:48:28 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To:
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com>
Message-ID: <20090818134828.GA26127@kallisti.us>

On Mon, Aug 17, 2009 at 01:15:13PM -0400, Lee wrote:
> Maybe that'll help push my "learn perl" todo item up a bit higher on
> my list :) But that's assuming netconf/xml makes expect scripts a bit
> less dependent on the exact formatting of the output. If upgrading
> the OS requires updating the xml definition in the script (eg. bump
> netconf:base:1.0 to netconf:base:1.1) .. well, seems like not such a
> big win.

Those namespaces are specified as versions of the netconf namespace, not as Cisco-specific namespaces. Those will change only for subsequent versions of the top-most, Netconf-defined tags.

Unfortunately, JUNOS does encode generating versions into namespaces, which sometimes gets hairy. From the samples posted, it looks like Cisco hasn't committed this particular atrocity.

Ross

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

From rodunn at cisco.com Tue Aug 18 10:31:28 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 18 Aug 2009 10:31:28 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4A89DAAA.10004@justinshore.com>
References: <4A841CC9.4090909@cisco.com> <4A8463E1.2030709@cisco.com> <4A8567B6.5080408@cisco.com> <4A89DAAA.10004@justinshore.com>
Message-ID: <4A8ABB40.50403@cisco.com>

This is the only other contact I have right now:

Oscar Bauer

Software Downloads (in general, as these are internal code names)
Software Delivery System (SDS)
FTP.cisco.com
Cisco View Planner
Resource Management Essentials (RME) Planner
IOS Upgrade Planner (retired in April)
Voice Notification Tool (retired Q4)

If there is one that isn't on the list you could email Oscar or Wilson and they could probably put you in contact with the right channel.

Rodney

Justin Shore wrote:
> Rodney,
>
> Do you think you might be able to gain the ear of someone responsible
> for the CSCC? I've had ongoing issues with it ever since it was
> introduced. I raised those concerns several times and they were never
> resolved. Now that SCC has been completely deleted and replaced with
> CSCC I have no way to work with my contracts. I tried to use it again
> today and it listed dozens upon dozens of devices that I don't own,
> never have. It also didn't list dozens upon dozens of devices that I do
> own and are under contract. Very flaky....
>
> Another great pair of ears to locate would be whomever is responsible
> for the DCT Dynamic Config Tool (DN) that lets you build device BoMs
> and the Feature Navigator (FN). I have feature requests for both and a
> sanity request for the DCT.
>
> Thanks
> Justin
>
>
>
> Rodney Dunn wrote:
>> Ok...the first list is this.
>>
>> Use Wilson Shiu (wshiu) as the contact for:
>>
>> Bitswapping Tool
>> Bug Tool Kit
>> Cisco Notification System
>> Command Lookup Tool
>> Error Message Decoder
>> File Exchange
>> IP Subnet Calculator
>> MYTECH Support
>> Output Interpreter
>> Product Alert Tool
>> SNMP Object Navigator
>> Special File Access
>> TAC Case Connection
>> TSRT
>> Voice Codec Bandwidth Calculator
>>
>> I'm getting the contact for the Software Center stuff and will report back.
>>
>> Rodney
>>
>>
>> Rodney Dunn wrote:
>>> I'm getting that for clarity. I'll respond back.
>>>
>>>
>>>
>>> Tony Varriale wrote:
>>>> Rodney,
>>>>
>>>> Do you have an official list of items/tools that feedback can be provided on? Or, should we ping Wilson?
>>>>
>>>> tv
>>>> ----- Original Message ----- From: "Rodney Dunn"
>>>> To:
>>>> Sent: Thursday, August 13, 2009 9:01 AM
>>>> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner,etc...
>>>>
>>>>
>>>>> I got involved through a few channels and encouraged the teams responsible for some of the Cisco.com Support tools to leverage this forum directly for feedback. They were very interested in the idea.
>>>>>
>>>>> Can those of you that care enough to give direct feedback based on the past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a few minutes and compose an email directly to:
>>>>>
>>>>> Wilson Shiu (wshiu)
>>>>>
>>>>> He is the point of contact for feedback.
>>>>>
>>>>> They are eager to listen so now is a good time to get involved.
>>>>>
>>>>> I encourage you guys to take advantage of this.
>>>>>
>>>>> Thanks
>>>>> Rodney
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From avayner at cisco.com Tue Aug 18 11:19:51 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 18 Aug 2009 17:19:51 +0200
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To: <4A8A721F.9010103@forthnet.gr>
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr>
Message-ID:

Well, you could use a loopback cable solution (not the prettiest solution around). So on 7600-2 you use a trunk port with multiple sub-ifs (like on 7600-1) but loop it back to a regular l2 trunk port. Then you just connect the CPEs to regular access ports on the VLANs.

What I am not sure is whether the 7600 would even allow you to put an access port on the same VLAN used on the sub-if. No quick way for me to test it right now.

Also, if it even works, you would be doing MAC learning on 7600-2, as the CPEs are attached to access ports...

The right solution for this kind of service would be to use ES20/ES40 and EVCs.
Arie

-----Original Message-----
From: Tassos Chatzithomaoglou [mailto:achatz at forthnet.gr]
Sent: Tuesday, August 18, 2009 12:19
To: Arie Vayner (avayner)
Cc: cisco-nsp
Subject: Re: [c-nsp] EoMPLS between subinterface and physical interface

Arie,

I'm actually trying something strange in the lab, but I wanted to ask opinions before trying all the alternatives. More specifically I want to transfer double tagged traffic from multiple subifs of a local MUX-UNI interface to multiple remote physical interfaces, where the outer tag would be removed.

CPE <===> 3750 <===> 7600-1 <= MPLS-network => 7600-2 <===> CPE-x

Something like:

7600-1
------
int gi1/1
 desc conn to 3750
 switch mode trunk
! these are single-tagged vlans following another path
int gi1/1.100
 enc dot 100
! this is double-tagged that needs to be tunneled
 xconnect x2.x2.x2.x2 y1
int g1/1.200
 enc dot 200
! this is double-tagged that needs to be tunneled
 xconnect x2.x2.x2.x2 y2

7600-2
------
int gi1/1
 desc conn to CPE-1
 xconnect x1.x1.x1.x1 y1
int gi1/2
 desc conn to CPE-2
 xconnect x1.x1.x1.x1 y2

So double-tagged traffic having an outer vlan of 100 would get transferred from 7600-1 gi1/1.100 to 7600-2 gi1/1, where it would/should have the outer vlan removed. It's actually like many L2 VPNs starting from one port on 7600-1 and ending at many ports (each one on its own) on 7600-2.

--
Tassos

Arie Vayner (avayner) wrote on 17/08/2009 21:57:
> Tasso,
>
> What are you trying to achieve?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
> Sent: Monday, August 17, 2009 20:04
> To: cisco-nsp
> Subject: [c-nsp] EoMPLS between subinterface and physical interface
>
> I'm reading under EoMPLS Guidelines and Restrictions
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1109041
>
> ======================================
> For a particular EoMPLS connection, both the ingress EoMPLS interface on the ingress PE and the egress EoMPLS interface on the egress PE have to be subinterfaces with dot1Q encapsulation or neither is a subinterface.
> ======================================
>
> So, I guess in PFC-based EoMPLS you can't have a subinterface on one side (vlan mode) and a physical interface (port mode) on the other side.
>
> Besides using ES/SPA cards and scalable EoMPLS on both sides, is there another solution?
>
> What about scalable EoMPLS on one side and PFC-based EoMPLS (vlan or port mode) on the other? Has anyone tried it?
>
> --
> Tassos
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From markom at markom.info Tue Aug 18 11:36:52 2009
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 18 Aug 2009 15:36:52 +0000
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To:
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr>
Message-ID:

> What I am not sure is whether the 7600 would even allow you to put an
> access port on the same VLAN used on the sub-if. No quick way for me to
> test it right now.

I can answer that... It won't allow it. This solution with LAN line cards would require VLAN mapping, which isn't pretty, at all.
--
Marko
CCIE #18427 (SP)
My network blog: http://cisco.markom.info/

From psirt at cisco.com Tue Aug 18 12:32:31 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Tue, 18 Aug 2009 16:32:31 -0000
Subject: [c-nsp] Cisco Security Advisory: Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability
Message-ID: <20090818.bgp@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability

Advisory ID: cisco-sa-20090818-bgp

http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Revision 1.0

For Public Release 2009 August 18 1500 UTC (GMT)

---------------------------------------------------------------------

Summary
=======

Cisco IOS XR will reset a Border Gateway Protocol (BGP) peering session when receiving a specific invalid BGP update.

The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update.

This is a different vulnerability from what was disclosed in the Cisco Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities" disclosed on 2009 July 29 1600 UTC at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml

Cisco is preparing to release a free software maintenance upgrade (SMU) that addresses this vulnerability. This advisory will be updated once the SMU is available.

A workaround that mitigates this vulnerability is available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Affected Products
=================

This vulnerability affects all Cisco IOS XR software devices after and including software release 3.4.0 configured with BGP routing.

Vulnerable Products
+------------------

To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".

The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:

RP/0/RP0/CPU0:CRS#show version
Tue Aug 18 14:25:17.407 AEST

Cisco IOS XR Software, Version 3.6.2[00]
Copyright (c) 2008 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],

CRS uptime is 4 weeks, 4 days, 1 minute
System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"

cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2

17 Packet over SONET/SDH network interface(s)
1 DWDM controller(s)
17 SONET/SDH Port controller(s)
8 TenGigabitEthernet/IEEE 802.3 interface(s)
2 Ethernet/IEEE 802.3 interface(s)
1019k bytes of non-volatile configuration memory.
38079M bytes of hard disk.
981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).

Configuration register on node 0/0/CPU0 is 0x102
Boot device on node 0/0/CPU0 is mem:

!--- output truncated

The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:

RP/0/0/CPU0:GSR#show version

Cisco IOS XR Software, Version 3.7.1[00]
Copyright (c) 2008 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
Copyright (c) 1994-2005 by cisco Systems, Inc.
GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm"

cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2

1 Cisco 12000 Series Performance Route Processor
1 Cisco 12000 Series - Multi-Service Blade Controller
1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
1 Cisco 12000 Series SPA Interface Processor-601/501/401
3 Ethernet/IEEE 802.3 interface(s)
1 SONET/SDH Port controller(s)
1 Packet over SONET/SDH network interface(s)
4 PLIM QoS controller(s)
8 FastEthernet/IEEE 802.3 interface(s)
1016k bytes of non-volatile configuration memory.
1000496k bytes of disk0: (Sector size 512 bytes).
65536k bytes of Flash internal SIMM (Sector size 256k).

Configuration register on node 0/0/CPU0 is 0x2102
Boot device on node 0/0/CPU0 is disk0:

!--- output truncated

Additional information about Cisco IOS XR software release naming conventions is available in the "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html#t6

Additional information about the Cisco IOS XR software time-based release model is available in the "White Paper: Guidelines for Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html

BGP is configured in Cisco IOS XR software with the configuration command router bgp [AS Number] or router bgp [X.Y]. The device is vulnerable if it is running an affected Cisco IOS XR version and has BGP configured.

The following example shows a Cisco IOS XR software device configured with BGP:

RP/0/0/CPU0:GSR#show running-config | begin router bgp
Building configuration...
router bgp 65535
 bgp router-id 192.168.0.1
 address-family ipv4 unicast
  network 192.168.1.1/32
 !
 address-family vpnv4 unicast
 !
 neighbor 192.168.2.1
  remote-as 65534
  update-source Loopback0
  address-family ipv4 unicast
  !
!--- output truncated

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco products are confirmed not vulnerable:

* Cisco IOS Software
* Cisco IOS XR Software prior to release 3.4.0
* Cisco IOS XR Software not configured for BGP routing

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

On August 17th, 2009, a widely-distributed Border Gateway Protocol (BGP) route update contained a BGP Update message with a specific invalid attribute. When the invalid BGP Update message was processed by Cisco IOS XR software, it began resetting the BGP peering sessions over which the update was received.

When receiving the invalid update, the receiving Cisco IOS XR software device will display a log message like the following example:

RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path

The peering session will flap until the sender stops sending the invalid/corrupt prefix.

This vulnerability is documented in Cisco Bug ID CSCtb42995 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2055.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

CSCtb42995 - Cisco IOS XR Software Border Gateway Protocol Vulnerability
+-----------------------------------------------------

CVSS Base Score - 4.3
  Access Vector - Network
  Access Complexity - Medium
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Partial

CVSS Temporal Score - 3.9
  Exploitability - Functional
  Remediation Level - Unavailable
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in BGP peering sessions continuously being reset. This may lead to routing inconsistencies and a denial of service for those affected networks.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
+---------------------------------------+
| Cisco IOS XR Version | SMU ID         |
|----------------------+----------------|
| 3.2.X                | Not Vulnerable |
|----------------------+----------------|
| 3.3.X                | Not vulnerable |
|----------------------+----------------|
| 3.4.0                | Pending        |
|----------------------+----------------|
| 3.4.1                | Pending        |
|----------------------+----------------|
| 3.4.2                | Pending        |
|----------------------+----------------|
| 3.4.3                | Pending        |
|----------------------+----------------|
| 3.5.2                | Pending        |
|----------------------+----------------|
| 3.5.3                | Pending        |
|----------------------+----------------|
| 3.5.4                | Pending        |
|----------------------+----------------|
| 3.6.0                | Pending        |
|----------------------+----------------|
| 3.6.1                | Pending        |
|----------------------+----------------|
| 3.6.2                | Pending        |
|----------------------+----------------|
| 3.6.3                | Pending        |
|----------------------+----------------|
| 3.7.0                | Pending        |
|----------------------+----------------|
| 3.7.1                | Pending        |
|----------------------+----------------|
| 3.7.2                | Pending        |
|----------------------+----------------|
| 3.7.3                | Pending        |
|----------------------+----------------|
| 3.8.0                | Pending        |
|----------------------+----------------|
| 3.8.1                | Pending        |
+---------------------------------------+

Workarounds
===========

There are no workarounds on the affected device itself. Co-ordination is required with the peering neighbor support staff to filter the invalid update on their outbound path.

The following procedure explains how to help mitigate this vulnerability:

Using the peer IP address in the log message that was generated when the Cisco IOS XR software device received the invalid update, capture the notification message hex dump from the CLI command show bgp neighbor and contact the Cisco TAC, who can assist with a decode. Details on how to contact the Cisco TAC are contained within the section "Obtaining Fixed Software" of this advisory.
The following example shows a log message generated when receiving the invalid update, and the details to be captured and sent to the Cisco TAC for decoding:

Log message generated when receiving the invalid update:

RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path

The information to capture for decoding by the Cisco TAC is the output from show bgp neighbors [ip address of neighbor from above log message]:

RP/0/RP0/CPU0:CRS#show bgp neighbors 192.168.0.1

Working with the Cisco TAC, the decode of the above will display the AS path in the manner illustrated below:

ATTRIBUTE NAME: AS_PATH
AS_PATH: Type 2 is AS_SEQUENCE
AS_PATH: Segment Length is 4 (0x04) segments long
AS_PATH: 65533 65532 65531 65531

Working cooperatively with your peering partner, request that they filter outbound prefix advertisements from the identified source AS (in this example 65531) for your peering session. The filter configuration methods will vary depending on the routing device operating system used. For Cisco IOS XR the filters will be applied using Routing Policy Language (RPL) policies, or with Cisco IOS software via applying route-maps that deny advertisements matching that AS in their AS-PATH. Once these policies are applied, the peering session will be re-established.

For further information on Cisco IOS XR RPL consult the document "Implementing Routing Policy on Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699

For further information on Cisco IOS route maps with BGP, consult the document "Cisco IOS BGP Configuration Guide, Release 12.4T" at the following link: http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/tbgp_c.html

Obtaining Fixed Software
========================

Cisco will be releasing free software updates that address this vulnerability.
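The outbound filter that the Workarounds section asks the peering partner to apply, written out for both platforms the advisory names (RPL on IOS XR, an as-path access-list plus route-map on IOS). This is an added example and not part of the advisory: 65531 is the advisory's example source AS, 65533 is taken as the partner's own AS because it is the leftmost AS in the example AS_PATH, and the neighbor address 192.0.2.1 and the policy names are placeholders.

```cisco
! Configured on the peering partner's router (AS 65533), on the session
! towards the affected IOS XR device. 192.0.2.1 is a placeholder for that
! device's address; the neighbor itself is assumed to exist already.

! ---- Cisco IOS XR: RPL policy attached outbound to the neighbor ----
route-policy DROP-AS65531-OUT
  ! Drop any prefix whose AS_PATH contains the identified source AS;
  ! everything else is passed through unchanged.
  if as-path in (ios-regex '_65531_') then
    drop
  else
    pass
  endif
end-policy
!
router bgp 65533
 neighbor 192.0.2.1
  address-family ipv4 unicast
   route-policy DROP-AS65531-OUT out
  !
 !
!

! ---- Cisco IOS: as-path access-list plus route-map, applied outbound ----
! Entry 10 matches paths containing 65531; the route-map denies those
! and the final permit sequence lets every other prefix through.
ip as-path access-list 10 deny _65531_
ip as-path access-list 10 permit .*
!
route-map DROP-AS65531-OUT deny 10
 match as-path 10
!
route-map DROP-AS65531-OUT permit 20
!
router bgp 65533
 neighbor 192.0.2.1 route-map DROP-AS65531-OUT out
```

Whether the filter is taking effect can be checked from the partner side with show bgp neighbors 192.0.2.1 advertised-routes on IOS XR, or show ip bgp neighbors 192.0.2.1 advertised-routes on IOS: no prefix listed there should carry 65531 in its path.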
Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

On August 17, 2009 around 16:30-17:00 UTC several ISPs began experiencing connectivity issues as BGP sessions were being repeatedly reset. Cisco TAC was engaged with a number of customers all seeing similar issues. Stability came a few hours afterward as workarounds were applied.

At this time, it is not believed that the connectivity issues were the result of malicious activity.

Status of this Notice: INTERIM
==============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+----------------+-------------------------+
| Revision 1.0 | 2009-August-18 | Initial public release. |
+--------------+----------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/go/psirt

---------------------------------------------------------------------

From gert at greenie.muc.de Tue Aug 18 12:38:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 18 Aug 2009 18:38:21 +0200
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To:
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr>
Message-ID: <20090818163821.GV2121@greenie.muc.de>

Hi,

On Tue, Aug 18, 2009 at 05:19:51PM +0200, Arie Vayner (avayner) wrote:
> What I am not sure is whether the 7600 would even allow you to put an
> access port on the same VLAN used on the sub-if. No quick way for me to
> test it right now.

Not with SX* software - VLAN space is global, and a VLAN can only be used either as "VLAN" stuff (switchport mode access, interface vlan X) or as subinterface stuff (encaps dot1q Y).

I'm reasonably sure that it won't work with SR* software either, as it is just the way this hardware works.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From avayner at cisco.com Tue Aug 18 13:06:18 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 18 Aug 2009 19:06:18 +0200
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To: <20090818163821.GV2121@greenie.muc.de>
References: <4A898D71.1050405@forthnet.gr> <4A8A721F.9010103@forthnet.gr> <20090818163821.GV2121@greenie.muc.de>
Message-ID:

This is true.
The only way to get rid of the global VLAN scope is by using SIP/ES modules (which require SR software).

Arie

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Tuesday, August 18, 2009 19:38
To: Arie Vayner (avayner)
Cc: Tassos Chatzithomaoglou; cisco-nsp
Subject: Re: [c-nsp] EoMPLS between subinterface and physical interface

Hi,

On Tue, Aug 18, 2009 at 05:19:51PM +0200, Arie Vayner (avayner) wrote:
> What I am not sure is whether the 7600 would even allow you to put an
> access port on the same VLAN used on the sub-if. No quick way for me
> to test it right now.

Not with SX* software - VLAN space is global, and a VLAN can only be used either as "VLAN" stuff (switchport mode access, interface vlan X) or as subinterface stuff (encaps dot1q Y).

I'm reasonably sure that it won't work with SR* software either, as it is just the way this hardware works.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From icox at cisco.com Tue Aug 18 14:05:05 2009
From: icox at cisco.com (Ian Cox)
Date: Tue, 18 Aug 2009 11:05:05 -0700
Subject: [c-nsp] OSM support for 1000BaseT
In-Reply-To: <100362309621454DAA534950B17E55DB011D717C0C70@isp-per-exc01.win2k.iinet.net.au>
References: <100362309621454DAA534950B17E55DB011D717C0C70@isp-per-exc01.win2k.iinet.net.au>
Message-ID: <4A8AED51.4090802@cisco.com>

Yes it is meant to be supported. It was supported in previous releases.

Ian

Cameron Dry wrote:
> Does anyone know if the OSM-2+4GE-WAN+ supports copper GBICs in the WAN ports - currently installed in a 7600 running 12.2SRC4.
>
> Thanks
>
> Cameron
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From justin at justinshore.com Tue Aug 18 14:12:57 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 18 Aug 2009 13:12:57 -0500
Subject: [c-nsp] Order of Operations for processing a packet (ingress and egress)
Message-ID: <4A8AEF29.4010901@justinshore.com>

Does anyone have any good links to an order of operations for what happens in what order on the assorted types of Cisco interfaces in both the ingress and egress directions?

I found one that touches on the QoS order of operations:

http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml

I'm interested in fairly detailed things like at what point does a vanilla IP packet go through the MPLS label imposition process (on ingress as it's received or egress onto an MPLS-enabled interface). Or at what point is a packet encapsulated on a GRE interface. I'm looking for a reference that talks about router ports, WAN & LAN ports on a Cat routing chassis like the 7600, basic LAN switchports on Cat switches, etc. I've never seen a doc that put it all together and I seldom come across docs that even talk about small portions of the order of operations. Any references would be much appreciated.

Thanks
Justin

From icox at cisco.com Tue Aug 18 15:15:54 2009
From: icox at cisco.com (Ian Cox)
Date: Tue, 18 Aug 2009 12:15:54 -0700
Subject: [c-nsp] Order of Operations for processing a packet (ingress and egress)
In-Reply-To: <4A8AEF29.4010901@justinshore.com>
References: <4A8AEF29.4010901@justinshore.com>
Message-ID: <4A8AFDEA.80502@cisco.com>

I don't believe there is a comprehensive one published on CCO besides the following document for the 7600.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

If we just consider LAN modules, then all encapsulation operations are done by the ingress PFC or DFC responsible for a particular module. The egress module just performs queuing for the packet. Now egress multicast replication is an exception to this.

WAN modules essentially behave the same as LAN ports, except they take an ethernet frame from the fabric and modify it to be ppp etc. The exception cases are when it comes to VPLS, Selective QinQ, ... where the WAN module actually does do the forwarding function.

If you ask your AM/SE you should be able to arrange a presentation on how all forwarding works, since all the detailed presentations I know of are under NDA.

Ian

Justin Shore wrote:
> Does anyone have any good links to an order of operations for what happens in what order on the assorted types of Cisco interfaces in both the ingress and egress directions?
>
> I found one that touches on the QoS order of operations:
>
> http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml
>
>
> I'm interested in fairly detailed things like at what point does a vanilla IP packet go through the MPLS label imposition process (on ingress as it's received or egress onto an MPLS-enabled interface). Or at what point is a packet encapsulated on a GRE interface. I'm looking for a reference that talks about router ports, WAN & LAN ports on a Cat routing chassis like the 7600, basic LAN switchports on Cat switches, etc. I've never seen a doc that put it all together and I seldom come across docs that even talk about small portions of the order of operations. Any references would be much appreciated.
>
> Thanks
> Justin
>
>

From William.Murphy at uth.tmc.edu Tue Aug 18 17:43:30 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Tue, 18 Aug 2009 16:43:30 -0500
Subject: [c-nsp] Arp Inspection Rate Limit

On access layer ports in our environment 15pps works well. Very rarely we have some weird print server or some device that bursts above that, but we never have had to go above 30pps on an access port. Since we limit on the edge ports we don't put a limit on the trunks...

Bill M

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of NMaio at guesswho.com
Sent: Monday, August 17, 2009 2:06 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Arp Inspection Rate Limit

Just a quick question. Taking into account that everyone's network is different and to find the best limit you need to study a trace... does anyone use a rule of thumb for configuring the rate limit for arp inspection. Does anyone find the default 15 pps too low on ports other than etherchannels and trunks?

Thanks,
Nick

From kgraham at industrial-marshmallow.com Tue Aug 18 17:04:31 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 18 Aug 2009 14:04:31 -0700 (PDT)
Subject: [c-nsp] Sup720 hang while writing SP crashinfo?
Message-ID: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com>

We had a Sup720B (non-redundant, running modular SXI) crash, due to what looks like a CPU_MONITOR watchdog event. What was nasty though was that rather than reload, it hung (dead and unresponsive console) and required a power cycle.

The RP crashinfo made it out fine, however SP crashinfo was incomplete. Looking at that, it's due to sup-bootflash running out of space (1 byte left w/ an incomplete/inaccessible crashinfo).

Unfounded speculation is that the "hung" state was due to system pounding away trying to finish writing crashinfo to a full filesystem.

Is that hypothesis at all reasonable, or is there something else that should be explored?

From eninja at gmail.com Tue Aug 18 19:00:18 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 19 Aug 2009 01:00:18 +0200
Subject: [c-nsp] Sup720 hang while writing SP crashinfo?
In-Reply-To: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com>
References: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com>

There are multiple causes of crashes and several causes of system 'hang' (high CPU, memory depletion, etc) and both should be investigated independently.

Do you have any syslogs from a few minutes before the crash? If yes send over along with RP crashinfo, whatever was captured from SP and console logs.

-Eninja

On Aug 18, 2009, at 11:04 PM, Kevin Graham wrote:

> We had a Sup720B (non-redundant, running modular SXI) crash, due to
> what looks like a CPU_MONITOR watchdog event. What was nasty though
> was that rather than reload, it hung (dead and unresponsive console) and
> required a power cycle.
>
> The RP crashinfo made it out fine, however SP crashinfo was
> incomplete. Looking at that, it's due to sup-bootflash running out of
> space (1 byte left w/ an incomplete/inaccessible crashinfo).
>
> Unfounded speculation is that the "hung" state was due to system
> pounding away trying to finish writing crashinfo to a full filesystem.
>
> Is that hypothesis at all reasonable, or is there something else
> that should be explored?
>

From graham at g-rock.net Tue Aug 18 18:54:14 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 17:54:14 -0500
Subject: [c-nsp] Traffic shaping on a Sup32
In-Reply-To: <20090814120038.GW29143@greenie.muc.de>

Hi there,

I need to implement some traffic shaping on some SVI VLAN interfaces (a customer either with 1 server or 10 servers) on a 6509/Sup32. Running IOS is advipservicesk9_wan-mz.122-33.SXI1.

I have currently setup some policy-maps that do some policing, which are fed by class-maps with match any.

Seems like "service-policy output ..." works, but input doesn't. What is the best way to handle both ingress/egress traffic shaping? Do I need to input on the fastEthernet linecard?

Thanks for any assistance or guidance.
-graham

From graham at g-rock.net Tue Aug 18 18:47:48 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 17:47:48 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <20090814120038.GW29143@greenie.muc.de>

Update: I could not keep the link up on the Sup32. Even hardcoding the MAC addresses, traffic would flat stop at random times. However, it's been up for 4 days now on a Sup2. Specific interface/vlan config is exactly the same. Only differences are the Sups, IOS, and linecard.

So, does anyone know what could be the issue? I really don't want them to be hanging off of this aging hardware...
Works: 6509 - Sup2 - s222-adventerprisek9_wan-mz.122-18.SXF15a.bin - WS-X6248-RJ-45

Doesn't: 6509 - Sup32 - s3223-advipservicesk9_wan-mz.122-33.SXI1.bin - WS-X6348-RJ-45

On 8/14/09 7:00 AM, "Gert Doering" wrote:

> Hi,
>
> On Fri, Aug 14, 2009 at 06:57:08AM -0500, Graham Wooden wrote:
>> Agreed on the ip proxy-arp, but if it makes the link work for the time being
>> ...
>
> This would be VERY surprising - "ip proxy-arp" makes a difference only
> if one of the devices sends ARP requests for IP addresses that are
> off-link (specifically: that the router with "ip proxy-arp" knows to be
> off-link and has a route for it).
>
> Your routers on both sides shouldn't do any ARPing for off-link addresses
> unless one of them has a static route pointing to the ethernet itself
> ("ip route 0.0.0.0 0.0.0.0 ethernet0" is a quite typical example).
>
> dot1q-tagging the management interface sounds like a good plan, though :)
>
> gert

From NMaio at guesswho.com Tue Aug 18 19:52:03 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Tue, 18 Aug 2009 19:52:03 -0400
Subject: [c-nsp] Arp Inspection Rate Limit

William,

Thanks for the response. Funny you mention the print server because that happens to be one device port I need to tweak since it occasionally exceeds the 15 pps.

Thanks again,
Nick

-----Original Message-----
From: Murphy, William [mailto:William.Murphy at uth.tmc.edu]
Sent: Tuesday, August 18, 2009 5:44 PM
To: Nicholas Maio; cisco-nsp at puck.nether.net
Subject: RE: Arp Inspection Rate Limit

On access layer ports in our environment 15pps works well. Very rarely we have some weird print server or some device that bursts above that, but we never have had to go above 30pps on an access port. Since we limit on the edge ports we don't put a limit on the trunks...
Bill M

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of NMaio at guesswho.com
Sent: Monday, August 17, 2009 2:06 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Arp Inspection Rate Limit

Just a quick question. Taking into account that everyone's network is different and to find the best limit you need to study a trace... does anyone use a rule of thumb for configuring the rate limit for arp inspection. Does anyone find the default 15 pps too low on ports other than etherchannels and trunks?

Thanks,
Nick

From ltd at cisco.com Tue Aug 18 19:58:16 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 19 Aug 2009 09:58:16 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <20090818134828.GA26127@kallisti.us>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> <3EC4755B-6190-4E73-8D91-7E11E3AA3F5A@cisco.com> <20090818134828.GA26127@kallisti.us>
Message-ID: <60DAB0E3-C91B-417F-85BC-32E5D65D68D2@cisco.com>

On 18/08/2009, at 11:48 PM, Ross Vandegrift wrote:

> Those namespaces are specified as versions of the netconf namespace,
> not as Cisco-specific namespaces. Those will change only for
> subsequent versions of the top-most, Netconf-defined tags.
> Unfortunately, JUNOS does encode generating versions into namespaces,
> which sometimes gets hairy. From the samples posted, it looks like
> Cisco hasn't committed this particular atrocity.

technically, you are meant to validate all input and ensure the correct namespace.
on NX-OS at least, we figured that was counterproductive, so by default don't validate the namespace and perhaps burn some CPU cycles to allow any namespace.

if you wish strict interpretation with NX-OS, you can configure it with "xml server validate" in the switch config. it's off by default.

cheers,

lincoln.

From rodunn at cisco.com Tue Aug 18 22:16:30 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 18 Aug 2009 22:16:30 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
Message-ID: <4A8B607E.7080304@cisco.com>

You need to get more data when it's failing for anyone to help.

sh ip arp
sh adj detail
sh mls cef

as starters.

Graham Wooden wrote:
> Update: I could not keep the link up on the Sup32. Even hardcoding the MAC
> addresses, traffic would flat stop at random times. However, it's been up
> for 4 days now on a Sup2. Specific interface/vlan config is exactly the
> same. Only differences are the Sups, IOS, and linecard.
>
> So, does anyone know what could be the issue? I really don't want them to be
> hanging off of this aging hardware...
>
> Works: 6509 - Sup2 - s222-adventerprisek9_wan-mz.122-18.SXF15a.bin -
> WS-X6248-RJ-45
>
> Doesn't: 6509 - Sup32 - s3223-advipservicesk9_wan-mz.122-33.SXI1.bin -
> WS-X6348-RJ-45
>
> On 8/14/09 7:00 AM, "Gert Doering" wrote:
>
>> Hi,
>>
>> On Fri, Aug 14, 2009 at 06:57:08AM -0500, Graham Wooden wrote:
>>> Agreed on the ip proxy-arp, but if it makes the link work for the time being
>>> ...
>> This would be VERY surprising - "ip proxy-arp" makes a difference only
>> if one of the devices sends ARP requests for IP addresses that are
>> off-link (specifically: that the router with "ip proxy-arp" knows to be
>> off-link and has a route for it).
>>
>> Your routers on both sides shouldn't do any ARPing for off-link addresses
>> unless one of them has a static route pointing to the ethernet itself
>> ("ip route 0.0.0.0 0.0.0.0 ethernet0" is a quite typical example).
>>
>> dot1q-tagging the management interface sounds like a good plan, though :)
>>
>> gert
>

From graham at g-rock.net Tue Aug 18 22:09:38 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 21:09:38 -0500
Subject: [c-nsp] Traffic shaping on a Sup32

Ah-ha! I found the solution to my first inquiry - traffic shaping on SVIs. Apparently the key was "mls qos vlan-based" on the actual LAN interface. Now it's adhering both input and output. I'll see if I can tweak to fit a dot1q subint.

On 8/18/09 8:52 PM, "Graham Wooden" wrote:

> Oh, the fun. I am not making much headway with this. After reading the Qos on
> the PFC, I am even more lost. I can't seem to do any traffic shaping within
> the map. I can't do the police cir, bandwidth percentage, etc.
> Does anyone have any good working examples?
>
>
> class-map match-any VOIP
>   match access-group 100
> !
> policy-map EdgeMap
>   class VOIP
>     police cir percent 25
>       conform-action transmit
>   class class-default
>     police cir percent 75
>       conform-action transmit
>       exceed-action drop
> !
> access-list 100 permit udp any any gt 10000
> access-list 100 permit udp any any lt 20000
> access-list 100 permit udp any any gt 4000
> access-list 100 permit udp any any lt 6000
>
> interface FastEthernet3/1.284
>  bandwidth 20000
>  encapsulation dot1Q 284
>  ip address nn.nn.nn.nn 255.255.255.252
> end
>
>
> edge01#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
>
> edge01(config)#interface fastEthernet 3/1.284
> edge01(config-subif)#service-policy input EdgeMap
> police percent command is not supported in input direction for this interface
> Configuration failed!
>
> edge01(config-subif)#service-policy output EdgeMap
> police percent command is not supported in output direction for this interface
> Configuration failed!
> edge01(config-subif)#
>
>
>
> On 8/18/09 5:54 PM, "Graham Wooden" wrote:
>
>> Hi there,
>>
>> I need to implement some traffic shaping on some SVI VLAN interfaces (a
>> customer either with 1 server or 10 servers) on a 6509/Sup32.
>> Running IOS is advipservicesk9_wan-mz.122-33.SXI1.
>>
>> I have currently setup some policy-maps that do some policing, which are
>> fed by class-maps with match any.
>>
>> Seems like "service-policy output ..." works, but input doesn't.
>> What is the best way to handle both ingress/egress traffic shaping?
>> Do I need to input on the fastEthernet linecard?
>>
>> Thanks for any assistance or guidance.
>> -graham
>>
>>

From graham at g-rock.net Tue Aug 18 22:40:38 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 21:40:38 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <4A8B607E.7080304@cisco.com>

Hi Rodney,

When the last outage occurred, I did a quick assessment of the output of those two commands and reviewed it with output while it was working - and nothing stuck out wrong or incorrect. I, however, didn't do the sh mls cef. In a haste effort to get this particular customer up, I moved them back over to the older box and didn't save my vi buffers. I will have to setup a test link, as I can't have this PtP go down again.

I was more/less looking for any input on any known difference between these two setups.

Thanks,
-graham

On 8/18/09 9:16 PM, "Rodney Dunn" wrote:

> You need to get more data when it's failing for anyone to help.
>
> sh ip arp
> sh adj detail
> sh mls cef
>
> as starters.
>
>
>
> Graham Wooden wrote:
>> Update: I could not keep the link up on the Sup32. Even hardcoding the MAC
>> addresses, traffic would flat stop at random times.
>> However, it's been up
>> for 4 days now on a Sup2. Specific interface/vlan config is exactly the
>> same. Only differences are the Sups, IOS, and linecard.
>>
>> So, does anyone know what could be the issue? I really don't want them to be
>> hanging off of this aging hardware...
>>
>> Works: 6509 - Sup2 - s222-adventerprisek9_wan-mz.122-18.SXF15a.bin -
>> WS-X6248-RJ-45
>>
>> Doesn't: 6509 - Sup32 - s3223-advipservicesk9_wan-mz.122-33.SXI1.bin -
>> WS-X6348-RJ-45
>>
>> On 8/14/09 7:00 AM, "Gert Doering" wrote:
>>
>>> Hi,
>>>
>>> On Fri, Aug 14, 2009 at 06:57:08AM -0500, Graham Wooden wrote:
>>>> Agreed on the ip proxy-arp, but if it makes the link work for the time
>>>> being
>>>> ...
>>> This would be VERY surprising - "ip proxy-arp" makes a difference only
>>> if one of the devices sends ARP requests for IP addresses that are
>>> off-link (specifically: that the router with "ip proxy-arp" knows to be
>>> off-link and has a route for it).
>>>
>>> Your routers on both sides shouldn't do any ARPing for off-link addresses
>>> unless one of them has a static route pointing to the ethernet itself
>>> ("ip route 0.0.0.0 0.0.0.0 ethernet0" is a quite typical example).
>>>
>>> dot1q-tagging the management interface sounds like a good plan, though :)
>>>
>>> gert
>>

From graham at g-rock.net Tue Aug 18 21:52:08 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 20:52:08 -0500
Subject: [c-nsp] Traffic shaping on a Sup32

Oh, the fun. I am not making much headway with this. After reading the Qos on the PFC, I am even more lost. I can't seem to do any traffic shaping within the map. I can't do the police cir, bandwidth percentage, etc.
Does anyone have any good working examples?

class-map match-any VOIP
  match access-group 100
!
policy-map EdgeMap
  class VOIP
    police cir percent 25
      conform-action transmit
  class class-default
    police cir percent 75
      conform-action transmit
      exceed-action drop
!
access-list 100 permit udp any any gt 10000
access-list 100 permit udp any any lt 20000
access-list 100 permit udp any any gt 4000
access-list 100 permit udp any any lt 6000

interface FastEthernet3/1.284
 bandwidth 20000
 encapsulation dot1Q 284
 ip address nn.nn.nn.nn 255.255.255.252
end

edge01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

edge01(config)#interface fastEthernet 3/1.284
edge01(config-subif)#service-policy input EdgeMap
police percent command is not supported in input direction for this interface
Configuration failed!

edge01(config-subif)#service-policy output EdgeMap
police percent command is not supported in output direction for this interface
Configuration failed!

edge01(config-subif)#

On 8/18/09 5:54 PM, "Graham Wooden" wrote:

> Hi there,
>
> I need to implement some traffic shaping on some SVI VLAN interfaces (a
> customer either with 1 server or 10 servers) on a 6509/Sup32.
> Running IOS is advipservicesk9_wan-mz.122-33.SXI1.
>
> I have currently setup some policy-maps that do some policing, which are
> fed by class-maps with match any.
>
> Seems like "service-policy output ..." works, but input doesn't.
> What is the best way to handle both ingress/egress traffic shaping?
> Do I need to input on the fastEthernet linecard?
>
> Thanks for any assistance or guidance.
> -graham
>
>

From swmike at swm.pp.se Tue Aug 18 23:08:38 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 19 Aug 2009 05:08:38 +0200 (CEST)
Subject: [c-nsp] Traffic shaping on a Sup32

On Tue, 18 Aug 2009, Graham Wooden wrote:

> Oh, the fun. I am not making much headway with this. After reading the Qos
> on the PFC, I am even more lost. I can't seem to do any traffic shaping
> within the map.
> I can't do the police cir, bandwidth percentage, etc.
> Does anyone have any good working examples?

You can't do shaping (delaying packets) with LAN cards, you can only police. Bandwidth command under interface doesn't affect anything that has to do with forwarding of packets.

So basically, all policing you want to do, you need to do with absolute values and not percent.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From graham at g-rock.net Tue Aug 18 23:48:45 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 18 Aug 2009 22:48:45 -0500
Subject: [c-nsp] Traffic shaping on a Sup32

Thanks Mikael - that did the trick. By hardcoding the bit rate on the police I am now able to sort out my specified traffic into my different rate patterns.

-graham

On 8/18/09 10:08 PM, "Mikael Abrahamsson" wrote:

> On Tue, 18 Aug 2009, Graham Wooden wrote:
>
>> Oh, the fun. I am not making much headway with this. After reading the Qos
>> on the PFC, I am even more lost. I can't seem to do any traffic shaping
>> within the map. I can't do the police cir, bandwidth percentage, etc.
>> Does anyone have any good working examples?
>
> You can't do shaping (delaying packets) with LAN cards, you can only
> police. Bandwidth command under interface doesn't affect anything that has
> to do with forwarding of packets.
>
> So basically, all policing you want to do, you need to do with absolute
> values and not percent.

From kgraham at industrial-marshmallow.com Tue Aug 18 23:33:47 2009
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 18 Aug 2009 20:33:47 -0700 (PDT)
Subject: [c-nsp] Sup720 hang while writing SP crashinfo?
References: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com>
Message-ID: <538216.56886.qm@web1204.biz.mail.gq1.yahoo.com>

> There are multiple causes of crashes and several causes of system 'hang' (high
> CPU, memory depletion, etc) and both should be investigated independently.
Yes, crash itself didn't seem particularly interesting, but am pursuing that w/ TAC. It looked like it was a "good and orderly" reset, which is why the failure to complete the reboot (combined w/ incomplete SP crashinfo and full sup-bootflash) were curious.

> Do you have any syslogs from a few minutes before the crash? If yes send over
> along with RP crashinfo, whatever was captured from SP and console logs.

Only what was captured in RP crashinfo (sparing the list the rest of the spam, but symptoms were consistent w/ very high RP cpu. Starting w/ HSRP state flaps, drop of OSPF adjacencies). The last gasps were:

094893: Aug 18 10:53:19.694 PDT: icc_send_request_internal: ipc_send_rpc_blocked failed, result 6 : ios-base : (PID=16407, TID=21) : -Traceback=(s72033_rp-ipservicesk9-6-dso-b.so+0x164B40) ([33:0]+0x164DAC) ([33:0]+0x165320) ([23:-9]3+0x316100) ([33:0]+0x306158) ([23:-9]1+0x2B81A8) ([33:0]+0x2FBFF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
094894: Aug 18 10:53:25.910 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 120 seconds [6/0]
094895: Aug 18 10:53:55.990 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 150 seconds [6/0]
094896: Aug 18 10:54:26.049 PDT: %CPU_MONITOR-3-TIMED_OUT: CPU_MONITOR messages have failed, resetting system [6/0]
Crashdump : 17:54:26.944 Tue Aug 18 2009 : ios-base : (PID=16407, TID=1) : -Traceback=(s72033_rp-ipservicesk9-9-dso-b.so+0x2E46C8) ([33:0]+0x3577B4) ([33:0]+0x359CF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
crashdump called (with pause = 0 sec)
%ALIGN-1-FATAL: Illegal access to a low address
10:54:26 PDT Tue Aug 18 2009
addr=0x0, pc=0x74C7D940, ra=0x74C7D86C, sp=0x389EBC8

> On Aug 18, 2009, at 11:04 PM, Kevin Graham
> wrote:
>
> > We had a Sup720B (non-redundant, running modular SXI) crash, due to what looks
> > like a CPU_MONITOR watchdog event.
> > What was nasty though was that
> > rather than reload, it hung (dead and unresponsive console) and required a
> > power cycle.
> >
> > The RP crashinfo made it out fine, however SP crashinfo was incomplete.
> > Looking
> > at that, it's due to sup-bootflash running out of space (1 byte left w/ an
> > incomplete/inaccessible crashinfo).
> >
> > Unfounded speculation is that the "hung" state was due to system pounding away
> > trying to finish writing crashinfo to a full filesystem.
> >
> > Is that hypothesis at all reasonable, or is there something else that should
> > be
> > explored?
> >

From nadengine at googlemail.com Wed Aug 19 00:48:50 2009
From: nadengine at googlemail.com (shadow floating)
Date: Wed, 19 Aug 2009 07:48:50 +0300
Subject: [c-nsp] Management Vlan VS Vlan1
Message-ID: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>

Hi All,

I just have a question. As we know, Cisco preserves VLAN 1 for management issues and the protocols network management needs, like CDP, VTP and the like, and all access from other VLANs to this VLAN should be restricted except from the management VLAN. As for our network, we are implementing a new management VLAN on a VLAN id other than 1 according to some consultant's advice. My question is: is there any benefit of migrating the management (all managing and managed devices) to another VLAN other than VLAN 1?? Won't we in this case have to protect two VLANs (VLAN 1 and the new management VLAN)? Or is there a real benefit in the migration of the management VLAN, as to my knowledge VLAN 1 cannot be disabled or even pruned on trunk links?
appreciating your comments
thanks a lot
Nad

From sethm at rollernet.us Wed Aug 19 03:02:55 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 19 Aug 2009 00:02:55 -0700
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>
Message-ID: <4A8BA39F.9040304@rollernet.us>

shadow floating wrote:
> Hi All,
> I just have a question. As we know, Cisco preserves VLAN 1 for
> management issues and the protocols network management needs, like CDP,
> VTP and the like, and all access from other VLANs to this VLAN should
> be restricted except from the management VLAN. As for our network, we
> are implementing a new management VLAN on a VLAN id other than 1
> according to some consultant's advice. My question is: is there any
> benefit of migrating the management (all managing and managed devices)
> to another VLAN other than VLAN 1?? Won't we in this case have to
> protect two VLANs (VLAN 1 and the new management VLAN)? Or is there
> a real benefit in the migration of the management VLAN, as to my
> knowledge VLAN 1 cannot be disabled or even pruned on trunk links?
>
> appreciating your comments
> thanks a lot
>

I don't use VLAN 1 at all anywhere. Except for the disabled ports.

~Seth

From almog.purepeak at gmail.com Wed Aug 19 04:13:52 2009
From: almog.purepeak at gmail.com (almog ohayon)
Date: Wed, 19 Aug 2009 11:13:52 +0300
Subject: [c-nsp] Cisco 3560 SVI SNMP
Message-ID: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com>

Hello Everyone,

Does anyone know if there is an option to get statistics from Cisco 3560 Interface Vlan? I need throughput statistics from my interface vlans and I only get physical interface statistics. If anyone can help...
Thanks
-- 
Almog

From daniel at bit.nl Wed Aug 19 04:19:18 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 19 Aug 2009 10:19:18 +0200
Subject: [c-nsp] per interface ARP policing (6500)
Message-ID: <1250669958.12119.7.camel@daniel.office.bit.nl>

Hi,

my google-fu is not much of help on this one:

6509VE(config)#mls qos protocol arp police 32k
This overrides the per interface ARP policing

Does anyone know where to find the default settings for this "per interface ARP policer"? And are these sufficient to protect against ARP attacks?

"sh mls qos arp" doesn't provide much insight either and I'm unable to find any references for it on cisco.com as well.

This is a 6500 with Sup32 on SXI2 btw.

--Daniel.

From gert at greenie.muc.de Wed Aug 19 04:32:45 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 19 Aug 2009 10:32:45 +0200
Subject: [c-nsp] Cisco 3560 SVI SNMP
In-Reply-To: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com>
References: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com>
Message-ID: <20090819083245.GY2121@greenie.muc.de>

Hi,

On Wed, Aug 19, 2009 at 11:13:52AM +0300, almog ohayon wrote:
> Hello Everyone, Does anyone know if there is an option to get statistics from
> Cisco 3560 Interface Vlan?

Yes - and the answer is "no".

3560 / 3750s are not able to do proper counting on VLAN interfaces. Packets seen by the CPU are counted, packets moved by the hardware are not.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From baimoung at inet.co.th Wed Aug 19 05:27:25 2009
From: baimoung at inet.co.th (Charuntorn Baimoung)
Date: Wed, 19 Aug 2009 16:27:25 +0700 (ICT)
Subject: [c-nsp] RSPAN + VACL Redirect

Hi Everyone,

I would like to know if this config works properly on a 6500, same box.

Configure the Source VLANs or Ports
monitor session 1 source int giga9/1 , giga8/1 , giga8/2 , giga8/3 , giga8/4 rx
monitor session 1 destination remote vlan 300

Configure the Destination Monitoring Interfaces
monitor session 2 destination interface gi74-5
monitor session 2 source remote vlan 300

Configure an ACL for Each Traffic Type to be Monitored
ip access-list extended web-traffic
 permit tcp 10.20.5.0 0.0.0.255 10.20.10.0 0.0.0.255 eq 80
 permit tcp 10.20.10.0 0.0.0.255 eq 80 10.20.5.0 0.0.0.255
ip access-list extended telnet-traffic
 permit tcp 10.20.5.0 0.0.0.255 10.20.10.0 0.0.0.255 eq 23
 permit tcp 10.20.10.0 0.0.0.255 eq 23 10.20.5.0 0.0.0.255

Map Each ACL to a Monitoring Port with the Access-Map
vlan access-map analyzerfilter 10
 match ip address web-traffic
 action redirect GigabitEthernet7/4
vlan access-map analyzerfilter 20
 match ip address telnet-traffic
 action redirect Gi7/5

Apply the Access-Map to the RSPAN VLAN with the VLAN filter
vlan filter analyzerfilter vlan-list 300

Assign external monitoring ports to the RSPAN VLAN
interface GigabitEthernet7/4
 switchport access vlan 300
 switchport mode access
interface GigabitEthernet7/5
 switchport access vlan 300
 switchport mode access

Thanks,
Charuntorn

From alex at digriz.org.uk Wed Aug 19 05:59:29 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 19 Aug 2009 10:59:29 +0100
Subject: [c-nsp] Arp Inspection Rate Limit
Message-ID: <11vsl6-6me.ln1@chipmunk.wormnet.eu>

Hi,

NMaio at guesswho.com wrote:
>
> Thanks for the response.
> Funny you mention the print server because
> that happens to be one device port I need to tweak since it occasionally
> exceeds the 15 pps.
>
We have been fine at 10 for over a year now[1], however it took us a while to figure out that for some bizarre reason[2] 'File and Print Sharing' being enabled actually caused the workstation to flood ping the local subnet looking for printers every time someone pressed on their workstation. Similar thing happens under Vista only when you want to add an IPP printer by hand :-/

Cheers

[1] we are a university with about 600 staff and 3000 students
[2] might be linked to Novell being installed too, but who knows

-- 
Alexander Clouter
.sigmonster says: There's enough money here to buy 5000 cans of Noodle-Roni!

From p.mayers at imperial.ac.uk Wed Aug 19 06:32:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 19 Aug 2009 11:32:01 +0100
Subject: [c-nsp] RSPAN + VACL Redirect
Message-ID: <4A8BD4A1.5060106@imperial.ac.uk>

Charuntorn Baimoung wrote:
> Hi Everyone,
>
> I would like to know if this config works properly on a 6500, same box.

I seriously doubt it. What are you trying to do?

From ingimar at hi.is Wed Aug 19 06:49:18 2009
From: ingimar at hi.is (Ingimar Jónsson)
Date: Wed, 19 Aug 2009 10:49:18 +0000
Subject: [c-nsp] Problem with DHCP over wireless on 1811W
Message-ID: <1250678958.22648.131.camel@dino.rhi.hi.is>

Hi all.

This is my first post to this list so please bear with me.

I'm trying to configure a 1811W to act as a DHCP relay for its wireless AP. The scenario is like this: the 1811W is located in a remote office and forwards RADIUS and DHCP to local servers. DHCP is working on FastEthernet ports on the 1811. Clients get RADIUS authentication on the AP. No DHCP traffic comes from the AP on the 1811. If I put a static ip address on a client connected to the AP, it can't ping anything.
The config on the 1811W is like this (the crucial part I think):

dot11 ssid TEST
 vlan 110
 authentication open mac-address rad_mac
 accounting rad_acc
 guest-mode
 infrastructure-ssid
!
dot11 aaa authentication mac-authen filter-cache
dot11 holdoff-time 300
ip source-route
!
ip cef
ip dhcp-server X.Y.165.53
!
no ipv6 cef
multilink bundle-name authenticated
!
vtp mode transparent
!
vlan 110
 name testing
!
ip ssh version 1
bridge irb
!
interface Loopback0
 ip address X.Y.160.21 255.255.255.255
!
interface FastEthernet0
 description Testing
 ip address X.Y.69.167 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip cgmp
 ip ospf authentication
 ip ospf authentication-key 7 135C470705051C737B
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 110
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no dot11 extension aironet
 !
 encryption mode wep mandatory
 !
 encryption vlan 110 key 1 size 40bit 7 XXXXXXXXX transmit-key
 encryption vlan 110 mode wep mandatory
 !
 ssid TESTING
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
 rts threshold 2312
!
interface Dot11Radio0.110
 encapsulation dot1Q 110 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 shutdown
!
interface Vlan110
 ip address X.Y.72.206 255.255.255.240
 ip helper-address X.Y.165.53
 no ip redirects
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip cgmp
 no autostate
!
interface BVI1
 no ip address
 ip helper-address X.Y.165.53
 no ip route-cache cef
 no ip route-cache
!
no ip forward-protocol nd
ip forward-protocol udp bootpc
ip route 0.0.0.0 0.0.0.0 X.Y.69.254
!
!
bridge 1 protocol ieee
bridge 1 route ip

Thanks
Ingimar Jonsson

From achatz at forthnet.gr Wed Aug 19 07:59:36 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 19 Aug 2009 14:59:36 +0300
Subject: [c-nsp] RP/SP BOOT synchronisation issue on 6500/7600
Message-ID: <4A8BE928.50104@forthnet.gr>

Has anyone met such an issue?

Whenever I use more than 2 files in the boot sequence, I get the SP BOOT variable desynchronized (RP BOOT is fine). I have seen it in SXH3a, SXI1, SRD2a.

Is there a lower limit on the number of chars in SP BOOT than in RP BOOT?

On some versions I also get "%MONITOR-SP-3-VARSETFAIL: ROM monitor variable set of "BOOT" failed."

--
Tassos

From harbor235 at gmail.com Wed Aug 19 09:01:40 2009
From: harbor235 at gmail.com (harbor235)
Date: Wed, 19 Aug 2009 09:01:40 -0400
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <4A8BA39F.9040304@rollernet.us>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com> <4A8BA39F.9040304@rollernet.us>
Message-ID: <836bf1f90908190601o177c8b84oe43d7dd620840576@mail.gmail.com>

I would not use VLAN 1 for disabled ports either, create a PARK vlan and reassign all unused disabled ports to the PARK vlan. That way vlan 1 has no chance to be mistakenly activated.
mike

On Wed, Aug 19, 2009 at 3:02 AM, Seth Mattinen wrote:
> shadow floating wrote:
> > Hi All,
> > I just have a question, as we know that Cisco preserve VLAN 1 for
> > management issues and network management needed protocols like CDP,
> > VTP and the like, and all access from other VLANs to this VLAN should
> > be restricted except from the management VLAN, as for our network, we
> > are implementing a new management VLAN on a VLAN id other than 1
> > according to some consultant's advice, my question is : is there any
> > benefit of migrating the management (all managing and managed devices)
> > to another VLAN other than VLAN1 ??...won't in this case we have to
> > protect two VLANs (VLAN 1 and the new management VLAN)?...or is there
> > a real benefit in the migration of the management VLAN, as for my
> > knowledge...VLAN 1 can not be disabled or even pruned on trunk links?
> >
> > appreciating your comments
> > thanks a lot
> >
>
> I don't use VLAN 1 at all anywhere. Except for the disabled ports.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mtinka at globaltransit.net Wed Aug 19 03:20:57 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 19 Aug 2009 15:20:57 +0800
Subject: [c-nsp] ISIS Problem
In-Reply-To:
References:
Message-ID: <200908191521.05120.mtinka@globaltransit.net>

On Tuesday 18 August 2009 09:24:47 pm Ibrahim Abo Zaid wrote:
> To make it clearer , i don't have a problem with default
> route on R1 i have a problem with the default route on R2
> and R3

As Yuri had suggested, have you tried simplifying your IS-IS configuration by having only a single instance of IS-IS running on R2 and R3?

Cheers,

Mark.
From frnkblk at iname.com Wed Aug 19 11:20:35 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 19 Aug 2009 10:20:35 -0500
Subject: [c-nsp] Arp Inspection Rate Limit
In-Reply-To: <11vsl6-6me.ln1@chipmunk.wormnet.eu>
References: <11vsl6-6me.ln1@chipmunk.wormnet.eu>
Message-ID:

We deal with this issue on the BWA side of the house. We typically set up the client radios to rate-limit broadcasts (yes, there's more to broadcast than ARP, but ARP is most of it) to 7 pps and main radio to as low as 12 pps.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexander Clouter
Sent: Wednesday, August 19, 2009 4:59 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Arp Inspection Rate Limit

Hi,

NMaio at guesswho.com wrote:
>
> Thanks for the response. Funny you mention the print server because
> that happens to be one device port I need to tweak since it occasionally
> exceeds the 15 pps.
>
We have been fine at 10 for over a year now[1], however it took us a while to figure out that for some bizarre reason[2] 'File and Print Sharing' being enabled actually caused the workstation to flood ping the local subnet looking for printers every time someone pressed on their workstation. Similar thing happens under Vista only when you want to add an IPP printer by hand :-/

Cheers

[1] we are a university with about 600 staff and 3000 students
[2] might be linked to Novell being installed too, but who knows

--
Alexander Clouter
.sigmonster says: There's enough money here to buy 5000 cans of Noodle-Roni!
From mtinka at globaltransit.net Wed Aug 19 11:41:00 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 19 Aug 2009 23:41:00 +0800
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <4A8BA39F.9040304@rollernet.us>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com> <4A8BA39F.9040304@rollernet.us>
Message-ID: <200908192341.14438.mtinka@globaltransit.net>

On Wednesday 19 August 2009 03:02:55 pm Seth Mattinen wrote:
> I don't use VLAN 1 at all anywhere. Except for the
> disabled ports.

Same here.

Mark.

From William.Murphy at uth.tmc.edu Wed Aug 19 11:56:23 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Wed, 19 Aug 2009 10:56:23 -0500
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>
Message-ID:

In all recent IOS versions and switching hardware you can disable VLAN 1 on trunk ports (switchport trunk allowed vlan remove 1) and the protocols you mentioned will still continue to function. This is how Cisco recommends you do it.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shadow floating
Sent: Tuesday, August 18, 2009 11:49 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Management Vlan VS Vlan1

Hi All,

I just have a question, as we know that Cisco preserve VLAN 1 for management issues and network management needed protocols like CDP, VTP and the like, and all access from other VLANs to this VLAN should be restricted except from the management VLAN, as for our network, we are implementing a new management VLAN on a VLAN id other than 1 according to some consultant's advice, my question is : is there any benefit of migrating the management (all managing and managed devices) to another VLAN other than VLAN1 ??...won't in this case we have to protect two VLANs (VLAN 1 and the new management VLAN)?...or is there a real benefit in the migration of the management VLAN, as for my knowledge...VLAN 1 can not be disabled or even pruned on trunk links?

appreciating your comments
thanks a lot

Nad
From psirt at cisco.com Wed Aug 19 13:12:26 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 19 Aug 2009 13:12:26 -0400
Subject: [c-nsp] Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability
Message-ID: <200908191315.fwsm@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Firewall Services Module Crafted ICMP Message Vulnerability

Advisory ID: cisco-sa-20090819-fwsm
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml
Revision 1.0
For Public Release 2009 August 19 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Firewall Services Module (FWSM) for the Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The vulnerability may cause the FWSM to stop forwarding traffic and may be triggered while processing multiple, crafted ICMP messages. There are no known instances of intentional exploitation of this vulnerability. However, Cisco has observed data streams that appear to trigger this vulnerability unintentionally.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml.

Affected Products
=================

Vulnerable Products
-------------------

All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are affected by this vulnerability.

To determine the version of the FWSM software that is running, issue the "show module" command-line interface (CLI) command from Cisco IOS Software or Cisco Catalyst Operating System Software to identify what modules and sub-modules are installed in the system. The following example shows a system with an FWSM (WS-SVC-FWM-1) installed in slot 4.

switch#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx

After locating the correct slot, issue the "show module <slot number>" command to identify the software version that is running.

switch#show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       3.2(3)       Ok

The preceding example shows that the FWSM is running software version 3.2(3) as indicated by the column under "Sw".

Note: Recent versions of Cisco IOS Software will show the software version of each module in the output from the "show module" command; therefore, executing the "show module <slot number>" command is not necessary.

If a Virtual Switching System (VSS) is used to allow two physical Cisco Catalyst 6500 Series Switches to operate as a single logical virtual switch, the "show module switch all" command can display the software version of all FWSMs that belong to switch 1 and switch 2. The output from this command will be similar to the output from the "show module <slot number>" but will include module information for the modules in each switch in the VSS.

Alternatively, version information can be obtained directly from the FWSM through the "show version" command, as shown in the following example.

FWSM#show version
FWSM Firewall Version 3.2(3)

Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can find the version of the software displayed in the table in the login window or in the upper left corner of the ASDM window.
The version notation is similar to the following example.

FWSM Version: 3.2(3)

Products Confirmed Not Vulnerable
---------------------------------

Other Cisco products that offer firewall services, including Cisco IOS Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco PIX Security Appliances, are not affected by this vulnerability.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco FWSM is a high-speed, integrated firewall module for Catalyst 6500 Series Switches and Cisco 7600 Series Routers. The FWSM offers firewall services with stateful packet filtering and deep packet inspection.

A vulnerability exists in the Cisco FWSM Software that may cause the FWSM to stop forwarding traffic between interfaces, or stop processing traffic that is directed at the FWSM (management traffic) after multiple, crafted ICMP messages are processed by the FWSM. Any traffic that transits or is directed towards the FWSM is affected, regardless of whether ICMP inspection ("inspect icmp" command under Class configuration mode) is enabled.

The FWSM stops processing traffic because one of the Network Processors (NPs) that is used by the FWSM to handle traffic may use all available execution threads while handling a specific type of crafted ICMP messages. This behavior limits the execution threads that are available to handle additional traffic.

Administrators may be able to determine if the FWSM has been affected by this vulnerability by issuing the "show np 2 stats" command. If this command produces output showing various counters and their values, as shown in the example CLI output that follows, the FWSM has not been affected by the vulnerability. If the command returns a single line that reads "ERROR: np_logger_query request for FP Stats failed", the FWSM may have been affected by the vulnerability.
FWSM#show np 2 stats
-------------------------------------------------------------------------------
Fast Path 64 bit Global Statistics Counters (NP-2)
-------------------------------------------------------------------------------
PKT_MNG: total packets (dot1q) rcvd     : 10565937
PKT_MNG: total packets (dot1q) sent     : 4969517
PKT_MNG: total packets (dot1q) dropped  : 65502
PKT_MNG: TCP packets received           : 0
PKT_MNG: UDP packets received           : 4963509
PKT_MNG: ICMP packets received          : 0
PKT_MNG: ARP packets received           : 2
PKT_MNG: other protocol pkts received   : 0
PKT_MNG: default (no IP/ARP) dropped    : 0
SESS_MNG: sessions created              : 18
SESS_MNG: sessions embryonic to active  : 0
[...]

An FWSM that stops processing traffic as a result of this vulnerability will need to be reloaded. Administrators can reload the FWSM from the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series Router by issuing the command "hw-module module <slot number> reset" (Cisco IOS Software), or "set module power up|down <slot number>" (Cisco CatOS Software). Note that unless the FWSM software is updated to a non-vulnerable version, or crafted ICMP messages are blocked (see the Workarounds section for details), the FWSM can still be subject to exploitation (intentional or otherwise) after a reload.

If an FWSM that is configured for failover operation encounters this issue, the active FWSM may not properly fail over to the standby FWSM.

IPv6 (in particular ICMPv6) cannot trigger this vulnerability.

This issue is documented in Cisco Bug ID CSCsz97207 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-0638.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided a FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* NP 2 threads lock due to processing crafted ICMP message (CSCsz97207)

CVSS Base Score - 7.8
  Access Vector           - Network
  Access Complexity       - Low
  Authentication          - None
  Confidentiality Impact  - None
  Integrity Impact        - None
  Availability Impact     - Complete

CVSS Temporal Score - 6.4
  Exploitability          - Functional
  Remediation Level       - Official-Fix
  Report Confidence       - Confirmed

Impact
======

Successful exploitation of the vulnerability may cause the FWSM to stop forwarding traffic between interfaces (transit traffic), and stop processing traffic directed at the FWSM (management traffic). If the FWSM is configured for failover operation, the active FWSM may not fail over to the standby FWSM.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Each row of the FWSM software table below describes a major FWSM software train and the earliest possible release within that train that contains the fix (the "First Fixed Release") and the anticipated date of availability (if not currently available) in the "First Fixed Release" column. A device running a release that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

+---------------------------------------+
| Major      | First Fixed Release      |
| Release    |                          |
|------------+--------------------------|
| 2.x        | Vulnerable; migrate to   |
|            | 3.x or 4.x               |
|------------+--------------------------|
| 3.1        | 3.1(16)                  |
|------------+--------------------------|
| 3.2        | 3.2(13)                  |
|------------+--------------------------|
| 4.0        | 4.0(6)                   |
+---------------------------------------+

Fixed FWSM software can be downloaded from the Software Center on cisco.com by visiting http://www.cisco.com/public/sw-center/index.shtml and navigating to "Security" > "Cisco Catalyst 6500 Series Firewall Services Module" > "Firewall Services Module (FWSM) Software".

Workarounds
===========

There are no workarounds for this vulnerability. Access control lists (ACLs) that are deployed on the FWSM itself to block through-the-device or to-the-device ICMP messages are not effective to prevent this vulnerability. However, blocking unnecessary ICMP messages on screening devices or on devices in the path to the FWSM will prevent the FWSM from triggering the vulnerability.
For example, the following ACL, when deployed on a Cisco IOS device in front of the FWSM, will prevent crafted ICMP messages from reaching the FWSM, and thus protect the FWSM from triggering the vulnerability:

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any

This sample ACL is allowing certain ICMP messages that are vital for network troubleshooting and for proper operation of the network. It is safe to allow any other ICMP messages for which the Cisco IOS Software "access-list" command has named ICMP type keywords.

ACLs like the one in the preceding example may also be deployed on non-Cisco IOS devices, such as the Cisco PIX and ASA security appliances, although the ACL syntax on non-Cisco IOS devices may not support all the named ICMP type keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco IOS devices, it is safe to permit all ICMP messages for which there are named ICMP type keywords in the ACL syntax.

As mentioned in the Details section, if the FWSM has stopped processing traffic due to this vulnerability, the FWSM will require a reload. Administrators can reload the FWSM by logging in to the supervisor of the Catalyst 6500 Series Switch or the Cisco 7600 Series router and issuing the "hw-module module <slot number> reset" (Cisco IOS Software), or "set module power up|down <slot number>" (Cisco CatOS Software) commands.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090819-fwsm.shtml.
Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
--------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
-------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
-----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory, but Cisco is aware of customers that have encountered this vulnerability during normal network operation.

This vulnerability was discovered during the handling of customer support cases.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-August-19 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Aug 19, 2009
Document ID: 110460

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqMMFYACgkQ86n/Gc8U/uA2jACeLVA38jWbQv4AGpSCvOPVJjgR
NqUAniMoiEUkV/JIDlo1xA0ztaO6jCFR
=2Tm1
-----END PGP SIGNATURE-----

From thilak.t at gmail.com Wed Aug 19 15:17:45 2009
From: thilak.t at gmail.com (Thilak T)
Date: Wed, 19 Aug 2009 12:17:45 -0700
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
Message-ID: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>

Hello Folks,

I am trying to test TCP throughput with different variables. I want to simulate a delay of approx. 45 msec between two test PCs connected to two back-to-back routers. How do we introduce an artificial delay where the actual delay is only 2-3 msec, using Cisco routers?

Thilak

From brandon at burn.net Wed Aug 19 15:28:19 2009
From: brandon at burn.net (Brandon Applegate)
Date: Wed, 19 Aug 2009 15:28:19 -0400 (EDT)
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID:

On Wed, 19 Aug 2009, Thilak T wrote:

> Hello Folks,
>
> I am trying to test TCP throughput with different variables. I want to
> simulate a delay of approx. 45 msec between two test PCs connected to two
> back-to-back routers. How do we introduce an artificial delay where
> the actual delay is only 2-3 msec, using Cisco routers?

Google 'dummynet'. FreeBSD with Dummynet does this nicely. If you really want it transparent, you can build a dummynet machine with 2 NICs and do it in bridged mode. You can play with bandwidth, delay, introduce packet drops etc.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
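Back to the FWSM advisory (cisco-sa-20090819-fwsm) earlier in this digest: the two checks it describes, the "Sw" version taken from "show module <slot number>" compared against the First Fixed Release table, and the "show np 2 stats" failure signature that marks an FWSM whose NP-2 threads are exhausted, as an added worked example. This is not part of the advisory, not Cisco code, and not from any post in this thread. The First Fixed Release table and the error string are copied from the advisory text; the "show module" output below is a constructed sample built from the advisory's own example; the function names are the example's own.

```python
import re

# Added example, not Cisco's code. First Fixed Release table copied from
# cisco-sa-20090819-fwsm: 3.1 -> 3.1(16), 3.2 -> 3.2(13), 4.0 -> 4.0(6).
# Every 2.x release is vulnerable and has no fix in its own train.
FIRST_FIXED = {
    "3.1": (3, 1, 16),
    "3.2": (3, 2, 13),
    "4.0": (4, 0, 6),
}

# FWSM releases are written major.minor(build), e.g. 3.2(3).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)")

# The single line the advisory says "show np 2 stats" returns once NP-2
# has used up its execution threads.
NP2_FAILED = "ERROR: np_logger_query request for FP Stats failed"


def parse_version(text):
    """Return (major, minor, build) for the first x.y(z) token in text, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(version):
    """True if this FWSM release predates the first fixed release of its train.

    Returns None for a train the advisory does not list, so a caller can
    keep 'unknown' apart from 'fixed' instead of silently passing it."""
    major, minor, _build = version
    if major == 2:
        return True
    train = f"{major}.{minor}"
    if train not in FIRST_FIXED:
        return None
    return version < FIRST_FIXED[train]


def fwsm_slots(show_module_output):
    """Slot numbers of WS-SVC-FWM-1 modules in 'show module' output."""
    slots = []
    for line in show_module_output.splitlines():
        fields = line.split()
        if "WS-SVC-FWM-1" in fields:
            slots.append(int(fields[0]))
    return slots


def fwsm_sw_version(show_module_slot_output):
    """Sw column of 'show module <slot>': the last x.y(z) token on the line
    that carries the MAC address range (Fw comes before Sw on that line)."""
    for line in show_module_slot_output.splitlines():
        if " to " in line and VERSION_RE.search(line):
            last = VERSION_RE.findall(line)[-1]
            return tuple(int(g) for g in last)
    return None


def np2_threads_exhausted(show_np_2_stats_output):
    """True if 'show np 2 stats' printed the failure signature from the advisory."""
    return NP2_FAILED in show_np_2_stats_output


def assess(show_module_output, per_slot_outputs):
    """[(slot, version, vulnerable)] for every FWSM found in the chassis.
    per_slot_outputs maps slot -> text of 'show module <slot>'."""
    report = []
    for slot in fwsm_slots(show_module_output):
        ver = fwsm_sw_version(per_slot_outputs.get(slot, ""))
        report.append((slot, ver, None if ver is None else is_vulnerable(ver)))
    return report


# Constructed sample output, rebuilt from the example printed in the advisory.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX     SAxxxxxxxxx
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-BASE     SAxxxxxxxxx
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-BASE     SAxxxxxxxxx
"""

SAMPLE_SHOW_MODULE_4 = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4    6  Firewall Module                        WS-SVC-FWM-1       SAxxxxxxxxx

Mod MAC addresses                       Hw    Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx   3.0   7.2(1)       3.2(3)       Ok
"""

if __name__ == "__main__":
    for slot, ver, vuln in assess(SAMPLE_SHOW_MODULE, {4: SAMPLE_SHOW_MODULE_4}):
        print(f"slot {slot}: FWSM {ver} vulnerable={vuln}")
    healthy = not np2_threads_exhausted("PKT_MNG: total packets (dot1q) rcvd : 10565937")
    print("NP-2 healthy:", healthy)
```

With the sample above the script reports slot 4 at 3.2(3) as vulnerable, since 3.2(3) is below the 3.2(13) first fixed release. Feed it the real "show module" and "show np 2 stats" text captured from a supervisor session and it gives the same two answers the advisory asks an operator to work out by hand; a version from an unlisted train comes back as None rather than as a false "fixed".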
From sthaug at nethelp.no Wed Aug 19 15:33:19 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 19 Aug 2009 21:33:19 +0200 (CEST)
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID: <20090819.213319.74719848.sthaug@nethelp.no>

> I am trying to test TCP throughput with different variables. I want to
> simulate a delay of approx. 45 msec between two test PCs connected to two
> back-to-back routers. How do we introduce an artificial delay where
> the actual delay is only 2-3 msec, using Cisco routers?

FreeBSD and Dummynet, on a suitable PC. See
http://info.iet.unipi.it/~luigi/dummynet/

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ratio+nsp at invalid.org.ua Wed Aug 19 15:38:09 2009
From: ratio+nsp at invalid.org.ua (Sergey Khalavchuk)
Date: Wed, 19 Aug 2009 22:38:09 +0300
Subject: [c-nsp] Fwd: strange "archive" feature on c3560
In-Reply-To: <4f909a820908191105l76aa5948i34513db43730fe3d@mail.gmail.com>
References: <4f909a820908191105l76aa5948i34513db43730fe3d@mail.gmail.com>
Message-ID: <4f909a820908191238w52ce73a1we3f74b4e66faa227@mail.gmail.com>

Hello, group.

I've recently discovered strange behavior on a clean Catalyst 3560 with 122-40.SE IOS: whenever I try to save the config, I get:

SWITCH#wr
Building configuration...
nv_done: unable to open "flash:/archive/backup.config.new"[OK]
SWITCH#

Who knows what this is, and how to enable/disable it? It looks like the archive feature, but archive is not enabled (config is clean, switch is freshly erased and rebooted):

SWITCH#sh archive
Archive feature not enabled

Also, nothing changes if I try to configure archive (set path to tftp, enable or disable archive on-write). The only way I found to get rid of this message is to mkdir archive.
I have a few more 3560s with the same IOS, but they write config without any errors (and have no flash:/archive/ dir).

--
wbr
sergey khalavchuk

From ip at ioshints.info Wed Aug 19 16:00:15 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 19 Aug 2009 22:00:15 +0200
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID: <000501ca2107$abe2b6d0$0a00000a@nil.si>

http://wanem.sourceforge.net/

You can download an ISO image that boots off the CD. It can be used on a PC with two interfaces (emulating a router) or with a bit of static-route trickery on the end hosts. Worked perfectly for me when I had to do similar tests.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Thilak T [mailto:thilak.t at gmail.com]
> Sent: Wednesday, August 19, 2009 9:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
>
> Hello Folks,
>
> I am trying to test TCP throughput with different variables. I want to
> simulate a delay of approx. 45 msec between two test PCs connected to two
> back-to-back routers. How do we introduce an artificial delay when
> the actual delay is only 2-3 msec, using Cisco routers?
>
> Thilak

From damin at nacs.net Wed Aug 19 16:16:48 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Wed, 19 Aug 2009 16:16:48 -0400
Subject: [c-nsp] T.38 Fax Relay from 2620XM
Message-ID: <06b701ca2109$fe294420$fa7bcc60$@net>

Hello,

I have a couple of 2620XM units that I am using as PRI to SIP gateways. I have been trying to get T.38 fax relay working w/ an endpoint. What I have discovered is that the Cisco is not sending T.38 invite information in the SDP message.
Call Path
---------
ISDN PRI (ni2) -> 2620XM -> T.38 Device

What I have also found out is that if I force all calls to be treated as faxes on the T.38 machine, it sends back a T.38 invite to the Cisco and the fax progresses properly and is received.

In my ancient telco brain, I am used to working w/ CNG tones as determining whether to go into FAX receive mode or not, but from what I can read, Cisco does not use CNG detection on its PRI (I find that weird and it seems incorrect). So how the heck does it know whether an incoming call is a fax or not???

I would assume that the PRI port would work thusly..

1. Answer the ISDN call
2. Detect CNG tone
3. Send T.38 Invite in SDP via SIP

Any pointers?

Relevant details.. IPs removed to protect the innocent.

Cisco 2620XM (MPC860P) processor (revision 1.0) with 126090K/4982K bytes of memory.
Processor board ID JAE073107G7
M860 processor: part number 5, mask 2
1 FastEthernet interface
48 Serial interfaces
2 Channelized T1/PRI ports
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

flash:c2600-ipvoicek9-mz.124-23.bin

voice service voip
 signaling forward rawmsg
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  ds0-num

dial-peer voice 2000 voip
 preference 2
 destination-pattern .T
 voice-class codec 10
 session protocol sipv2
 session target sip-server
 dtmf-relay rtp-nte
 fax-relay ecm disable
 fax nsf 000000
 fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback none
 ip qos dscp ef signaling
 no vad

sip-ua
 disable-early-media 180
 retry invite 3
 retry response 3
 retry bye 3
 retry cancel 3
 timers buffer-invite 1024
 sip-server ipv4:x.x.x.x:5060

From A.L.M.Buxey at lboro.ac.uk Wed Aug 19 16:51:44 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Wed, 19 Aug 2009 21:51:44 +0100
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <836bf1f90908190601o177c8b84oe43d7dd620840576@mail.gmail.com>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com> <4A8BA39F.9040304@rollernet.us> <836bf1f90908190601o177c8b84oe43d7dd620840576@mail.gmail.com>
Message-ID: <20090819205144.GD3277@lboro.ac.uk>

Hi,

> I would not use VLAN 1 for disabled ports either, create a PARK vlan and
> reassign all unused disabled ports to the PARK vlan. That way vlan 1 has
> no chance to be mistakenly activated.

Aye - we have a similar 'blackhole' VLAN which is present but doesn't do anything. (I was toying with the idea of giving it DHCP but keeping it unrouted and having a monitor, so if any traffic suddenly appears on it then......
;-) )

alan

From KaeglerM at tessco.com Wed Aug 19 16:54:11 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Wed, 19 Aug 2009 16:54:11 -0400
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID:

If you have a linux machine lying around (a default ubuntu install will do...), drop it on the same subnet as either one of the two PCs. (only one ethernet card needed)

Do:

iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP
tc qdisc add dev eth0 root netem delay 45msec
echo -n 1 > /proc/sys/net/ipv4/ip_forward

On the PC on the same subnet, set the default gateway to be the IP of the linux machine. Done. You can change the delay with `tc qdisc change dev eth0 root netem delay `

This technically only induces delay in one direction (you could do it bidirectionally by sending it from the router to the linux box) but the net net won't affect your LFN testing.

-porkchop

On 8/19/09 3:17 PM, "Thilak T" wrote:

> Hello Folks,
>
> I am trying to test TCP throughput with different variables. I want to
> simulate a delay of approx. 45 msec between two test PCs connected to two
> back-to-back routers. How do we introduce an artificial delay when
> the actual delay is only 2-3 msec, using Cisco routers?
>
> Thilak
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less.
http://www.tessco.com/

From ryan at deadfrog.net Wed Aug 19 17:07:42 2009
From: ryan at deadfrog.net (Ryan Wilkins)
Date: Wed, 19 Aug 2009 16:07:42 -0500
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <000501ca2107$abe2b6d0$0a00000a@nil.si>
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com> <000501ca2107$abe2b6d0$0a00000a@nil.si>
Message-ID: <065673EB-43FA-4BAC-A4F3-9A6A6F9ADD32@deadfrog.net>

You can also look at . I use Netem to simulate satellite delay. My configured delays are about 265 ms each way with 2 ms of variation. Works really well, and support is compiled directly into recent Ubuntu Linux versions and probably many others as well. I used a single box with 802.1q support on it and a couple of VLANs configured in bridging mode, so the Linux box is just transparent to the devices under test. Use a VLAN trunking capable switch to break out the VLANs to as many devices as you need.

Regards,
Ryan Wilkins

>
>> -----Original Message-----
>> From: Thilak T [mailto:thilak.t at gmail.com]
>> Sent: Wednesday, August 19, 2009 9:18 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
>>
>> Hello Folks,
>>
>> I am trying to test TCP throughput with different variables. I want to
>> simulate a delay of approx. 45 msec between two test PCs connected to two
>> back-to-back routers. How do we introduce an artificial delay when
>> the actual delay is only 2-3 msec, using Cisco routers?
>>
>> Thilak
>>

From ibrahim.abozaid at gmail.com Wed Aug 19 17:40:09 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 20 Aug 2009 00:40:09 +0300
Subject: [c-nsp] ISIS Adj-filter problem
Message-ID:

Hi All

I was testing the ISIS Adj-filter option. R1, R2 and R3 are connected over an ethernet switch (using dynamips) with the below configuration. The configuration works for the adjacency point and both R2 and R3 have an ADJ with R1 only; the problem is R2 is dropping R1 and R3 LSPs, and debug shows they are dropped due to invalid adj. Can you help to resolve that?

Configuration

R1
interface Loopback0
 ip address 10.10.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.1 255.255.255.0
 ip router isis

router isis
 net 49.0001.0000.0000.0001.00
 is-type level-1
 passive-interface Loopback0

R2
interface Loopback0
 ip address 10.10.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.2 255.255.255.0
 ip router isis
 isis adjacency-filter A1
!
router isis
 net 49.0001.0000.0000.0002.00
 is-type level-1
 passive-interface Loopback0

clns filter-set A1 permit 49.0001.0000.0000.0100.00

R3
interface Loopback0
 ip address 10.10.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.123.3 255.255.255.0
 ip router isis
 isis adjacency-filter A1

router isis
 net 49.0001.0000.0000.0003.00
 is-type level-1
 passive-interface Loopback0

clns filter-set A1 permit 49.0001.0000.0000.0100.00

Verification

R1#sh clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R2             Fa0/0       c201.0544.0000      Up     8         L1   IS-IS
R3             Fa0/0       c202.0544.0000      Up     7         L1   IS-IS

R1 has R2 and R3 LSPs

R1#sh isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00            * 0x00000010   0x2D88        849               0/0/0
R2.00-00              0x00000009   0x8037        1036              0/0/0
R2.01-00              0x00000003   0x78D8        1036              0/0/0
R3.00-00              0x00000005   0x4470        552               0/0/0
R3.01-00              0x00000006   0x78D3        1091              0/0/0

but has the R3-Lo0 route ONLY !!

R1#sh ip route isis
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1    10.10.3.3/32 [115/10] via 10.10.123.3, FastEthernet0/0

R2#sh clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Fa0/0       c200.0544.0000      Up     21        L1   IS-IS

R2 doesn't have R1 and R3 LSPs !!!

R2#sh isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R2.00-00            * 0x00000009   0x8037        985               0/0/0
R2.01-00            * 0x00000003   0x78D8        986               0/0/0

No ISIS route; that's normal, no LSP :)

R2#sh ip route isis
R2#

R3

R3#sh clns neighbors
System Id      Interface   SNPA                State  Holdtime  Type Protocol
R1             Fa0/0       c200.0544.0000      Up     26        L1   IS-IS

R3#sh isis database
IS-IS Level-1 Link State Database:
LSPID                 LSP Seq Num  LSP Checksum  LSP Holdtime      ATT/P/OL
R1.00-00              0x00000013   0x278B        1181              0/0/0
R2.00-00              0x00000009   0x8037        845               0/0/0
R2.01-00              0x00000003   0x78D8        846               0/0/0
R3.00-00            * 0x00000006   0x4271        1186              0/0/0
R3.01-00            * 0x00000007   0x76D4        1185              0/0/0

route to R1-Lo0 only !!
R3#sh ip route isis
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
i L1    10.10.1.1/32 [115/10] via 10.10.123.1, FastEthernet0/0

debug isis update-packets shows the update is dropped due to invalid ADJ:

*Mar 1 00:30:16.751: ISIS-Upd: Invalid adjacency
*Mar 1 00:30:26.619: ISIS-Upd: Invalid adjacency
*Mar 1 00:30:34.151: ISIS-Upd: Invalid adjacency

Any ideas?

best regards
--Ibrahim

From rbf+cisco-nsp at panix.com Wed Aug 19 18:13:12 2009
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Wed, 19 Aug 2009 17:13:12 -0500
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To:
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com>
Message-ID: <20090819221312.GA3749@panix.com>

On Wed, Aug 19, 2009 at 10:56:23AM -0500, Murphy, William wrote:
> In all recent IOS versions and switching hardware you can disable
> VLAN 1 on trunk ports (switchport trunk allowed vlan remove 1) and
> the protocols you mentioned will still continue to function. This is
> how Cisco recommends you do it.

Not on ethernet switch HWICs in 28xx and 38xx series routers. They still require VLAN 1 on all trunks.

     -- Brett

From rwest at zyedge.com Wed Aug 19 19:45:32 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 19 Aug 2009 19:45:32 -0400
Subject: [c-nsp] CIsco 3560 SVI SNMP
In-Reply-To: <20090819083245.GY2121@greenie.muc.de>
References: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com> <20090819083245.GY2121@greenie.muc.de>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local>

Gert,

Is this behavior different on the higher end models?
-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Wednesday, August 19, 2009 4:33 AM
To: almog ohayon
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] CIsco 3560 SVI SNMP

Hi,

On Wed, Aug 19, 2009 at 11:13:52AM +0300, almog ohayon wrote:
> Hello Everyone, Does anyone know if there is an option to get
> statistics from Cisco 3560 Interface Vlan ?

Yes - and the answer is "no".

3560 / 3750s are not able to do proper counting on VLAN interfaces. Packets seen by the CPU are counted, packets moved by the hardware are not.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Wed Aug 19 20:05:24 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 20 Aug 2009 02:05:24 +0200
Subject: [c-nsp] CIsco 3560 SVI SNMP
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local>
References: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com> <20090819083245.GY2121@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local>
Message-ID: <1250726724.5371.3.camel@abehat.net.rm.dk>

On Wed, 2009-08-19 at 10:32 +0200, Gert Doering wrote:
> 3560 / 3750s are not able to do proper counting on VLAN interfaces.

On Wed, 2009-08-19 at 19:45 -0400, Ryan West wrote:
> Is this behavior different on the higher end models?

Yes, at least the 6500/7600 counts SVI traffic correctly. I don't know about the 4500.
Regards,
Peter

From thilak.t at gmail.com Wed Aug 19 20:25:03 2009
From: thilak.t at gmail.com (Thilak T)
Date: Wed, 19 Aug 2009 17:25:03 -0700
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To:
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID: <1d11fbf80908191725t6cbb5908r574d64c5c5eca61d@mail.gmail.com>

Thanks Ivan, Kaegler, Wouter & sthaug. I could find similar software which runs on Windows and was able to introduce the desired delay. (I used Shunra VE - http://static.shunra.com/free-trials.php).

regards
Thilak

On Wed, Aug 19, 2009 at 1:54 PM, Kaegler, Mike wrote:
> If you have a linux machine lying around (a default ubuntu install will
> do...), drop it on the same subnet as either one of the two PCs. (only one
> ethernet card needed)
>
> Do:
> iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP
> tc qdisc add dev eth0 root netem delay 45msec
> echo -n 1 > /proc/sys/net/ipv4/ip_forward
>
> On the PC on the same subnet, set the default gateway to be the IP of the
> linux machine. Done. You can change the delay with `tc qdisc change dev eth0
> root netem delay `
>
> This technically only induces delay in one direction (you could do it
> bidirectionally by sending it from the router to the linux box) but the net
> net won't affect your LFN testing.
> -porkchop
>
>
> On 8/19/09 3:17 PM, "Thilak T" wrote:
>
>> Hello Folks,
>>
>> I am trying to test TCP throughput with different variables. I want to
>> simulate a delay of approx. 45 msec between two test PCs connected to two
>> back-to-back routers. How do we introduce an artificial delay when
>> the actual delay is only 2-3 msec, using Cisco routers?
>>
>> Thilak
>
> --
> Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
> Your wireless success, nothing less. http://www.tessco.com/
>

From rwest at zyedge.com Wed Aug 19 20:25:35 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 19 Aug 2009 20:25:35 -0400
Subject: [c-nsp] CIsco 3560 SVI SNMP
In-Reply-To: <1250726724.5371.3.camel@abehat.net.rm.dk>
References: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com> <20090819083245.GY2121@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local> <1250726724.5371.3.camel@abehat.net.rm.dk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698F2@zy-ex1.zyedge.local>

Peter,

Thanks for your input. I was able to verify that a 4500 with a SupIV is also able to show the proper SVI stats.

-ryan

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk]
Sent: Wednesday, August 19, 2009 8:05 PM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] CIsco 3560 SVI SNMP

On Wed, 2009-08-19 at 10:32 +0200, Gert Doering wrote:
> 3560 / 3750s are not able to do proper counting on VLAN interfaces.

On Wed, 2009-08-19 at 19:45 -0400, Ryan West wrote:
> Is this behavior different on the higher end models?

Yes, at least the 6500/7600 counts SVI traffic correctly. I don't know about the 4500.

Regards,
Peter

From eninja at gmail.com Wed Aug 19 22:39:45 2009
From: eninja at gmail.com (e ninja)
Date: Wed, 19 Aug 2009 19:39:45 -0700
Subject: [c-nsp] Sup720 hang while writing SP crashinfo?
In-Reply-To: <538216.56886.qm@web1204.biz.mail.gq1.yahoo.com>
References: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com> <538216.56886.qm@web1204.biz.mail.gq1.yahoo.com>
Message-ID:

Kevin,

Looks like the RP reset the system because the SP failed to respond to RP<->SP cpu availability heartbeat keepalives (aka CPU MONITOR). The TAC engineer should not bother decoding the RP tracebacks as these would most likely be generic functions. The root cause lies in the SP and understanding why it failed, or failed to respond to RP heartbeat keepalives. Some possible causes:

- SP crashed because of a software bug. Make room for future crashinfo files since the trigger still looms.
- SP heartbeat response got stuck behind other EOBC management activity during a traffic spike. (eg CSCsm21728, etc.)

It is always a good idea to set up syslog so that all events can be captured for future troubleshooting.

-Eninja

On Tue, Aug 18, 2009 at 8:33 PM, Kevin Graham <kgraham at industrial-marshmallow.com> wrote:

> > There are multiple causes of crashes and several causes of system 'hang' (high CPU, memory depletion, etc) and both should be investigated independently.
>
> Yes, the crash itself didn't seem particularly interesting, but am pursuing that w/ TAC. It looked like it was a "good and orderly" reset, which is why the failure to complete the reboot (combined w/ incomplete SP crashinfo and full sup-bootflash) was curious.
>
> > Do you have any syslogs from a few minutes before the crash? If yes send over along with RP crashinfo, whatever was captured from SP and console logs.
>
> Only what was captured in RP crashinfo (sparing the list the rest of the spam, but symptoms were consistent w/ very high RP cpu, starting w/ HSRP state flaps, drop of OSPF adjacencies).
> The last gasps were:
>
> 094893: Aug 18 10:53:19.694 PDT: icc_send_request_internal: ipc_send_rpc_blocked failed, result 6 : ios-base : (PID=16407, TID=21) : -Traceback=(s72033_rp-ipservicesk9-6-dso-b.so+0x164B40) ([33:0]+0x164DAC) ([33:0]+0x165320) ([23:-9]3+0x316100) ([33:0]+0x306158) ([23:-9]1+0x2B81A8) ([33:0]+0x2FBFF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
> 094894: Aug 18 10:53:25.910 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 120 seconds [6/0]
> 094895: Aug 18 10:53:55.990 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 150 seconds [6/0]
> 094896: Aug 18 10:54:26.049 PDT: %CPU_MONITOR-3-TIMED_OUT: CPU_MONITOR messages have failed, resetting system [6/0]
> Crashdump : 17:54:26.944 Tue Aug 18 2009 : ios-base : (PID=16407, TID=1) : -Traceback=(s72033_rp-ipservicesk9-9-dso-b.so+0x2E46C8) ([33:0]+0x3577B4) ([33:0]+0x359CF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
> crashdump called (with pause = 0 sec)
>
> %ALIGN-1-FATAL: Illegal access to a low address 10:54:26 PDT Tue Aug 18 2009
> addr=0x0, pc=0x74C7D940, ra=0x74C7D86C, sp=0x389EBC8
>
> > On Aug 18, 2009, at 11:04 PM, Kevin Graham wrote:
> >
> > > We had a Sup720B (non-redundant, running modular SXI) crash, due to what looks like was due to a CPU_MONITOR watchdog event. What was nasty though was that rather than reload, it hung (dead and unresponsive console) and required a power cycle.
> > >
> > > The RP crashinfo made it out fine, however SP crashinfo was incomplete. Looking at that, its due to sup-bootflash running out of space (1 byte left w/ an incomplete/inaccessible crashinfo).
> > >
> > > Unfounded speculation is that the "hung" state was due to system pounding away trying to finish writing crashinfo to a full filesystem.
> > >
> > > Is that hypothesis at all reasonable, or is there something else that should be explored?
> > >

From ibrahim.abozaid at gmail.com Wed Aug 19 22:51:11 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Thu, 20 Aug 2009 05:51:11 +0300
Subject: [c-nsp] ISIS partition avoidance
Message-ID:

Hi All

Does anyone know why ISIS partition avoidance is needed? According to the DocCD:

"To cause an Intermediate System-to-Intermediate System (IS-IS) Level 1-2 border router to stop advertising the Level 1 area prefix into the Level 2 backbone when full connectivity is lost between the border router, all adjacent Level 1 routers, and end hosts"

but that occurs automatically without enabling the feature, so what extra benefit does it provide?

best regards
--Ibrahim

From ml at kenweb.org Wed Aug 19 23:19:24 2009
From: ml at kenweb.org (ML)
Date: Wed, 19 Aug 2009 23:19:24 -0400
Subject: [c-nsp] 6500 QoS
Message-ID: <4A8CC0BC.2000606@kenweb.org>

I'm about to turn on "mls qos" for the first time on a 6509E. I would like some background information from the QoS experts on this list. Last time I turned on "mls qos" it was a 3560, which has certain undesirable defaults when "mls qos" is turned on. I want to avoid the same result with the 6509, which is our Internet edge device.

What I want to accomplish is to mark all incoming traffic from our transit link to CS0. I don't want to inadvertently get clobbered by a default limit of x% for egress queue bandwidth that I'm not expecting.

If I understand what I've found out so far:

On the WS-X6724-SFP: Seems all possible CoS values are mapped to queue 1 for ingress and egress. The WRR queue ratios are 100,0,0 for queues 1,2,3 (4 is priority?). So queue 1 can utilize 100% of the interface bandwidth.
So by default I shouldn't see traffic getting bottlenecked where it wasn't before because of some default config?

Is the simplest configuration to turn on mls qos globally and use a service policy to set all input to dscp cs0?

Thanks

From ianh at ianh.net.au Wed Aug 19 23:22:38 2009
From: ianh at ianh.net.au (Ian Henderson)
Date: Thu, 20 Aug 2009 11:22:38 +0800 (WST)
Subject: [c-nsp] TCP throughput /WAN delay simulation with back to back routers
In-Reply-To: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
References: <1d11fbf80908191217k4f117d1blbc767ed37a044b82@mail.gmail.com>
Message-ID:

On Wed, 19 Aug 2009, Thilak T wrote:

> I am trying to test TCP throughput with different variables. I want to
> simulate a delay of approx. 45 msec between two test PCs connected to two
> back-to-back routers. How do we introduce an artificial delay when
> the actual delay is only 2-3 msec, using Cisco routers?

Riverbed introduced us to the Network Nightmare, www.networknightmare.net. It's a neat little appliance using the FreeBSD dummynet stuff, without having to maintain it. Incredibly easy to use, although it's pricey if you've got the time/expertise to set up dummynet. Their website is truly awful, but ordering/delivery was fast/easy.

Rgds,

- I.

From nadengine at googlemail.com Thu Aug 20 01:19:18 2009
From: nadengine at googlemail.com (shadow floating)
Date: Thu, 20 Aug 2009 07:19:18 +0200
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <20090819221312.GA3749@panix.com>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com> <20090819221312.GA3749@panix.com>
Message-ID: <5c1b7500908192219y73220c79p9408713fe8e150ca@mail.gmail.com>

Thanks a lot guys for all your informative responses, but still, if I migrate the management VLAN from VLAN 1 to another VLAN, won't I have to protect 2 VLANs instead of just taking care of VLAN 1? Is there any good reason that prevents one from using VLAN 1 for management and restricting access from other VLANs to it?
thanks a lot
regards,
Nad

On Thu, Aug 20, 2009 at 12:13 AM, Brett Frankenberger wrote:
> On Wed, Aug 19, 2009 at 10:56:23AM -0500, Murphy, William wrote:
>> In all recent IOS versions and switching hardware you can disable
>> VLAN 1 on trunk ports (switchport trunk allowed vlan remove 1) and
>> the protocols you mentioned will still continue to function. This is
>> how Cisco recommends you do it.
>
> Not on ethernet switch HWICs in 28xx and 38xx series routers. They
> still require VLAN 1 on all trunks.
>
>      -- Brett
>

From gert at greenie.muc.de Thu Aug 20 02:50:19 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 20 Aug 2009 08:50:19 +0200
Subject: [c-nsp] CIsco 3560 SVI SNMP
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local>
References: <3b53747c0908190113m591e9e3o479122f5ea4ad383@mail.gmail.com> <20090819083245.GY2121@greenie.muc.de> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2698EF@zy-ex1.zyedge.local>
Message-ID: <20090820065019.GN2121@greenie.muc.de>

Hi,

On Wed, Aug 19, 2009 at 07:45:32PM -0400, Ryan West wrote:
> Is this behavior different on the higher end models?

Yes. 6500s have proper statistics on the VLAN interfaces. I'm not sure about Catalyst 4000/4500s; it might depend on the specific supervisor engine used.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From giesen at snickers.org Thu Aug 20 11:19:04 2009
From: giesen at snickers.org (Gary T. Giesen)
Date: Thu, 20 Aug 2009 11:19:04 -0400
Subject: [c-nsp] NAT Global to FVRF
Message-ID: <9a9d0c6a0908200819l617960bdjdce322cfa17b2980@mail.gmail.com>

I've got a customer that requires localized Internet access from their DMVPN router (they currently receive a default route over the VPN). Their router is set up with the customer (inside) network in the global routing table, and their Internet connection sits inside a Front door VRF (FVRF). Has anyone done this, and have a working config? I've tried all manner of options but have yet to be successful NAT'ing between the global inside and outside FVRF.

[ LAN ] ---[ CPE ]--- [ Internet ]
 Global -------> VRF "RED"
          NAT

GG

From ip at ioshints.info Thu Aug 20 11:49:08 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 20 Aug 2009 17:49:08 +0200
Subject: [c-nsp] NAT Global to FVRF
In-Reply-To: <9a9d0c6a0908200819l617960bdjdce322cfa17b2980@mail.gmail.com>
References: <9a9d0c6a0908200819l617960bdjdce322cfa17b2980@mail.gmail.com>
Message-ID: <004c01ca21ad$c1c39680$0a00000a@nil.si>

> I've tried all manner of options but
> have yet to be successful NAT'ing between the global inside
> and outside FVRF.

Did you use classic NAT (ip nat inside ... commands) or NAT Virtual Interface (ip nat enable ... commands)? NVI works better in a VRF environment.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

From luan at netcraftsmen.net Thu Aug 20 11:50:53 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 20 Aug 2009 11:50:53 -0400
Subject: [c-nsp] NAT Global to FVRF
In-Reply-To: <9a9d0c6a0908200819l617960bdjdce322cfa17b2980@mail.gmail.com>
References: <9a9d0c6a0908200819l617960bdjdce322cfa17b2980@mail.gmail.com>
Message-ID: <00ba01ca21ad$ffdaab20$ff900160$@net>

I think the problem is that your VRF Red doesn't have a route to the LAN. If [LAN] is a switch, then you could try to create a route in VRF Red for the LAN network with the next hop being the IP address of the switch.
Regards,

----------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
----------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary T. Giesen
Sent: Thursday, August 20, 2009 11:19 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT Global to FVRF

I've got a customer that requires localized Internet access from their DMVPN router (they currently receive a default route over the VPN). Their router is set up with the customer (inside) network in the global routing table, and their Internet connection sits inside a Front door VRF (FVRF). Has anyone done this, and have a working config? I've tried all manner of options but have yet to be successful NAT'ing between the global inside and outside FVRF.

[ LAN ] ---[ CPE ]--- [ Internet ]
 Global -------> VRF "RED"
          NAT

GG

From ip at ioshints.info Thu Aug 20 11:51:20 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 20 Aug 2009 17:51:20 +0200
Subject: [c-nsp] ISIS partition avoidance
In-Reply-To:
References:
Message-ID: <004d01ca21ae$11050c10$0a00000a@nil.si>

The router still belongs to the same area as it did before and would thus advertise the area's prefix into L2 due to its own NET.

Remember the major difference between OSPF and IS-IS: a router (not an interface) belongs to an area, and a router (not an interface) has a NET.
Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Ibrahim Abo Zaid [mailto:ibrahim.abozaid at gmail.com]
> Sent: Thursday, August 20, 2009 4:51 AM
> To: cisco_nsp; cisco at groupstudy.com
> Subject: [c-nsp] ISIS partition avoidance
>
> Hi All
>
> Does anyone know why ISIS partition avoidance is needed?
> According to the DocCD:
>
> To cause an Intermediate System-to-Intermediate System
> (IS-IS) Level 1-2 border router to stop advertising the Level
> 1 area prefix into the Level 2 backbone when full
> connectivity is lost between the border router, all adjacent
> Level 1 routers, and end hosts
>
> but that occurs automatically without enabling the feature, so
> what extra benefit does it provide?
>
> best regards
> --Ibrahim

From William.Murphy at uth.tmc.edu Thu Aug 20 12:15:32 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Thu, 20 Aug 2009 11:15:32 -0500
Subject: [c-nsp] Management Vlan VS Vlan1
In-Reply-To: <5c1b7500908192219y73220c79p9408713fe8e150ca@mail.gmail.com>
References: <5c1b7500908182148y1667609as98c0f75d95aabf0b@mail.gmail.com> <20090819221312.GA3749@panix.com> <5c1b7500908192219y73220c79p9408713fe8e150ca@mail.gmail.com>
Message-ID:

I think Cisco wants to keep normal traffic away from control plane type traffic. Refer to

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre6

for the Cisco explanation...
BillM

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shadow floating
Sent: Thursday, August 20, 2009 12:19 AM
To: Brett Frankenberger
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Management Vlan VS Vlan1

Thanks a lot guys for all your informative responses, but still, if I migrate the management VLAN from VLAN 1 to another VLAN, won't I have to protect 2 VLANs instead of just taking care of VLAN 1? Is there any good reason that prevents one from using VLAN 1 for management and restricting access from other VLANs to it?

thanks a lot
regards,
Nad

On Thu, Aug 20, 2009 at 12:13 AM, Brett Frankenberger wrote:
> On Wed, Aug 19, 2009 at 10:56:23AM -0500, Murphy, William wrote:
>> In all recent IOS versions and switching hardware you can disable
>> VLAN 1 on trunk ports (switchport trunk allowed vlan remove 1) and
>> the protocols you mentioned will still continue to function. This is
>> how Cisco recommends you do it.
>
> Not on ethernet switch HWICs in 28xx and 38xx series routers. They
> still require VLAN 1 on all trunks.
>
>      -- Brett
>

From guru6111 at gmail.com Thu Aug 20 12:55:39 2009
From: guru6111 at gmail.com (Atif Sid)
Date: Thu, 20 Aug 2009 12:55:39 -0400
Subject: [c-nsp] xconnect on VLAN interface ES card
Message-ID: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com>

I have seen posts on this topic but am still not clear.. I currently have WS line cards, with SUP-32 on a 7606; PW on a VLAN interface does not work. Testing an ES card customer facing, RSP-720 core facing, here is the issue..
any help will be great!

Is it possible to configure xconnect from an SVI interface, when your core facing cards are RSP-720?

I have configured it:

interface Vlan290
 no ip address
 xconnect 10.10.136.129 37123712 encapsulation mpls
end

It does not come up:

PE4#sh mpl l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN

PE4#sh mpl l2transport vc 37123712 det
PE4#sh mpl l2transport vc 37123712 detail
Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
Interworking type is Ethernet
Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 00:00:49, last status change time: 00:00:03
Signaling protocol: LDP, peer 10.10.136.129:0 up
Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
Status TLV support (local/remote) : enabled/not supported
Label/status state machine : remote ready, LndRru
Last local dataplane status rcvd: no fault
Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
Last local SSS circuit status sent: no fault
Last local LDP TLV status sent: no fault (withdrawn)
Last remote LDP TLV status rcvd: not sent
MPLS VC labels: local unassigned, remote 340
Group ID: local unknown, remote 0
MTU: local unknown, remote 1500
Remote interface description: ** Test PW with PE4 ES SVI int **
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 0, send 0
byte totals: receive 0, send 0
packet drops: receive 0, seq error 0, send 0

Although when I use a physical interface it comes up?
RSP720 does not support it??
moved it to physical interface it comes up:

interface GigabitEthernet2/1
 no ip address
 ip verify unicast source reachable-via any
 load-interval 30
 speed 1000
 xconnect 10.10.136.129 37123712 encapsulation mpls
end

PE4#sh mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From shimshah at cisco.com Thu Aug 20 13:05:17 2009
From: shimshah at cisco.com (Shimol Shah)
Date: Thu, 20 Aug 2009 13:05:17 -0400
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com>
Message-ID: <4A8D824D.404@cisco.com>

On the 7600 for doing SVI EoMPLS (Xconnect under SVI) you need a CWAN card (ES20, SIP400 etc) facing the core.

For using Hardware EoMPLS (i.e. with Xconnect under main/single tag subif) on the 7600, you can use below

CE Facing LC: LAN Line Card, ES-20, SIP-600
Core Facing LC: Any

Atif Sid said the following on 8/20/2009 12:55 PM:
> I have seen posts on this topic but still not clear.. currently have WS line
> cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES
> card customer facing, RSP-720 core facing, here is the issue.. any help will
> be great !
>
> Is it possible to configure xconnect from an SVI interface, when your core
> facing cards are RSP-720?
>
> I have configured it:
>
> interface Vlan290
>  no ip address
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> It does not come up:
>
> PE4#sh mpl l2transport vc
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
>
> PE4#sh mpl l2transport vc 37123712 det
> PE4#sh mpl l2transport vc 37123712 detail
> Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
> Interworking type is Ethernet
> Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
> Output interface: none, imposed label stack {}
> Preferred path: not configured
> Default path: no route
> No adjacency
> Create time: 00:00:49, last status change time: 00:00:03
> Signaling protocol: LDP, peer 10.10.136.129:0 up
> Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
> Status TLV support (local/remote) : enabled/not supported
> Label/status state machine : remote ready, LndRru
> Last local dataplane status rcvd: no fault
> Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
> Last local SSS circuit status sent: no fault
> Last local LDP TLV status sent: no fault (withdrawn)
> Last remote LDP TLV status rcvd: not sent
> MPLS VC labels: local unassigned, remote 340
> Group ID: local unknown, remote 0
> MTU: local unknown, remote 1500
> Remote interface description: ** Test PW with PE4 ES SVI int **
> Sequencing: receive disabled, send disabled
> VC statistics:
> packet totals: receive 0, send 0
> byte totals: receive 0, send 0
> packet drops: receive 0, seq error 0, send 0
>
> Although when I use a physical interface it comes up?
> RSP720 does not support it??
>
> moved it to physical interface it comes up:
>
> interface GigabitEthernet2/1
>  no ip address
>  ip verify unicast source reachable-via any
>  load-interval 30
>  speed 1000
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> PE4#sh mpls l2transport vc
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From rechew at ucsc.edu Thu Aug 20 12:09:14 2009
From: rechew at ucsc.edu (Richard Chew)
Date: Thu, 20 Aug 2009 09:09:14 -0700
Subject: [c-nsp] 6500 QoS
Message-ID: <4A8D752A.6080003@ucsc.edu>

On a 6509, once you configure *mls qos*, all traffic out all interfaces will be remarked as Best Effort (CS0); this is by default. Only traffic on interfaces with the *mls qos dscp trust* statement will retain their dscp markings. In other words, only traffic coming in or out an interface you explicitly tell it to trust will retain its markings.

Rich

|Is the simplest configuration to turn on mls qos globally and use a
|service policy to set a

From haminu at aljawal.blackberry.com Thu Aug 20 13:18:47 2009
From: haminu at aljawal.blackberry.com (haminu at aljawal.blackberry.com)
Date: Thu, 20 Aug 2009 17:18:47 +0000
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com>
Message-ID: <166869678-1250788703-cardhu_decombobulator_blackberry.rim.net-609612749-@bxe1001.bisx.produk.on.blackberry>

Atif,

What is your ios version?
Hash
Sent from my BlackBerry® wireless device from Aljawal

-----Original Message-----
From: Atif Sid
Date: Thu, 20 Aug 2009 12:55:39
To:
Subject: [c-nsp] xconnect on VLAN interface ES card

I have seen posts on this topic but still not clear.. currently have WS line cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES card customer facing, RSP-720 core facing, here is the issue.. any help will be great !

Is it possible to configure xconnect from an SVI interface, when your core facing cards are RSP-720?

I have configured it:

interface Vlan290
 no ip address
 xconnect 10.10.136.129 37123712 encapsulation mpls
end

It does not come up:

PE4#sh mpl l2transport vc

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN

PE4#sh mpl l2transport vc 37123712 det
PE4#sh mpl l2transport vc 37123712 detail
Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
Interworking type is Ethernet
Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: no route
No adjacency
Create time: 00:00:49, last status change time: 00:00:03
Signaling protocol: LDP, peer 10.10.136.129:0 up
Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
Status TLV support (local/remote) : enabled/not supported
Label/status state machine : remote ready, LndRru
Last local dataplane status rcvd: no fault
Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
Last local SSS circuit status sent: no fault
Last local LDP TLV status sent: no fault (withdrawn)
Last remote LDP TLV status rcvd: not sent
MPLS VC labels: local unassigned, remote 340
Group ID: local unknown, remote 0
MTU: local unknown, remote 1500
Remote interface description: ** Test PW with PE4 ES SVI int **
Sequencing: receive disabled, send disabled
VC statistics:
packet totals: receive 0, send 0
byte totals: receive 0, send 0
packet drops: receive 0, seq error 0, send 0

Although when I use a physical interface it comes up?
RSP720 does not support it??

moved it to physical interface it comes up:

interface GigabitEthernet2/1
 no ip address
 ip verify unicast source reachable-via any
 load-interval 30
 speed 1000
 xconnect 10.10.136.129 37123712 encapsulation mpls
end

PE4#sh mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From haminu at aljawal.blackberry.com Thu Aug 20 13:21:25 2009
From: haminu at aljawal.blackberry.com (haminu at aljawal.blackberry.com)
Date: Thu, 20 Aug 2009 17:21:25 +0000
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <4A8D824D.404@cisco.com>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com> <4A8D824D.404@cisco.com>
Message-ID: <375418926-1250788862-cardhu_decombobulator_blackberry.rim.net-1139763432-@bxe1001.bisx.produk.on.blackberry>

Moreover, in some ios version it comes up but not passing traffic and no label imposed. While in later release it stays down.
Hth
Hash
Sent from my BlackBerry® wireless device from Aljawal

-----Original Message-----
From: Shimol Shah
Date: Thu, 20 Aug 2009 13:05:17
To: Atif Sid
Cc:
Subject: Re: [c-nsp] xconnect on VLAN interface ES card

On the 7600 for doing SVI EoMPLS (Xconnect under SVI) you need a CWAN card (ES20, SIP400 etc) facing the core.

For using Hardware EoMPLS (i.e. with Xconnect under main/single tag subif) on the 7600, you can use below

CE Facing LC: LAN Line Card, ES-20, SIP-600
Core Facing LC: Any

Atif Sid said the following on 8/20/2009 12:55 PM:
> I have seen posts on this topic but still not clear.. currently have WS line
> cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES
> card customer facing, RSP-720 core facing, here is the issue.. any help will
> be great !
>
> Is it possible to configure xconnect from an SVI interface, when your core
> facing cards are RSP-720?
>
> I have configured it:
>
> interface Vlan290
>  no ip address
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> It does not come up:
>
> PE4#sh mpl l2transport vc
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
>
> PE4#sh mpl l2transport vc 37123712 det
> PE4#sh mpl l2transport vc 37123712 detail
> Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
> Interworking type is Ethernet
> Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
> Output interface: none, imposed label stack {}
> Preferred path: not configured
> Default path: no route
> No adjacency
> Create time: 00:00:49, last status change time: 00:00:03
> Signaling protocol: LDP, peer 10.10.136.129:0 up
> Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
> Status TLV support (local/remote) : enabled/not supported
> Label/status state machine : remote ready, LndRru
> Last local dataplane status rcvd: no fault
> Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
> Last local SSS circuit status sent: no fault
> Last local LDP TLV status sent: no fault (withdrawn)
> Last remote LDP TLV status rcvd: not sent
> MPLS VC labels: local unassigned, remote 340
> Group ID: local unknown, remote 0
> MTU: local unknown, remote 1500
> Remote interface description: ** Test PW with PE4 ES SVI int **
> Sequencing: receive disabled, send disabled
> VC statistics:
> packet totals: receive 0, send 0
> byte totals: receive 0, send 0
> packet drops: receive 0, seq error 0, send 0
>
> Although when I use a physical interface it comes up?
> RSP720 does not support it??
>
> moved it to physical interface it comes up:
>
> interface GigabitEthernet2/1
>  no ip address
>  ip verify unicast source reachable-via any
>  load-interval 30
>  speed 1000
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> PE4#sh mpls l2transport vc
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From shimshah at cisco.com Thu Aug 20 13:23:38 2009
From: shimshah at cisco.com (Shimol Shah)
Date: Thu, 20 Aug 2009 13:23:38 -0400
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <375418926-1250788862-cardhu_decombobulator_blackberry.rim.net-1139763432-@bxe1001.bisx.produk.on.blackberry>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com> <4A8D824D.404@cisco.com> <375418926-1250788862-cardhu_decombobulator_blackberry.rim.net-1139763432-@bxe1001.bisx.produk.on.blackberry>
Message-ID: <4A8D869A.2060305@cisco.com>

Without the right hardware you can expect to see all kinds of problems, like control plane being learnt correctly but VC still being down, or VC manages to come up but traffic does not pass. Which is why it is important to use the correct/supported LC for the feature.

haminu at aljawal.blackberry.com said the following on 8/20/2009 1:21 PM:
> Moreover, in some ios version it comes up but not passing traffic and no label imposed. While in later release it stays down.
> Hth
> Hash
> Sent from my BlackBerry® wireless device from Aljawal
>
> -----Original Message-----
> From: Shimol Shah
> Date: Thu, 20 Aug 2009 13:05:17
> To: Atif Sid
> Cc:
> Subject: Re: [c-nsp] xconnect on VLAN interface ES card
>
> On the 7600 for doing SVI EoMPLS (Xconnect under SVI) you need a CWAN
> card (ES20, SIP400 etc) facing the core.
>
> For using Hardware EoMPLS (i.e. with Xconnect under main/single tag
> subif) on the 7600, you can use below
>
> CE Facing LC: LAN Line Card, ES-20, SIP-600
> Core Facing LC: Any
>
> Atif Sid said the following on 8/20/2009 12:55 PM:
>> I have seen posts on this topic but still not clear.. currently have WS line
>> cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES
>> card customer facing, RSP-720 core facing, here is the issue.. any help will
>> be great !
>>
>> Is it possible to configure xconnect from an SVI interface, when your core
>> facing cards are RSP-720?
>>
>> I have configured it:
>>
>> interface Vlan290
>>  no ip address
>>  xconnect 10.10.136.129 37123712 encapsulation mpls
>> end
>>
>> It does not come up:
>>
>> PE4#sh mpl l2transport vc
>>
>> Local intf     Local circuit              Dest address    VC ID      Status
>> -------------  -------------------------- --------------- ---------- ----------
>> Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
>>
>> PE4#sh mpl l2transport vc 37123712 det
>> PE4#sh mpl l2transport vc 37123712 detail
>> Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
>> Interworking type is Ethernet
>> Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
>> Output interface: none, imposed label stack {}
>> Preferred path: not configured
>> Default path: no route
>> No adjacency
>> Create time: 00:00:49, last status change time: 00:00:03
>> Signaling protocol: LDP, peer 10.10.136.129:0 up
>> Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
>> Status TLV support (local/remote) : enabled/not supported
>> Label/status state machine : remote ready, LndRru
>> Last local dataplane status rcvd: no fault
>> Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
>> Last local SSS circuit status sent: no fault
>> Last local LDP TLV status sent: no fault (withdrawn)
>> Last remote LDP TLV status rcvd: not sent
>> MPLS VC labels: local unassigned, remote 340
>> Group ID: local unknown, remote 0
>> MTU: local unknown, remote 1500
>> Remote interface description: ** Test PW with PE4 ES SVI int **
>> Sequencing: receive disabled, send disabled
>> VC statistics:
>> packet totals: receive 0, send 0
>> byte totals: receive 0, send 0
>> packet drops: receive 0, seq error 0, send 0
>>
>> Although when I use a physical interface it comes up?
>> RSP720 does not support it??
>>
>> moved it to physical interface it comes up:
>>
>> interface GigabitEthernet2/1
>>  no ip address
>>  ip verify unicast source reachable-via any
>>  load-interval 30
>>  speed 1000
>>  xconnect 10.10.136.129 37123712 encapsulation mpls
>> end
>>
>> PE4#sh mpls l2transport vc
>> Local intf     Local circuit              Dest address    VC ID      Status
>> -------------  -------------------------- --------------- ---------- ----------
>> Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From shimshah at cisco.com Thu Aug 20 13:26:13 2009
From: shimshah at cisco.com (Shimol Shah)
Date: Thu, 20 Aug 2009 13:26:13 -0400
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <166869678-1250788703-cardhu_decombobulator_blackberry.rim.net-609612749-@bxe1001.bisx.produk.on.blackberry>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com> <166869678-1250788703-cardhu_decombobulator_blackberry.rim.net-609612749-@bxe1001.bisx.produk.on.blackberry>
Message-ID: <4A8D8735.6030606@cisco.com>

I think perhaps this IOS version would not be a problem since his ES card booted up fine, as support for it was added in SRB.

http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html

I feel this is due to incorrect LC being used.

If you try to use the right LC with your IOS, does it work fine?

Also make sure using Feature Navigator that the feature is supported in your IOS.

haminu at aljawal.blackberry.com said the following on 8/20/2009 1:18 PM:
> Atif,
>
> What is your ios version?
> Hash
> Sent from my BlackBerry® wireless device from Aljawal
>
> -----Original Message-----
> From: Atif Sid
> Date: Thu, 20 Aug 2009 12:55:39
> To:
> Subject: [c-nsp] xconnect on VLAN interface ES card
>
> I have seen posts on this topic but still not clear.. currently have WS line
> cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES
> card customer facing, RSP-720 core facing, here is the issue.. any help will
> be great !
>
> Is it possible to configure xconnect from an SVI interface, when your core
> facing cards are RSP-720?
>
> I have configured it:
>
> interface Vlan290
>  no ip address
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> It does not come up:
>
> PE4#sh mpl l2transport vc
>
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
>
> PE4#sh mpl l2transport vc 37123712 det
> PE4#sh mpl l2transport vc 37123712 detail
> Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
> Interworking type is Ethernet
> Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
> Output interface: none, imposed label stack {}
> Preferred path: not configured
> Default path: no route
> No adjacency
> Create time: 00:00:49, last status change time: 00:00:03
> Signaling protocol: LDP, peer 10.10.136.129:0 up
> Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
> Status TLV support (local/remote) : enabled/not supported
> Label/status state machine : remote ready, LndRru
> Last local dataplane status rcvd: no fault
> Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
> Last local SSS circuit status sent: no fault
> Last local LDP TLV status sent: no fault (withdrawn)
> Last remote LDP TLV status rcvd: not sent
> MPLS VC labels: local unassigned, remote 340
> Group ID: local unknown, remote 0
> MTU: local unknown, remote 1500
> Remote interface description: ** Test PW with PE4 ES SVI int **
> Sequencing: receive disabled, send disabled
> VC statistics:
> packet totals: receive 0, send 0
> byte totals: receive 0, send 0
> packet drops: receive 0, seq error 0, send 0
>
> Although when I use a physical interface it comes up?
> RSP720 does not support it??
>
> moved it to physical interface it comes up:
>
> interface GigabitEthernet2/1
>  no ip address
>  ip verify unicast source reachable-via any
>  load-interval 30
>  speed 1000
>  xconnect 10.10.136.129 37123712 encapsulation mpls
> end
>
> PE4#sh mpls l2transport vc
> Local intf     Local circuit              Dest address    VC ID      Status
> -------------  -------------------------- --------------- ---------- ----------
> Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From guru6111 at gmail.com Thu Aug 20 14:28:38 2009
From: guru6111 at gmail.com (Atif Sid)
Date: Thu, 20 Aug 2009 14:28:38 -0400
Subject: [c-nsp] xconnect on VLAN interface ES card
In-Reply-To: <4A8D8735.6030606@cisco.com>
References: <766b203d0908200955t7da384d2u2c30a0b56596df32@mail.gmail.com> <166869678-1250788703-cardhu_decombobulator_blackberry.rim.net-609612749-@bxe1001.bisx.produk.on.blackberry> <4A8D8735.6030606@cisco.com>
Message-ID: <766b203d0908201128t22aa9936x9f2f1d412692c8ca@mail.gmail.com>

IOS 12.2(33)SRD1. I will try to test with ES facing core, if that is the case. But same LC for customer ports and core, is that recommended? Or any issues?

On Thu, Aug 20, 2009 at 1:26 PM, Shimol Shah wrote:
> I think perhaps this IOS version would not be a problem since his ES card
> booted up fine as support for it was added in SRB.
>
> http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3ad.html
>
> I feel this is due to incorrect LC being used.
>
> If you try to use the right LC with your IOS does it work fine ?
>
> Also make sure using Feature Navigator that the feature is supported in
> your IOS.
>
> haminu at aljawal.blackberry.com said the following on 8/20/2009 1:18 PM:
>> Atif,
>>
>> What is your ios version?
>> Hash
>> Sent from my BlackBerry® wireless device from Aljawal
>>
>> -----Original Message-----
>> From: Atif Sid
>> Date: Thu, 20 Aug 2009 12:55:39
>> To:
>> Subject: [c-nsp] xconnect on VLAN interface ES card
>>
>> I have seen posts on this topic but still not clear.. currently have WS line
>> cards, with SUP-32 on 7606; PW on VLAN interface do not work. testing ES
>> card customer facing, RSP-720 core facing, here is the issue.. any help will
>> be great !
>>
>> Is it possible to configure xconnect from an SVI interface, when your core
>> facing cards are RSP-720?
>>
>> I have configured it:
>>
>> interface Vlan290
>>  no ip address
>>  xconnect 10.10.136.129 37123712 encapsulation mpls
>> end
>>
>> It does not come up:
>>
>> PE4#sh mpl l2transport vc
>>
>> Local intf     Local circuit              Dest address    VC ID      Status
>> -------------  -------------------------- --------------- ---------- ----------
>> Vl290          Eth VLAN 290               10.10.136.129   37123712   DOWN
>>
>> PE4#sh mpl l2transport vc 37123712 det
>> PE4#sh mpl l2transport vc 37123712 detail
>> Local interface: Vl290 up, line protocol up, Eth VLAN 290 up
>> Interworking type is Ethernet
>> Destination address: 10.10.136.129, VC ID: 37123712, VC status: down
>> Output interface: none, imposed label stack {}
>> Preferred path: not configured
>> Default path: no route
>> No adjacency
>> Create time: 00:00:49, last status change time: 00:00:03
>> Signaling protocol: LDP, peer 10.10.136.129:0 up
>> Targeted Hello: 10.10.136.131(LDP Id) -> 10.10.136.129
>> Status TLV support (local/remote) : enabled/not supported
>> Label/status state machine : remote ready, LndRru
>> Last local dataplane status rcvd: no fault
>> Last local SSS circuit status rcvd: AC DOWN(rx,tx faults)
>> Last local SSS circuit status sent: no fault
>> Last local LDP TLV status sent: no fault (withdrawn)
>> Last remote LDP TLV status rcvd: not sent
>> MPLS VC labels: local unassigned, remote 340
>> Group ID: local unknown, remote 0
>> MTU: local unknown, remote 1500
>> Remote interface description: ** Test PW with PE4 ES SVI int **
>> Sequencing: receive disabled, send disabled
>> VC statistics:
>> packet totals: receive 0, send 0
>> byte totals: receive 0, send 0
>> packet drops: receive 0, seq error 0, send 0
>>
>> Although when I use a physical interface it comes up?
>> RSP720 does not support it??
>>
>> moved it to physical interface it comes up:
>>
>> interface GigabitEthernet2/1
>>  no ip address
>>  ip verify unicast source reachable-via any
>>  load-interval 30
>>  speed 1000
>>  xconnect 10.10.136.129 37123712 encapsulation mpls
>> end
>>
>> PE4#sh mpls l2transport vc
>> Local intf     Local circuit              Dest address    VC ID      Status
>> -------------  -------------------------- --------------- ---------- ----------
>> Gi2/1          Ethernet                   10.10.136.129   37123712   UP

From jared at puck.nether.net Thu Aug 20 14:38:32 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 20 Aug 2009 14:38:32 -0400
Subject: [c-nsp] Sup720 hang while writing SP crashinfo?
In-Reply-To:
References: <491424.73465.qm@web1211.biz.mail.gq1.yahoo.com> <538216.56886.qm@web1204.biz.mail.gq1.yahoo.com>
Message-ID:

One thing I notice here is that you are running the modular software. Be sure you have it set up to write core dumps properly to the disk0/ disk1 devices.
This will greatly increase the ability of these bugs to be isolated and resolved quicker when working with TAC/DEs.

- Jared

On Aug 19, 2009, at 10:39 PM, e ninja wrote:

> Kevin,
>
> Looks like the RP reset the system because the SP failed to respond to
> RP<->SP cpu availability heartbeat keepalives (aka CPU MONITOR). The TAC
> engineer should not bother decoding the RP tracebacks as this would most
> likely be generic functions. The root cause lies in the SP and understanding
> why it failed or failed to respond to RP heartbeat keepalives.
>
> Some possible causes;
>
> - SP crashed because of a software bug. Make room for future crashinfo
>   files since trigger still looms.
> - SP heartbeat response got stuck behind other EOBC management activity
>   during a traffic spike. (eg CSCsm21728, etc.)
>
> It is always a good idea to setup syslog so that all events can be captured
> for future troubleshooting.
>
> -Eninja
>
>
> On Tue, Aug 18, 2009 at 8:33 PM, Kevin Graham <kgraham at industrial-marshmallow.com> wrote:
>
>>> There are multiple causes of crashes and several causes of system 'hang'
>>> (high CPU, memory depletion, etc) and both should be investigated
>>> independently.
>>
>> Yes, crash itself didn't seem particularly interesting, but am pursuing that
>> w/ TAC. It looked like it was a "good and orderly" reset, which is why the
>> failure to complete the reboot (combined w/ incomplete SP crashinfo and full
>> sup-bootflash) were curious.
>>
>>> Do you have any syslogs from a few minutes before the crash? If yes send
>>> over along with RP crashinfo, whatever was captured from SP and console
>>> logs.
>>
>> Only what was captured in RP crashinfo (sparing the list the rest of the
>> spam, but symptoms were consistent w/ very high RP cpu. Starting w/ HSRP
>> state flaps, drop of OSPF adjacencies).
>> The last gasps were:
>>
>> 094893: Aug 18 10:53:19.694 PDT: icc_send_request_internal: ipc_send_rpc_blocked failed, result 6 : ios-base : (PID=16407, TID=21) : -Traceback=(s72033_rp-ipservicesk9-6-dso-b.so+0x164B40) ([33:0]+0x164DAC) ([33:0]+0x165320) ([23:-9]3+0x316100) ([33:0]+0x306158) ([23:-9]1+0x2B81A8) ([33:0]+0x2FBFF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
>> 094894: Aug 18 10:53:25.910 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 120 seconds [6/0]
>> 094895: Aug 18 10:53:55.990 PDT: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 150 seconds [6/0]
>> 094896: Aug 18 10:54:26.049 PDT: %CPU_MONITOR-3-TIMED_OUT: CPU_MONITOR messages have failed, resetting system [6/0]
>> Crashdump : 17:54:26.944 Tue Aug 18 2009 : ios-base : (PID=16407, TID=1) : -Traceback=(s72033_rp-ipservicesk9-9-dso-b.so+0x2E46C8) ([33:0]+0x3577B4) ([33:0]+0x359CF8) ([23:-9]6+0x4E3BC4) ([33:0]+0x4E3B9C)
>> crashdump called (with pause = 0 sec)
>>
>> %ALIGN-1-FATAL: Illegal access to a low address 10:54:26 PDT Tue Aug 18 2009
>> addr=0x0, pc=0x74C7D940, ra=0x74C7D86C, sp=0x389EBC8
>>
>>
>>> On Aug 18, 2009, at 11:04 PM, Kevin Graham wrote:
>>>
>>>> We had a Sup720B (non-redundant, running modular SXI) crash, due to what looks
>>>> like was due to a CPU_MONITOR watchdog event. What was nasty though was that
>>>> rather than reload, it hung (dead and unresponsive console) and required a
>>>> power cycle.
>>>>
>>>> The RP crashinfo made it out fine, however SP crashinfo was incomplete.
>>>> Looking at that, its due to sup-bootflash running out of space (1 byte left
>>>> w/ an incomplete/inaccessible crashinfo).
>>>>
>>>> Unfounded speculation is that the "hung" state was due to system pounding away
>>>> trying to finish writing crashinfo to a full filesystem.
>>>>
>>>> Is that hypothesis at all reasonable, or is there something else that
>>>> should be explored?
>>>>
>>
>>

From guru6111 at gmail.com Thu Aug 20 14:59:08 2009
From: guru6111 at gmail.com (Atif Sid)
Date: Thu, 20 Aug 2009 14:59:08 -0400
Subject: [c-nsp] priority queue (like LLQ) on RSP 720
Message-ID: <766b203d0908201159y5576d4b3n78ef0331c45d7762@mail.gmail.com>

I tried using priority queue for Realtime traffic on RSP 720; it is not supported. How can we prioritize realtime traffic if the core facing link is on RSP-720?

From vijay.ramcharan at verizonbusiness.com Thu Aug 20 15:58:47 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Thu, 20 Aug 2009 19:58:47 +0000
Subject: [c-nsp] NAT Global to FVRF
In-Reply-To: <00ba01ca21ad$ffdaab20$ff900160$@net>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB301514501@ASHEVS006.mcilink.com>

This caught my interest as the scenarios I've worked with were in the reverse, i.e. Internet access provided for VRF via the global routing table interface/address.
Here's what appears to be a working config (NAT config is on a 1710 running 12.4.25b IP/FW/3DES code):

ip vrf inet
 rd 1:1
 !import ipv4 unicast map rtm_global     !=> If you wanted to import routes from the global routing table
!
interface Ethernet0
 ip vrf forwarding inet
 ip address 192.168.248.113 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 full-duplex
!
interface FastEthernet0
 ip vrf receive inet
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map set_to_vrf_intf
 speed auto
 full-duplex
!
!router bgp 65002     !=> Only if doing IPv4 prefix import from global routing table or if you're actually using BGP
 bgp log-neighbor-changes
 !
 address-family ipv4
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf inet
  no synchronization
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 Ethernet0 192.168.248.1     !=> Global default route points to next hop which is in inet VRF
ip route vrf inet 0.0.0.0 0.0.0.0 192.168.248.1      !=> Static default in inet VRF pointing at "ISP" next-hop
!
ip nat inside source list acl_match_global interface Ethernet0 vrf inet overload
!
ip access-list extended acl_match_global
 permit ip 10.1.1.0 0.0.0.255 any
!
route-map set_to_vrf_intf permit 10
 set vrf inet
!
!-----------------------
!Test ping from a device (10.1.1.2) reachable via global routing table using 10.1.1.1 (NAT router) as its default gateway

7206-NPE175#ping 4.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms
7206-NPE175#
!-----------------------
NAT Debugs

000230: *Jan 10 12:01:53.235: NAT: [1] Allocated Port for 10.1.1.2 -> 192.168.248.113: wanted 35 got 35
000231: *Jan 10 12:01:53.235: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1, 35) [1089]
000232: *Jan 10 12:01:53.239: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1, 35) [1089]
000233: *Jan 10 12:01:53.239: NAT*: s=10.1.1.2->192.168.248.113, d=4.2.2.1 [1089] vrf=> inet
000234: *Jan 10 12:01:53.259: NAT*: o: icmp (4.2.2.1, 35) -> (192.168.248.113, 35) [35412]
000235: *Jan 10 12:01:53.259: NAT*: s=4.2.2.1, d=192.168.248.113->10.1.1.2 [35412] vrf=> inet
000236: *Jan 10 12:01:53.259: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1, 35) [1090]
000237: *Jan 10 12:01:53.263: NAT*: s=10.1.1.2->192.168.248.113, d=4.2.2.1 [1090] vrf=> inet
000238: *Jan 10 12:01:53.283: NAT*: o: icmp (4.2.2.1, 35) -> (192.168.248.113, 35) [35413]
000239: *Jan 10 12:01:53.283: NAT*: s=4.2.2.1, d=192.168.248.113->10.1.1.2 [35413] vrf=> inet
000240: *Jan 10 12:01:53.283: NAT*: i: icmp (10.1.1.2, 35) -> (4.2.2.1, 35)
!
!------------------------
c1710#sh ip ro vrf *
...
Gateway of last resort is 192.168.248.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1111
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0
S*   0.0.0.0/0 [1/0] via 192.168.248.1, Ethernet0

Routing Table: inet
...
Gateway of last resort is 192.168.248.1 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
B       1.1.1.1 is directly connected, 00:56:37, Loopback1111
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0
C    192.168.248.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 [1/0] via 192.168.248.1
c1710#
!------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, August 20, 2009 11:51 AM
To: giesen at snickers.org; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT Global to FVRF

I think the problem is because your VRF Red doesn't have a route to the LAN. If [LAN] is a switch, then you could try to create a route in VRF Red for the LAN network with the next hop being the IP address of the switch.

Regards,
----------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
----------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary T. Giesen
Sent: Thursday, August 20, 2009 11:19 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT Global to FVRF

I've got a customer that requires localized Internet access from their DMVPN router (they currently receive a default route over the VPN). Their router is set up with the customer (inside) network in the global routing table, and their Internet connection sits inside a Front door VRF (FVRF). Has anyone done this, and have a working config? I've tried all manner of options but have yet to be successful NAT'ing between the global inside and outside FVRF.
[ LAN ] ---[ CPE ]--- [ Internet ]
 Global -------> VRF "RED"
           NAT

GG

From bacon at walleyesoftware.com Thu Aug 20 16:13:44 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Thu, 20 Aug 2009 15:13:44 -0500
Subject: [c-nsp] sup32/sup720 onboard int performance
Message-ID: <5A69C25361FED34F83ABF05F5047524505CD85D2@wally.walleyetrading.net>

How are the ports that are on the supervisor module hooked into the fabric/PFC? Are they at any significant advantage or disadvantage compared to ports on linecards?

I'm primarily wondering because I'm wondering about the performance of sup32s. I understand that any linecard is going to be running on classic-bus with a sup32, and that probably adds a couple usec of latency vs fabric-switched packets. And I've seen various documents on how the various linecards are architected. But I've never seen anything describing how the onboard ports are dealt with. Are they operating as if they're on a fabric-connected linecard? Are their controllers directly hooked into the PFC? Or are they abortions just stuck on there for the sake of argument?

I have various use cases where a pair of sup-32s in a 6503 chassis makes plenty of sense for what I need.
I have a couple, and they're ok so far - but I have yet to really stress them out at all either.

Thanks,
-bacon

From mksmith at adhost.com Thu Aug 20 16:49:03 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 20 Aug 2009 13:49:03 -0700
Subject: [c-nsp] GSR 12k GRP Images?!?
Message-ID: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>

Hello:

Does anyone know what happened to the 12.0S GRP images? The software navigator only shows PRP images.

Regards,

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From swmike at swm.pp.se Thu Aug 20 17:21:49 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 20 Aug 2009 23:21:49 +0200 (CEST)
Subject: [c-nsp] GSR 12k GRP Images?!?
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
Message-ID:

On Thu, 20 Aug 2009, Michael K. Smith - Adhost wrote:

> Does anyone know what happened to the 12.0S GRP images? The software
> navigator only shows PRP images.

GRP(-B) is end-of-life and considered obsolete.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From harbor235 at gmail.com Thu Aug 20 17:27:41 2009
From: harbor235 at gmail.com (harbor235)
Date: Thu, 20 Aug 2009 17:27:41 -0400
Subject: [c-nsp] GSR 12k GRP Images?!?
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
Message-ID: <836bf1f90908201427pbee4228g4357d4054282903d@mail.gmail.com>

They are still there, 12.0(32)SY9 is the latest. There is an S as well but it is not as well deployed. I was looking today, go figure.

mike

On Thu, Aug 20, 2009 at 4:49 PM, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:

> Hello:
>
> Does anyone know what happened to the 12.0S GRP images?
> The software navigator only shows PRP images.
>
> Regards,
>
> Mike
>
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
>

From maddison at lightbound.net Thu Aug 20 17:36:13 2009
From: maddison at lightbound.net (Matt Addison)
Date: Thu, 20 Aug 2009 17:36:13 -0400
Subject: [c-nsp] GSR 12k GRP Images?!?
In-Reply-To:
References: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
Message-ID:

> > Does anyone know what happened to the 12.0S GRP images? The software
> > navigator only shows PRP images.
>
> GRP(-B) is end-of-life and considered obsolete.

The 1600 is obsolete too, but you can still get images for that. Looks like you can still get GRP images through Software Advisor, just not the sw-center/"Download Software" tool.

~Matt

From gabriel.grissett at gmail.com Thu Aug 20 18:39:03 2009
From: gabriel.grissett at gmail.com (Gabriel Grissett)
Date: Thu, 20 Aug 2009 17:39:03 -0500
Subject: [c-nsp] ipv6 unicast-routing and radius-server non-standard
Message-ID: <4be849600908201539m13e356e3v96e66343b85be1ab@mail.gmail.com>

Wondering if anyone has run into this before. I cannot seem to find anything in the bug tool kit.

I was starting to deploy IPv6 and after doing so radius users who use Legacy filters (example **) have their new sessions dropped at the LNS when trying to establish. The reason:

Aug 20 14:50:16.348 CDT: %AAA-3-PARSEERR: Error(2) parser is unable to parse permit ip any x.x.x.0 0.0.0.255 per-user command

Issue goes away (Legacy filters are processed without errors) immediately after removing ipv6 unicast-routing.

7200VXR 12.2(31)SB15

Thanks.
Gabriel

** Example that fails most of the time:

Ascend-Data-Filter = ip in forward tcp est
Ascend-Data-Filter = ip in forward dstip x.x.x.0/x
Ascend-Data-Filter = ip in drop tcp dstport = 25
Ascend-Data-Filter = ip in forward
Ascend-Client-Assign-DNS = DNS-Assign-Yes
Ascend-Client-Primary-DNS = x.x.x.x
Ascend-Client-Secondary-DNS = x.x.x.x

From ariemer at wesenergy.com.au Thu Aug 20 21:26:46 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 21 Aug 2009 09:26:46 +0800
Subject: [c-nsp] IP SLA / EEM Scripting
Message-ID: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local>

Hey Guys,

I am hoping to use a combination of IP SLA and EEM to run a script when a certain event occurs. For example we have a cellular router that sometimes requires a reset. We have a backup link so I would like to automate this reset process. What I would like to do is to monitor the cellular device with IP SLA icmp probes and after a certain number of failures run a script that can telnet to the device via the back door and issue commands to reset.

I have done some digging but I am unable to see if EEM supports the ability for a router to actually telnet to another device and issue commands. I may have to use our network monitoring app to run the script. Could Cacti do this?

Thanks for any suggestions.

Aaron.

From pshuleski at gmail.com Fri Aug 21 00:51:33 2009
From: pshuleski at gmail.com (Pete S.)
Date: Fri, 21 Aug 2009 00:51:33 -0400
Subject: [c-nsp] IP SLA / EEM Scripting
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local>
Message-ID: <50f158990908202151j399d65a3n90f01e0d2414a296@mail.gmail.com>

A perl script with Net::Ping and Net::Telnet might be easier, especially if you have a server dedicated to device management. Both are fairly trivial modules with many examples online. Have cron run the script every 5 (whatever) min. If ping fails, part of the script's logic is to telnet and reload. Part of the script's output can be the ping data, which cacti can graph as a datasource. You may even see a trend when it's about to die.

Wouldn't you rather solve the problem with the vendor, as to why the device needs the reset so often, or find new hardware that doesn't need the reset? :)

--Pete

On Thu, Aug 20, 2009 at 9:26 PM, Aaron Riemer wrote:
> Hey Guys,
>
> I am hoping to use a combination of IP SLA and EEM to run a script when
> a certain event occurs. For example we have a cellular router that
> sometimes requires a reset. We have a backup link so I would like to
> automate this reset process. What I would like to do is to monitor the
> cellular device with IP SLA icmp probes and after a certain number of
> failures run a script that can telnet to the device via the back door
> and issue commands to reset.
>
> I have done some digging but I am unable to see if EEM supports the
> ability for a router to actually telnet to another device and issue
> commands. I may have to use our network monitoring app to run the
> script. Could Cacti do this?
>
> Thanks for any suggestions.
>
> Aaron.
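The "probe, count failures, then reset" logic that Pete and Aaron are discussing is easy to get wrong in one specific way: if the script fires the reset as soon as a probe fails, a modem that takes a couple of minutes to reboot gets reset again on the next cron run, and the script itself becomes the outage. The example below is added here and is not code from the thread or from any of the posters; it implements only the decision logic in Python, with the ICMP probe and the reset action injected as callables (the real probe and the management-session reset are assumptions left to the deployment), so the behaviour can be checked offline. It adds a consecutive-failure threshold and a post-reset cool-down, and returns a Cacti-style "name:value" record per poll.

```python
"""Ping watchdog with failure debounce and reset cool-down.

Added example, not from the cisco-nsp thread. The probe and reset
callables are placeholders: in production the probe would be an ICMP
echo and the reset would be the management session to the cellular
router. Neither is implemented here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Watchdog:
    probe: Callable[[], Optional[float]]   # RTT in ms, or None if the probe was lost
    reset: Callable[[], None]              # action taken once the outage is confirmed
    threshold: int = 3                     # consecutive lost probes before a reset
    cooldown: int = 5                      # polls to wait after a reset before another
    failures: int = 0
    since_reset: Optional[int] = None      # polls since the last reset, None if idle
    resets: int = 0
    history: List[Optional[float]] = field(default_factory=list)

    def poll(self) -> str:
        """One scheduler tick: probe, update state, maybe reset.

        Returns a single "field:value ..." record suitable for a Cacti
        script data source."""
        rtt = self.probe()
        self.history.append(rtt)
        if self.since_reset is not None:
            self.since_reset += 1
            if self.since_reset >= self.cooldown:
                self.since_reset = None        # cool-down over
        if rtt is not None:
            self.failures = 0                  # any success clears the streak
            return f"rtt:{rtt:.1f} loss:0"
        self.failures += 1
        # Reset only when the streak reaches the threshold AND we are not
        # inside the cool-down window of the previous reset; otherwise a
        # slow-booting device is reset in a loop.
        if self.failures >= self.threshold and self.since_reset is None:
            self.reset()
            self.resets += 1
            self.failures = 0
            self.since_reset = 0
            return "rtt:U loss:1 action:reset"
        return "rtt:U loss:1"

    def loss_percent(self) -> float:
        """Share of lost probes over everything polled so far."""
        if not self.history:
            return 0.0
        lost = sum(1 for r in self.history if r is None)
        return 100.0 * lost / len(self.history)


def simulate(samples: List[Optional[float]], threshold: int = 3,
             cooldown: int = 5) -> Tuple[int, List[str]]:
    """Drive a Watchdog over a constructed list of probe results.

    Returns (number of resets issued, per-poll status records)."""
    it = iter(samples)
    actions: List[str] = []
    wd = Watchdog(probe=lambda: next(it),
                  reset=lambda: actions.append("reset"),
                  threshold=threshold, cooldown=cooldown)
    log = [wd.poll() for _ in samples]
    return len(actions), log


if __name__ == "__main__":
    # Constructed scenario: one good probe, then a long outage that
    # outlasts the cool-down, then recovery. Only one reset is issued.
    outage = [20.0, None, None, None, None, None, None, None, 25.0]
    count, log = simulate(outage)
    for line in log:
        print(line)
    print("resets issued:", count)
```

With threshold 3 and cool-down 5, the long outage above produces exactly one reset; a device that never recovers gets a second reset only after the cool-down has elapsed, which is the trend Pete suggests graphing before the hardware is replaced.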
From ariemer at wesenergy.com.au Fri Aug 21 02:31:30 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 21 Aug 2009 14:31:30 +0800
Subject: [c-nsp] IP SLA / EEM Scripting
In-Reply-To: <50f158990908202151j399d65a3n90f01e0d2414a296@mail.gmail.com>
References: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local> <50f158990908202151j399d65a3n90f01e0d2414a296@mail.gmail.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F11070270F4@MAILWA01.wesenergy.local>

Yes it would be preferable not to have dodgy hardware! But we have to put up with it for a little while longer.

Thanks for those suggestions guys. Since I already have a telnet perl script I will mod that to do the ping beforehand.

Thanks,

Aaron.

-----Original Message-----
From: Pete S. [mailto:pshuleski at gmail.com]
Sent: Friday, 21 August 2009 12:52 PM
To: Aaron Riemer
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IP SLA / EEM Scripting

A perl script with Net::Ping and Net::Telnet might be easier, especially if you have a server dedicated to device management. Both are fairly trivial modules with many examples online. Have cron run the script every 5 (whatever) min. If ping fails, part of the script's logic is to telnet and reload. Part of the script's output can be the ping data, which cacti can graph as a datasource. You may even see a trend when it's about to die.

Wouldn't you rather solve the problem with the vendor, as to why the device needs the reset so often, or find new hardware that doesn't need the reset? :)

--Pete

On Thu, Aug 20, 2009 at 9:26 PM, Aaron Riemer wrote:
> Hey Guys,
>
> I am hoping to use a combination of IP SLA and EEM to run a script when
> a certain event occurs. For example we have a cellular router that
> sometimes requires a reset. We have a backup link so I would like to
> automate this reset process.
> What I would like to do is to monitor the
> cellular device with IP SLA icmp probes and after a certain number of
> failures run a script that can telnet to the device via the back door
> and issue commands to reset.
>
> I have done some digging but I am unable to see if EEM supports the
> ability for a router to actually telnet to another device and issue
> commands. I may have to use our network monitoring app to run the
> script. Could Cacti do this?
>
> Thanks for any suggestions.
>
> Aaron.

From ip at ioshints.info Fri Aug 21 02:55:59 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Fri, 21 Aug 2009 08:55:59 +0200
Subject: [c-nsp] IP SLA / EEM Scripting
In-Reply-To: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F1106FE7951@MAILWA01.wesenergy.local>
Message-ID: <00ba01ca222c$71390c70$0a00000a@nil.si>

Running the "telnet" command does not work too well (although it might work a bit better from a Tcl EEM policy than from tclsh).

http://blog.ioshints.info/2007/10/you-cannot-start-telnet-session-from.html

However, you can open a TCP socket (to the telnet port) from Tcl and issue the commands. You could write a Tcl EEM policy and do it from there or use a simple EEM applet that runs a tclsh command. I try to avoid Tcl EEM policies as they are a nightmare to edit/test.
Last but not least, an EEM applet can send an SNMP trap to your NMS (or execute an SSH command) and the NMS can then reset the modem.

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Aaron Riemer [mailto:ariemer at wesenergy.com.au]
> Sent: Friday, August 21, 2009 3:27 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IP SLA / EEM Scripting
>
> Hey Guys,
>
> I am hoping to use a combination of IP SLA and EEM to run a
> script when a certain event occurs. For example we have a
> cellular router that sometimes requires a reset. We have a
> backup link so I would like to automate this reset process.
> What I would like to do is to monitor the cellular device
> with IP SLA icmp probes and after a certain number of
> failures run a script that can telnet to the device via the
> back door and issue commands to reset.
>
> I have done some digging but I am unable to see if EEM
> supports the ability for a router to actually telnet to
> another device and issue commands. I may have to use our
> network monitoring app to run the script. Could Cacti do this?
>
> Thanks for any suggestions.
>
> Aaron.

From p.mayers at imperial.ac.uk Fri Aug 21 05:17:15 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 21 Aug 2009 10:17:15 +0100
Subject: [c-nsp] sup32/sup720 onboard int performance
In-Reply-To: <5A69C25361FED34F83ABF05F5047524505CD85D2@wally.walleyetrading.net>
References: <5A69C25361FED34F83ABF05F5047524505CD85D2@wally.walleyetrading.net>
Message-ID: <4A8E661B.9050301@imperial.ac.uk>

Jeff Bacon wrote:
> How are the ports that are on the supervisor module hooked into the
> fabric/PFC? Are they at any significant advantage or disadvantage
> compared to ports on linecards?

IIRC they're bus-attached ports on the plain sup720. I think they're fabric-attached on the sup720-10g. They're obviously bus-attached on the sup32 since it lacks a fabric.
This matters for putting the box in dCEF-only mode, which helps some types of sup failover; see the first few items in:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/nsfsso.html#wp1105901

But, since you're primarily concerned with the sup32 that's not relevant.

I'm not hugely familiar with the sup32 but my understanding is that it lacks a fabric completely, and that the PFC and onboard ports are all attached to the bus. Perhaps someone else can comment.

From p.mayers at imperial.ac.uk Fri Aug 21 05:34:09 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 21 Aug 2009 10:34:09 +0100
Subject: [c-nsp] 6500 QoS
In-Reply-To: <4A8CC0BC.2000606@kenweb.org>
References: <4A8CC0BC.2000606@kenweb.org>
Message-ID: <4A8E6A11.50607@imperial.ac.uk>

ML wrote:
> I'm about to turn on "mls qos" for the first time on a 6509E.
>
> I would like some background information from the QoS experts on this list.
>
> Last time I turned on "mls qos" it was a 3560 which has certain
> undesirable defaults when "mls qos" is turned on. I want to avoid the same
> result with the 6509 which is our Internet edge device. What I want to
> accomplish is to mark all incoming traffic from our transit link to CS0.
>
> I don't want to inadvertently get clobbered by a default limit of x% for
> egress queue bandwidth that I'm not expecting.
>
> If I understand what I've found out so far:
>
> On the WS-X6724-SFP:
>
> Seems all possible CoS values are mapped to queue 1 for ingress and
> egress. The WRR queue ratios are 100,0,0 for queues 1,2,3 (4 is
> priority?) So Queue 1 can utilize 100% of the interface bandwidth. So by
> default I shouldn't see traffic getting bottlenecked where it wasn't
> before because of some default config?

Well... it depends.
Remember that enabling QoS immediately divides up the transmit and receive buffer RAM; if you don't map traffic into a queue, the defaults will mean you're "wasting" (or losing) buffer space, which may or may not matter depending on your traffic levels.

Recall that there are also the thresholds (the "t" in 2q8t receive or 1p3q8t transmit). Whilst all the CoS values may be mapped to the same queue, they may not be mapped to the same thresholds, and if the queue goes above a threshold, WRED or drop may start occurring for one CoS value but not another.

It really depends on your traffic levels. If you're even close to filling any links, you want to be very careful about just running with the defaults. If you've got plenty of headroom, it should be fine.

From rekordmeister at gmail.com Fri Aug 21 07:24:03 2009
From: rekordmeister at gmail.com (MKS)
Date: Fri, 21 Aug 2009 11:24:03 +0000
Subject: [c-nsp] BFD on 7600
Message-ID:

Hi list

According to this document, BFD runs on 7600 on the hardware below
http://www.cisco.com/en/US/technologies/tk648/tk365/tk381/technologies_white_paper0900aecd80243ff4_ps6599_Products_White_Paper.html

Can you share your experience with BFD on the 7600 platform and sw release?

The document hints that BFD runs in hardware on the following modules, but does not explicitly say so. Can someone clarify this for me?

Supervisor:
- Sup720 (PFC3A)
- Sup720-3BXL

10GE Modules:
- WS-X6704-10GE

GE Modules:
- WS-X6816-GBIC
- WS-X6724-SFP
- WS-X6408A-GBIC

Optics:
- 10GE XENPAK (XENPAK-10GB-ER, XENPAK-10GB-LR)
- 10GE DWDM ITU XENPAK (P/N TBD)
- DWDM-GBIC-xx.xx DWDM GBIC
- WS-G548x Standard GBIC
- GLC-xx-xx Cisco SFP

DFC Cards:
- WS-F6700-DFC3A
- WS-F6700-DFC3B
- WS-F6K-DFC3

From NMaio at guesswho.com Fri Aug 21 08:27:59 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Fri, 21 Aug 2009 08:27:59 -0400
Subject: [c-nsp] Arp Inspection Rate Limit
In-Reply-To: <11vsl6-6me.ln1@chipmunk.wormnet.eu>
References: <11vsl6-6me.ln1@chipmunk.wormnet.eu>
Message-ID: <2AA600764E54964491083B1E0EC81A3002B0390A5C@EXCLUS.nationala-1advertising.com>

Found the problem with the print server to actually be a broadcast NTP packet sent from the print server, which in turn made the machines on the subnet do an arp request, which in turn made the print server send arp responses. The arp responses were the reason the port would exceed the threshold. The ntp setting had to be changed and it is running nicely now.

Thanks,
Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexander Clouter
Sent: Wednesday, August 19, 2009 5:59 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Arp Inspection Rate Limit

Hi,

NMaio at guesswho.com wrote:
>
> Thanks for the response. Funny you mention the print server because
> that happens to be one device port I need to tweak since it occasionally
> exceeds the 15 pps.
>
We have been fine at 10 for over a year now[1], however it took us a while to figure out that for some bizarre reason[2] 'File and Print Sharing' being enabled actually caused the workstation to flood ping the local subnet looking for printers every time someone pressed on their workstation. Similar thing happens under Vista only when you want to add an IPP printer by hand :-/

Cheers

[1] we are a university with about 600 staff and 3000 students
[2] might be linked to Novell being installed too, but who knows

--
Alexander Clouter
.sigmonster says: There's enough money here to buy 5000 cans of Noodle-Roni!
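Nick's root cause is worth generalising: a Dynamic ARP Inspection rate limit (15 pps by default on untrusted IOS ports, as the thread mentions) counts every ARP frame the port receives, so a host that merely answers a burst of requests looks the same to the limiter as a host that generates them. The Python below is an added example, not code from the thread or from any of the posters, and works on a constructed list of per-port ARP events (timestamp, ingress port, opcode) such as one might extract from a SPAN capture; it finds the peak number of ARP frames any port sends in a one-second sliding window and breaks the offending port's traffic down by opcode, which is what distinguishes a print server replying to 18 neighbours from a host scanning the subnet. The port names and timings are constructed for the example.

```python
"""Per-port ARP rate check with opcode breakdown.

Added example, not from the cisco-nsp thread. Input is a constructed
list of (timestamp_seconds, ingress_port, opcode) tuples; in practice
these would be extracted from a packet capture on the access switch.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

ARP_LIMIT_PPS = 15  # IOS DAI default rate limit on untrusted ports

Event = Tuple[float, str, str]  # (time in s, port, "request" | "reply")


def peak_rate(events: List[Event], port: str, window: float = 1.0) -> int:
    """Largest number of ARP frames from `port` inside any `window` seconds.

    A sliding window over the sorted timestamps: push each frame, drop
    frames older than `window`, and remember the largest queue length."""
    times = sorted(t for t, p, _ in events if p == port)
    q: deque = deque()
    peak = 0
    for t in times:
        q.append(t)
        while q and t - q[0] >= window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def opcode_breakdown(events: List[Event], port: str) -> Dict[str, int]:
    """Count ARP requests vs. replies seen from `port`."""
    counts: Dict[str, int] = defaultdict(int)
    for _, p, op in events:
        if p == port:
            counts[op] += 1
    return dict(counts)


def report(events: List[Event], limit: int = ARP_LIMIT_PPS,
           window: float = 1.0) -> Dict[str, Dict[str, int]]:
    """Ports whose peak ARP rate exceeds `limit`, with peak and opcode mix.

    Returns {port: {"peak_pps": n, "request": r, "reply": s}} for each
    port that would trip a DAI limit of `limit` pps."""
    ports = sorted({p for _, p, _ in events})
    out: Dict[str, Dict[str, int]] = {}
    for port in ports:
        peak = peak_rate(events, port, window)
        if peak > limit:
            entry = {"peak_pps": peak}
            entry.update(opcode_breakdown(events, port))
            out[port] = entry
    return out


def sample_events() -> List[Event]:
    """Constructed scenario modelled on the thread: a print server on
    Gi0/1 sends two ARP requests, then 18 workstations (Fa0/1..Fa0/18)
    each ARP for it once after its NTP broadcast, and it replies to
    every one within the same second."""
    events: List[Event] = [(0.05, "Gi0/1", "request"), (0.07, "Gi0/1", "request")]
    for i in range(18):
        t = 0.10 + i * 0.04
        events.append((t, f"Fa0/{i + 1}", "request"))   # workstation asks
        events.append((t + 0.01, "Gi0/1", "reply"))      # print server answers
    return events


if __name__ == "__main__":
    for port, info in report(sample_events()).items():
        print(f"{port}: peak {info['peak_pps']} pps "
              f"(requests={info.get('request', 0)}, replies={info.get('reply', 0)})")
```

Only Gi0/1 trips the 15 pps limit in the constructed data, and its traffic is almost entirely replies, pointing at whatever is prompting the rest of the subnet to ARP for it rather than at the print server itself.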
From justin at justinshore.com Fri Aug 21 11:34:31 2009
From: justin at justinshore.com (Justin Shore)
Date: Fri, 21 Aug 2009 10:34:31 -0500
Subject: [c-nsp] BFD on 7600
In-Reply-To:
References:
Message-ID: <4A8EBE87.2040105@justinshore.com>

MKS wrote:
> Can you share your experience with BFD on the 7600 platform and sw release?

I use it and like it. However beginning with SRB2 Cisco removed support for running BFD on SVIs. To date there is no workaround and the feature hasn't been added back to SR. Otherwise it works fine in my experience.

> The document hints that BFD runs in hardware on the following
> modules,but does not explicitly say so. Can someone clarify this for
> me?

To the best of my knowledge BFD is 100% software driven. Generating echo requests, processing those requests, receiving the echo replies and processing them aren't things that ASICs are suited for I don't believe. I could be mistaken and someone else may chime in with more detailed knowledge, but I wouldn't expect something like BFD to be handled in hardware.

That's not necessarily a reason to not use BFD. BFD is meant to be lightweight. That may be a reason not to run several thousand instances of it on a single router of course...

Justin

From jlewis at lewis.org Fri Aug 21 11:42:06 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 21 Aug 2009 11:42:06 -0400 (EDT)
Subject: [c-nsp] RP/SP BOOT synchronisation issue on 6500/7600
In-Reply-To: <4A8BE928.50104@forthnet.gr>
References: <4A8BE928.50104@forthnet.gr>
Message-ID:

On Wed, 19 Aug 2009, Tassos Chatzithomaoglou wrote:

> Has anyone met such an issue?
>
> Whenever i use more than 2 files in the boot sequence, i get the SP BOOT
> variable desynchronized (RP BOOT is fine).
>
> I have seen it in SXH3a, SXI1, SRD2a.
> Is there a lower limit on the number of
> chars in SP BOOT than in RP BOOT?
>
> On some versions i also get "%MONITOR-SP-3-VARSETFAIL: ROM monitor variable
> set of "BOOT" failed."

I posted this back in January:

Is it a known issue that a 6509 (sup720-3bxl) with "too many" boot system statements in the config will confuse the boot loader, resulting in

Autoboot: failed, BOOT string is empty
Autoboot executing command: "boot "

At this point, the unit boots whatever it can find in sup-bootflash.

It sounds like you've run into a similar issue. I was running into this with around 5 or 6 boot statements. I guess when upgrading, it's best to limit yourself to 2 boot statements (first choice and second choice).

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jmplank at gmail.com Fri Aug 21 11:56:02 2009
From: jmplank at gmail.com (Jason Plank)
Date: Fri, 21 Aug 2009 11:56:02 -0400
Subject: [c-nsp] BFD on 7600
In-Reply-To: <4A8EBE87.2040105@justinshore.com>
References: <4A8EBE87.2040105@justinshore.com>
Message-ID:

Just an FYI - this is a document that explains overall functionality of BFD....

http://www.cisco.com/en/US/technologies/tk648/tk365/tk480/technologies_white_paper0900aecd80244005.html

On Fri, Aug 21, 2009 at 11:34 AM, Justin Shore wrote:
> MKS wrote:
>>
>> Can you share your experience with BFD on the 7600 platform and sw
>> release?
>
> I use it and like it. However beginning with SRB2 Cisco removed support for
> running BFD on SVIs. To date there is no workaround and the feature hasn't
> been added back to SR. Otherwise it works fine in my experience.
>
>> The document hints that BFD runs in hardware on the following
>> modules,but does not explicitly say so. Can someone clarify this for
>> me?
>
> To the best of my knowledge BFD is 100% software driven.
> Generating echo
> requests, processing those requests, receiving the echo replies and
> processing them aren't things that ASICs are suited for I don't believe. I
> could be mistaken and someone else may chime in with more detailed
> knowledge, but I wouldn't expect something like BFD to be handled in
> hardware.
>
> That's not necessarily a reason to not use BFD. BFD is meant to be
> lightweight. That may be a reason not to run several thousand instances of
> it on a single router of course...
>
> Justin
>

--
--
Jason Plank (CCIE #16560)

From everton at lab.ipaccess.diveo.net.br Fri Aug 21 14:23:38 2009
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Fri, 21 Aug 2009 15:23:38 -0300
Subject: [c-nsp] priority queue (like LLQ) on RSP 720
In-Reply-To: <766b203d0908201159y5576d4b3n78ef0331c45d7762@mail.gmail.com>
References: <766b203d0908201159y5576d4b3n78ef0331c45d7762@mail.gmail.com>
Message-ID: <20090821182338.GA8310@diveo.net.br>

On Thu, Aug 20, 2009 at 02:59:08PM -0400, Atif Sid wrote:
> I tried using priority queue for Realtime traffic on RSP 720; it is not
> supported. How can we prioritize realtime traffic if the core facing link is
> on RSP-720?

Have a look at this doc.

Configuring PFC QoS
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/qos.html

Everton

From w3yni1 at gmail.com Fri Aug 21 16:10:58 2009
From: w3yni1 at gmail.com (Charles Mills)
Date: Fri, 21 Aug 2009 16:10:58 -0400
Subject: [c-nsp] Cisco SSL VPN?
Message-ID: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>

Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?

I'm in uncharted territory with this feature and not sure if it is worth going down this route.
Chuck

From streiner at cluebyfour.org Fri Aug 21 16:22:12 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 21 Aug 2009 16:22:12 -0400 (EDT)
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
References: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
Message-ID:

On Fri, 21 Aug 2009, Charles Mills wrote:

> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.

I've deployed it for a client and it seems to work pretty well, though as far as I know they're not doing anything terribly exotic.

One important gotcha: The SSL VPN connections are licensed independently from IPSEC connections. The base license allows for only two concurrent connections, at least on the smaller ASAs, so you might need to purchase a license upgrade if you want to roll it out on a larger scale. If you do a "show version" on the ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they don't seem to be putting much new development effort into the IPSEC client - it doesn't support 64-bit OSen, and I doubt they'll spin many cycles testing Windows 7, etc... They seem to want people to move to the AnyConnect (SSL VPN) model.

jms

From steve.tillinger at sourcemedia.com Fri Aug 21 16:56:25 2009
From: steve.tillinger at sourcemedia.com (Tillinger, Steve)
Date: Fri, 21 Aug 2009 16:56:25 -0400
Subject: [c-nsp] Cisco SSL VPN?
Message-ID:

If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which allows you

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Friday, August 21, 2009 4:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?
On Fri, 21 Aug 2009, Charles Mills wrote:

> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.

I've deployed it for a client and it seems to work pretty well, though as
far as I know they're not doing anything terribly exotic.

One important gotcha:
The SSL VPN connections are licensed independently from IPSEC connections.
The base license allows for only two concurrent connections at least on
the smaller ASAs, so you might need to purchase a license upgrade if you
want to roll it out on a larger scale. If you do a "show version" on the
ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they
don't seem to be putting much new development effort into the IPSEC client
- it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
testing Windows 7, etc... They seem to want people to move to the
AnyConnect (SSL VPN) model.

jms

"This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution"

From steve.tillinger at SourceMedia.com Fri Aug 21 16:58:23 2009
From: steve.tillinger at SourceMedia.com (Tillinger, Steve)
Date: Fri, 21 Aug 2009 16:58:23 -0400
Subject: [c-nsp] Cisco SSL VPN?
Message-ID:

If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which
allows you to use the SSL client for the number of IPsec connections your
ASA is licensed for. This license is only around ~$100.

So if you have a 5520 with 750 IPsec licenses, when you add the
AnyConnect Essentials license, you'll be able to have 750 SSL client
connections.

This would be for the SSL fat client.
The webportal is licensed separately and is much more expensive.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Friday, August 21, 2009 4:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?

On Fri, 21 Aug 2009, Charles Mills wrote:

> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.

I've deployed it for a client and it seems to work pretty well, though as
far as I know they're not doing anything terribly exotic.

One important gotcha:
The SSL VPN connections are licensed independently from IPSEC connections.
The base license allows for only two concurrent connections at least on
the smaller ASAs, so you might need to purchase a license upgrade if you
want to roll it out on a larger scale. If you do a "show version" on the
ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they
don't seem to be putting much new development effort into the IPSEC client
- it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
testing Windows 7, etc... They seem to want people to move to the
AnyConnect (SSL VPN) model.

jms

From streiner at cluebyfour.org Fri Aug 21 17:08:17 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 21 Aug 2009 17:08:17 -0400 (EDT)
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To:
References:
Message-ID:

On Fri, 21 Aug 2009, Tillinger, Steve wrote:

> If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which
> allows you to use the SSL client for the number of IPsec connections your
> ASA is licensed for. This license is only around ~$100.
>
> So if you have a 5520 with 750 IPsec licenses, when you add the
> AnyConnect Essentials license, you'll be able to have 750 SSL client
> connections.
>
> This would be for the SSL fat client. The webportal is licensed
> separately and is much more expensive.

Good to know - thanks for the heads-up.

jms

From egirard at focustsi.com Fri Aug 21 16:47:28 2009
From: egirard at focustsi.com (Eric Girard)
Date: Fri, 21 Aug 2009 16:47:28 -0400
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To:
References: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
Message-ID:

Something relatively recent that makes the lack of 64-bit support much more palatable is the new Essentials license. It needs 8.2 code, but for short money it gives you AnyConnect client only SSL VPN support for the max number of tunnels supported by the box. It restores the cost/benefit of the old IPSec client.

Beyond that, to add to what Justin said, nothing fancy, it pretty much works, similar to the old IPSec client. I tend to stay away from the clientless and Java client stuff, just stick to the AnyConnect.

Eric

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Friday, August 21, 2009 4:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?

On Fri, 21 Aug 2009, Charles Mills wrote:

> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.

I've deployed it for a client and it seems to work pretty well, though as
far as I know they're not doing anything terribly exotic.
One important gotcha:
The SSL VPN connections are licensed independently from IPSEC connections.
The base license allows for only two concurrent connections at least on
the smaller ASAs, so you might need to purchase a license upgrade if you
want to roll it out on a larger scale. If you do a "show version" on the
ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they
don't seem to be putting much new development effort into the IPSEC client
- it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
testing Windows 7, etc... They seem to want people to move to the
AnyConnect (SSL VPN) model.

jms

From rwest at zyedge.com Fri Aug 21 17:23:38 2009
From: rwest at zyedge.com (Ryan West)
Date: Fri, 21 Aug 2009 17:23:38 -0400
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269A37@zy-ex1.zyedge.local>

One thing to note before upgrading to 8.2+ is the increased memory requirements. If you're using a 5510, you'll want to upgrade to a 512MB stick.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tillinger, Steve
Sent: Friday, August 21, 2009 4:58 PM
To: Justin M. Streiner; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?

If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which
allows you to use the SSL client for the number of IPsec connections your
ASA is licensed for. This license is only around ~$100.

So if you have a 5520 with 750 IPsec licenses, when you add the
AnyConnect Essentials license, you'll be able to have 750 SSL client
connections.

This would be for the SSL fat client.
The webportal is licensed separately and is much more expensive.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
Sent: Friday, August 21, 2009 4:22 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco SSL VPN?

On Fri, 21 Aug 2009, Charles Mills wrote:

> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.

I've deployed it for a client and it seems to work pretty well, though as
far as I know they're not doing anything terribly exotic.

One important gotcha:
The SSL VPN connections are licensed independently from IPSEC connections.
The base license allows for only two concurrent connections at least on
the smaller ASAs, so you might need to purchase a license upgrade if you
want to roll it out on a larger scale. If you do a "show version" on the
ASA, the number of WebVPN peers is the number you need to know.

Cisco has made it clear that they're moving in this direction, as they
don't seem to be putting much new development effort into the IPSEC client
- it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
testing Windows 7, etc... They seem to want people to move to the
AnyConnect (SSL VPN) model.
jms

From bep at whack.org Fri Aug 21 16:51:32 2009
From: bep at whack.org (Bruce Pinsky)
Date: Fri, 21 Aug 2009 13:51:32 -0700
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
References: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
Message-ID: <4A8F08D4.3080906@whack.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles Mills wrote:
> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>
> I'm in uncharted territory with this feature and not sure if it is
> worth going down this route.
>

I am using it quite extensively in a couple of areas. Contact me off-list if you want to discuss specifics.

- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqPCNQACgkQE1XcgMgrtya7rwCguWLugXuqTllcupdusxqQU/y6
WUkAoIPftPZckSUsShLC7Js+hWj0Sur3
=46x3
-----END PGP SIGNATURE-----

From rsm at fast-serv.com Fri Aug 21 17:27:34 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Fri, 21 Aug 2009 17:27:34 -0400
Subject: [c-nsp] 6500 QoS
In-Reply-To: <4A8CC0BC.2000606@kenweb.org>
References: <4A8CC0BC.2000606@kenweb.org>
Message-ID: <20090821212536.M92630@fast-serv.com>

We got minor packet loss and noticeably slower speeds off the bat with 'mls qos' enabled with all defaults, even with only 40-50% interface utilization.
In fact it took a while to figure it out. Be very careful when you enable it if even minor packet loss will be an issue.

--
Randy
www.FastServ.com

---------- Original Message -----------
From: ML
To: cisco-nsp at puck.nether.net
Sent: Wed, 19 Aug 2009 23:19:24 -0400
Subject: [c-nsp] 6500 QoS

> I'm about to turn on "mls qos" for the first time on a 6509E.
>
> I would like some background information from the QoS experts on
> this list.
>
> Last time I turned on "mls qos" it was a 3560 which has certain
> undesirable defaults when "mls qos" is turned on. I want to avoid the
> same result with the 6509 which is our Internet edge device. What I
> want to accomplish is to mark all incoming traffic from our transit
> link to CS0.
>
> I don't want to inadvertently get clobbered by a default limit of x%
> for egress queue bandwidth that I'm not expecting.
>
> If I understand what I've found out so far:
>
> On the WS-X6724-SFP:
>
> Seems all possible CoS values are mapped to queue 1 for ingress and
> egress. The WRR queue ratios are 100,0,0 for queues 1,2,3 (4 is
> priority?) So Queue can utilize 100% of the interface bandwidth. So
> by default I shouldn't see traffic getting bottlenecked where it
> wasn't before because of some default config?
>
> Is the simplest configuration to turn on mls qos globally and use a
> service policy to set all input to dscp cs0?
>
> Thanks
------- End of Original Message -------

From moua0100 at umn.edu Fri Aug 21 17:48:52 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Fri, 21 Aug 2009 16:48:52 -0500
Subject: [c-nsp] Cisco SSL VPN?
In-Reply-To:
References: <607f1e0a0908211310x33b94fa9vf711cb7b904b920@mail.gmail.com>
Message-ID: <4A8F1644.5010107@umn.edu>

We've used this free IPSec 64-bit Windows client for the Cisco VPN:
http://www.shrew.net/

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Eric Girard wrote:
> Something relatively recent that makes the lack of 64-bit support much more palatable is the new Essentials license. It needs 8.2 code, but for short money it gives you AnyConnect client only SSL VPN support for the max number of tunnels supported by the box. It restores the cost/benefit of the old IPSec client.
>
> Beyond that, to add to what Justin said, nothing fancy, it pretty much works, similar to the old IPSec client. I tend to stay away from the clientless and Java client stuff, just stick to the AnyConnect.
>
> Eric
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Friday, August 21, 2009 4:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco SSL VPN?
>
> On Fri, 21 Aug 2009, Charles Mills wrote:
>
>> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>>
>> I'm in uncharted territory with this feature and not sure if it is
>> worth going down this route.
>>
>
> I've deployed it for a client and it seems to work pretty well, though as
> far as I know they're not doing anything terribly exotic.
>
> One important gotcha:
> The SSL VPN connections are licensed independently from IPSEC connections.
> The base license allows for only two concurrent connections at least on
> the smaller ASAs, so you might need to purchase a license upgrade if you
> want to roll it out on a larger scale. If you do a "show version" on the
> ASA, the number of WebVPN peers is the number you need to know.
>
> Cisco has made it clear that they're moving in this direction, as they
> don't seem to be putting much new development effort into the IPSEC client
> - it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
> testing Windows 7, etc... They seem to want people to move to the
> AnyConnect (SSL VPN) model.
>
> jms

From gsgranados at comcast.net Fri Aug 21 17:48:42 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 21 Aug 2009 14:48:42 -0700
Subject: [c-nsp] Cisco SSL VPN?
References:
Message-ID: <022901ca22a9$2d8ea160$0202fea9@am.thmulti.com>

Also note that the SSL VPN is not exactly friendly with some screen reading software and other adaptive tools. If this poses a problem, which it can in some instances, it's something you want to consider.

----- Original Message -----
From: "Justin M. Streiner"
To: "Tillinger, Steve"
Cc:
Sent: Friday, August 21, 2009 2:08 PM
Subject: Re: [c-nsp] Cisco SSL VPN?

> On Fri, 21 Aug 2009, Tillinger, Steve wrote:
>
>> If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which
>> allows you to use the SSL client for the number of IPsec connections your
>> ASA is licensed for. This license is only around ~$100.
>>
>> So if you have a 5520 with 750 IPsec licenses, when you add the
>> AnyConnect Essentials license, you'll be able to have 750 SSL client
>> connections.
>>
>> This would be for the SSL fat client. The webportal is licensed
>> separately and is much more expensive.
>
> Good to know - thanks for the heads-up.
>
> jms

From tvarriale at comcast.net Fri Aug 21 19:27:26 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 21 Aug 2009 18:27:26 -0500
Subject: [c-nsp] Cisco SSL VPN?
References: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269A37@zy-ex1.zyedge.local>
Message-ID:

Just note that it's not a requirement but you may need to...

http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

tv

----- Original Message -----
From: "Ryan West"
To: "Tillinger, Steve" ; "Justin M. Streiner" ;
Sent: Friday, August 21, 2009 4:23 PM
Subject: Re: [c-nsp] Cisco SSL VPN?

> One thing to note before upgrading to 8.2+ is the increased memory
> requirements. If you're using a 5510, you'll want to upgrade to a 512MB
> stick.
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tillinger, Steve
> Sent: Friday, August 21, 2009 4:58 PM
> To: Justin M. Streiner; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco SSL VPN?
>
> If you upgrade to ASA 8.2, there's an AnyConnect Essentials license which
> allows you to use the SSL client for the number of IPsec connections your
> ASA is licensed for. This license is only around ~$100.
>
> So if you have a 5520 with 750 IPsec licenses, when you add the
> AnyConnect Essentials license, you'll be able to have 750 SSL client
> connections.
>
> This would be for the SSL fat client. The webportal is licensed
> separately and is much more expensive.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Friday, August 21, 2009 4:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco SSL VPN?
>
> On Fri, 21 Aug 2009, Charles Mills wrote:
>
>> Anyone currently (successfully) using the SSL VPN on an ASA box (5520 or above)?
>>
>> I'm in uncharted territory with this feature and not sure if it is
>> worth going down this route.
>
> I've deployed it for a client and it seems to work pretty well, though as
> far as I know they're not doing anything terribly exotic.
>
> One important gotcha:
> The SSL VPN connections are licensed independently from IPSEC connections.
> The base license allows for only two concurrent connections at least on
> the smaller ASAs, so you might need to purchase a license upgrade if you
> want to roll it out on a larger scale. If you do a "show version" on the
> ASA, the number of WebVPN peers is the number you need to know.
>
> Cisco has made it clear that they're moving in this direction, as they
> don't seem to be putting much new development effort into the IPSEC client
> - it doesn't support 64-bit OSen, and I doubt they'll spin many cycles
> testing Windows 7, etc... They seem to want people to move to the
> AnyConnect (SSL VPN) model.
>
> jms

From mvanton at gmail.com Sat Aug 22 03:32:35 2009
From: mvanton at gmail.com (vince anton)
Date: Sat, 22 Aug 2009 09:32:35 +0200
Subject: [c-nsp] ASA real world throughput
Message-ID: <87e0d3ae0908220032l1ed10d69u9e5625321b736d0e@mail.gmail.com>

Hi All,

I'm looking at deploying an ASA cluster and scratching my head in terms of throughputs.

The data sheet for the 5520 says 450Mbps clear text and 250Mbps encrypted (vpn), and for the 5500 it's 1.2Gbps clear text and 450Mbps encrypted; basically double the capacity for roughly double the price.

My question is, by how much do I have to divide these data sheet figures to get real world usable figures that I am likely to see in production? We all know that for routers you have to divide those figures by 2 at a minimum since they represent tests with 64 byte packets in strict lab conditions with the CPU running rather hot.

I'm really looking to be covered for say about 300Mbps down, 100Mbps up, of which about 5-10% will be vpn encrypted.

What's the rule of thumb for ASA boxes to get real values from the data sheet values?
Thanks,
anton

From adrian.minta at gmail.com Sat Aug 22 07:41:38 2009
From: adrian.minta at gmail.com (Adrian Minta)
Date: Sat, 22 Aug 2009 14:41:38 +0300
Subject: [c-nsp] ASA real world throughput
In-Reply-To: <87e0d3ae0908220032l1ed10d69u9e5625321b736d0e@mail.gmail.com>
References: <87e0d3ae0908220032l1ed10d69u9e5625321b736d0e@mail.gmail.com>
Message-ID: <4A8FD972.906@gmail.com>

vince anton wrote:
> Hi All,
>
> I'm looking at deploying an ASA cluster and scratching my head in terms of
> throughputs.
>
> The data sheet for the 5520 says 450Mbps clear text and 250Mbps encrypted
> (vpn)
> and for the 5500 it's 1.2Gbps clear text and 450Mbps encrypted
>
> What's the rule of thumb for ASA boxes to get real values from the data sheet
> values?
>

On two ASA 5520 firewalls we see errors on interfaces when traffic gets near 70Mbps, probably caused by traffic bursts. The boxes are used only for port blocking. No VPN or deep packet inspection, not even for NAT, so I don't know anything about VPN performance for 5520, or about deep packet inspection performance either.

Somewhere on the net somebody stated that this is caused by a problematic hardware design: all four interfaces share the same interrupt.
I guess this is why Cisco suggested for ASA5550 to use one of the onboard interfaces for input and one of the extension interfaces for output:
http://tinyurl.com/mxyj63

FW# sh int gi 0/1
Interface GigabitEthernet0/1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Available but not configured via nameif
        MAC address 001b.d5e8.d9d5, MTU not set
        IP address unassigned
        10920305967 packets input, 8396998405240 bytes, 0 no buffer
        Received 15584 broadcasts, 0 runts, 0 giants
        148151 input errors, 0 CRC, 0 frame, 148151 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        11677898365 packets output, 11268008541750 bytes, 288217 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (curr/max packets): hardware (0/33) software (0/0)
        output queue (curr/max packets): hardware (0/255) software (0/0)

From mays at win.net Sun Aug 23 16:37:07 2009
From: mays at win.net (Joseph Mays)
Date: Sun, 23 Aug 2009 16:37:07 -0400
Subject: [c-nsp] PPP fails with IOS upgrade
Message-ID: <010f01ca2431$7b45a640$b92118d8@engineering01>

I sent a message yesterday about a problem we are having on an AS5400. PPP works fine with version 12.2.16, but fails with version 12.3.13. The config is not changing between the two versions. Here's information on the problem that is a bit more specific.

With the old version of IOS everything proceeds as normal, as shown by the following debug output (debug ppp events, errors, and negotiation). With the new version, the debug output is identical through pap authentication (with the exception of a session ID line that doesn't show up with the old version, but I don't think it has anything to do with the problem). Immediately after authentication, the new version begins sending an IPCP packet (with a "ccp code"?). It sends it over and over.
On the client side, Windows dial-up times out during "Registering your computer on the network", saying it timed out awaiting a response from the server.

This is a confusing and disturbing problem, though I have a suspicion that when we arrive at the answer it will turn out to be something quite simple and easy to fix. Any help that can be offered would be appreciated.

With IOS c5400-js-mz.122-16.T17.bin

005248: Aug 23 12:00:14.918: As2/42 LCP: Lower layer not up, Fast Starting
005249: Aug 23 12:00:14.918: As2/42 PPP: Using dialer call direction
005250: Aug 23 12:00:14.918: As2/42 PPP: Treating connection as a callin
005251: Aug 23 12:00:14.918: As2/42 PPP: Phase is ESTABLISHING, Passive Open
005252: Aug 23 12:00:14.918: As2/42 LCP: State is Listen
[...]
005299: Aug 23 12:00:15.174: As2/42 PAP: Authenticating peer launchpad at win.net
005300: Aug 23 12:00:15.174: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005301: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x00000000
005302: Aug 23 12:00:15.174: As2/42 EVT: Hook 1 0x00000000
005303: Aug 23 12:00:15.174: As2/42 EVT: Forwarded 0 0x00000000
005304: Aug 23 12:00:15.174: As2/42 PPP: Phase is AUTHENTICATING, Unauthenticated User
005305: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x6387270C
005306: Aug 23 12:00:15.230: As2/42 PPP: Phase is FORWARDING, Attempting Forward
005307: Aug 23 12:00:15.230: As2/42 EVT: Hook 1 0x00000000
005308: Aug 23 12:00:15.230: As2/42 EVT: Forwarded 0 0x00000000
005309: Aug 23 12:00:15.230: As2/42 PPP: Phase is AUTHENTICATING, Authenticated User
005310: Aug 23 12:00:15.230: As2/42 EVT: AAA Response 0 0x64BBD314
005311: Aug 23 12:00:15.230: As2/42 PAP: O AUTH-ACK id 27 len 5
005312: Aug 23 12:00:15.234: As2/42 PPP: Phase is UP
[...]
005361: Aug 23 12:00:15.550: As2/42 IPCP: Add link info for cef entry 216.24.0.207

With IOS c5400-js-mz.123-13b.bin

000835: Aug 23 12:15:59.328: As2/46 LCP: Lower layer not up, Fast Starting
000836: Aug 23 12:15:59.328: As2/46 PPP: Using dialer call direction
000837: Aug 23 12:15:59.328: As2/46 PPP: Treating connection as a callin
000838: Aug 23 12:15:59.328: As2/46 PPP: Session handle[D0000062] Session id[0]
000839: Aug 23 12:15:59.328: As2/46 PPP: Phase is ESTABLISHING, Passive Open
000840: Aug 23 12:15:59.328: As2/46 LCP: State is Listen
[...]
000887: Aug 23 12:15:59.576: As2/46 PAP: Authenticating peer launchpad at win.net
000888: Aug 23 12:15:59.576: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000889: Aug 23 12:15:59.576: As2/46 EVT: Hook 1 0x00000000
000890: Aug 23 12:15:59.580: As2/46 EVT: Forwarded 0 0x00000000
000891: Aug 23 12:15:59.580: As2/46 PPP: Phase is AUTHENTICATING, Unauthenticated User
000892: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DFF388
000893: Aug 23 12:15:59.584: As2/46 PPP: Phase is FORWARDING, Attempting Forward
000894: Aug 23 12:15:59.584: As2/46 EVT: Hook 1 0x00000000
000895: Aug 23 12:15:59.584: As2/46 EVT: Forwarded 0 0x00000000
000896: Aug 23 12:15:59.584: As2/46 PPP: Phase is AUTHENTICATING, Authenticated User
000897: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64E0A3EC
000898: Aug 23 12:15:59.584: As2/46 EVT: AAA Response 0 0x64DDA8F8
000899: Aug 23 12:15:59.588: As2/46 PAP: O AUTH-ACK id 30 len 5
000900: Aug 23 12:15:59.700: As2/46 EVT: Packet 0 0x62AC4B40
000901: Aug 23 12:15:59.700: As2/46 PPP: Queue CCP code[1] id[4]
000902: Aug 23 12:15:59.700: As2/46 EVT: IPCP Packet 0 0x62AC7508
000903: Aug 23 12:15:59.700: As2/46 PPP: Queue IPCP code[1] id[5]
000904: Aug 23 12:16:01.328: As2/46 EVT: IPCP Packet 0 0x62AC98D8
000905: Aug 23 12:16:01.328: As2/46 PPP: Update queued IPCP code[1] id[6]
000906: Aug 23 12:16:01.328: As2/46 EVT: Packet 0 0x62AC9BD4
000907: Aug 23 12:16:01.328: As2/46 PPP: Update queued CCP code[1] id[7]
000908: Aug 23 12:16:04.328: As2/46 EVT: IPCP Packet 0 0x62AD4EE4
000909: Aug 23 12:16:04.328: As2/46 PPP: Update queued IPCP code[1] id[8]
[...]

From mays at win.net Sun Aug 23 17:33:49 2009
From: mays at win.net (Joseph Mays)
Date: Sun, 23 Aug 2009 17:33:49 -0400
Subject: [c-nsp] PPP fails with IOS upgrade
References: <010f01ca2431$7b45a640$b92118d8@engineering01> <4A91ACA3.9050605@internetsolver.com>
Message-ID: <014a01ca2439$678648f0$b92118d8@engineering01>

Dave Weis said....

> Wild guess would be put no compress in your virtual template, that's what
> CCP appears to be.

Good suggestion, thanks, and if compression is what CCP is it's a useful clue. I just tried setting both "no compress" and "compress stac" in the virtual template, though, and the problem seems to be the same.

Joe Mays

From andy.saykao at staff.netspace.net.au Sun Aug 23 19:59:48 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 24 Aug 2009 09:59:48 +1000
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
References: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au> <002a01ca1f40$919db400$0a00000a@nil.si>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB53@vic-cr-ex1.staff.netspace.net.au>

Hi Ivan,

Thank you for your suggestion of using "ip nat enable". I've given this a go but can't get it to work. Does this work in an MPLS L3 VPN environment, because I can't get the NAT-PE to nat any traffic coming from the CE/PE?

Eg: CE -> PE -> P -> NAT-PE -> Internet

The Cisco examples on using "ip nat enable" with VRF only discuss physically connected VRFs that are nat enabled. This is different to what I want to do because I have no physical/virtual VRF interfaces hanging off the NAT-PE router.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.pdf

On the NAT-PE I have configured this:

interface GigabitEthernet0/0.11
 description Interface into MPLS Network
 encapsulation dot1Q 11
 ip address 203.10.110.x 255.255.255.224
 ip nat enable
 mpls ip
!
interface GigabitEthernet0/0.904
 description Internet GW for VPN
 encapsulation dot1Q 904
 ip address 202.45.118.x 255.255.255.252
 ip nat enable
 ip virtual-reassembly
!
! Advertise default route to PE's via MP-BGP.
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.904 202.45.118.y global
!
ip nat pool NSTEST-NAT-POOL 210.15.230.a 210.15.230.b netmask 255.255.255.252 add-route
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
 permit 192.168.0.0 0.0.255.255
 permit 10.15.0.0 0.0.255.255
 permit 172.16.0.0 0.0.255.255

When I test from the PE to the Internet, it just times out.

PE#ping vrf NSTEST
Protocol [ip]:
Target IP address: www.google.com
Translating "www.google.com"...domain server (210.15.254.240) [OK]
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.102.11.104, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The trace is hitting the NAT-PE (202.45.118.x) but no natting occurs.

PE#traceroute vrf NSTEST 210.15.254.x
Type escape sequence to abort.
Tracing the route to dns1-1-virtual.netspace.net.au (210.15.254.x)

  1 core1-hs-TenGigE-4-1.Sydney.netspace.net.au (203.12.53.x) [MPLS: Labels 3043/8653 Exp 0] 16 msec 16 msec 12 msec
  2 core1-ks-gigether-4-0-0.Melbourne.netspace.net.au (203.17.96.x) [MPLS: Labels 8060/8653 Exp 0] 16 msec 12 msec 16 msec
  3 202-45-118-134-static.spacecentre.com.au (202.45.118.x) [MPLS: Label 8653 Exp 0] 12 msec 12 msec 16 msec
  4 * * *
  5 * * *

NOTE: IT LOCKS UP MY NAT-PE ROUTER EVERY TIME I DO TESTING FROM THE PE AND I HAVE TO REBOOT THE NAT-PE.

The NAT-PE is a Cisco 7301 running 12.4(24)T1.
Yeah..so I was just wondering if "ip nat enabled" can be used in a MPLS L3 VPN enviroment and whether I've set up the NAT-PE correctly??? Thanks. Andy -----Original Message----- From: Ivan Pepelnjak [mailto:ip at ioshints.info] Sent: Monday, 17 August 2009 11:42 PM To: Andy Saykao; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] NAT-ON-A-STICK for VRF Traffic It's probably easier to use the NAT Virtual Interface ("ip nat enable" instead of "ip nat inside|outside") in a VRF environment. You also don't need NAT-on-a-stick with NVI. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From andy.saykao at staff.netspace.net.au Sun Aug 23 20:56:15 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Mon, 24 Aug 2009 10:56:15 +1000 Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic References: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au> <002a01ca1f40$919db400$0a00000a@nil.si> <56F211C5E3F24F47B103EA1B253822BE044AAB53@vic-cr-ex1.staff.netspace.net.au> Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB54@vic-cr-ex1.staff.netspace.net.au> Worked it out...had the wrong NAT statement. Change from: ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload Change to: ip nat source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload Thanks. 
Andy -----Original Message----- From: Andy Saykao Sent: Monday, 24 August 2009 10:00 AM To: 'Ivan Pepelnjak'; 'cisco-nsp at puck.nether.net' Subject: RE: NAT-ON-A-STICK for VRF Traffic Hi Ivan, Thank you for your suggestion of using "ip nat enable". I've given this a go but can't get it to work. Does this work in a MPLS L3 VPN environment because I can't get the NAT-PE to nat any traffic coming from the CE/PE? Eg: CE -> PE -> P -> NAT-PE -> Internet The Cisco examples on using "ip nat enable" with VRF only discuss physically connected VRF's that are nat enabled. This is different to what I want to do because I have no physical/virtual VRF interfaces hanging off the NAT-PE router. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi. pdf On the NAT-PE I have configured this: interface GigabitEthernet0/0.11 description Interface into MPLS Network encapsulation dot1Q 11 ip address 203.10.110.x 255.255.255.224 ip nat enable mpls ip ! interface GigabitEthernet0/0.904 description Internet GW for VPN encapsulation dot1Q 904 ip address 202.45.118.x 255.255.255.252 ip nat enable ip virtual-reassembly ! ! Advertise default route to PE's via MP-BGP. ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.904 202.45.118.y global ! ip nat pool NSTEST-NAT-POOL 210.15.230.a 210.15.230.b netmask 255.255.255.252 add-route ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload ! ip access-list standard NSTEST-NAT-ACL permit 192.168.0.0 0.0.255.255 permit 10.15.0.0 0.0.255.255 permit 172.16.0.0 0.0.255.255 When I test from the PE to the Internet, it just times out. PE#ping vrf NSTEST Protocol [ip]: Target IP address: www.google.com Translating "www.google.com"...domain server (210.15.254.240) [OK] Repeat count [5]: Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 66.102.11.104, timeout is 2 seconds: ..... 
Success rate is 0 percent (0/5) The trace is hitting the NAT-PE (202.45.118.x) but no natting occurs. PE#traceroute vrf NSTEST 210.15.254.x Type escape sequence to abort. Tracing the route to dns1-1-virtual.netspace.net.au (210.15.254.x) 1 core1-hs-TenGigE-4-1.Sydney.netspace.net.au (203.12.53.x) [MPLS: Labels 3043/8653 Exp 0] 16 msec 16 msec 12 msec 2 core1-ks-gigether-4-0-0.Melbourne.netspace.net.au (203.17.96.x) [MPLS: Labels 8060/8653 Exp 0] 16 msec 12 msec 16 msec 3 202-45-118-134-static.spacecentre.com.au (202.45.118.x) [MPLS: Label 8653 Exp 0] 12 msec 12 msec 16 msec 4 * * * 5 * * * NOTE: IT LOCKS UP MY NAT-PE ROUTER EVERY TIME I DO TESTING FROM THE PE AND I HAVE TO REBOOT THE NAT-PE. The NAT-PE is a Cisco 7301 running 12.4(24)T1. Yeah..so I was just wondering if "ip nat enabled" can be used in a MPLS L3 VPN enviroment and whether I've set up the NAT-PE correctly??? Thanks. Andy -----Original Message----- From: Ivan Pepelnjak [mailto:ip at ioshints.info] Sent: Monday, 17 August 2009 11:42 PM To: Andy Saykao; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] NAT-ON-A-STICK for VRF Traffic It's probably easier to use the NAT Virtual Interface ("ip nat enable" instead of "ip nat inside|outside") in a VRF environment. You also don't need NAT-on-a-stick with NVI. Ivan http://www.ioshints.info/about http://blog.ioshints.info/ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. 
From saku at ytti.fi Mon Aug 24 05:26:16 2009
From: saku at ytti.fi (Saku Ytti)
Date: Mon, 24 Aug 2009 12:26:16 +0300
Subject: [c-nsp] EoMPLS between subinterface and physical interface
In-Reply-To: <4A898D71.1050405@forthnet.gr>
References: <4A898D71.1050405@forthnet.gr>
Message-ID: <20090824092616.GA15125@mx.ytti.net>

On (2009-08-17 20:03 +0300), Tassos Chatzithomaoglou wrote:
> ======================================
> For a particular EoMPLS connection, both the ingress EoMPLS
> interface on the ingress PE and the egress EoMPLS interface on the
> egress PE have to be subinterfaces with dot1Q encapsulation or
> neither is a subinterface.
> ======================================
>
> So, I guess in PFC-based EoMPLS you can't have a subinterface on one
> side (vlan mode) and a physical interface (port mode) on the other
> side.

conf term
pseudowire-class FOO
 encap mpls
 interworking ethernet
!
int foo|foo.42
 xconnect 192.0.2.1 42 pw-class FOO
!

--
++ytti

From tsands at rackspace.com Mon Aug 24 06:40:31 2009
From: tsands at rackspace.com (Tom Sands)
Date: Mon, 24 Aug 2009 05:40:31 -0500
Subject: [c-nsp] Long Uptime
In-Reply-To: <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com>
Message-ID: <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com>

D12-1.sat1>show ver
Cisco Catalyst 1900/2820 Enterprise Edition Software
Version V9.00.02
Copyright (c) Cisco Systems, Ins.
1993-1999 D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s) -------------------------------------------------------------------------------- Tom Sands Chief Network Engineer Rackspace (210)312-4391 -------------------------------------------------------------------------------- Adam Piasecki wrote: > Cisco Internetwork Operating System Software > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE > SOFTWARE > (fc1) > Copyright (c) 1986-2002 by cisco Systems, Inc. > Compiled Wed 28-Aug-02 10:25 by antonino > Image text-base: 0x80010000, data-base: 0x80528000 > > ROM: Bootstrap program is CALHOUN boot loader > > switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes > System returned to ROM by power-on > System restarted at 11:00:50 EST Tue May 20 2003 > System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin" > > My longest running switch. > > > On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos < > gustavo at nexthop.com.br> wrote: > >> Is this suppose to be a good thing? (not patching your systems for >> almost 10 years?)... >> >> Gustavo. >> >> >> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote: >>> Not techy, just interesting anyone beat this uptime? >>> >>> Liverpool_St_A#sho ver >>> Cisco Internetwork Operating System Software IOS (tm) 3000 Software >>> (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1) Copyright (c) >> 1986-1996 >>> by cisco Systems, Inc. >>> Compiled Mon 09-Dec-96 19:48 by athavale Image text-base: 0x030348D8, >>> data-base: 0x00001000 >>> >>> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE >>> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE >>> SOFTWARE (fc1) >>> >>> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes System >>> restarted by power-on System image file is "flash:igs-j-l.110-13", booted >>> via flash >>> >>> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of >> memory. 
>>> Processor board ID 04812778, with hardware revision 00000000 Bridging >>> software. >>> SuperLAT software copyright 1990 by Meridian Technology Corp). >>> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. >>> TN3270 Emulation software (copyright 1994 by TGV Inc). >>> 1 Ethernet/IEEE 802.3 interface. >>> 2 Serial network interfaces. >>> 32K bytes of non-volatile configuration memory. >>> 8192K bytes of processor board System flash (Read ONLY) >>> >>> Configuration register is 0x2102 >>> >>> Liverpool_St_A# >>> >>> >>> Thanks >>> >>> Nic >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > . > Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at abuse at rackspace.com, and delete the original message. Your cooperation is appreciated. 
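Gustavo's question in the quoted thread above (is a decade without a reload a good thing?) is the part of this brag-fest worth acting on. The following is an added example, not code posted by anyone on this list: a small Python parser that reads the "uptime is" / "Uptime is" / "SysUpTime:" lines in the formats quoted in this thread, pulls the image build date from the "Compiled" or "Build Date" line, and flags every device whose running image is older than a threshold. The sample captures are trimmed reconstructions of the show version excerpts posted in the thread (hostnames as the posters gave them; the non-Cisco switch has no hostname, so "unnamed-xnet" is made up); the 3-year threshold, the 365-day year and the reference date of 24 Aug 2009 are assumptions.

```python
"""Flag long-running network devices whose image is old, from 'show version' text.

Added example, not code from this thread. The unit conversions (year = 365 days,
week = 7 days) are assumptions that match how IOS prints uptime.
"""
import re
from datetime import date, datetime

# Reference date for the age calculation: the date of the posts in this thread (assumption).
REFERENCE_DATE = date(2009, 8, 24)

_UNIT_DAYS = {"year": 365.0, "week": 7.0, "day": 1.0,
              "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}

# IOS/CatOS: "uptime is 6 years, 4 weeks, 4 days, 48 minutes" / "Uptime is 1287 days, ..."
# Catalyst 1900: "uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s)"
_UPTIME_RE = re.compile(r"uptime is\s+(.+)", re.IGNORECASE)
_PART_RE = re.compile(r"(\d+)\s*(year|week|day|hour|minute|second)", re.IGNORECASE)
# Non-Cisco switch in the thread: "SysUpTime: 1622 10:41:58" (days, then hh:mm:ss)
_SYSUP_RE = re.compile(r"SysUpTime:\s*(\d+)\s+(\d+):(\d+):(\d+)")
# IOS: "Compiled Wed 28-Aug-02 10:25 by antonino"
# CatOS: "NMP S/W compiled on Mar 10 2004, 18:22:30"; other: "Build Date: Jan 11 2005 15:20:06"
_BUILD_RE = re.compile(
    r"(?:[Cc]ompiled(?: on)?|Build Date:)\s+(?:[A-Za-z]{3}\s+)?"
    r"(\d{1,2}-[A-Za-z]{3}-\d{2}|[A-Za-z]{3}\s+\d{1,2}\s+\d{4})")


def uptime_days(show_ver: str):
    """Return device uptime in days (float), or None if no uptime line is found."""
    m = _SYSUP_RE.search(show_ver)
    if m:
        d, h, mi, s = (int(x) for x in m.groups())
        return d + h / 24 + mi / 1440 + s / 86400
    m = _UPTIME_RE.search(show_ver)
    if not m:
        return None
    return sum(int(n) * _UNIT_DAYS[unit.lower()]
               for n, unit in _PART_RE.findall(m.group(1)))


def image_build_date(show_ver: str):
    """Return the image build date, or None if there is no Compiled/Build Date line."""
    m = _BUILD_RE.search(show_ver)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())          # normalise runs of spaces
    fmt = "%d-%b-%y" if "-" in stamp else "%b %d %Y"
    return datetime.strptime(stamp, fmt).date()


def assess(show_ver: str, today: date, max_image_age_years: int = 3) -> dict:
    """Summarise one capture: uptime, image build date and whether the image is stale.

    'Stale' means the image was built more than max_image_age_years before today;
    a box that has not reloaded in years has, by definition, not taken a fix in years."""
    built = image_build_date(show_ver)
    age = (today - built).days if built else None
    return {
        "uptime_days": uptime_days(show_ver),
        "image_built": built,
        "image_age_days": age,
        "stale_image": age is not None and age > max_image_age_years * 365,
    }


def stale_devices(captures: dict, today: date, max_image_age_years: int = 3) -> list:
    """Names of devices whose running image is older than the allowed age."""
    return [name for name, text in captures.items()
            if assess(text, today, max_image_age_years)["stale_image"]]


# Constructed captures in the formats quoted in this thread (trimmed to the relevant lines).
SAMPLES = {
    "switch02.kst.dc": (
        "Cisco Internetwork Operating System Software\n"
        "IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)\n"
        "Compiled Wed 28-Aug-02 10:25 by antonino\n"
        "switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes\n"),
    "Liverpool_St_A": (
        "IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)\n"
        "Compiled Mon 09-Dec-96 19:48 by athavale\n"
        "Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes\n"),
    "Fabric-West": (
        "WS-C5500 Software, Version McpSW: 6.4(9) NmpSW: 6.4(9)\n"
        "NMP S/W compiled on Mar 10 2004, 18:22:30\n"
        "Uptime is 1287 days, 7 hours, 37 minutes\n"),
    "D12-1.sat1": (
        "Cisco Catalyst 1900/2820 Enterprise Edition Software\n"
        "D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s)\n"),
    "unnamed-xnet": (
        "Application Version: V02.03.0111\n"
        "Build Date: Jan 11 2005 15:20:06\n"
        "SysUpTime: 1622 10:41:58\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess(text, REFERENCE_DATE))
    print("stale:", stale_devices(SAMPLES, REFERENCE_DATE))
```

Run it as a script to print one summary per device; for your own gear, replace SAMPLES with a dict of hostname to captured show version text. Image age is the better signal than uptime: a box that reloaded last month onto a 2005 image is just as unpatched as one that never reloaded, and the Catalyst 1900 output, which prints no build date at all, shows why the check has to tolerate a missing field rather than silently pass.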
From andy.petrenko at gmail.com Mon Aug 24 07:50:53 2009
From: andy.petrenko at gmail.com (Andrey 'sshd' Petrenko)
Date: Mon, 24 Aug 2009 14:50:53 +0300
Subject: [c-nsp] Long Uptime
In-Reply-To: <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com>
Message-ID: <4A927E9D.8030205@gmail.com>

24.08.2009 13:40, Tom Sands wrote:
> D12-1.sat1>show ver
> Cisco Catalyst 1900/2820 Enterprise Edition Software
> Version V9.00.02
> Copyright (c) Cisco Systems, Ins. 1993-1999
> D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s)
>
>
> --------------------------------------------------------------------------------
>
> Tom Sands
> Chief Network Engineer
> Rackspace
> (210)312-4391
> --------------------------------------------------------------------------------
>
>
> Adam Piasecki wrote:
>> Cisco Internetwork Operating System Software
>> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE
>> SOFTWARE
>> (fc1)
>> Copyright (c) 1986-2002 by cisco Systems, Inc.
>> Compiled Wed 28-Aug-02 10:25 by antonino
>> Image text-base: 0x80010000, data-base: 0x80528000
>>
>> ROM: Bootstrap program is CALHOUN boot loader
>>
>> switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes
>> System returned to ROM by power-on
>> System restarted at 11:00:50 EST Tue May 20 2003
>> System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin"
>>
>> My longest running switch.
>>
>>
>> On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos <
>> gustavo at nexthop.com.br> wrote:
>>
>>> Is this suppose to be a good thing? (not patching your systems for
>>> almost 10 years?)...
>>>
>>> Gustavo.
>>>
>>>
>>> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
>>>> Not techy, just interesting anyone beat this uptime?
>>>> >>>> Liverpool_St_A#sho ver >>>> Cisco Internetwork Operating System Software IOS (tm) 3000 Software >>>> (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1) Copyright (c) >>> 1986-1996 >>>> by cisco Systems, Inc. >>>> Compiled Mon 09-Dec-96 19:48 by athavale Image text-base: 0x030348D8, >>>> data-base: 0x00001000 >>>> >>>> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE >>>> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE >>>> SOFTWARE (fc1) >>>> >>>> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes System >>>> restarted by power-on System image file is "flash:igs-j-l.110-13", >>>> booted >>>> via flash >>>> >>>> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of >>> memory. >>>> Processor board ID 04812778, with hardware revision 00000000 Bridging >>>> software. >>>> SuperLAT software copyright 1990 by Meridian Technology Corp). >>>> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. >>>> TN3270 Emulation software (copyright 1994 by TGV Inc). >>>> 1 Ethernet/IEEE 802.3 interface. >>>> 2 Serial network interfaces. >>>> 32K bytes of non-volatile configuration memory. 
>>>> 8192K bytes of processor board System flash (Read ONLY) >>>> >>>> Configuration register is 0x2102 >>>> >>>> Liverpool_St_A# >>>> >>>> >>>> Thanks >>>> >>>> Nic >>>> >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> . >> > > > Confidentiality Notice: This e-mail message (including any attached or > embedded documents) is intended for the exclusive and confidential use > of the > individual or entity to which this message is addressed, and unless > otherwise > expressly indicated, is confidential and privileged information of > Rackspace. > Any dissemination, distribution or copying of the enclosed material is > prohibited. > If you receive this transmission in error, please notify us > immediately by e-mail > at abuse at rackspace.com, and delete the original message. > Your cooperation is appreciated. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ c7300-24#sh ver Cisco IOS Software, 7301 Software (C7301-P-M), Version 12.4(1a), RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. 
Compiled Fri 27-May-05 14:38 by hqluong
c7300-24 uptime is 3 years, 35 weeks, 2 days, 22 hours, 2 minutes

--
With best regards,
Andrey 'sshd' Petrenko
xmmp: sshd at jabber.org
gtalk: andy.petrenko at gmail.com
skype: andy.petrenko
web: sshd.by

From ross at wtccommunications.ca Mon Aug 24 10:30:08 2009
From: ross at wtccommunications.ca (Ross Halliday)
Date: Mon, 24 Aug 2009 10:30:08 -0400
Subject: [c-nsp] Long Uptime
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com>
Message-ID: <151BC03492E46E4CB8D479E42CEF7890BEE915@exchange.wtc.local>

Fabric-West> sh ver
WS-C5500 Software, Version McpSW: 6.4(9) NmpSW: 6.4(9)
Copyright (c) 1995-2004 by Cisco Systems
NMP S/W compiled on Mar 10 2004, 18:22:30
MCP S/W compiled on Mar 10 2004, 18:17:56
...
Uptime is 1287 days, 7 hours, 37 minutes

These things are beasts; last reload was for a CatOS upgrade.

---
Ross Halliday
Network Operations
WTC Communications
Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrey 'sshd' Petrenko
Sent: Monday, August 24, 2009 7:51 AM
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Long Uptime

24.08.2009 13:40, Tom Sands wrote:
> D12-1.sat1>show ver
> Cisco Catalyst 1900/2820 Enterprise Edition Software
> Version V9.00.02
> Copyright (c) Cisco Systems, Ins.
1993-1999 > D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s) > > > -------------------------------------------------------------------------------- > > Tom Sands > Chief Network Engineer > Rackspace > (210)312-4391 > -------------------------------------------------------------------------------- > > > Adam Piasecki wrote: >> Cisco Internetwork Operating System Software >> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE >> SOFTWARE >> (fc1) >> Copyright (c) 1986-2002 by cisco Systems, Inc. >> Compiled Wed 28-Aug-02 10:25 by antonino >> Image text-base: 0x80010000, data-base: 0x80528000 >> >> ROM: Bootstrap program is CALHOUN boot loader >> >> switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes >> System returned to ROM by power-on >> System restarted at 11:00:50 EST Tue May 20 2003 >> System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin" >> >> My longest running switch. >> >> >> On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos < >> gustavo at nexthop.com.br> wrote: >> >>> Is this suppose to be a good thing? (not patching your systems for >>> almost 10 years?)... >>> >>> Gustavo. >>> >>> >>> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote: >>>> Not techy, just interesting anyone beat this uptime? >>>> >>>> Liverpool_St_A#sho ver >>>> Cisco Internetwork Operating System Software IOS (tm) 3000 Software >>>> (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1) Copyright (c) >>> 1986-1996 >>>> by cisco Systems, Inc. 
>>>> Compiled Mon 09-Dec-96 19:48 by athavale Image text-base: 0x030348D8, >>>> data-base: 0x00001000 >>>> >>>> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE >>>> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE >>>> SOFTWARE (fc1) >>>> >>>> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes System >>>> restarted by power-on System image file is "flash:igs-j-l.110-13", >>>> booted >>>> via flash >>>> >>>> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of >>> memory. >>>> Processor board ID 04812778, with hardware revision 00000000 Bridging >>>> software. >>>> SuperLAT software copyright 1990 by Meridian Technology Corp). >>>> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. >>>> TN3270 Emulation software (copyright 1994 by TGV Inc). >>>> 1 Ethernet/IEEE 802.3 interface. >>>> 2 Serial network interfaces. >>>> 32K bytes of non-volatile configuration memory. >>>> 8192K bytes of processor board System flash (Read ONLY) >>>> >>>> Configuration register is 0x2102 >>>> >>>> Liverpool_St_A# >>>> >>>> >>>> Thanks >>>> >>>> Nic >>>> >>>> >> . >> > > c7300-24#sh ver Cisco IOS Software, 7301 Software (C7301-P-M), Version 12.4(1a), RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. 
Compiled Fri 27-May-05 14:38 by hqluong c7300-24 uptime is 3 years, 35 weeks, 2 days, 22 hours, 2 minutes -- With best regards, Andrey 'sshd' Petrenko xmmp: sshd at jabber.org gtalk: andy.petrenko at gmail.com skype: andy.petrenko web: sshd.by From gert at greenie.muc.de Mon Aug 24 10:52:04 2009 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 24 Aug 2009 16:52:04 +0200 Subject: [c-nsp] Long Uptime In-Reply-To: <151BC03492E46E4CB8D479E42CEF7890BEE915@exchange.wtc.local> References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <4A927E9D.8030205@gmail.com> <151BC03492E46E4CB8D479E42CEF7890BEE915@exchange.wtc.local> Message-ID: <20090824145204.GK2121@greenie.muc.de> Hi, On Mon, Aug 24, 2009 at 10:30:08AM -0400, Ross Halliday wrote: > Fabric-West> sh ver > WS-C5500 Software, Version McpSW: 6.4(9) NmpSW: 6.4(9) > Copyright (c) 1995-2004 by Cisco Systems > NMP S/W compiled on Mar 10 2004, 18:22:30 > MCP S/W compiled on Mar 10 2004, 18:17:56 > ... > Uptime is 1287 days, 7 hours, 37 minutes > > > These things are beasts, last reload was for a CatOS upgrade. Indeed... :-) WS-C5509 Software, Version McpSW: 5.5(13) NmpSW: 5.5(13) Copyright (c) 1995-2002 by Cisco Systems NMP S/W compiled on Jan 22 2002, 19:03:57 MCP S/W compiled on Jan 22 2002, 18:58:15 ... Uptime is 2759 days, 5 hours, 38 minutes (what, there is a 6.x for 5500? need to upgrade *AGAIN*...?!) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From sgranger at randfinancial.com Mon Aug 24 11:21:17 2009 From: sgranger at randfinancial.com (Sean Granger) Date: Mon, 24 Aug 2009 10:21:17 -0500 Subject: [c-nsp] Long Uptime In-Reply-To: <20090824145204.GK2121@greenie.muc.de> References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <4A927E9D.8030205@gmail.com> <151BC03492E46E4CB8D479E42CEF7890BEE915@exchange.wtc.local> <20090824145204.GK2121@greenie.muc.de> Message-ID: <4A92699D020000D900003336@mail.randfinancial.com> Yep ... w/ crypto : WS-C5500 Software, Version McpSW: 6.4(13) NmpSW: 6.4(13) Copyright (c) 1995-2004 by Cisco Systems NMP S/W compiled on Sep 13 2004, 19:20:01 MCP S/W compiled on Sep 13 2004, 19:19:28 ... Uptime is 1164 days, 20 hours, 24 minutes (cat5000-sup3k9.6-4-13.bin) >>> Gert Doering 8/24/2009 9:52 AM >>> Hi, On Mon, Aug 24, 2009 at 10:30:08AM -0400, Ross Halliday wrote: > Fabric-West> sh ver > WS-C5500 Software, Version McpSW: 6.4(9) NmpSW: 6.4(9) > Copyright (c) 1995-2004 by Cisco Systems > NMP S/W compiled on Mar 10 2004, 18:22:30 > MCP S/W compiled on Mar 10 2004, 18:17:56 > ... > Uptime is 1287 days, 7 hours, 37 minutes > > > These things are beasts, last reload was for a CatOS upgrade. Indeed... :-) WS-C5509 Software, Version McpSW: 5.5(13) NmpSW: 5.5(13) Copyright (c) 1995-2002 by Cisco Systems NMP S/W compiled on Jan 22 2002, 19:03:57 MCP S/W compiled on Jan 22 2002, 18:58:15 ... Uptime is 2759 days, 5 hours, 38 minutes (what, there is a 6.x for 5500? need to upgrade *AGAIN*...?!) gert -- USENET is *not* the non-clickable part of WWW! 
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From bjohnson at drtel.com Mon Aug 24 14:34:54 2009
From: bjohnson at drtel.com (Brian Johnson)
Date: Mon, 24 Aug 2009 13:34:54 -0500
Subject: [c-nsp] Long Uptime
In-Reply-To: <4A927E9D.8030205@gmail.com>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com>
Message-ID: <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan>

sw01.oake#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 23-Aug-05 14:07 by dchih
Image text-base: 0x10000000, data-base: 0x114DD210

ROM: 12.2(20r)EW1
Dagobah Revision 225, Swamp Revision 4

sw01.oake uptime is 3 years, 45 weeks, 6 days, 22 hours, 6 minutes
System returned to ROM by power-on
System restarted at 16:19:24 CDT Fri Oct 7 2005
System image file is "bootflash:"

cisco WS-C4948 (MPC8245) processor (revision 0) with 262144K bytes of memory.
Processor board ID FOX084506R8
MPC8245 CPU at 266Mhz, Fixed Module
Last reset from PowerUp
2 Virtual Ethernet interfaces
48 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

- Brian

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Andrey 'sshd' Petrenko
> Sent: Monday, August 24, 2009 6:51 AM
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Long Uptime
>
> 24.08.2009 13:40, Tom Sands wrote:
> > D12-1.sat1>show ver
> > Cisco Catalyst 1900/2820 Enterprise Edition Software
> > Version V9.00.02
> > Copyright (c) Cisco Systems, Ins.
1993-1999 > > D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s) > > > > > > --------------------------------------------------------------------- > ----------- > > > > Tom Sands > > Chief Network Engineer > > Rackspace > > (210)312-4391 > > --------------------------------------------------------------------- > ----------- > > > > > > Adam Piasecki wrote: > >> Cisco Internetwork Operating System Software > >> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, > RELEASE > >> SOFTWARE > >> (fc1) > >> Copyright (c) 1986-2002 by cisco Systems, Inc. > >> Compiled Wed 28-Aug-02 10:25 by antonino > >> Image text-base: 0x80010000, data-base: 0x80528000 > >> > >> ROM: Bootstrap program is CALHOUN boot loader > >> > >> switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes > >> System returned to ROM by power-on > >> System restarted at 11:00:50 EST Tue May 20 2003 > >> System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin" > >> > >> My longest running switch. > >> > >> > >> On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos < > >> gustavo at nexthop.com.br> wrote: > >> > >>> Is this suppose to be a good thing? (not patching your systems for > >>> almost 10 years?)... > >>> > >>> Gustavo. > >>> > >>> > >>> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney > wrote: > >>>> Not techy, just interesting anyone beat this uptime? > >>>> > >>>> Liverpool_St_A#sho ver > >>>> Cisco Internetwork Operating System Software IOS (tm) 3000 > Software > >>>> (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1) Copyright (c) > >>> 1986-1996 > >>>> by cisco Systems, Inc. 
> >>>> Compiled Mon 09-Dec-96 19:48 by athavale Image text-base: > 0x030348D8, > >>>> data-base: 0x00001000 > >>>> > >>>> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE > >>>> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), > RELEASE > >>>> SOFTWARE (fc1) > >>>> > >>>> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes > System > >>>> restarted by power-on System image file is "flash:igs-j-l.110-13", > >>>> booted > >>>> via flash > >>>> > >>>> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes > of > >>> memory. > >>>> Processor board ID 04812778, with hardware revision 00000000 > Bridging > >>>> software. > >>>> SuperLAT software copyright 1990 by Meridian Technology Corp). > >>>> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant. > >>>> TN3270 Emulation software (copyright 1994 by TGV Inc). > >>>> 1 Ethernet/IEEE 802.3 interface. > >>>> 2 Serial network interfaces. > >>>> 32K bytes of non-volatile configuration memory. > >>>> 8192K bytes of processor board System flash (Read ONLY) > >>>> > >>>> Configuration register is 0x2102 > >>>> > >>>> Liverpool_St_A# > >>>> > >>>> > >>>> Thanks > >>>> > >>>> Nic > >>>> > >>>> > >>>> _______________________________________________ > >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>>> > >>> _______________________________________________ > >>> cisco-nsp mailing list cisco-nsp at puck.nether.net > >>> https://puck.nether.net/mailman/listinfo/cisco-nsp > >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> . 
> >> > > > > > > Confidentiality Notice: This e-mail message (including any attached > or > > embedded documents) is intended for the exclusive and confidential > use > > of the > > individual or entity to which this message is addressed, and unless > > otherwise > > expressly indicated, is confidential and privileged information of > > Rackspace. > > Any dissemination, distribution or copying of the enclosed material > is > > prohibited. > > If you receive this transmission in error, please notify us > > immediately by e-mail > > at abuse at rackspace.com, and delete the original message. > > Your cooperation is appreciated. > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > c7300-24#sh ver > Cisco IOS Software, 7301 Software (C7301-P-M), Version 12.4(1a), > RELEASE > SOFTWARE (fc2) > Technical Support: http://www.cisco.com/techsupport > Copyright (c) 1986-2005 by Cisco Systems, Inc. 
> Compiled Fri 27-May-05 14:38 by hqluong > c7300-24 uptime is 3 years, 35 weeks, 2 days, 22 hours, 2 minutes > > -- > With best regards, > Andrey 'sshd' Petrenko > xmmp: sshd at jabber.org > gtalk: andy.petrenko at gmail.com > skype: andy.petrenko > web: sshd.by > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From sbr at infonet.ee Mon Aug 24 15:37:53 2009 From: sbr at infonet.ee (Konstantin Barinov) Date: Mon, 24 Aug 2009 22:37:53 +0300 Subject: [c-nsp] Long Uptime In-Reply-To: <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com><8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> Message-ID: <4A92EC11.7000205@infonet.ee> OK, here we go :) > sh ver WS-C5505 Software, Version McpSW: 6.3(10) NmpSW: 6.3(10) Copyright (c) 1995-2002 by Cisco Systems NMP S/W compiled on Nov 4 2002, 17:17:28 MCP S/W compiled on Nov 04 2002, 17:01:16 ... Uptime is 910 days, 16 hours, 37 minutes >sh ver Cisco IOS Software, 7200 Software (C7200-P-M), Version 12.3(7)T11, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by Cisco Systems, Inc. 
Compiled Fri 15-Jul-05 01:09 by dchih
ROM: System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-BOOT-M), Version 12.0(13)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

xxx uptime is 3 years, 44 weeks, 3 days, 15 hours, 51 minutes
System restarted at 06:23:14 EEST Tue Oct 18 2005
System image file is "sup-slot0:/c7200-p-mz.123-7.T11.bin"

Cisco 7204VXR (NPE300) processor (revision D) with 229376K/65536K bytes of memory.

>sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(6)EA2b, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 15-Feb-02 11:39 by antonino
Image text-base: 0x80010000, data-base: 0x8042C000

ROM: Bootstrap program is CALHOUN boot loader

t16e-sw uptime is 4 years, 18 weeks, 2 days, 7 hours, 25 minutes
System returned to ROM by power-on
System restarted at 15:00:27 EEST Tue Apr 19 2005
System image file is "flash:c2950-i6q4l2-mz.121-6.EA2b.bin"

cisco WS-C2950-12 (RC32300) processor (revision B0) with 21295K bytes of memory.
Processor board ID FAB0534P0UK
Last reset from system-reset

12 FastEthernet/IEEE 802.3 interface(s)

Here is a Chinese switch:

#sh ver
Application Version: V02.03.0111
Build Date: Jan 11 2005 15:20:06
Image Name: xnetaxr7xf.img
Boot Version:
Build Date:
Hardware Version:
MAC Address: 00:05:1d:02:06:88
SysUpTime: 1622 10:41:58

I also have an Ascend MAX4000 running for 4+ years, but the ethernet port died, and I've left it running only for the uptime. I visit the site occasionally to connect a serial console and check status. :)

-- 
Konstantin Barinov

On 24-Aug-09 21:34, Brian Johnson wrote:
> sw01.oake#sh ver
> Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA3, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2005 by Cisco Systems, Inc.
> Compiled Tue 23-Aug-05 14:07 by dchih
> Image text-base: 0x10000000, data-base: 0x114DD210
> 
> ROM: 12.2(20r)EW1
> Dagobah Revision 225, Swamp Revision 4
> 
> sw01.oake uptime is 3 years, 45 weeks, 6 days, 22 hours, 6 minutes
> System returned to ROM by power-on
> System restarted at 16:19:24 CDT Fri Oct 7 2005
> System image file is "bootflash:"
> 
> cisco WS-C4948 (MPC8245) processor (revision 0) with 262144K bytes of memory.
> Processor board ID FOX084506R8
> MPC8245 CPU at 266Mhz, Fixed Module
> Last reset from PowerUp
> 2 Virtual Ethernet interfaces
> 48 Gigabit Ethernet interfaces
> 511K bytes of non-volatile configuration memory.
> 
> - Brian
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andrey 'sshd' Petrenko
>> Sent: Monday, August 24, 2009 6:51 AM
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Long Uptime
>> 
>> 24.08.2009 13:40, Tom Sands wrote:
>>> D12-1.sat1>show ver
>>> Cisco Catalyst 1900/2820 Enterprise Edition Software
>>> Version V9.00.02
>>> Copyright © Cisco Systems, Ins. 1993-1999
>>> D12-1.sat1 uptime is 2926day(s) 18hour(s) 01minute(s) 25second(s)
>>> 
>>> Tom Sands
>>> Chief Network Engineer
>>> Rackspace
>>> (210)312-4391
>>> 
>>> Adam Piasecki wrote:
>>>> Cisco Internetwork Operating System Software
>>>> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1, RELEASE SOFTWARE (fc1)
>>>> Copyright (c) 1986-2002 by cisco Systems, Inc.
>>>> Compiled Wed 28-Aug-02 10:25 by antonino
>>>> Image text-base: 0x80010000, data-base: 0x80528000
>>>> 
>>>> ROM: Bootstrap program is CALHOUN boot loader
>>>> 
>>>> switch02.kst.dc uptime is 6 years, 4 weeks, 4 days, 48 minutes
>>>> System returned to ROM by power-on
>>>> System restarted at 11:00:50 EST Tue May 20 2003
>>>> System image file is "flash:/c2950-i6q4l2-mz.121-11.EA1.bin"
>>>> 
>>>> My longest running switch.
>>>> 
>>>> On Fri, Jun 19, 2009 at 10:25 AM, Gustavo Rodrigues Ramos <gustavo at nexthop.com.br> wrote:
>>>> 
>>>>> Is this supposed to be a good thing? (not patching your systems for almost 10 years?)...
>>>>> 
>>>>> Gustavo.
>>>>> 
>>>>> On Fri, Jun 19, 2009 at 10:22 AM, Nic McCartney wrote:
>>>>>> Not techy, just interesting: anyone beat this uptime?
>>>>>> 
>>>>>> Liverpool_St_A#sho ver
>>>>>> Cisco Internetwork Operating System Software
>>>>>> IOS (tm) 3000 Software (IGS-J-L), Version 11.0(13), RELEASE SOFTWARE (fc1)
>>>>>> Copyright (c) 1986-1996 by cisco Systems, Inc.
>>>>>> Compiled Mon 09-Dec-96 19:48 by athavale
>>>>>> Image text-base: 0x030348D8, data-base: 0x00001000
>>>>>> 
>>>>>> ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
>>>>>> ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
>>>>>> 
>>>>>> Liverpool_St_A uptime is 529 weeks, 3 days, 9 hours, 2 minutes
>>>>>> System restarted by power-on
>>>>>> System image file is "flash:igs-j-l.110-13", booted via flash
>>>>>> 
>>>>>> cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
>>>>>> Processor board ID 04812778, with hardware revision 00000000
>>>>>> Bridging software.
>>>>>> SuperLAT software copyright 1990 by Meridian Technology Corp).
>>>>>> X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
>>>>>> TN3270 Emulation software (copyright 1994 by TGV Inc).
>>>>>> 1 Ethernet/IEEE 802.3 interface.
>>>>>> 2 Serial network interfaces.
>>>>>> 32K bytes of non-volatile configuration memory.
>>>>>> 8192K bytes of processor board System flash (Read ONLY)
>>>>>> 
>>>>>> Configuration register is 0x2102
>>>>>> 
>>>>>> Liverpool_St_A#
>>>>>> 
>>>>>> Thanks
>>>>>> 
>>>>>> Nic
From justin at justinshore.com Mon Aug 24 17:01:15 2009
From: justin at justinshore.com (Justin Shore)
Date: Mon, 24 Aug 2009 16:01:15 -0500
Subject: [c-nsp] 6500 QoS
In-Reply-To: <20090821212536.M92630@fast-serv.com>
References: <4A8CC0BC.2000606@kenweb.org> <20090821212536.M92630@fast-serv.com>
Message-ID: <4A92FF9B.1080003@justinshore.com>

Randy McAnally wrote:
> We got minor packet loss and noticeably slower speeds off the bat with 'mls
> qos' enabled with all defaults, even with only 40-50% interface utilization.
> In fact it took a while to figure it out. Be very careful when you enable it
> if even minor packet loss will be an issue.

I'm neck deep in a similar configuration. I'm hoping that I don't run into similar issues.
Justin

From BBlackford at nwresd.k12.or.us Mon Aug 24 17:37:41 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Mon, 24 Aug 2009 14:37:41 -0700
Subject: [c-nsp] asa SSL VPN
Message-ID: <6069A203FD01884885C037F81DD75080171DF91E13@wsc-mail-01.intra.nwresd.k12.or.us>

A basic question about functionality. Does the asa clientless SSL work the same as the VPN Concentrator's webvpn? I'm reading some documentation that is leading me to believe that it only will allow access to published services, vs. modifying the client route table and tunneling address ranges. Am I missing something?

Thanks

-b

---
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From andy.saykao at staff.netspace.net.au Mon Aug 24 18:39:40 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 25 Aug 2009 08:39:40 +1000
Subject: [c-nsp] Nat Virtual Interface
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB5A@vic-cr-ex1.staff.netspace.net.au>

Are we supposed to be able to view the NAT translations taking place when using a NAT Virtual Interface?

Here's me pinging google using a NVI, but I can't see any NAT translations taking place???? The translation must be taking place because my PC has an address of 192.168.2.2 (gets NATted to 210.15.230.x) and I'm getting replies from google.
test-mpls-cr#sh ip cache flow | inc 66.102.11.99
Gi0/0.11      66.102.11.99    Gi0/0.11      210.15.230.x    01 0000 0000    23
Gi0/0.11      192.168.2.2     Gi0/0.904     66.102.11.99    01 0000 0800    23

test-mpls-cr#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global

test-mpls-cr#sh ip nat trans global
Pro Inside global      Inside local       Outside local      Outside global

test-mpls-cr#sh ip nat trans vrf NSTEST
Pro Inside global      Inside local       Outside local      Outside global

test-mpls-cr#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 16:02:21 ago
Outside interfaces:
Inside interfaces:
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 1] access-list NSTEST-NAT-ACL pool NSTEST-NAT-POOL refcount 22
 pool NSTEST-NAT-POOL: netmask 255.255.255.252
        start 210.15.230.x end 210.15.230.x
        type generic, total addresses 1, allocated 1 (100%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

This is on a Cisco 7301 running 12.4(24)T1

Thanks.

Andy
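Added example in Python, not from the thread: it pairs the two flow-cache lines Andy posted to recover the inside-local to inside-global mapping (the flow cache records both directions even when the translation view being used is empty), and parses the "sh ip nat nvi translations" table from the follow-up message so the two views can be compared. The sample output is constructed after the thread's, with the redacted 210.15.230.x replaced by a constructed 203.0.113.6; the TCP pairing assumes the router preserved the source port, as the follow-up's table shows.

```python
"""Recover NAT mappings from 'show ip cache flow' and 'show ip nat nvi translations'.

Added example, not from the thread. With NVI the plain 'show ip nat translations'
view is empty, but the flow cache still records both directions of a translated
conversation, so pairing the outbound flow (RFC 1918 source) with the return flow
from the same peer recovers inside-local -> inside-global. Samples are constructed
after the thread's output; the redacted 210.15.230.x is replaced by 203.0.113.6."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: ipaddress.IPv4Address
    dst_if: str
    dst: ipaddress.IPv4Address
    proto: int
    sport: int  # for ICMP the SrcP/DstP columns carry type/code, not ports
    dport: int
    pkts: int


def parse_cache_flow(text: str) -> List[Flow]:
    """Parse the eight-column flow lines; the header and prompt lines are skipped."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8:
            continue
        try:
            flows.append(Flow(cols[0], ipaddress.IPv4Address(cols[1]),
                              cols[2], ipaddress.IPv4Address(cols[3]),
                              int(cols[4], 16), int(cols[5], 16),
                              int(cols[6], 16), int(cols[7])))
        except ValueError:
            continue  # the column header ('SrcIf SrcIPaddress ...') is not a flow
    return flows


def infer_nat_mappings(flows: List[Flow]) -> Dict[str, dict]:
    """Pair each inside->outside flow with the return flow from the same peer.
    For TCP/UDP the return destination port must equal the outbound source port,
    i.e. the router kept the port (as in the thread's nvi table: 1129 -> 1129)."""
    mappings: Dict[str, dict] = {}
    for out in flows:
        if not is_rfc1918(out.src) or is_rfc1918(out.dst):
            continue  # not an inside->outside flow
        for ret in flows:
            if ret is out or ret.proto != out.proto or ret.src != out.dst:
                continue
            if is_rfc1918(ret.dst):
                continue  # reply already addressed to the inside local: no NAT
            if out.proto in (6, 17) and ret.dport != out.sport:
                continue
            mappings[str(out.src)] = {
                "inside_global": str(ret.dst),
                "peer": str(out.dst),
                "proto": PROTO_NAMES.get(out.proto, str(out.proto)),
            }
    return mappings


def parse_nvi_translations(text: str) -> Dict[str, str]:
    """Return {inside_local: inside_global} from 'show ip nat nvi translations'.
    Columns: Pro, Source global, Source local, Destin local, Destin global; the
    translated side is whichever pair holds two different addresses."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] not in ("tcp", "udp", "icmp"):
            continue
        for a, b in ((cols[1], cols[2]), (cols[3], cols[4])):
            ip_a = ipaddress.IPv4Address(a.rsplit(":", 1)[0])
            ip_b = ipaddress.IPv4Address(b.rsplit(":", 1)[0])
            if ip_a == ip_b:
                continue
            local, glob = (ip_b, ip_a) if is_rfc1918(ip_b) else (ip_a, ip_b)
            result[str(local)] = str(glob)
    return result


# Constructed after the thread's 'sh ip cache flow | inc 66.102.11.99' output.
SAMPLE_CACHE_FLOW = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.11      66.102.11.99    Gi0/0.11      203.0.113.6     01 0000 0000    23
Gi0/0.11      192.168.2.2     Gi0/0.904     66.102.11.99    01 0000 0800    23
"""

# Constructed after the thread's 'sh ip nat nvi translations' output.
SAMPLE_NVI = """\
Pro Source global      Source local       Destin  local      Destin  global
tcp 74.125.109.25:80   74.125.109.25:80   203.0.113.6:1129   192.168.2.2:1129
tcp 74.125.109.37:80   74.125.109.37:80   203.0.113.6:1128   192.168.2.2:1128
"""
```

Comparing infer_nat_mappings(parse_cache_flow(...)) with parse_nvi_translations(...) confirms the same 192.168.2.2 to 203.0.113.6 mapping from both views.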
From rwest at zyedge.com Mon Aug 24 19:01:01 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 24 Aug 2009 19:01:01 -0400
Subject: [c-nsp] Nat Virtual Interface
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB5A@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB5A@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <45BE49FE-D593-4E04-92CE-82605CB86FA2@zyedge.com>

s ip nat nvi trans

Sent from handheld.

On Aug 24, 2009, at 6:44 PM, "Andy Saykao" wrote:

> Are we suppose to be able to view the nat translations taking place
> when using a NAT Virtual Interface.
> 
> Here's me pinging google using a NVI, but I can't see any NAT
> translations taking place???? The translation must be taking place
> because my PC has address of 192.168.2.2 (gets natted to 210.15.230.x)
> and I'm getting replies from google.
> 
From andy.saykao at staff.netspace.net.au Mon Aug 24 19:08:42 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 25 Aug 2009 09:08:42 +1000
Subject: [c-nsp] Nat Virtual Interface
References: <56F211C5E3F24F47B103EA1B253822BE044AAB5A@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB5B@vic-cr-ex1.staff.netspace.net.au>

Sorry...fixed...after more googling, found that you can view the nat translation with:

test-mpls-cr#sh ip nat nvi translations
Pro Source global      Source local       Destin  local      Destin  global
tcp 74.125.109.25:80   74.125.109.25:80   210.15.230.x:1129  192.168.2.2:1129
tcp 74.125.109.37:80   74.125.109.37:80   210.15.230.x:1128  192.168.2.2:1128

Don't know why they don't include this in any of the cisco doco.

Nice article here:
http://ipexpert.ccieblog.com/2009/08/19/mpls-vpn-using-the-nat-virtual-interface-for-internet-access/

Cheers.

Andy
From mcgrath at fas.harvard.edu Mon Aug 24 19:30:00 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Mon, 24 Aug 2009 19:30:00 -0400
Subject: [c-nsp] asa SSL VPN
Message-ID: <13C9443BD0C7344D835569B0CFC9BB75358DB9D3@HARVBE01.fasmail.priv>

The SSL VPN client is implemented either as an ActiveX control or a Java application, depending upon platform. It replicates the functionality of the IPsec client and is currently the only support Cisco has for 64-bit OSes.

There is a WebVPN license as well which only allows access to published services. You used to get this as part of the SSL VPN client, but now Cisco has an SSL VPN 'essentials' licence which gives you the IPsec emulation only.

-----Original Message-----
From: "Bill Blackford"
Subj: [c-nsp] asa SSL VPN
Date: Mon Aug 24, 2009 17:35
Size: 733 bytes
To: "cisco-nsp at puck.nether.net"

A basic question about functionality. Does the asa clientless SSL work the same as the VPN Concentrator's webvpn? I'm reading some documentation that is leading me to believe that it only will allow access to published services, vs. modifying the client route table and tunneling address ranges. Am I missing something?
Thanks

-b

From felixnkansah at gmail.com Mon Aug 24 21:45:23 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Tue, 25 Aug 2009 01:45:23 +0000
Subject: [c-nsp] OT: What Data Leak Prevention Solution Do You Use?
Message-ID: <18dba4e50908241845j5ba4c35dib36d1d302ca1f415@mail.gmail.com>

Hi,

I would like to know which platforms, products or solutions you have deployed in-house or for your clients to effectively prevent leakage of corporate data.

Felix

From andy.saykao at staff.netspace.net.au Mon Aug 24 22:36:22 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 25 Aug 2009 12:36:22 +1000
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
References: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au> <002a01ca1f40$919db400$0a00000a@nil.si>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB61@vic-cr-ex1.staff.netspace.net.au>

I've been able to get this working using NVI, but I'm finding the traceroute is a bit strange. It times out after the Internet GW interface (202.45.118.x) which is on NAT-PE. When I go back to using nat inside/outside interfaces, the traceroute goes through fine. Any ideas why a NVI would not give a full traceroute of all the hops? Internet connectivity is fine so I can't complain, but I don't want VPN customers asking why the traceroute isn't showing properly.
My topology is like this:

CE1 --10.15.99.4/30--> PE1 -> P --202.45.118.x/30--> NAT-PE <--10.15.99.8/30-- CE2

From CE1 side:

C:\Documents and Settings\Andy>tracert www.google.com

Tracing route to www.l.google.com [66.102.11.99]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.2.1
  2    23 ms    21 ms    20 ms  10.15.99.5
  3    19 ms    18 ms    20 ms  202.45.118.x
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.

From CE2 (directly connected to NAT-PE):

C:\Users\sysadmin>tracert www.yahoo.com

Tracing route to www-real.wa1.b.yahoo.com [209.131.36.158]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.15.99.9
  2    <1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  3     1 ms    <1 ms    <1 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  4    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  5    12 ms    13 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  6     *        *        *     Request timed out.
  7    12 ms    12 ms    12 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  8   172 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
  9   173 ms   172 ms   172 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 10   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 11   173 ms   173 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]
 12   173 ms   174 ms   173 ms  f1.www.vip.sp1.yahoo.com [209.131.36.158]

Trace complete.

Not sure why all the hops don't show up when I do a traceroute from either CE????

Thanks.

Andy

-----Original Message-----
From: Ivan Pepelnjak [mailto:ip at ioshints.info]
Sent: Monday, 17 August 2009 11:42 PM
To: Andy Saykao; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] NAT-ON-A-STICK for VRF Traffic

It's probably easier to use the NAT Virtual Interface ("ip nat enable" instead of "ip nat inside|outside") in a VRF environment. You also don't need NAT-on-a-stick with NVI.
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Andy Saykao [mailto:andy.saykao at staff.netspace.net.au]
> Sent: Monday, August 17, 2009 2:59 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
> 
> I want to set up a NAT-PE Internet Gateway and NAT vrf traffic using
> NAT-ON-A-STICK. Is this possible?
> 
> Easy enough to do when it's IP traffic using policy-based routing as
> per this article:
> 
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
> 
> Just wondering how you would apply the article in relation to when the
> traffic is MPLS/VRF based.

From wireless at starbeam.com Tue Aug 25 00:54:36 2009
From: wireless at starbeam.com (Jerry Bacon)
Date: Mon, 24 Aug 2009 21:54:36 -0700
Subject: [c-nsp] GSR 12k GRP Images?!?
References: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan>
Message-ID: <636F110CE0EC47AC91F0CA2D54E0CBC5@mini2>

Which brings up a question I've had for a while.
What's the difference between the 12.0S and the 12.0SY versions?

TIA

-- 
Jerry B.

----- Original Message -----
From: "Matt Addison"

> > The 1600 is obsolete too, but you can still get images for that.
> 
> Looks like you can still get GRP images through Software Advisor, just
> not the sw-center/"Download Software" tool.

From swmike at swm.pp.se Tue Aug 25 01:58:32 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 25 Aug 2009 07:58:32 +0200 (CEST)
Subject: [c-nsp] GSR 12k GRP Images?!?
In-Reply-To: <636F110CE0EC47AC91F0CA2D54E0CBC5@mini2>
References: <17838240D9A5544AAA5FF95F8D52031606933D6F@ad-exh01.adhost.lan> <636F110CE0EC47AC91F0CA2D54E0CBC5@mini2>

On Mon, 24 Aug 2009, Jerry Bacon wrote:

> Which brings up a question I've had for a while. What's the difference
> between the 12.0S and the 12.0SY versions?

You can use the feature navigator for that, but basically 12.0(32)SY has a few added features over 12.0(32)S, such as support for more hardware (the SPA-TENGE-V2, for instance) and a few more features such as mpls ldp igp sync for ISIS. Generally the SY train has been the early introduction point for features; historically MPLS was available there first, for instance.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From zivl at gilat.net Tue Aug 25 02:42:03 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 25 Aug 2009 09:42:03 +0300
Subject: [c-nsp] NAT-ON-A-STICK for VRF Traffic
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB61@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB3E@vic-cr-ex1.staff.netspace.net.au> <002a01ca1f40$919db400$0a00000a@nil.si> <56F211C5E3F24F47B103EA1B253822BE044AAB61@vic-cr-ex1.staff.netspace.net.au>

You can tell your customers the VPN's purpose isn't ICMP but some other important things; as long as those work, they should stop "checking" and start working!
Just kidding...
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Tuesday, August 25, 2009 5:36 AM
To: Ivan Pepelnjak; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT-ON-A-STICK for VRF Traffic
From A.L.M.Buxey at lboro.ac.uk Tue Aug 25 05:46:49 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 25 Aug 2009 10:46:49 +0100
Subject: [c-nsp] Long Uptime
In-Reply-To: <4A92EC11.7000205@infonet.ee>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> <4A92EC11.7000205@infonet.ee>
Message-ID: <20090825094649.GB25228@lboro.ac.uk>

hi,

all these emails tell me is that there are many devices on which bug fixes and security fixes are not being applied; along with, possibly, the service provider where these might be living. all handy information to those who only listen to this list....

..some might wonder why routine upgrade/patching windows are not being undertaken.. a resilient linkage scheme and equipment list should mean that e.g. a router or switch can be taken out even in the middle of the day, should out-of-hours work be a non-entity :-|

alan

From asturluismi at gmail.com Tue Aug 25 08:18:54 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 25 Aug 2009 14:18:54 +0200
Subject: [c-nsp] dns resolution not working with vrfs
Message-ID: <1251202734.18328.12.camel@dsba-ipso>

Hi all,

I tried this code:

ip domain-lookup source-interface Port-channel1.92
ip name-server vrf FW2INET 199.45.32.40
ip name-server vrf FW2INET 151.202.0.85
ip name-server vrf FW2INET 151.202.0.84

And the test is...

#ping www.google.es
Translating "www.google.es"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.

Then I tried...
no ip name-server vrf FW2INET 199.45.32.40
no ip name-server vrf FW2INET 151.202.0.85
no ip name-server vrf FW2INET 151.202.0.84
ip name-server 199.45.32.40
ip name-server 151.202.0.85
ip name-server 151.202.0.8

And the test is...

#ping www.google.es
Translating "www.google.es"...domain server (199.45.32.40) (151.202.0.85) (151.202.0.84)
% Unrecognized host or address, or protocol not running.

This is the config for port-c.1.92

interface Port-channel1.92
 encapsulation dot1Q 92
 ip vrf forwarding FW2INET
 ip address 88.84.74.195 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp

if I do ping the result is...

#ping vrf FW2INET 151.202.0.85 source Port-channel1.92
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 151.202.0.85, timeout is 2 seconds:
Packet sent with a source address of 88.84.74.195
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/112/116 ms

#ping vrf FW2INET 199.45.32.40 source Port-channel1.92
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 199.45.32.40, timeout is 2 seconds:
Packet sent with a source address of 88.84.74.195
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/107/108 ms

Any idea?

From asturluismi at gmail.com Tue Aug 25 08:19:43 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 25 Aug 2009 14:19:43 +0200
Subject: [c-nsp] Invitation to connect on LinkedIn
In-Reply-To: <1390959718.1951125.1250512399888.JavaMail.app@ech3-cdn05.prod>
References: <1390959718.1951125.1250512399888.JavaMail.app@ech3-cdn05.prod>
Message-ID: <1251202783.18328.13.camel@dsba-ipso>

This should be notified to "fail blog" X-D

From asturluismi at gmail.com Tue Aug 25 08:28:02 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 25 Aug 2009 14:28:02 +0200
Subject: [c-nsp] route-map based on NBAR to control passive ftp
Message-ID: <1251203282.18328.18.camel@dsba-ipso>

Hi all,

We have here an issue regarding PBR.
We are not able -so far until right now- to change the routing policy using as a condition the passive ftp traffic.

In other words...

- Active FTP is being forwarded to vrf A by a "set vrf" condition (pretty easy using ACLs for TCP 20 and 21 ports)
- Passive FTP is being forwarded to vrf B -which is incorrect in our scenario- because the PBR is not able to detect it (we could open ports over 1024 in the ACL but we want to avoid P2P in vrf A)

So, is there any way to create a "match" condition to control just the P2P traffic?

From p.mayers at imperial.ac.uk Tue Aug 25 08:30:53 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 25 Aug 2009 13:30:53 +0100
Subject: [c-nsp] dns resolution not working with vrfs
In-Reply-To: <1251202734.18328.12.camel@dsba-ipso>
References: <1251202734.18328.12.camel@dsba-ipso>
Message-ID: <4A93D97D.1090605@imperial.ac.uk>

luismi wrote:
> Hi all,
>
> I tried this code:
> ip domain-lookup source-interface Port-channel1.92
> ip name-server vrf FW2INET 199.45.32.40
> ip name-server vrf FW2INET 151.202.0.85
> ip name-server vrf FW2INET 151.202.0.84
>
> And the test is...
> #ping www.google.es
> Translating "www.google.es"...domain server (255.255.255.255)
> % Unrecognized host or address, or protocol not running.

What happens if you do:

ping vrf FW2INET www.google.es

...here?

>
> Then I tried...
> no ip name-server vrf FW2INET 199.45.32.40
> no ip name-server vrf FW2INET 151.202.0.85
> no ip name-server vrf FW2INET 151.202.0.84
> ip name-server 199.45.32.40
> ip name-server 151.202.0.85
> ip name-server 151.202.0.8

...this won't work because the source-interface is in a VRF, and there isn't a per-VRF "ip domain-lookup source-interface" command.

We saw something related to this the other day; I'm half convinced that per-VRF DNS settings are only used "inside" that VRF e.g. for "ping vrf" versus plain "ping" commands.
From asturluismi at gmail.com Tue Aug 25 09:02:32 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 25 Aug 2009 15:02:32 +0200
Subject: [c-nsp] dns resolution not working with vrfs
In-Reply-To: <4A93D97D.1090605@imperial.ac.uk>
References: <1251202734.18328.12.camel@dsba-ipso> <4A93D97D.1090605@imperial.ac.uk>
Message-ID: <1251205352.18328.20.camel@dsba-ipso>

#ping vrf FW2INET www.google.es

Translating "www.google.es"...domain server (199.45.32.40) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.169.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/119/120 ms

quite interesting...

Thanks for that point of view

From ip at ioshints.info Tue Aug 25 12:10:26 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Tue, 25 Aug 2009 18:10:26 +0200
Subject: [c-nsp] dns resolution not working with vrfs
In-Reply-To: <1251205352.18328.20.camel@dsba-ipso>
References: <1251202734.18328.12.camel@dsba-ipso> <4A93D97D.1090605@imperial.ac.uk> <1251205352.18328.20.camel@dsba-ipso>
Message-ID: <005101ca259e$9008d980$0a00000a@nil.si>

"ip name-server VRF name address" specifies the DNS server to use for operations in the specified VRF (for example, when doing traceroute, telnet or ping on the PE-router within the VRF).

A bit more is written here:
http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/tvrfdns.html

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: luismi [mailto:asturluismi at gmail.com]
> Sent: Tuesday, August 25, 2009 3:03 PM
> To: Phil Mayers
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] dns resolution not working with vrfs
>
> #ping vrf FW2INET www.google.es
>
> Translating "www.google.es"...domain server (199.45.32.40) [OK]
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 64.233.169.99, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max =
> 116/119/120 ms
>
>
> quite interesting...
>
> Thanks for that point of view
>
>

From alex at digriz.org.uk Tue Aug 25 13:57:18 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Tue, 25 Aug 2009 18:57:18 +0100
Subject: [c-nsp] Long Uptime
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> <4A92EC11.7000205@infonet.ee> <20090825094649.GB25228@lboro.ac.uk>
Message-ID:

Alan Buxey wrote:
>
> [snipped]
>
> ..some might wonder why routine upgrade/patching windows are not being
> undertaken..a resilient linkage scheme and equipment list should mean that
> eg a router or switch can be taken out even in middle of day should
> out of hours work be a non-entity :-|
>
In a phrase "risk assessment". The risk of being h4ck0r3d probably in many situations might be considered lower than the risk of someone having a larger todger^Wuptime.

Cheers

--
Alexander Clouter
.sigmonster says: BOFH excuse #248: Too much radiation coming from the soil.

From musmanashraf at gmail.com Tue Aug 25 14:10:57 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Wed, 26 Aug 2009 00:10:57 +0600
Subject: [c-nsp] Strange syslog message
Message-ID: <9149d2410908251110y715554d2r8adee36eb0c2470f@mail.gmail.com>

Hi List,

Just saw a strange message on CISCO 7609,

5357: Aug 24 00:00:06.503 PKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Container1048576, changed state to up

Can anybody confirm what this Interface Container is?
--
Regards,
M Usman Ashraf

From Michael.Balasko at cityofhenderson.com Tue Aug 25 13:56:06 2009
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Tue, 25 Aug 2009 10:56:06 -0700
Subject: [c-nsp] Cisco ASA V9 Netflow collectors?
In-Reply-To: <005101ca259e$9008d980$0a00000a@nil.si>
References: <1251202734.18328.12.camel@dsba-ipso> <4A93D97D.1090605@imperial.ac.uk> <1251205352.18328.20.camel@dsba-ipso> <005101ca259e$9008d980$0a00000a@nil.si>
Message-ID: <9AF22D15085E7D409ED5710CBC779E930B83DF7B@COHNTCS09.ci.henderson.nv.us>

I am looking to implement Netflow on our ASA's and am wondering if anyone knows of any collector that is compatible with the current ASA templates. I am REALLY interested in the NF_F_XLATE_SRC_ADDR_IPV4, NF_F_XLATE_DST_ADDR_IPV4 records being presented in a usable fashion but I have yet to find a collector that will present that information. I know that ASA netflow is way in its infancy, but I was hoping the collective clue here could help.

I have read this and it feels like the entirety of the burden is on the collector folks....

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html#wp1029489

Thanks for any help,
Mike Balasko

From avayner at cisco.com Tue Aug 25 15:14:00 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 25 Aug 2009 21:14:00 +0200
Subject: [c-nsp] Strange syslog message
In-Reply-To: <9149d2410908251110y715554d2r8adee36eb0c2470f@mail.gmail.com>
References: <9149d2410908251110y715554d2r8adee36eb0c2470f@mail.gmail.com>
Message-ID:

Hi,

Are you using this 7600 for terminating subscriber services?

The container interface type is part of the relatively new infrastructure for service termination on 7600.
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of M Usman Ashraf
Sent: Tuesday, August 25, 2009 21:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Strange syslog message

Hi List,

Just saw a strange message on CISCO 7609,

5357: Aug 24 00:00:06.503 PKT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Container1048576, changed state to up

Can anybody confirm what this Interface Container is?

--
Regards,
M Usman Ashraf

From braaen at zcorum.com Tue Aug 25 15:42:25 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Tue, 25 Aug 2009 15:42:25 -0400
Subject: [c-nsp] Problems setting PPPo(AE) on 7606
Message-ID: <4A943EA1.2050202@zcorum.com>

I am having problems setting up PPPoA or PPPoE on a 7606 router's ATM interface. I am unable to enter either the vpdn or bba-group commands. This router is using a SUP-32 running c7600s3223-adventerprisek9-mz.122-33.SRD2.bin. I am trying to terminate the ppp on a SIP-400 linecard.
--
-----------------
Brian Raaen
Network Engineer
email: /braaen at zcorum.com/

From peter at rathlev.dk Tue Aug 25 15:46:05 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 25 Aug 2009 21:46:05 +0200
Subject: [c-nsp] Long Uptime
In-Reply-To: <20090825094649.GB25228@lboro.ac.uk>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> <4A92EC11.7000205@infonet.ee> <20090825094649.GB25228@lboro.ac.uk>
Message-ID: <1251229565.5530.2.camel@abehat.net.rm.dk>

On Tue, 2009-08-25 at 10:46 +0100, Alan Buxey wrote:
> all these emails tell me are there are many devices on which bug fixes
> and security fixes are not being applied on; along with possibly
> the service provider where these might be living. all handy
> information to those who only listen to this list....

Completely agree. :-)

> ..some might wonder why routine upgrade/patching windows are not being
> undertaken..a resilient linkage scheme and equipment list should mean
> that eg a router or switch can be taken out even in middle of day
> should out of hours work be a non-entity :-|

We should start a thread where we can boast about having the _lowest_ uptimes and still delivering adequate services (cf SLA).

Regards,
Peter

From yaniv220 at gmail.com Tue Aug 25 15:58:51 2009
From: yaniv220 at gmail.com (yaniv shagan)
Date: Tue, 25 Aug 2009 22:58:51 +0300
Subject: [c-nsp] RSVP BFD OR RSVP HELLO
Message-ID: <17999cae0908251258n62733589p6bcf1b342005b610@mail.gmail.com>

Hi guys,

in our network we work with mpls LDP in the core, the igp is isis.
in the EDGE we have TLDP and LDP.
we want to enable rsvp only to a couple of lsp, and to config FRR with the auto tunnel NHOP ONLY.

what is the recommendation for Fast Tunnel Interface Down Detection, to detect the failure with:

Engineering: BFD-triggered Fast Reroute (FRR)

OR

Link and Node Protection, with RSVP Hellos Support ?

Thanks
yaniv

From petelists at templin.org Tue Aug 25 16:26:18 2009
From: petelists at templin.org (Pete Templin)
Date: Tue, 25 Aug 2009 15:26:18 -0500
Subject: [c-nsp] Long Uptime
In-Reply-To:
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> <4A92EC11.7000205@infonet.ee> <20090825094649.GB25228@lboro.ac.uk>
Message-ID: <4A9448EA.3040104@templin.org>

Alexander Clouter wrote:
> Alan Buxey wrote:
>> [snipped]
>>
>> ..some might wonder why routine upgrade/patching windows are not being
>> undertaken..a resilient linkage scheme and equipment list should mean that
>> eg a router or switch can be taken out even in middle of day should
>> out of hours work be a non-entity :-|
>>
> In a phrase "risk assessment". The risk of being h4ck0r3d probably in
> many situations might be considered lower than the risk of someone
> having a larger todger^Wuptime.

I know of at least one device referenced in this thread as being a "show" piece, running on a carefully-managed UPS, hand-carried on at least one occasion (with other hands carrying said UPS within a 5' radius of the device...), all to be able to say "we have a device with XXXX uptime!". As far as I know, there are no Ethernet cables into the device. Hence, no risk.
;)

pt

From gert at greenie.muc.de Tue Aug 25 16:43:52 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 25 Aug 2009 22:43:52 +0200
Subject: [c-nsp] Long Uptime
In-Reply-To: <20090825094649.GB25228@lboro.ac.uk>
References: <018201c9f0e0$f65e3740$e31aa5c0$@net> <73d1f88a0906190725q440718b5kacb829140f0c6a83@mail.gmail.com> <345400390906190842w29c12f42md8fab5ac80dff66d@mail.gmail.com> <8155_1251110434_n7OAePv4010262_4A926E1F.2050706@rackspace.com> <4A927E9D.8030205@gmail.com> <29A54911243620478FF59F00EBB12F47019896C6@ex01.drtel.lan> <4A92EC11.7000205@infonet.ee> <20090825094649.GB25228@lboro.ac.uk>
Message-ID: <20090825204352.GD117@greenie.muc.de>

Hi,

On Tue, Aug 25, 2009 at 10:46:49AM +0100, Alan Buxey wrote:
> all these emails tell me are there are many devices on which bug fixes
> and security fixes are not being applied on; along with possibly
> the service provider where these might be living. all handy information
> to those who only listen to this list....

The amount of security issues and security related bugs in older IOS devices is fairly small, and well-understood - and all of them can be mitigated by not running certain protocols, or carefully filtering the packets.

Our stance on IOS security issues is

- put mitigation filters into place *immediately*
- put a fixed IOS in the flash of the router
- reload when convenient

due to the bug history of IOS, it was quite good for our overall uptime to postpone the "reloading" thing until lots of additional bugfixes later on - and thus saving not only one but sometimes multiple reboots.
The CatOS switches, on the other hand, are pure L2 switches that have their management IP in a very tightly filtered RFC1918 network segment - and I wish you good luck in accessing those :-)

> ..some might wonder why routine upgrade/patching windows are not being
> undertaken..a resilient linkage scheme and equipment list should mean that
> eg a router or switch can be taken out even in middle of day should
> out of hours work be a non-entity :-|

"Real World" networks usually happen to lack some of the "everything is fully redundant, every server is wired to two different switches, nothing will ever fail in case a reboot goes wrong" magic.

Reloading one of our core L2 switches would have serious impact on a LOT of customers (all those directly attached to that switch, plus STP ripples to those that are dual-attached).

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gsgranados at comcast.net Tue Aug 25 17:02:35 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 25 Aug 2009 14:02:35 -0700
Subject: [c-nsp] ASA5520 questions on crypto map structure
Message-ID: <018601ca25c7$62d53520$2208120a@am.thmulti.com>

Hi list,

First, thanks for all the great pointers and suggestions; I've made a lot of progress as a result and I appreciate it.

I'm wondering if I have the general idea correct for writing crypto maps. My understanding is that a dynamic map is used for client access and in terms of sequence should be the last in the list. I have this working. I want to add a LAN-to-LAN session now on the same device. I've written the following and I'm looking for input as to whether this looks correct or is there a better way?

Here's the example config.
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route

(original dynamic map portion)

crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route

(note I'm using the names facility to name the peer and the ACL mentioned marks the traffic to encrypt destined to New York)

crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

(adds the dynamic map and the whole shooting match to the outside interface)

Do I more or less have this right? Using the examples that I received off list this seems close. Also, would I simply increase the sequence number and add the next LAN-to-LAN mapping as sequence 20 between the existing peer and the dynmap?

A little hint as to whether I'm in the right area or totally off base would be helpful.

Thanks
Scott

From gsgranados at comcast.net Tue Aug 25 17:31:53 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 25 Aug 2009 14:31:53 -0700
Subject: [c-nsp] ASA5520 questions on crypto map structure
References: <018601ca25c7$62d53520$2208120a@am.thmulti.com>
Message-ID: <01a501ca25cb$7bca8860$2208120a@am.thmulti.com>

It is, looks like I'm pretty close.

I like the rekey options based on bits transferred.

Thanks
Scott

----- Original Message -----
From: "Tom Lusty"
To: "Scott Granados"
Cc:
Sent: Tuesday, August 25, 2009 2:22 PM
Subject: RE: [c-nsp] ASA5520 questions on crypto map structure

Scott,

Yep, just make the sequence number 20, or some other number between your current entry and the dynamic map entry, and things should be fine.
We're running the same thing, multiple L2L VPN tunnels and RA VPN clients, as well and the included configuration/cryptomap works like a champ :)

crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map1 10 match address vpn-IE
crypto map outside_map1 10 set peer IE-pub-IP
crypto map outside_map1 10 set transform-set esp-aes256-sha
crypto map outside_map1 10 set security-association lifetime seconds 28800
crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map1 20 match address vpn-UK
crypto map outside_map1 20 set peer UK-pub-IP
crypto map outside_map1 20 set transform-set esp-aes256-sha
crypto map outside_map1 20 set security-association lifetime seconds 28800
crypto map outside_map1 20 set security-association lifetime kilobytes 4608000
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside

Hope this is helpful

-Tom

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, August 25, 2009 5:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 questions on crypto map structure

Hi list,

First, thanks for all the great pointers and suggestions; I've made a lot of progress as a result and I appreciate it.

I'm wondering if I have the general idea correct for writing crypto maps. My understanding is that a dynamic map is used for client access and in terms of sequence should be the last in the list. I have this working.
I want to add a LAN-to-LAN session now on the same device. I've written the following and I'm looking for input as to whether this looks correct or is there a better way?

Here's the example config.

crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route

(original dynamic map portion)

crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route

(note I'm using the names facility to name the peer and the ACL mentioned marks the traffic to encrypt destined to New York)

crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

(adds the dynamic map and the whole shooting match to the outside interface)

Do I more or less have this right? Using the examples that I received off list this seems close. Also, would I simply increase the sequence number and add the next LAN-to-LAN mapping as sequence 20 between the existing peer and the dynmap?

A little hint as to whether I'm in the right area or totally off base would be helpful.
Thanks
Scott

From td_miles at yahoo.com Tue Aug 25 17:37:40 2009
From: td_miles at yahoo.com (Tony)
Date: Tue, 25 Aug 2009 14:37:40 -0700 (PDT)
Subject: [c-nsp] Problems setting PPPo(AE) on 7606
In-Reply-To: <4A943EA1.2050202@zcorum.com>
Message-ID: <315279.79327.qm@web110116.mail.gq1.yahoo.com>

See this thread where I asked the same question a couple of months ago:

https://puck.nether.net/pipermail/cisco-nsp/2009-May/060641.html

regards,
Tony.

--- On Wed, 26/8/09, Brian Raaen wrote:
> I am having problems setting up PPPoA
> or PPPoE on a 7606 router's ATM
> interface. I am unable to enter either the vpdn or
> bba-group commands.
> This router is using a SUP-32 running
> c7600s3223-adventerprisek9-mz.122-33.SRD2.bin I am
> trying to terminate
> the ppp on a SIP-400 linecard.
>

From matt at melbourne.org.uk Tue Aug 25 17:40:08 2009
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Tue, 25 Aug 2009 22:40:08 +0100
Subject: [c-nsp] QoS on 3750 VRF-Lite CE
Message-ID: <003901ca25cc$9e16f060$1000a8c0@win2k>

Hi,

I have a 3750 CE device connecting to an FE port on a 6509 PE over a 100M WAN Link. The 3750 is running VRF-Lite, and a trunk exists between the 3750 CE and 6509 PE to provide VRF separation.

Configuration of the 3750 CE:

interface FastEthernet 1/0/1.100
 encapsulation dot1q 100
 ip address 10.0.100.2 255.255.255.252
 ip vrf forwarding VRF-100
!
interface FastEthernet 1/0/1.101
 encapsulation dot1q 101
 ip address 10.0.101.2 255.255.255.252
 ip vrf forwarding VRF-101
!
interface vlan 10
 ip address 10.100.0.1 255.255.255.0
 ip vrf forwarding VRF-100
!
interface vlan 20
 ip address 10.101.0.1 255.255.255.0
 ip vrf forwarding VRF-101

Configuration of the C6509 PE:

interface FastEthernet 5/1.100
 encapsulation dot1q 100
 ip address 10.0.100.1 255.255.255.252
 ip vrf forwarding VRF-100
!
interface FastEthernet 5/1.101
 encapsulation dot1q 101
 ip address 10.0.101.2 255.255.255.252
 ip vrf forwarding VRF-101

If I need to enforce QoS on a per-VRF basis, e.g. require a traffic class to be guaranteed a minimum bandwidth of (say) 5Mbps within VRF-100 between CE and PE, where should the service policy be applied? Can a hierarchical policy using shapers be applied to the sub-interfaces to achieve the desired result?

Cheers,
Matt

--
Matthew Melbourne

From andrew2 at one.net Tue Aug 25 16:45:59 2009
From: andrew2 at one.net (andrew2 at one.net)
Date: Tue, 25 Aug 2009 16:45:59 -0400
Subject: [c-nsp] RPS 675 question
Message-ID: <053601ca25c5$0d181eb0$2a00a8c0@andrew2>

I'm getting ready to install some RPS 675's in order to dual cord some 3750's and ran across this in the manual:

"Do not use different power sources to power up the RPS and the connected device. If you connect to separate AC power sources, reset conditions might occur."

Huh? My intent is to plug the RPS into a different PDU than the actual switches so that the switches can stay online in the event of a power failure on their primary circuit. Is this Cisco FUD or are there good reasons I wouldn't want to plug an RPS into a different circuit than the connected switches?

Thanks,
Andrew

From peter at rathlev.dk Tue Aug 25 17:53:03 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 25 Aug 2009 23:53:03 +0200
Subject: [c-nsp] "CEF-Drop: Stalled adjacency for 0.0.0.0" ?
Message-ID: <1251237184.5530.28.camel@abehat.net.rm.dk>

Hi,

I have now several times seen log messages like these:

CEF-Drop: Stalled adjacency for 0.0.0.0 on for destination
CEF-Drop: Packet for -- encapsulation

I can figure out that it's related to the box not being able to resolve an adjacency, e.g.
incomplete ARP for Ethernet, but what does the "0.0.0.0" mean? And would this always be incomplete ARP when dealing with Ethernet?

Thank you in advance.

Peter

From peter at rathlev.dk Tue Aug 25 18:03:20 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Aug 2009 00:03:20 +0200
Subject: [c-nsp] QoS on 3750 VRF-Lite CE
In-Reply-To: <003901ca25cc$9e16f060$1000a8c0@win2k>
References: <003901ca25cc$9e16f060$1000a8c0@win2k>
Message-ID: <1251237800.5530.36.camel@abehat.net.rm.dk>

On Tue, 2009-08-25 at 22:40 +0100, Matthew Melbourne wrote:
> I have a 3750 CE device connecting to an FE port on a 6509 PE over a 100M
> WAN Link. The 3750 is running VRF-Lite, and a trunk exists between the 3750
> CE and 6509 PE to provide VRF separation.
...
> If I need to enforce QoS on a per-VRF basis, e.g. require a traffic class to
> be guaranteed a minimum bandwidth of (say) 5Mbps within VRF-100 between CE
> and PE, where should the service policy be applied? Can a hierarchical
> policy using shapers be applied to the sub-interfaces to achieve the desired
> result?

The short answer is probably "no can do", the 3750 isn't that advanced regarding QoS.

AFAIK the QoS part of the 3750 doesn't care at all about VRFs as such. You would have to define your match criteria based on L3/L4 access-lists.

And shaping isn't (easily) possible either. You theoretically have the SRR Shaping, which sort of works by simple time division and buffer partitioning as I understand. But this is configured using the MQC, rather the 3750/3560-specific "mls qos" commands.
Regards,
Peter

From peter at rathlev.dk Tue Aug 25 18:16:00 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Aug 2009 00:16:00 +0200
Subject: [c-nsp] RPS 675 question
In-Reply-To: <053601ca25c5$0d181eb0$2a00a8c0@andrew2>
References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2>
Message-ID: <1251238560.5530.45.camel@abehat.net.rm.dk>

On Tue, 2009-08-25 at 16:45 -0400, andrew2 at one.net wrote:
> I'm getting ready to install some RPS 675's in order to dual cord some
> 3750's and ran across this in the manual:
>
> "Do not use different power sources to power up the RPS and the connected
> device. If you connect to separate AC power sources, reset conditions might
> occur."

Yes, it's hilarious. Severely limits the usability of the device, doesn't it? :-)

> Huh? My intent is to plug the RPS into a different PDU than the actual
> switches so that the switches can stay online in the event of a power
> failure on their primary circuit. Is this Cisco FUD or are there good
> reasons I wouldn't want to plug an RPS into a different circuit than the
> connected switches?

I guess they say "might occur" either because they had several customers complaining about something like this or because they looked at the blueprint and could see some problems with isolation or something.

Generally you can use the RPS the way you describe. Several people, including me, have been doing it with success e.g. when servicing UPS devices. Beware of the possible problems when trying to switch away from the RPS after the switch starts using it.
This thread might provide more relevant details:

http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg04703.html

Regards,
Peter

From peter at rathlev.dk Tue Aug 25 18:17:21 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Aug 2009 00:17:21 +0200
Subject: [c-nsp] QoS on 3750 VRF-Lite CE
In-Reply-To: <1251237800.5530.36.camel@abehat.net.rm.dk>
References: <003901ca25cc$9e16f060$1000a8c0@win2k> <1251237800.5530.36.camel@abehat.net.rm.dk>
Message-ID: <1251238641.5530.46.camel@abehat.net.rm.dk>

On Wed, 2009-08-26 at 00:03 +0200, Peter Rathlev wrote:
> And shaping isn't (easily) possible either. You theoretically have the
> SRR Shaping, which sort of works by simple time division and buffer
> partitioning as I understand. But this is configured using the MQC,

Oops, I meant to say: "... this is _not_ configured using the MQC ...". Otherwise it wouldn't be a problem. :-)

Regards,
Peter

From TLusty at csnstores.com Tue Aug 25 17:22:14 2009
From: TLusty at csnstores.com (Tom Lusty)
Date: Tue, 25 Aug 2009 17:22:14 -0400
Subject: [c-nsp] ASA5520 questions on crypto map structure
In-Reply-To: <018601ca25c7$62d53520$2208120a@am.thmulti.com>
References: <018601ca25c7$62d53520$2208120a@am.thmulti.com>
Message-ID:

Scott,

Yep, just make the sequence number 20, or some other number between your current entry and the dynamic map entry, and things should be fine.
We're running the same thing, multiple L2L VPN tunnels and RA VPN clients, as well and the included configuration/cryptomap works like a champ :)

crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map1 10 match address vpn-IE
crypto map outside_map1 10 set peer IE-pub-IP
crypto map outside_map1 10 set transform-set esp-aes256-sha
crypto map outside_map1 10 set security-association lifetime seconds 28800
crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map1 20 match address vpn-UK
crypto map outside_map1 20 set peer UK-pub-IP
crypto map outside_map1 20 set transform-set esp-aes256-sha
crypto map outside_map1 20 set security-association lifetime seconds 28800
crypto map outside_map1 20 set security-association lifetime kilobytes 4608000
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside

Hope this is helpful

-Tom

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, August 25, 2009 5:03 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 questions on crypto map structure

Hi list,

First, thanks for all the great pointers and suggestions; I've made a lot of progress as a result and I appreciate it.

I'm wondering if I have the general idea correct for writing crypto maps. My understanding is that a dynamic map is used for client access and in terms of sequence should be the last in the list. I have this working.
I want to add a LAN-to-LAN session now on the same device. I've written the
following and I'm looking for input as to whether this looks correct or is
there a better way?

Here's the example config.

crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
(original dynamic map portion)

crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route

(note I'm using the names facility to name the peer, and the ACL mentioned
marks the traffic to encrypt destined to New York)

crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
(adds the dynamic map and the whole shooting match to the outside interface)

Do I more or less have this right? Using the examples that I received off
list this seems close. Also, would I simply increase the sequence number
and add the next LAN-to-LAN mapping as sequence 20 between the existing peer
and the dynmap? A little hint as to whether I'm in the right area or totally
off base would be helpful.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From plato at wisc.edu Tue Aug 25 17:46:02 2009
From: plato at wisc.edu (Janet Plato)
Date: Tue, 25 Aug 2009 16:46:02 -0500
Subject: [c-nsp] IPv6 experience on DSBU switches
Message-ID: <20090825214602.GA14823@wisc.edu>

Greetings,

I'm finding IPv6 support lacking a few glaring things on 12.2(50)SE2.
Things like the inability to enter an IPv6 address as a target for a
radius server, or a hostname with only a Quad A record as well. When I
ask Cisco, they view these things as features to be added, not bugs to
be fixed.

I thought IPv6 was relatively well worked out. Are other folks mostly
able to get IPv6 going, or would you think it's reasonable to expect
accepting an IPv6 address in a config to be a feature request?

s-3750-18-lab(config)#radius-server ho
s-3750-18-lab(config)#$er host 2607:dead:beef:0:0:0:0:2
radius-server host 2607:f388:e:100:20c:29ff:fe4a:7cb0
^
% Invalid input detected at '^' marker.

s-3750-18-lab(config)#$er host radv6
Translating "radv6"...domain server (2607:dead:beef:0:0:0:0:2)
^
% Invalid input detected at '^' marker.

s-3750-18-lab(config)#

I'm kind of shocked with the replies I am getting, and I am thinking
maybe I just fail to grasp the current situation.

Cheers,
Janet Plato
--
plato at wisc.edu
http://net.doit.wisc.edu/~plato
ARS:N8KKJ
Madison, WI

From rwest at zyedge.com Tue Aug 25 19:18:22 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 25 Aug 2009 19:18:22 -0400
Subject: [c-nsp] ASA5520 questions on crypto map structure
In-Reply-To: <01a501ca25cb$7bca8860$2208120a@am.thmulti.com>
References: <018601ca25c7$62d53520$2208120a@am.thmulti.com> <01a501ca25cb$7bca8860$2208120a@am.thmulti.com>
Message-ID: <5E1F83C4-2403-457E-BACD-C34226665F7D@zyedge.com>

Scott,

You're good so far; the crypto map reads top down like an ACL and you can
insert at any time. If by chance you're on 7.2.4(18), make sure you
upgrade, that code has an ISAKMP bug. The fun has just started, wait until
you have internal addressing overlap.

Sent from handheld.

On Aug 25, 2009, at 5:37 PM, "Scott Granados" wrote:

> It is, looks like I'm pretty close.
>
> I like the rekey options based on bits transferred.
>
> Thanks
> Scott
>
> ----- Original Message -----
> From: "Tom Lusty"
> To: "Scott Granados"
> Cc:
> Sent: Tuesday, August 25, 2009 2:22 PM
> Subject: RE: [c-nsp] ASA5520 questions on crypto map structure
>
>
> Scott,
>
> Yep, just make the sequence number 20, or some other number between your
> current entry and the dynamic map entry, and things should be fine.
>
> We're running the same thing, multiple L2L VPN tunnels and RA VPN clients
> as well, and the included configuration/cryptomap works like a champ :)
>
> crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
>
> crypto dynamic-map outside_dyn_map 40 set pfs
> crypto dynamic-map outside_dyn_map 40 set transform-set esp-aes256-sha
> crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
> crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
>
> crypto map outside_map1 10 match address vpn-IE
> crypto map outside_map1 10 set peer IE-pub-IP
> crypto map outside_map1 10 set transform-set esp-aes256-sha
> crypto map outside_map1 10 set security-association lifetime seconds 28800
> crypto map outside_map1 10 set security-association lifetime kilobytes 4608000
> crypto map outside_map1 20 match address vpn-UK
> crypto map outside_map1 20 set peer UK-pub-IP
> crypto map outside_map1 20 set transform-set esp-aes256-sha
> crypto map outside_map1 20 set security-association lifetime seconds 28800
> crypto map outside_map1 20 set security-association lifetime kilobytes 4608000
>
> crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map1 interface outside
>
> Hope this is helpful
> -Tom
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Tuesday, August 25, 2009 5:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520 questions on crypto map structure
>
> Hi list,
> First, thanks for all the great pointers and suggestions. I've made a lot
> of progress as a result and I appreciate it.
>
> I'm wondering if I have the general idea correct for writing crypto maps.
> My understanding is that a dynamic map is used for client access and in
> terms of sequence should be the last in the list. I have this working. I
> want to add a LAN-to-LAN session now on the same device. I've written the
> following and I'm looking for input as to whether this looks correct or is
> there a better way?
>
> Here's the example config.
>
> crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
> crypto dynamic-map dynmap 10 set reverse-route
> (original dynamic map portion)
>
> crypto map vpn-ra-map 10 match address ny-vpn-acl
> crypto map vpn-ra-map 10 set peer ny-fw-outside
> crypto map vpn-ra-map 10 set transform-set vpn-transform2
> crypto map vpn-ra-map 10 set reverse-route
>
> (note I'm using the names facility to name the peer, and the ACL mentioned
> marks the traffic to encrypt destined to New York)
>
> crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
> crypto map vpn-ra-map interface outside
> (adds the dynamic map and the whole shooting match to the outside
> interface)
>
> Do I more or less have this right? Using the examples that I received off
> list this seems close. Also, would I simply increase the sequence number
> and add the next LAN-to-LAN mapping as sequence 20 between the existing
> peer and the dynmap? A little hint as to whether I'm in the right area or
> totally off base would be helpful.
>
> Thanks
> Scott
>

From mailinglists at unix-scripts.com Tue Aug 25 19:40:39 2009
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Tue, 25 Aug 2009 16:40:39 -0700
Subject: [c-nsp] Large networks
Message-ID:

I worked for a company in the past that had a very large flat network.
The network consisted of two /20's (255.255.240.0) that were configured
on a 7206 npe-300 router that connected to a bunch of catalyst 2924
switches (the old school ones). Everything was on vlan1. The company
was a small hosting company that provided mainly dedicated servers.
This company was constantly having problems with what I called broadcast
attacks. The network graphs would show traffic on all interfaces spike
and normally the 100mbit uplink between the switches would saturate and
the network would die. From that experience I took my time to design
and deploy my network to be as correct as possible. I put each customer
on their own vlan with their own subnet carved out. My 3750 stack is my
access/core and I have 7206-VXR-npe-g2's for borders (bgp/ospf). Every
edge switch is uplinked twice with gigE (2gbit of bw) and customers are
uplinked normally at 100mbit. For years this was fine and worked great
but when deploying our own servers I always found myself kicking out a
new vlan and subnet. I wasn't sure if it was needed being that it was
our own servers (our own servers meaning that we managed them, customers
do not have admin/root access).

Then came virtual server hosting.
With VPS hosting we have one physical server (a host) that we carve out a
/26 for and assign it to its own vlan. We've done this for a few years now
and it's worked fine but it's also kind of caused problems. One problem is
that some hosts need more ips than other hosts. We end up with some hosts
having 20 ips free in their subnet while other hosts have none and need
another allocation assigned to them. Also, we cannot move a customer from
one host to another without making the customer change ip addresses.

For a while now I've been wanting to just combine all the VPS hosts into
one vlan and carve them out /24's as needed. Then each host could just get
an ip from that pool and when that pool started to become depleted I could
assign another /24. Right now when totalling all ips assigned to hosts that
are free and not being used we have thousands, and it sucks because that's
wasted space.

Each host can have up to 40 virtual servers on it. So let's say I combine
40 hosts with a total of 1000 virtual servers, that's now 1000 servers in
one vlan. These virtual servers are running on the Xen platform connected
to the host's bridge interface, which is using ebtables to filter traffic
at a layer 2 level by mac and source address.

Another problem that company I worked for had was that they were
calculating bandwidth usage off the 2924 network interfaces. The problem
with this, we later found, was that ARP/broadcast traffic ended up being a
huge amount added to their bill at the end of the month. I want to say that
each customer had around 4-6GB of transfer tacked onto their bandwidth
usage.

So what I'm really asking is...

1. When should I really cut out a new vlan for a server or group of
servers for my own use (meaning the customer doesn't have admin privileges
to the machine)?

2. Was the problem with the large network that they didn't cut the /20
into smaller subnets, or was the problem that they didn't cut them into
smaller subnets and put them into their own vlans?

3. Say I combine all the VPS hosts, 1000 virtual servers in 1 vlan, with
say 15 /24's... Is this ok? How is this compared to say having 25
vlans/subnets with each physical host in one of them?

Anything else I should be worried about here?

~Shaun

From steve at ibctech.ca Tue Aug 25 20:58:32 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 25 Aug 2009 20:58:32 -0400
Subject: [c-nsp] Large networks
In-Reply-To:
References:
Message-ID: <4A9488B8.1000201@ibctech.ca>

Shaun R. wrote:

Your message is intoxicable ;)

> I worked for a company in the past that had a very large flat network.
> The network consisted of two /20's (255.255.240.0) that were configured
> on a 7206 npe-300 router that connected to a bunch of catalyst 2924
> switches (the old school ones).

I still use them, and they work great!

> Everything was on vlan1. The company
> was a small hosting company that provided mainly dedicated servers.
> This company was constantly having problems with what I called broadcast
> attacks. The network graphs would show traffic on all interfaces spike
> and normally the 100mbit uplink between the switches would saturate and
> the network would die. From that experience I took my time to design
> and deploy my network to be as correct as possible.

Out of curiosity, did your experience find that the issues were related
to actual broadcast problems?

> I put each customer
> on their own vlan with their own subnet carved out. My 3750 stack is my
> access/core and I have 7206-VXR-npe-g2's for borders (bgp/ospf). Every
> edge switch is uplinked twice with gigE (2gbit of bw) and customers are
> uplinked normally at 100mbit. For years this was fine and worked great
> but when deploying our own servers I always found myself kicking out a
> new vlan and subnet. I wasn't sure if it was needed being that it was
> our own servers (our own servers meaning that we managed them, customers
> do not have admin/root access).

Again, out of pure curiosity, why did you do it this way?
Do you manage ACLs per server? We're a small op that provides access,
hosting and colo, and I'm wondering why you'd adopt this strategy.

> Then came virtual server hosting. With VPS hosting we have one physical
> server (a host) that we carve out a /26 for and assign it to its own
> vlan. We've done this for a few years now and it's worked fine but it's
> also kind of caused problems. One problem is that some hosts need more
> ips than other hosts. We end up with some hosts having 20 ips free in
> their subnet while other hosts have none and need another allocation
> assigned to them. Also, we cannot move a customer from one host to
> another without making the customer change ip addresses.

I'm but a rookie, but it appears as though some design research regarding
IP assignment strategies may be beneficial.

> For a while
> now I've been wanting to just combine all the VPS hosts into one vlan
> and carve them out /24's as needed. Then each host could just get an ip
> from that pool and when that pool started to become depleted I could
> assign another /24.

Let the big boys criticize me here... what I've done is push our 'hosting'
arm to the outside of the edge of our network. The 'hosting/colo' acts as a
client premise. Even though it resides within our primary PoP, it connects
to the network the same way that a client aggregation router does.

I use iBGP from the 'hosting' routers to the edge routers in order to
provide 'in-house' redundancy. Then, I allow the 'hosting' routers to
advertise whatever IP blocks they need. I have certain (relatively) large
prefixes dedicated to hosting that are reserved, but can be (and sometimes
are) re-purposed in a heartbeat because of the dynamic setup.

In your statement above, to "assign another /24" would allow you to
re-purpose prefixes for the pool, and use them on a slice-by-slice basis.

Either way, the comment that I'm currently quoting appears more sound than
anything else so far.
> Another problem that company I worked for had was that they were
> calculating bandwidth usage off the 2924 network interfaces. The
> problem with this, we later found, was that ARP/broadcast traffic ended
> up being a huge amount added to their bill at the end of the month. I
> want to say that each customer had around 4-6GB of transfer tacked onto
> their bandwidth usage.

...relative. I'd like to know what you used to do your billing, and who
authorized the billing. With that kind of potential over-billing, a job at
your employer could mean a massive pay raise :)

> So what I'm really asking is...
> 1. When should I really cut out a new vlan for a server or group of
> servers for my own use (meaning the customer doesn't have admin
> privileges to the machine)?

Whenever you deem it necessary.

> 2. Was the problem with the large network that they didn't cut the /20
> into smaller subnets, or was the problem that they didn't cut them into
> smaller subnets and put them into their own vlans?

It's a matter of implementation. Whether you look at it as a subnet or a
vlan, it doesn't matter.

When I first got our /21 from ARIN, I had to do some serious reading. My
primary objective was how to allow the migration of clients without having
to make them renumber. (During which time, I renumbered our entire network
twice, once from MCI IPs, and from our then 'new' upstream IPs).

After that, I slowly started to learn (via experience and MUCH reading)
that renumbering IPs wasn't the only 'renumbering'. We also want to have no
client impact with prefix lengths (subnet mask) and default gateway
addresses.

Only experience will tell you what went wrong, and where, given much
feedback from diagnostics and other troubleshooting. (I've found that
seeing this on numerous 'small' networks, it comes naturally. When dealing
with a network larger than what I'm used to, the experience in
troubleshooting/documenting paves the way).

> 3. Say I combine all the VPS hosts, 1000 virtual servers in 1 vlan,
> with say 15 /24's... Is this ok?

...you stated above that you suspected broadcast issues, but now you want
to put... nevermind. No, it's not ok.

> How is this compared to say having 25
> vlans/subnets with each physical host in one of them?

Because technically and logically, each VLAN is its own broadcast domain.
It means that my server can scream to everyone in its VLAN (broadcast
domain) all it wants, but it can't affect any other host in any other VLAN.
It can only craft a well-designed broadcast attack on the network that
isn't protecting against it, but only affect a limited number of connected
nodes.

Otherwise, put all hosts in one VLAN, and a single problem on a single host
will surely take down your entire network (with cascading and escalating
detriment).

> Anything else I should be worried about here?

Your sanity. I'd advise that you hire someone who has had the experience of
designing an infrastructure the size of yours, at least as a consultant.

Steve

ps. feedback welcome on anything that I wrote...

From musmanashraf at gmail.com Tue Aug 25 22:37:15 2009
From: musmanashraf at gmail.com (M Usman Ashraf)
Date: Wed, 26 Aug 2009 08:37:15 +0600
Subject: [c-nsp] Strange syslog message
In-Reply-To:
References: <9149d2410908251110y715554d2r8adee36eb0c2470f@mail.gmail.com>
Message-ID: <9149d2410908251937r50d6edbg219e8a8554d23d15@mail.gmail.com>

The box is being used as a backup BRAS for terminating PPPoE sessions and
for BGP peering with our bandwidth provider.

On Wed, Aug 26, 2009 at 1:14 AM, Arie Vayner (avayner) wrote:

> Hi,
>
> Are you using this 7600 for terminating subscriber services?
> The container interface type is part of the relatively new
> infrastructure for service termination on 7600.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of M Usman Ashraf
> Sent: Tuesday, August 25, 2009 21:11
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange syslog message
>
> Hi List,
>
> Just saw a strange message on CISCO 7609,
>
> 5357: Aug 24 00:00:06.503 PKT: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Container1048576, changed state to up
>
> Can anybody confirm what this Interface Container is?
>
> --
> Regards,
>
> M Usman Ashraf
>

--
Regards,

M Usman Ashraf

From justin at justinshore.com Wed Aug 26 03:48:37 2009
From: justin at justinshore.com (Justin Shore)
Date: Wed, 26 Aug 2009 02:48:37 -0500
Subject: [c-nsp] RPS 675 question
In-Reply-To: <053601ca25c5$0d181eb0$2a00a8c0@andrew2>
References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2>
Message-ID: <4A94E8D5.4030802@justinshore.com>

andrew2 at one.net wrote:
> I'm getting ready to install some RPS 675's in order to dual cord some
> 3750's and ran across this in the manual:
>
> "Do not use different power sources to power up the RPS and the connected
> device. If you connect to separate AC power sources, reset conditions might
> occur."
>
> Huh? My intent is to plug the RPS into a different PDU than the actual
> switches so that the switches can stay online in the event of a power
> failure on their primary circuit. Is this Cisco FUD or are there good
> reasons I wouldn't want to plug an RPS into a different circuit than the
> connected switches?

The only possible problem that I can foresee is the potential to create a
ground loop. That wouldn't be good. The RPSs are only meant to protect
against a power supply failure, not a power source failure.
That said, I use a RPS 675 in the same way that you're describing without
any problems.

Also, remember that the RPS 675 can only keep 1 connected device powered up
in the event of a power failure. The RPS 2300 can do 2. I.e., if you have a
stack of 4 switches with 2 connected to circuit A, 2 connected to circuit
B, the RPS connected to circuit C (with all 4 switches connected to that
RPS) and circuit B fails, only 1 of the 2 switches connected to circuit B
will get power from the RPS. The other will be dead in the water.

Justin

From arla at rn.dk Wed Aug 26 03:48:04 2009
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 26 Aug 2009 09:48:04 +0200
Subject: [c-nsp] cisco router 2800/3800 serie
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>

Hi all.

Can someone give me a hint what to use. We have 40 locations with
different users and these locations are to be migrated to fiber 20Mb from
adsl.
We want to run MPLS on these routers, because there is administration,
guest-network etc.
Which router would be efficient for this? I have been looking at the 2800
& 3800 series, but I can't seem to find a doc that describes what the
throughput is on these boxes.

/Arne

From sethm at rollernet.us Wed Aug 26 03:59:02 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 26 Aug 2009 00:59:02 -0700
Subject: [c-nsp] RPS 675 question
In-Reply-To: <4A94E8D5.4030802@justinshore.com>
References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2> <4A94E8D5.4030802@justinshore.com>
Message-ID: <4A94EB46.5030705@rollernet.us>

Justin Shore wrote:
> andrew2 at one.net wrote:
>> I'm getting ready to install some RPS 675's in order to dual cord some
>> 3750's and ran across this in the manual:
>>
>> "Do not use different power sources to power up the RPS and the connected
>> device. If you connect to separate AC power sources, reset conditions
>> might occur."
>>
>> Huh?
>> My intent is to plug the RPS into a different PDU than the actual
>> switches so that the switches can stay online in the event of a power
>> failure on their primary circuit. Is this Cisco FUD or are there good
>> reasons I wouldn't want to plug an RPS into a different circuit than the
>> connected switches?
>
> The only possible problem that I can foresee is the potential to create
> a ground loop. That wouldn't be good. The RPSs are only meant to
> protect against a power supply failure, not a power source failure.
>
> That said, I use a RPS 675 in the same way that you're describing
> without any problems.
>
> Also, remember that the RPS 675 can only keep 1 connected device powered
> up in the event of a power failure. The RPS 2300 can do 2. I.e., if you
> have a stack of 4 switches with 2 connected to circuit A, 2 connected to
> circuit B, the RPS connected to circuit C (with all 4 switches connected
> to that RPS) and circuit B fails, only 1 of the 2 switches connected to
> circuit B will get power from the RPS. The other will be dead in the
> water.
>

Don't forget rebooting to go back to internal power. Except on 2088 series
routers with an AC-IP power supply; they can switch back fine.

~Seth

From swmike at swm.pp.se Wed Aug 26 04:13:10 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 26 Aug 2009 10:13:10 +0200 (CEST)
Subject: [c-nsp] cisco router 2800/3800 serie
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
Message-ID:

On Wed, 26 Aug 2009, Arne Larsen / Region Nordjylland wrote:

> Which router would be efficient for this? I have been looking at the
> 2800 & 3800 series, but I can't seem to find a doc that describes what
> the throughput is on these boxes.

You could probably look into the 1841 as well; it should be enough for
your 20 megabit/s need.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From peter at rathlev.dk Wed Aug 26 04:18:55 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Aug 2009 10:18:55 +0200
Subject: [c-nsp] cisco router 2800/3800 serie
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
Message-ID: <1251274735.2880.4.camel@abehat.net.rm.dk>

On Wed, 2009-08-26 at 09:48 +0200, Arne Larsen wrote:
> Can someone give me a hint what to use. We have 40 locations with
> different users and these locations are to be migrated to fiber 20Mb
> from adsl.
> We want to run MPLS on these routers, because there is administration,
> guest-network etc.
> Which router would be efficient for this? I have been looking at the
> 2800 & 3800 series, but I can't seem to find a doc that describes what
> the throughput is on these boxes.

The "Routing Performance" portable product sheet gives some numbers on
performance:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

You might consider the 3560 L3 switch instead; it lacks features but
delivers plenty of raw forwarding performance in a relatively cheap
package. It supports VRF-Lite with the services image and can do
prioritising QoS fine.

Otherwise we have used the 2851 for this, though typically with a number
of HDLC lines instead of fiber.

Regards,
Peter

From perc69 at gmail.com Wed Aug 26 05:23:10 2009
From: perc69 at gmail.com (Per Carlson)
Date: Wed, 26 Aug 2009 11:23:10 +0200
Subject: [c-nsp] cisco router 2800/3800 serie
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk>
Message-ID: <746ca6da0908260223i49309ab7l6a7757a2dcf3b30b@mail.gmail.com>

Hi Arne.

> We have 40 locations with different users and these locations are to be
> migrated to fiber 20Mb from adsl.
How are those fiber accesses going to be delivered, i.e. do you need
devices with optical interfaces?

> We want to run MPLS on these routers, because there is administration,
> guest-network etc.

VRF-Lite would probably suffice here.

--
Pelle

From markom at markom.info Wed Aug 26 05:25:26 2009
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 26 Aug 2009 09:25:26 +0000
Subject: [c-nsp] Have I Gone Mad? (OSPF NSSA)
Message-ID:

Hello,

My understanding of OSPF is being challenged by a recent upgrade of some of
our 7600's (running SRD2a now). Pairs of 7600's are ABRs to totally stubby
NSSA areas (area X nssa no-summary default-information originate). This is
supposed to prevent all external and summary routes reaching the NSSA area,
as well as originate a type 7 default. However, I'm seeing something else.
This is from one of the internal routers (.227 and .228 are ABRs):

            OSPF Router with ID (xxx.yyy.zzz.24) (Process ID 1)

                Router Link States (Area 9)

Link ID         ADV Router      Age         Seq#       Checksum Link count
xxx.yyy.zzz.24  xxx.yyy.zzz.24  245         0x80009C45 0x006365 2
xxx.yyy.zzz.25  xxx.yyy.zzz.25  1596        0x80009C3F 0x008347 2
xxx.yyy.zzz.26  xxx.yyy.zzz.26  1560        0x80009C3D 0x009B2D 2
xxx.yyy.zzz.27  xxx.yyy.zzz.27  663         0x80009C3C 0x00B114 2
xxx.yyy.zzz.227 xxx.yyy.zzz.227 224         0x8000933F 0x00F96C 1
xxx.yyy.zzz.228 xxx.yyy.zzz.228 133         0x80005CBB 0x00A479 1

                Net Link States (Area 9)

Link ID         ADV Router      Age         Seq#       Checksum
xxx.yyy.zzz.130 xxx.yyy.zzz.228 1129        0x8000016A 0x00258A

                Summary Net Link States (Area 9)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         xxx.yyy.zzz.227 224         0x80000165 0x007943
0.0.0.0         xxx.yyy.zzz.228 133         0x80000167 0x006F4A

                Type-7 AS External Link States (Area 9)

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         xxx.yyy.zzz.227 224         0x80000165 0x004DEA 0
0.0.0.0         xxx.yyy.zzz.228 133         0x80000166 0x0045F0 0

ABRs appear to be injecting both the type 3 and type 7. Have I gone mad, or
do I need to hit the books again?
--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From gert at greenie.muc.de Wed Aug 26 06:02:03 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 12:02:03 +0200
Subject: [c-nsp] Large networks
In-Reply-To: <4A9488B8.1000201@ibctech.ca>
References: <4A9488B8.1000201@ibctech.ca>
Message-ID: <20090826100203.GE117@greenie.muc.de>

Hi,

On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
> > This company was constantly having problems with what I called broadcast
> > attacks. The network graphs would show traffic on all interfaces spike
> > and normally the 100mbit uplink between the switches would saturate and
> > the network would die. From that experience I took my time to design
> > and deploy my network to be as correct as possible.
>
> Out of curiosity, did your experience find that the issues were related
> to actual broadcast problems?

Generally, putting each customer into a dedicated layer 3 network segment
is a good idea - because half of the attacks that a hacked server
belonging to "customer 1" might do to a server from "customer 2" (ARP
spoofing, IP address spoofing [-> blame goes to customer 2], HSRP attacks
to the shared router, etc.) suddenly are no longer relevant at all.

... and *if* you need to ACL one customer, or just shut down their network
segment (because they are busy attacking someone else), you can be sure
that it doesn't affect other customers ;-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From ashnet2009 at gmail.com Wed Aug 26 06:07:12 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Wed, 26 Aug 2009 06:07:12 -0400
Subject: [c-nsp] Application Protocol Performance in low latency envrionments
Message-ID: <896a291f0908260307q2c4e6441q1869f8f9655d8351@mail.gmail.com>

Hi Folks,

Sorry about the OT here. I'm looking to get some feedback regarding some of
the most common application protocols (CIFS, NFSv3, SQL net, Snapmirror,
ndmcopy) used in most Enterprise environments and their behavior in
sub-msec campus latency environments vs. ~3 msec latency over 10G LAN PHY
environments in metro DC topologies, and potential ways to speed them up.

In our lab testing, using a WAN simulator and injecting 3 msec latency
(delay between 2 sites), we've noticed that all the above protocols take a
considerable performance hit when even minimal latency is introduced. The
file/data transfers/transactions take almost twice as long or sometimes
even more, and the protocols aren't able to ramp up to use all the
bandwidth available (Gig terminations on the src/dest boxes sitting idle).
This behavior is completely different than what was noticed by removing
the 3 msec latency and running off a sub-msec configuration, where most of
the above protocols were able to ramp up and utilize a fair share of the
b/w available to help achieve faster file/data transfer rates/transaction
times, which is to be expected.

Question is, is this something that other environments normally experience
as well with the above listed protocol set, where they are lightning fast
in a sub-msec topology and slow in 3-5 msec environments, and if they do,
what are some of the techniques that are being used today in the industry
to optimize these protocols and help achieve LAN-like performance over a
low latency (3-5 msec) metro ethernet DWDM based WAN?
WAN acceleration is normally a solution to speed up transfer rates, but 3 msec isn't a big enough delay to perhaps introduce it; do other environments deploy WAN Accl in such environments anyways? The reason for performance degradation solely seems to be latency related since there's tons of b/w available in the lab setup and over 10G lanphy paths. Do people still deploy QOS for better traffic management on the lanphy interfaces even with no saturation?

Overall I'm looking for some feedback and suggestions, if possible, as to how the industry is currently able to better utilize and saturate low latency based 10G lanphy circuits between metro DC locations and speed up protocols by somehow allowing them to ramp up and use as much of the b/w that's currently available. Any feedback would be greatly appreciated and thanks in advance.

From alex at digriz.org.uk Wed Aug 26 05:54:32 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 26 Aug 2009 10:54:32 +0100
Subject: [c-nsp] IPv6 experience on DSBU switches
References: <20090825214602.GA14823@wisc.edu>
Message-ID:

Hi,

Janet Plato wrote:
>
> I'm finding IPv6 support lacking a few glaring things on 12.2(50)SE2.
> Things like the inability to enter an IPv6 address as a target for
> a radius server, or a hostname with only a Quad A record as well.
> When I ask Cisco, they view these things as features to be added, not
> bugs to be fixed.
>
> I thought IPv6 was relatively well worked out. Are other folks
> mostly able to get IPv6 going, or would you think it's reasonable
> to expect accepting an IPv6 address in a config to be a feature
> request?
>
> [snipped]
>
> I'm kind of shocked with the replies I am getting, and I am
> thinking maybe I just fail to grasp the current situation.
>
I think you only need to look to Cisco's 'next generation' wireless offerings to answer your questions...it seems they do not care too much for IPv6; their presentations say one thing, the product line and IOS's say quite a different story. :-/

You should see what plans I have to get our 3750's to make SLAAC actually accountable (in an ARP inspection-esque sense) and usable on our network... :)

I think the 'backporting' of the IPv6 support in ipservices into ipbase was only because everyone 'else' supports IPv6 and Cisco were no longer able to justify the considerable markup.

The sad part is that no one can get the in production experience of IPv6 because the vendors do not support it. You generally have to make do with what you can and use Linux as 'duct-tape' for the bits that are lacking...

Wait till you stumble on the lack of an 'ND proxy' or 'RA guard' :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Generic Fortune.

From swmike at swm.pp.se Wed Aug 26 06:23:47 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 26 Aug 2009 12:23:47 +0200 (CEST)
Subject: [c-nsp] Application Protocol Performance in low latency envrionments
In-Reply-To: <896a291f0908260307q2c4e6441q1869f8f9655d8351@mail.gmail.com>
References: <896a291f0908260307q2c4e6441q1869f8f9655d8351@mail.gmail.com>
Message-ID:

On Wed, 26 Aug 2009, Ash Net wrote:

> The reason for performance degradation solely seems to be latency
> related since there's tons of b/w available in the lab setup and over
> 10G lanphy paths. Do people still deploy QOS for better traffic
> management on the lanphy interfaces even with no saturation?

All the protocols you mentioned are "query/response" ones and thus they take a big hit when latency is introduced.

I know several companies who nowadays have a wan simulation device between the clients and servers in their dev labs, just so that the developers will develop applications that actually work in real life, not just in the 1/10 ms latency of the dev environment.

Imagine the difference in a latency environment between doing a single nested SQL query, as opposed to doing 1 returning a list, and then doing one query per list entry. In a 1/10ms environment the difference might not be noticeable, but in a 100ms environment it most certainly will.

At several ms network latency you're effectively dealing with harddrive latencies as opposed to almost memory latencies, and thus techniques that work akin to NCQ or alike need to be employed. Failure to do so will create performance problems in real life.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Wed Aug 26 08:09:25 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 14:09:25 +0200
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To:
References: <20090825214602.GA14823@wisc.edu>
Message-ID: <20090826120925.GF117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
> The sad part is that no one can get the in production experience of IPv6
> because the vendors do not support it. You generally have to make do
> with what you can and use Linux as 'duct-tape' for the bits that are
> lacking...

Oh, well, it's not *so* bad.

Some things are lacking, but the conclusion "the box cannot do radius over IPv6 transport" == "not ready for production IPv6 deployment" is not something I can agree to.

I expect that we'll have to run IPv4 in parallel for a few more years, and if some parts of the device management functionality are not available over IPv6 today, it won't stop us from offering IPv6 internet services...

> Wait till you stumble on the lack of an 'ND proxy' or 'RA guard' :)

Tell your account teams that you want it, and won't buy new hardware unless they deliver...

OTOH - Cisco has working prototypes of SeND, while no other (!) operating system out there supports it. So where's the Linux duct-tape when you need it...?

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From ip at ioshints.info Wed Aug 26 08:52:42 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 26 Aug 2009 14:52:42 +0200
Subject: [c-nsp] Have I Gone Mad? (OSPF NSSA)
In-Reply-To:
References:
Message-ID: <001d01ca264c$1a9801e0$0a00000a@nil.si>

> ABR's appear to be injecting both the type 3 and type 7.
> Have I gone mad, or I need to hit back the books?

It depends :)

Actually you've asked for it. The "no-summary" part of NSSA statement generates type-3 default and the "default-information originate" generates type-7 default. See the "Not-so-stubby-areas" section of this article:

http://www.nil.com/ipcorner/OSPFDefaultMysteries/

It could be that the previous software releases were smarter and did not insert type-7 default when they've inserted type-3 default (which would take precedence over type-7 anyway), but it doesn't hurt you either.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

From domintefamily at yahoo.co.uk Wed Aug 26 07:55:28 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Wed, 26 Aug 2009 11:55:28 +0000 (GMT)
Subject: [c-nsp] vss switch 2 reloading every 15 minutes
Message-ID: <468261.9376.qm@web27905.mail.ukl.yahoo.com>

Hi,

I recently configured two catalyst 6509 switches into a VSS cluster. After I experienced issues with unknown unicast, the secondary chassis reloaded itself for no apparent reason. The cluster is configured with two VSL 10G links, one link is on the supervisor, and the secondary one located on the WS-X6708-10GE linecard, to provide redundancy. I pasted the details from the logs below. The sequence of events is as follows:

1. For some reason VSL interfaces go down
Aug 25 15:54:10.563: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to down

2. This triggers the VSL failure
Aug 25 15:54:10.535: %VSLP-SW1_SP-3-VSLP_LMP_FAIL_REASON: Te1/6/4: Link down
Aug 25 15:54:10.535: %VSLP-SW1_SP-2-VSL_DOWN: Last VSL interface Te1/6/4 went down
Aug 25 15:54:10.559: %VSLP-SW1_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role
Aug 25 15:54:10.567: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to down

3. Another VSL error:
Aug 25 15:54:10.655: %NTI-SW1_SP-3-TRIG_INIT_ALREADY_IN_PROGRESS: Cannot initiate NTI trigger for EP ID 0x216 at this time: trigger processing of trigger type NTI_EP_NOT_PRESENT, trigger group NTI_TRIGGER_GROUP_NONE already in progress

4. Chassis 2 reloads, and the failover mode is changed to simplex
Aug 25 15:54:11.259: %PFREDUN-SW1_SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode

5. A few more errors for 5 minutes. The cached IP-over-EoBC packets are being dropped:
Aug 25 15:55:01.174: %SATVS_IBC-SW1_SP-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x5/0x5, SSAP/DSAP:0x1D/0xAB, OP/SEQ:0x500/0x9BF5, SIG/INFO:0x1/0x501, eSA:0000.0600.0000)
Aug 25 15:56:04.064: %SATVS_IBC-SW1_SP-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x5/0x5, SSAP/DSAP:0x1D/0xAB, OP/SEQ:0x500/0x9D72, SIG/INFO:0x1/0x501, eSA:0000.0600.0000)
Aug 25 15:58:23.016: %SATVS_IBC-SW1_SP-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x5/0x5, SSAP/DSAP:0x1D/0xAB, OP/SEQ:0x500/0xA123, SIG/INFO:0x1/0x501, eSA:0000.0600.0000)

6. VSL Interface on the supervisor comes back up:
Aug 25 16:02:19.037: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to up
Aug 25 16:02:18.737: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to up

7. VSL reinitialises
Aug 25 16:02:50.721: %VSLP-SW1_SP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP
Aug 25 16:02:50.721: %VSL-SW1_SP-5-VSL_CNTRL_LINK: New VSL Control Link Te1/6/4
Aug 25 16:02:55.972: %VSLP-SW1_SP-5-VSL_UP: Ready for control traffic
Aug 25 16:05:22.325: %PFREDUN-SW1_SP-6-ACTIVE: Standby initializing for SSO mode
Aug 25 16:09:47.278: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.

8. Interface on the supervisor goes down again
Aug 25 16:14:37.314: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to down

The same loop repeats at regular intervals, and the secondary VSL link never comes back online. No other line card comes back online on switch 2, as the secondary supervisor does not initialise fully. The interfaces went down initially with the following message logged:

Aug 25 15:16:49.254: %SYS-SW2_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).

I pasted below the full initial log, when the secondary chassis went down:

Yesterday 16:20:51 Syslog [Message Details] Aug 25 15:16:53.686: %SATVS_IBC-SW1_SP-5-VSL_DOWN_SCP_DROP: VSL inactive - dropping cached SCP packet: (SA/DA:0x5/0x5, SSAP/DSAP:0x2A/0x0, OP/SEQ:0x3 ...
Yesterday 16:20:51 Syslog [Message Details] Aug 25 15:16:52.994: %LINK-SW1_SP-3-UPDOWN: Interface Port-channel120, changed state to down
Yesterday 16:20:51 Syslog [Message Details] Aug 25 15:16:52.290: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet2/6/4, changed state to down
Yesterday 16:20:40 Syslog [Message Details] Aug 25 15:16:52.270: %PFREDUN-SW1_SP-6-ACTIVE: Standby processor removed or reloaded, changing to Simplex mode
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.502: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.502: %LINK-SW1_SP-3-UPDOWN: Interface TenGigabitEthernet1/7/1, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.502: %LINK-SW1_SP-3-UPDOWN: Interface Port-channel256, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.502: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface Port-channel256, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.502: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/7/1, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.334: %VSLP-SW1_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.334: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/6/4, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.330: %LINEPROTO-SW1_SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/6/4, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.114: %VSLP-SW1_SP-2-VSL_DOWN: Last VSL interface Te1/7/1 went down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.114: %VSLP-SW1_SP-3-VSLP_LMP_FAIL_REASON: Te1/7/1: Disabled by Peer Reload Request
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.030: %VSL-SW1_SP-5-VSL_CNTRL_LINK: New VSL Control Link Te1/7/1
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:51.030: %VSLP-SW1_SP-3-VSLP_LMP_FAIL_REASON: Te1/6/4: Disabled by Peer Reload Request
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:16:48.990: %RF-SW1_SP-5-RF_RELOAD: Peer reload. Reason: Proxy request to reload peer
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:17:01.590: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/7/1, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:17:01.578: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/7/1, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:17:01.574: %LINK-3-UPDOWN: Interface Port-channel255, changed state to down
Yesterday 16:20:39 Syslog [Message Details] Aug 25 15:17:01.574: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel255, changed state to down
Yesterday 16:20:30 Syslog [Message Details] Aug 25 15:16:51.534: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/6/4, changed state to down
Yesterday 16:20:30 Syslog [Message Details] Aug 25 15:16:51.446: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/7/1, changed state to down
Yesterday 16:20:30 Syslog [Message Details] Aug 25 15:16:51.446: %LINK-3-UPDOWN: Interface Port-channel256, changed state to down
Yesterday 16:20:29 Syslog [Message Details] Aug 25 15:16:51.446: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel256, changed state to down
Yesterday 16:20:29 Syslog [Message Details] Aug 25 15:16:51.382: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/7/1, changed state to down
Yesterday 16:20:28 Syslog [Message Details] Aug 25 15:16:51.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/6/4, changed state to down
Yesterday 16:20:28 Syslog [Message Details] Aug 25 15:16:51.046: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/6/4, changed state to down
Yesterday 16:20:28 Syslog [Message Details] Aug 25 15:16:49.254: %SYS-SW2_SPSTBY-5-RELOAD: Reload requested - From Active Switch (Reload peer unit).
Yesterday 16:20:26 Syslog [Message Details] Aug 25 15:16:48.138: %IDBMAN-4-CONFIG_WRITE_FAIL: Failed to generate configuration for interface Po120

Has anyone seen something similar?

Regards,
Catalin

From ip at ioshints.info Wed Aug 26 08:55:22 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 26 Aug 2009 14:55:22 +0200
Subject: [c-nsp] Large networks
In-Reply-To: <20090826100203.GE117@greenie.muc.de>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de>
Message-ID: <002401ca264c$79d62dd0$0a00000a@nil.si>

> Generally, putting each customer into a dedicated layer 3
> network segment is a good idea - because half of the attacks
> that a hacked server belonging to "customer 1" might do to a
> server from "customer 2" (ARP spoofing, IP address spoofing
> [-> blame goes to customer 2], HSRP attacks to the shared
> router, etc.) suddenly are no longer relevant at all.

The only disadvantage of this approach is that you waste up to 75% of the address space (assuming you have one server per customer). If you want to do some really weird things you could configure mismatched subnet masks on servers and routers, use host routes to point toward the servers ... This will reclaim almost all the address space, but result in somewhat more complex addressing and routing.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

From daniel at bit.nl Wed Aug 26 09:04:08 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 26 Aug 2009 15:04:08 +0200
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To:
References: <20090825214602.GA14823@wisc.edu>
Message-ID: <1251291848.20465.12.camel@daniel.office.bit.nl>

On Wed, 2009-08-26 at 10:54 +0100, Alexander Clouter wrote:
> The sad part is that no one can get the in production experience of IPv6
> because the vendors do not support it.
> You generally have to make do
> with what you can and use Linux as 'duct-tape' for the bits that are
> lacking...

really? Our experience is exactly the opposite...(and we run -all- our services dual-stack). Admittedly, we've had our fair share of bugs with vendor C and J, but overall that amount is relatively small compared to the number of bugs and annoyances in Linux, Windows and other host OSs...

--Daniel.

From daniel at bit.nl Wed Aug 26 09:04:17 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 26 Aug 2009 15:04:17 +0200
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To: <20090826120925.GF117@greenie.muc.de>
References: <20090825214602.GA14823@wisc.edu> <20090826120925.GF117@greenie.muc.de>
Message-ID: <1251291857.20465.13.camel@daniel.office.bit.nl>

On Wed, 2009-08-26 at 14:09 +0200, Gert Doering wrote:
> OTOH - Cisco has working prototypes of SeND, while no other (!) operating
> system out there supports it.

OT: JUNOS implements SEND as well, from 9.3 onwards. I've not seen decent support in any host OS so far.

--Daniel.

From gert at greenie.muc.de Wed Aug 26 09:16:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 15:16:27 +0200
Subject: [c-nsp] Large networks
In-Reply-To: <002401ca264c$79d62dd0$0a00000a@nil.si>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si>
Message-ID: <20090826131627.GG117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 02:55:22PM +0200, Ivan Pepelnjak wrote:
> > Generally, putting each customer into a dedicated layer 3
> > network segment is a good idea - because half of the attacks
> > that a hacked server belonging to "customer 1" might do to a
> > server from "customer 2" (ARP spoofing, IP address spoofing
> > [-> blame goes to customer 2], HSRP attacks to the shared
> > router, etc.) suddenly are no longer relevant at all.
>
> The only disadvantage of this approach is that you waste up to 75% of the
> address space (assuming you have one server per customer).

That's what we have IPv6 for :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Aug 26 09:17:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 15:17:09 +0200
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To: <1251291857.20465.13.camel@daniel.office.bit.nl>
References: <20090825214602.GA14823@wisc.edu> <20090826120925.GF117@greenie.muc.de> <1251291857.20465.13.camel@daniel.office.bit.nl>
Message-ID: <20090826131709.GH117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 03:04:17PM +0200, Daniel Verlouw wrote:
> On Wed, 2009-08-26 at 14:09 +0200, Gert Doering wrote:
> > OTOH - Cisco has working prototypes of SeND, while no other (!) operating
> > system out there supports it.
>
> OT: JUNOS implements SEND as well, from 9.3 onwards.

Oh, cool!

> I've not seen decent support in any host OS so far.

This matches what I had in mind :-(

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Wed Aug 26 09:32:13 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 26 Aug 2009 15:32:13 +0200 (CEST)
Subject: [c-nsp] Large networks
In-Reply-To: <002401ca264c$79d62dd0$0a00000a@nil.si>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si>
Message-ID:

On Wed, 26 Aug 2009, Ivan Pepelnjak wrote:

> The only disadvantage of this approach is that you waste up to 75% of
> the address space (assuming you have one server per customer). If you
> want to do some really weird things you could configure mismatched
> subnet masks on servers and routers, use host routes to point toward the
> servers ... This will reclaim almost all the address space, but result
> in somewhat more complex addressing and routing.

It's not weird. If you do it like that with local-proxy-arp then you can have multiple vlans per IP subnet, so you get L2 isolation between customers but you do not waste any IP addresses.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From A.L.M.Buxey at lboro.ac.uk Wed Aug 26 09:34:00 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Wed, 26 Aug 2009 14:34:00 +0100
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To: <1251291857.20465.13.camel@daniel.office.bit.nl>
References: <20090825214602.GA14823@wisc.edu> <20090826120925.GF117@greenie.muc.de> <1251291857.20465.13.camel@daniel.office.bit.nl>
Message-ID: <20090826133400.GB30040@lboro.ac.uk>

Hi,

attended a wonderful talk about IPv6 at Cisco networkers earlier this year.
some good stuff being shown....and then they mentioned that all these security features etc are only in lab and won't be on our IOS for some time :-(

regarding IPv6 support on hardware - at this point in time I've given up with doing IPv6 on the switches/routers themselves - keeping all management to IPv4...all communication to RADIUS, TACACS, TFTP etc as IPv4 on the wire, however, things are different - our DNS, RADIUS, NTP etc (ie core infrastructure) is all dual-stack and happily passing most of its stuff via IPv6 where needed...which is good. DHCPv6 is another thing altogether (thanks steering groups and OS vendors!)

most of my server access (on site and offsite) is now via IPv6 too - hey, if I turned IPv4 off then, for a while, almost all attacks from those IPv4 only networks would stop.. hmmm...tempting! ;-)

alan

From tdurack at gmail.com Wed Aug 26 09:37:01 2009
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Aug 2009 09:37:01 -0400
Subject: [c-nsp] Application Protocol Performance in low latency envrionments
In-Reply-To:
References: <896a291f0908260307q2c4e6441q1869f8f9655d8351@mail.gmail.com>
Message-ID: <9e246b4d0908260637i4c87cf73pc26e5db8732686c8@mail.gmail.com>

On Wed, Aug 26, 2009 at 6:23 AM, Mikael Abrahamsson wrote:

> On Wed, 26 Aug 2009, Ash Net wrote:
>
>> The reason for performance degradation solely seems to be latency related
>> since there's tons of b/w available in the lab setup and over 10G lanphy
>> paths. Do people still deploy QOS for better traffic management on the
>> lanphy interfaces even with no saturation?
>>
>
> All the protocols you mentioned are "query/response" ones and thus they
> take a big hit when latency is introduced.
>
> I know several companies who nowadays have a wan simulation device between
> the clients and servers in their dev labs, just so that the developers will
> develop applications that actually work in real life, not just in the 1/10
> ms latency of the dev environment. Imagine the difference in a latency
> environment between doing a single nested SQL query, as opposed to doing 1
> returning a list, and then doing one query per list entry. In a 1/10ms
> environment the difference might not be noticeable, but in a 100ms
> environment it most certainly will.
>
> At several ms network latency you're effectively dealing with harddrive
> latencies as opposed to almost memory latencies, and thus techniques that
> work akin to NCQ or alike need to be employed. Failure to do so will create
> performance problems in real life.
>

Serious feelings of deja-vu. We lived through a similar scenario over the last few months. GigE "WAN" (really a MAN) with 3-5ms latency. Had to install some WAN accelerators, 'cos they promise to fix everything.

WAN Accelerators don't work in this scenario for the reason Mikael mentions (the IO subsystem of a WAN accelerator is in the 2-3ms range.)

Only real answer is to get application developers to code for the Internet at large, rather than for <1ms LAN.

Of course our devs don't even like their dev servers being 3-5ms away...

Tim:>

From gert at greenie.muc.de Wed Aug 26 09:50:34 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 15:50:34 +0200
Subject: [c-nsp] Large networks
In-Reply-To:
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si>
Message-ID: <20090826135034.GI117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 03:32:13PM +0200, Mikael Abrahamsson wrote:
> If you do it like that with local-proxy-arp then you can have multiple
> vlans per IP subnet, so you get L2 isolation between customers but you do
> not waste any IP addresses.

So how do you prevent customer A from sending out packets with an IP address belonging to customer B? (For whatever reason).

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From swmike at swm.pp.se Wed Aug 26 09:52:55 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 26 Aug 2009 15:52:55 +0200 (CEST)
Subject: [c-nsp] Large networks
In-Reply-To: <20090826135034.GI117@greenie.muc.de>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de>
Message-ID:

On Wed, 26 Aug 2009, Gert Doering wrote:

> So how do you prevent customer A from sending out packets with an IP
> address belonging to customer B? (For whatever reason).

Antispoofing ACL on vlan interface? Or if you have an access layer, you can do your L2.5 access lists there on ingress.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Wed Aug 26 09:58:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 15:58:15 +0200
Subject: [c-nsp] Large networks
In-Reply-To:
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de>
Message-ID: <20090826135815.GJ117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote:
> On Wed, 26 Aug 2009, Gert Doering wrote:
>
> >So how do you prevent customer A from sending out packets with an IP
> >address belonging to customer B? (For whatever reason).
>
> Antispoofing ACL on vlan interface?

Won't help if you have customer A and customer B in the same VLAN.

> Or if you have an access layer, you
> can do your L2.5 access lists there on ingress.

This would work - but that's LOTS of extra things to maintain, and keep up to date, etc.

Which is why we are VERY happy with "every customer has a different L3 subnet" - and yes, this is wasting a few IPv4 addresses, but since our customers usually have more than one machine, it's not "75%".

Even so, the time of IPv4 is past, and we should stop worrying about it.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de

From markom at markom.info Wed Aug 26 10:02:12 2009
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 26 Aug 2009 14:02:12 +0000
Subject: [c-nsp] Have I Gone Mad? (OSPF NSSA)
In-Reply-To: <001d01ca264c$1a9801e0$0a00000a@nil.si>
References: <001d01ca264c$1a9801e0$0a00000a@nil.si>
Message-ID:

On Wed, Aug 26, 2009 at 12:52, Ivan Pepelnjak wrote:
> It could be that the previous software releases were smarter and did not
> insert type-7 default when they've inserted type-3 default (which would take
> precedence over type-7 anyway), but it doesn't hurt you either.

Actually... It did hurt somewhat :-/. Previous IOS that we were running (7600 SXx and SRBx) were injecting type 7. However, that behaviour changed with SRD2 and it injects both. Naturally, type 3 wins. In one place we had distribution configured that was configured to redistribute only type 7 default into BGP elsewhere - which no longer worked after upgrade... I wonder why the behaviour changed...
Then again, my fault for misconfiguring the darn thing to begin with :-) -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From rsm at fast-serv.com Wed Aug 26 10:10:52 2009 From: rsm at fast-serv.com (Randy McAnally) Date: Wed, 26 Aug 2009 10:10:52 -0400 Subject: [c-nsp] Large networks In-Reply-To: <20090826135034.GI117@greenie.muc.de> References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de> Message-ID: <20090826140753.M67564@fast-serv.com> In a dedicated server hosting environment, each customer should have their own VLAN and subnet. True, it may waste a few IPs, but keep in mind when the customer expands to two or more servers, they can utilize additional IPs from their existing VLAN even when the servers are not physically close to each other. It makes customers happy, and it makes sysadmins sleep easier. -- Randy ---------- Original Message ----------- From: Gert Doering To: Mikael Abrahamsson Cc: cisco-nsp at puck.nether.net Sent: Wed, 26 Aug 2009 15:50:34 +0200 Subject: Re: [c-nsp] Large networks > Hi, > > On Wed, Aug 26, 2009 at 03:32:13PM +0200, Mikael Abrahamsson wrote: > > If you do it like that with local-proxy-arp then you can have multiple > > vlans per IP subnet, so you get L2 isolation between customers but you do > > not waste any IP addresses. > > So how do you prevent customer A from sending out packets with an IP > address belonging to customer B? (For whatever reason). > > gert > -- > USENET is *not* the non-clickable part of WWW! 
> //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de ------- End of Original Message ------- From swmike at swm.pp.se Wed Aug 26 10:11:28 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Wed, 26 Aug 2009 16:11:28 +0200 (CEST) Subject: [c-nsp] Large networks In-Reply-To: <20090826135815.GJ117@greenie.muc.de> References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de> <20090826135815.GJ117@greenie.muc.de> Message-ID: On Wed, 26 Aug 2009, Gert Doering wrote: > Hi, > > On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote: >> On Wed, 26 Aug 2009, Gert Doering wrote: >> >>> So how do you prevent customer A from sending out packets with an IP >>> address belonging to customer B? (For whatever reason). >> >> Antispoofing ACL on vlan interface? > > Won't help if you have customer A and customer B in the same VLAN. They are not in the same vlan, they're in the same IP subnet but in different vlans. -- Mikael Abrahamsson email: swmike at swm.pp.se From gert at greenie.muc.de Wed Aug 26 10:13:06 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Aug 2009 16:13:06 +0200 Subject: [c-nsp] Large networks In-Reply-To: References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de> <20090826135815.GJ117@greenie.muc.de> Message-ID: <20090826141306.GK117@greenie.muc.de> Hi, On Wed, Aug 26, 2009 at 04:11:28PM +0200, Mikael Abrahamsson wrote: > >On Wed, Aug 26, 2009 at 03:52:55PM +0200, Mikael Abrahamsson wrote: > >>On Wed, 26 Aug 2009, Gert Doering wrote: > >> > >>>So how do you prevent customer A from sending out packets with an IP > >>>address belonging to customer B? (For whatever reason). > >> > >>Antispoofing ACL on vlan interface? 
> >
> >Won't help if you have customer A and customer B in the same VLAN.
>
> They are not in the same vlan, they're in the same IP subnet but in
> different vlans.

Ah, pvlans and community vlan stuff. OK, that would work, but still - lots of effort that is just "automatic" otherwise.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From ip at ioshints.info Wed Aug 26 10:21:52 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 26 Aug 2009 16:21:52 +0200
Subject: [c-nsp] Large networks
In-Reply-To:
References: <4A9488B8.1000201@ibctech.ca><20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de>
Message-ID: <004301ca2658$8fce9b20$0a00000a@nil.si>

RPF check?

> -----Original Message-----
> From: Mikael Abrahamsson [mailto:swmike at swm.pp.se]
> Sent: Wednesday, August 26, 2009 3:53 PM
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Large networks
>
> On Wed, 26 Aug 2009, Gert Doering wrote:
>
> > So how do you prevent customer A from sending out packets with an IP
> > address belonging to customer B? (For whatever reason).
>
> Antispoofing ACL on vlan interface? Or if you have an access
> layer, you can do your L2.5 access lists there on ingress.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>

From alex at digriz.org.uk Wed Aug 26 09:52:25 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 26 Aug 2009 14:52:25 +0100
Subject: [c-nsp] IPv6 experience on DSBU switches
In-Reply-To: <20090826120925.GF117@greenie.muc.de>
References: <20090825214602.GA14823@wisc.edu> <20090826120925.GF117@greenie.muc.de>
Message-ID: <20090826135225.GF20088@chipmunk>

Hi,

* Gert Doering [2009-08-26 14:09:25+0200]:
>
> On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
> > The sad part is that no one can get the in production experience of IPv6
> > because the vendors do not support it. You generally have to make do
> > with what you can and use Linux as 'duct-tape' for the bits that are
> > lacking...
>
> Oh, well, it's not *so* bad.
>
> Some things are lacking, but the conclusion "the box cannot do radius
> over IPv6 transport" == "not ready for production IPv6 deployment" is
> not something I can agree to.
>
Exaggerated definitely[1] but when Cisco's only answer for you to assign IPs (accountably) is to use DHCPv6 it's a bit of a crappy welcoming mat; not many DHCPv6 servers out there and defeats a lot of IPv6 benefits (especially now that RFC 5006 is 'here').

> I expect that we'll have to run IPv4 in parallel for a few more years,
> and if some parts of the device management functionality is not available
> over IPv6 today, it won't stop us from offering IPv6 internet services...
>
Very true, probably for the next 20 or more.

> > Wait till you stumble on the lack of an 'ND proxy' or 'RA guard' :)
>
> Tell your account teams that you want it, and won't buy new hardware
> unless they deliver...
>
Problem is in the Real World(tm) when the 'other' vendors also don't offer much needed functionality you have to make compromises and your threats become empty. :-/ Cisco is good at L2 stuff, it seems when they look much about L3 they start being a pain; probably the issues are just more easily solved for me with a pile of battered Linux boxes[2].

> OTOH - Cisco has working prototypes of SeND, while no other (!) operating
> system out there supports it. So where's the Linux duct-tape when you
> need it...?
>
Apparently Cisco has some IPv6 stuff in the works I am told, but the people telling me are all NDA'd to hell and back and cannot tell me anything....'great, handy info'!

Unsure why I would want to cryptographically sign my NDs, we do not control the workstations that plug into our network and I'm not dishing out client side certificates for everyone :) For the IPv4 world I have 'ARP inspection' and 'DHCP snooping' to stop people doing stupid things[4], in the v6 world it seems I have to use 802.1x and Linux duct-tape. All I want is something similar in the v6 world, but it needs to support SLAAC (with privacy extensions) and multiple addresses per host...QoS throttling and 'ND inspection' would give a 99% solution to this without the whole load of IPsec dumped upon us.

Without this, we pretty much are still stuck in the mindset of IPv4 when deploying our IPv6 services.

Accepting that 'crap' is going to happen on your network whatever you do to try and stop it seems to have been a pointless endeavour for years. Having a good audit trail and event driven monitoring/alerting has been far more helpful for *us* (plus better use of our time deploying because of its other non-security related benefits) and means we do not have to plug *every* hole in our network when we come to the finding out what happened and the lessons learned phase of an incident.

Then, I'm only starting out in the v6 world...from an early start I do know that Cisco is not making my life any easier and until recently I had to pay a premium to even *look* at v6 on a 3750.

Just my ?0.02...keep the change ;)

Cheers

[1] well, their WLC 4400's (and it seems the 5500's) cannot do any L3 v6 stuff which means we cannot deploy it accountably on our wireless network
[2] I'm still coming to terms with a 3750 being unable to shift more than 20Mbit's of IPIP/GRE tunnel[3] action as it's all done in software.
[3] hmmm, and in SXI3 their 6509's still suck with multicast over IPIP tunnels forcing you to use GRE tunnels :-/
[4] the *majority* of problems on the network here are not from attackers but

--
Alexander Clouter
.sigmonster says: Edited for television.

From swmike at swm.pp.se Wed Aug 26 10:30:24 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 26 Aug 2009 16:30:24 +0200 (CEST)
Subject: [c-nsp] Large networks
In-Reply-To: <20090826141306.GK117@greenie.muc.de>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de> <20090826135815.GJ117@greenie.muc.de> <20090826141306.GK117@greenie.muc.de>
Message-ID:

On Wed, 26 Aug 2009, Gert Doering wrote:

> Ah, pvlans and community vlan stuff.
OK, that would work, but still -
> lots of effort that is just "automatic" otherwise.

Well, I think that it's reckless to spend 4 globally routable IP addresses instead of 1 per customer, when all you do is save a few minutes of time per installation.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From gert at greenie.muc.de Wed Aug 26 10:48:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 16:48:27 +0200
Subject: [c-nsp] Large networks
In-Reply-To: <004301ca2658$8fce9b20$0a00000a@nil.si>
References: <004301ca2658$8fce9b20$0a00000a@nil.si>
Message-ID: <20090826144827.GM117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote:
> RPF check?

won't help for "customer A is 10.0.0.1, customer B is 10.0.0.2, your router interface is 10.0.0.254/24".

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From gert at greenie.muc.de Wed Aug 26 11:00:31 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Aug 2009 17:00:31 +0200
Subject: [c-nsp] Large networks
In-Reply-To:
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <002401ca264c$79d62dd0$0a00000a@nil.si> <20090826135034.GI117@greenie.muc.de> <20090826135815.GJ117@greenie.muc.de> <20090826141306.GK117@greenie.muc.de>
Message-ID: <20090826150031.GN117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 04:30:24PM +0200, Mikael Abrahamsson wrote:
> On Wed, 26 Aug 2009, Gert Doering wrote:
>
> >Ah, pvlans and community vlan stuff. OK, that would work, but still -
> >lots of effort that is just "automatic" otherwise.
>
> Well, I think that it's reckless to spend 4 globally routable IP addresses
> instead of 1 per customer, when all you do is save a few minutes of time
> per installation.

As I said: our customers usually use many more IP addresses than just one.

And, of course, you're welcome to join us in IPv6 land where this sort of "last century" thinking does not need to worry us any longer :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From rwest at zyedge.com Wed Aug 26 11:06:41 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 26 Aug 2009 11:06:41 -0400
Subject: [c-nsp] cisco router 2800/3800 serie
In-Reply-To: <1251274735.2880.4.camel@abehat.net.rm.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> <1251274735.2880.4.camel@abehat.net.rm.dk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269B8E@zy-ex1.zyedge.local>

Peter,

> You might consider the 3560 L3 switch instead; it lacks features but
> delivers plenty of raw forwarding performance in a relatively cheap
> package. It supports VRF-Lite with the services image and can do
> prioritising QoS fine.

Can you elaborate a little more on the QoS portion. It seems that the 3560 would be fine policing some traffic, but gets cryptic when you want to start shaping or provide bandwidth allocations. Am I missing some obvious MQC support?
Thanks,

-ryan

From psirt at cisco.com Wed Aug 26 12:00:00 2009
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 26 Aug 2009 12:00:00 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
Message-ID: <200908261200.gateway@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20090826-cucm

Revision 1.0

For Public Release 2009 August 26 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Communications Manager (formerly CallManager) contains multiple denial of service (DoS) vulnerabilities that if exploited could cause an interruption to voice services. The Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are affected by these vulnerabilities.

Cisco has released free software updates for select Cisco Unified Communications Manager versions that address these vulnerabilities. There are no workarounds for these vulnerabilities.

This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by vulnerabilities described in this advisory:

* Cisco Unified Communications Manager 4.x
* Cisco Unified Communications Manager 5.x
* Cisco Unified Communications Manager 6.x
* Cisco Unified Communications Manager 7.x

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager Express is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Malformed SIP Message Vulnerabilities
+------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities that involve the processing of SIP packets. Each vulnerability is triggered by a malformed SIP message that could cause a critical process to fail, resulting in the disruption of voice services. All SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by these vulnerabilities.

The first SIP DoS vulnerability is documented in Cisco Bug ID CSCsi46466 and has been assigned the CVE identifier CVE-2009-2050. The first vulnerability is fixed in Cisco Unified Communications Manager versions 6.1(1) and later.

Cisco Unified Communications Manager 4.x versions are only affected by the first SIP DoS vulnerability if a SIP trunk is explicitly configured. To determine if a SIP trunk is configured on a Cisco Unified Communications Manager version 4.x system, navigate to Device > Trunk and choose the option SIP Trunk in the Cisco Unified Communications Manager administration interface. To mitigate this vulnerability on vulnerable Cisco Unified Communications Manager 4.x systems that are configured to use SIP trunks, administrators are advised to use screening devices to restrict access to TCP and UDP port 5060 to valid SIP trunk end points only.

The second SIP DoS vulnerability is documented in Cisco Bug ID CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. The second vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), and 7.1(2).
Network Connection Tracking Vulnerability
+----------------------------------------

Cisco Unified Communications Manager contains a DoS vulnerability that involves the tracking of network connections by the embedded operating system firewall. By establishing many TCP connections with a vulnerable system, an attacker could overwhelm the operating system table that is used to track network connections and prevent new connections from being established to system services. Any service that listens to a TCP port on a vulnerable system could be affected by this vulnerability, including SIP and SCCP.

This vulnerability is documented in Cisco Bug ID CSCsq22534 and has been assigned the CVE identifier CVE-2009-2052. The vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), 7.0(2), and 7.1(2).

Related SIP and SCCP DoS Vulnerabilities
+---------------------------------------

Cisco Unified Communications Manager contains two DoS vulnerabilities involving the processing of SIP and SCCP packets. By flooding a vulnerable system with many TCP packets, an attacker could exhaust operating system file descriptors that cause the SIP port (TCP 5060 and 5061) and SCCP port (TCP 2000 and 2443) to close. This action could prevent new connections from being established to the SIP and SCCP services. SIP UDP (5060 and 5061) ports are not affected.

The SCCP vulnerability is documented in Cisco Bug ID CSCsx32236 and has been assigned the CVE identifier CVE-2009-2053. The SCCP vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), 7.0(2a)su1, and 7.1(2).

The SIP vulnerability is documented in Cisco Bug ID CSCsx23689 and has been assigned the CVE identifier CVE-2009-2054. The SIP vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3g), 6.1(4), 7.0(2a)su1, and 7.1(2a)su1.
Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

CSCsi46466 - CM 6.1 SDL router services dead when receiving abnormal

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsz40392 - CCM: Coredump in sipSafeStrlen from malicious INVITE

    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsq22534 - IP_Conntrack Fills Up During TCP Flood Attack

    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsx32236 - SCCP Port Closed in Response to FD Resource Exhaustion

    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

CSCsx23689 - SIP Port Closed in Response to FD Resource Exhaustion

    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerabilities described in this advisory could result in the interruption of voice services. To restore voice services, affected Cisco Unified Communications Manager services may require a manual restart.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
+---------------------------------------+
| Cisco Unified   |                     |
| Communications  | Recommended Release |
| Manager Version |                     |
|-----------------+---------------------|
|                 | 5.1(3g) (Available  |
| 5.x             | for download in     |
|                 | early September     |
|                 | 2009)               |
|-----------------+---------------------|
| 6.x             | 6.1(4)              |
|-----------------+---------------------|
| 7.x             | 7.1(2a)SU1          |
+---------------------------------------+

Cisco Unified Communications Manager software version 5.1(3g) will be available for download in early September 2009 at the following link:
http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N

Cisco Unified Communications Manager software version 6.1(4) can be downloaded at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N

Administrators are advised to upgrade Cisco Unified Communications Manager systems running software version 7.0 to version 7.1(2a)SU1.
Cisco Unified Communications Manager software version 7.1(2a)SU1 can be downloaded at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified+Communications+Manager+Updates&mdfid=282421166&treeName=Voice+and+Unified+Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco+Unified+Communications+Manager+Version+7.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=&hybrid=Y&imst=N

Workarounds
===========

There are no workarounds for the vulnerabilities in this advisory.

Administrators can mitigate the SCCP- and SIP-related vulnerabilities by implementing filtering on screening devices to permit access to TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only from networks that need SCCP and SIP access to Cisco Unified Communications Manager servers.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090826-cucm.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates for select Cisco Unified Communications Manager versions that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.
Cisco Unified Communications Manager Versions 6.x and Later
+----------------------------------------------------------

Cisco has released free software updates for all vulnerabilities described in this advisory in Cisco Unified Communications Manager versions 6.x and 7.x.

Cisco Unified Communications Manager Versions 4.x and 5.x
+--------------------------------------------------------

For Cisco Bug ID CSCsi46466, Cisco will not provide a software fix for Cisco Unified Communications Manager versions 4.x and 5.x. Customers who are concerned about the availability of fixed software for this vulnerability in these releases should contact the following email address: cucm-august26-inquiry at cisco.com

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The vulnerabilities were discovered by Cisco.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-bulletins at lists.first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |                |  Initial  |
| 1.0      | 2009-August-26 |  public   |
|          |                |  release. |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----

iD8DBQFKlVmL86n/Gc8U/uARAv5YAJ9Qo8XGM9LvJWJ6AvVGQ0DvQ1v1KQCgg8vf
x3d5mwP1SWPEvIGzoXffuBc=
=oqg/
-----END PGP SIGNATURE-----

From ashnet2009 at gmail.com Wed Aug 26 12:03:57 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Wed, 26 Aug 2009 12:03:57 -0400
Subject: [c-nsp] Application Protocol Performance in low latency envrionments
In-Reply-To: <9e246b4d0908260637i4c87cf73pc26e5db8732686c8@mail.gmail.com>
References: <896a291f0908260307q2c4e6441q1869f8f9655d8351@mail.gmail.com> <9e246b4d0908260637i4c87cf73pc26e5db8732686c8@mail.gmail.com>
Message-ID: <896a291f0908260903h4b30e809n3424f1b69f5a3666@mail.gmail.com>

Thanks Guys. Your feedback is greatly appreciated.

On 8/26/09, Tim Durack wrote:
> On Wed, Aug 26, 2009 at 6:23 AM, Mikael Abrahamsson wrote:
>
>> On Wed, 26 Aug 2009, Ash Net wrote:
>>
>>> The reason for performance degradation solely seems to be latency related
>>> since there's tons of b/w available in the lab setup and over 10G lanphy
>>> paths. Do people still deploy QOS for better traffic management on the
>>> lanphy interfaces even with no saturation?.
>>>
>>
>> All the protocols you mentioned are "query/response" ones and thus they
>> take a big hit when latency is introduced.
>>
>> I know several companies who nowadays have a wan simulation device between
>> the clients and servers in their dev labs, just so that the developers will
>> develop applications that actually work in real life, not just in the 1/10
>> ms latency of the dev environment. Imagine the difference in a latency
>> environment between doing a single nested SQL query, as opposed to doing 1
>> returning a list, and then doing one query per list entry. In a 1/10ms
>> environment the difference might not be noticeable, but in a 100ms
>> environment it most certainly will.
>>
>> At several ms network latency you're effectively dealing with hard drive
>> latencies as opposed to almost memory latencies, and thus techniques that
>> work akin to NCQ or alike need to be employed. Failure to do so will create
>> performance problems in real life.
>>
>>
> Serious feelings of deja-vu. We lived through a similar scenario over the
> last few months. GigE "WAN" (really a MAN) with 3-5ms latency. Had to
> install some WAN accelerators, 'cos they promise to fix everything. WAN
> Accelerators don't work in this scenario for the reason Mikael mentions (the
> IO subsystem of a WAN accelerator is in the 2-3ms range.)
>
> Only real answer is to get application developers to code for the Internet
> at large, rather than for <1ms LAN. Of course our devs don't even like their
> dev servers being 3-5ms away...
>
> Tim:>
>

From leonardo.souza at nec.com.br Wed Aug 26 12:35:47 2009
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Wed, 26 Aug 2009 13:35:47 -0300
Subject: [c-nsp] RES: Large networks
In-Reply-To: <20090826100203.GE117@greenie.muc.de>
References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02AD1C65@spsrvmail03.nec.br>

In this case I think you could configure Private VLANs, isolating each customer in the same l3 network segment.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Gert Doering
Sent: Wednesday, 26 August 2009 07:02
To: Steve Bertrand
Cc: Shaun R.; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Large networks

Hi,

On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote:
> > This company was constantly having problems with what I called broadcast
> > attacks. The network graphs would show traffic on all interfaces spike
> > and normally the 100mbit uplink between the switches would saturate and
> > the network would die.
From that experience I took my time to design > > and deploy my network to be as correct as possible. > > Out of curiosity, did your experience find that the issues were related > to actual broadcast problems? Generally, putting each customer into a dedicated layer 3 network segment is a good idea - because half of the attacks that a hacked server belonging to "customer 1" might do to a server from "customer 2" (ARP spoofing, IP address spoofing [-> blame goes to customer 2], HSRP attacks to the shared router, etc.) suddenly are no longer relevant at all. ... and *if* you need to ACL one customer, or just shut down their network segment (because they are busy attacking someone else), you can be sure that it doesn't affect other customers ;-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From cnsp at matthias-mueller.net Wed Aug 26 13:26:51 2009 From: cnsp at matthias-mueller.net (Matthias Müller) Date: Wed, 26 Aug 2009 19:26:51 +0200 Subject: [c-nsp] RES: Large networks In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D02AD1C65@spsrvmail03.nec.br> References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de> <9E07F8717FE8BC4FBAE6860F61EA6C1D02AD1C65@spsrvmail03.nec.br> Message-ID: <4A95705B.4040602@matthias-mueller.net> Hi, Leonardo Gama Souza wrote: > In this case I think you could configure Private VLANs, isolating each > customer in the same l3 network segment. > Private VLANs won't help you with ip-spoofing in the same subnet and hsrp-attacks and not against arp attacks (but these can be prevented using static arp-entries on the l3-device). 
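The static-ARP point above, as an added example that is not code from the thread or from any vendor: a small model of the ARP table on the L3 device, where a gratuitous reply from a compromised neighbour overwrites a dynamic entry but is rejected and logged when the entry is static. The MAC addresses, the customer IP and the poisoning reply are constructed for illustration. Note what the static entry does and does not buy: it keeps the router's own mapping for customer 2 correct (and turns the attack into a log event), but it says nothing about customer 2's own ARP cache being poisoned with a fake gateway.

```python
"""ARP cache model: dynamic entries are overwritten by any later reply,
static ones are not. Added example for the private-VLAN / static-ARP
discussion; not code from the thread. All MACs, addresses and frames below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ArpEntry:
    mac: str
    static: bool = False


@dataclass
class ArpCache:
    """ARP table of one L3 device plus an alert log for conflicting replies."""
    entries: Dict[str, ArpEntry] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = ArpEntry(mac, static=True)

    def learn(self, ip: str, mac: str) -> bool:
        """Process an ARP reply (solicited or gratuitous). Returns True if the
        table changed. A reply that disagrees with a static entry is logged and
        ignored; a reply that disagrees with a dynamic entry wins, which is
        exactly how cache poisoning succeeds."""
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = ArpEntry(mac)
            return True
        if cur.mac == mac:
            return False
        if cur.static:
            self.alerts.append(
                f"rejected ARP reply {ip} is-at {mac}; static entry says {cur.mac}")
            return False
        self.alerts.append(f"dynamic entry for {ip} changed {cur.mac} -> {mac}")
        cur.mac = mac
        return True

    def resolve(self, ip: str) -> str:
        return self.entries[ip].mac


# Constructed shared segment: customer 1 (compromised), customer 2 (victim).
CUST1_MAC = "00:00:5e:00:53:01"
CUST2_MAC = "00:00:5e:00:53:02"
CUST2_IP = "10.0.0.2"

# Constructed attack: customer 1 sends a gratuitous reply claiming customer 2's IP.
POISON_REPLY: Tuple[str, str] = (CUST2_IP, CUST1_MAC)


def run(use_static: bool) -> Tuple[str, List[str]]:
    """Return (MAC the router now uses for customer 2, alert log) after the attack."""
    router = ArpCache()
    if use_static:
        router.add_static(CUST2_IP, CUST2_MAC)
    else:
        router.learn(CUST2_IP, CUST2_MAC)  # learned by normal resolution earlier
    router.learn(*POISON_REPLY)
    return router.resolve(CUST2_IP), router.alerts


if __name__ == "__main__":
    for static in (False, True):
        mac, alerts = run(static)
        print("static" if static else "dynamic", "->", mac, alerts)
```

With dynamic learning the router ends up sending customer 2's traffic to customer 1's MAC; with the static entry it keeps the right MAC and the alert list is the hook for detection.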
Matthias > -----Mensagem original----- > De: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] Em nome de Gert Doering > Enviada em: quarta-feira, 26 de agosto de 2009 07:02 > Para: Steve Bertrand > Cc: Shaun R.; cisco-nsp at puck.nether.net > Assunto: Re: [c-nsp] Large networks > > Hi, > > On Tue, Aug 25, 2009 at 08:58:32PM -0400, Steve Bertrand wrote: > >>> This company was constantly having problems with what i called >>> > broadcast > >>> attacks. The network graphs would show traffic on all interfaces >>> > spike > >>> and normally the 100mbit uplink between the switches would saturate >>> > and > >>> the network would die. From that experience i took my time to >>> > design > >>> and deploy my network to be as correct as possible. >>> >> Out of curiosity, did your experience find that the issues were >> > related > >> to actual broadcast problems? >> > > Generally, putting each customer into a dedicated layer 3 network > segment > is a good idea - because half of the attacks that a hacked server > belonging > to "customer 1" might do to a server from "customer 2" (ARP spoofing, > IP address spoofing [-> blaim goes to customer 2], HSRP attacks to the > shared router, etc.) suddenly are no longer relevant at all. > > ... and *if* you need to ACL one customer, or just shut down their > network segment (because they are busy attacking someone else), you > can be sure that it doesn't affect other customers ;-) > > gert > From ip at ioshints.info Wed Aug 26 13:30:14 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Wed, 26 Aug 2009 19:30:14 +0200 Subject: [c-nsp] Have I Gone Mad? (OSPF NSSA) In-Reply-To: References: <001d01ca264c$1a9801e0$0a00000a@nil.si> Message-ID: <009401ca2672$e0eff570$0a00000a@nil.si> > Actually... It did hurt somewhat :-/. Previous IOS that we > were running (7600 SXx and SRBx) were injecting type 7. > However, that behaviour changed with SRD2 and it injects > both. Naturally, type 3 wins. 
I wrote the article more than a year ago and the 12.4T behavior at that time was the same as what you've described. Obviously you were running "somewhat" older code :) > I wonder why the behaviour changed... Then again, my fault > for misconfiguring the darn thing to begin with :-) Well, it makes sense to advertise type-3 default for "summary-only" as there are no other type-3 LSAs (to make totally-NSSA identical to totally-stubby area in this aspect), although this particular behavior is not part of OSPF RFC. Someone with more than just a few boxes probably made a lot of noise asking for the behavior to change :)) Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From ip at ioshints.info Wed Aug 26 13:32:15 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Wed, 26 Aug 2009 19:32:15 +0200 Subject: [c-nsp] Large networks In-Reply-To: <20090826144827.GM117@greenie.muc.de> References: <004301ca2658$8fce9b20$0a00000a@nil.si> <20090826144827.GM117@greenie.muc.de> Message-ID: <00ac01ca2673$282a3630$0a00000a@nil.si> > On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote: > > RPF check? > > won't help for "customer A is 10.0.0.1, customer B is > 10.0.0.2, your router interface is 10.0.0.254/24". This is debatable as the host routes point to various L3 interfaces ... I guess it's time to start another test lab :)) Will post the results (unless someone else has more spare time than I do :). 
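The "RPF check?" exchange above, as an added example that is not code from the thread or from any vendor: strict unicast RPF modelled as a longest-prefix lookup on the packet's source address, accepting the packet only when the route back to that source points at the interface it arrived on. The three FIBs and the packets are constructed: one shared /24 behind a single SVI (Gert's objection), /32 host routes per customer to separate L3 interfaces (Ivan's hint; on a real router this needs proxy ARP so the hosts can still reach each other, which is not modelled), and a dedicated segment per customer.

```python
"""Strict uRPF as a FIB lookup on the source address.

Added example for the RPF discussion in this thread; not code from the thread
or from any vendor. All prefixes, interface names and packets are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A FIB maps prefixes to the interface that reaches them.
FIB = Dict[ipaddress.IPv4Network, str]


def lookup(fib: FIB, addr: str) -> Optional[str]:
    """Longest-prefix match: return the interface for addr, or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def strict_urpf_permits(fib: FIB, src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the best route to src points back at ingress.
    A source with no route at all is dropped (no allow-default here)."""
    return lookup(fib, src) == ingress


def evaluate(fib: FIB, packets: List[Tuple[str, str, str]]) -> Dict[str, bool]:
    """Run each (label, src, ingress) packet through strict uRPF."""
    return {label: strict_urpf_permits(fib, src, ingress)
            for label, src, ingress in packets}


# Case 1: customers A and B share one /24 behind one L3 interface.
SHARED_FIB: FIB = {ipaddress.ip_network("10.0.0.0/24"): "Vlan10"}

# Case 2: one /32 host route per customer, each pointing at its own interface.
HOST_ROUTE_FIB: FIB = {
    ipaddress.ip_network("10.0.0.0/24"): "Vlan10",   # connected subnet
    ipaddress.ip_network("10.0.0.1/32"): "Gi1/1",    # customer A
    ipaddress.ip_network("10.0.0.2/32"): "Gi1/2",    # customer B
}

# Case 3: dedicated L3 segment per customer.
PER_CUSTOMER_FIB: FIB = {
    ipaddress.ip_network("10.1.0.0/30"): "Gi1/1",    # customer A
    ipaddress.ip_network("10.1.0.4/30"): "Gi1/2",    # customer B
}

# Constructed packets: (label, source address, ingress interface).
# "B-spoof-as-A" is customer B sending with customer A's address.
SHARED_PACKETS = [
    ("A-legit", "10.0.0.1", "Vlan10"),
    ("B-spoof-as-A", "10.0.0.1", "Vlan10"),   # same SVI, indistinguishable
]
HOST_ROUTE_PACKETS = [
    ("A-legit", "10.0.0.1", "Gi1/1"),
    ("B-spoof-as-A", "10.0.0.1", "Gi1/2"),
]
PER_CUSTOMER_PACKETS = [
    ("A-legit", "10.1.0.2", "Gi1/1"),
    ("B-spoof-as-A", "10.1.0.2", "Gi1/2"),
    ("B-spoof-unrouted", "192.0.2.7", "Gi1/2"),  # no route to the source at all
]

if __name__ == "__main__":
    for name, fib, pkts in [("shared /24", SHARED_FIB, SHARED_PACKETS),
                            ("host routes", HOST_ROUTE_FIB, HOST_ROUTE_PACKETS),
                            ("per-customer L3", PER_CUSTOMER_FIB, PER_CUSTOMER_PACKETS)]:
        print(name, evaluate(fib, pkts))
```

The shared /24 case is the one where uRPF cannot help: both the legitimate and the spoofed packet arrive on Vlan10 and the route back to 10.0.0.1 is Vlan10 either way. As soon as the source maps to a different interface than the one the packet came in on (host routes or a per-customer segment) the spoof is dropped.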
Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From ip at ioshints.info Wed Aug 26 13:33:40 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Wed, 26 Aug 2009 19:33:40 +0200 Subject: [c-nsp] Large networks In-Reply-To: <20090826150031.GN117@greenie.muc.de> References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><20090826141306.GK117@greenie.muc.de> <20090826150031.GN117@greenie.muc.de> Message-ID: <00b301ca2673$5ce7cc70$0a00000a@nil.si> > > Well, I think that it's reckless to spend 4 globally routable IP > > addresses instead of 1 per customer, when all you do is save a few > > minutes of time per installation. > > As I said: our customers usually use many more IP addresses > than just one. > > And, of course, you're welcome to join us in IPv6 land where > this sort of "last century" thinking does not need to worry > us any longer :-) Some of us still have to live with reality where IPv6 deployment is negligible :) ... And don't forget some IBM mainframes are still forced to run operating systems emulating 80-column card reader :D From gsgranados at comcast.net Wed Aug 26 13:58:23 2009 From: gsgranados at comcast.net (Scott Granados) Date: Wed, 26 Aug 2009 10:58:23 -0700 Subject: [c-nsp] IPV6 in general was Re: Large networks References: <4A9488B8.1000201@ibctech.ca><20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><20090826141306.GK117@greenie.muc.de><20090826150031.GN117@greenie.muc.de> <00b301ca2673$5ce7cc70$0a00000a@nil.si> Message-ID: <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> I'm interested in general, how much IPV6 is actually out there? I'm very unfamiliar but at my present gig and my last few I never ran in to this once. Is it actually being used in production? 
Thank you Scott ----- Original Message ----- From: "Ivan Pepelnjak" To: "'Gert Doering'" ; "'Mikael Abrahamsson'" Cc: Sent: Wednesday, August 26, 2009 10:33 AM Subject: Re: [c-nsp] Large networks >> > Well, I think that it's reckless to spend 4 globally routable IP >> > addresses instead of 1 per customer, when all you do is save a few >> > minutes of time per installation. >> >> As I said: our customers usually use many more IP addresses >> than just one. >> >> And, of course, you're welcome to join us in IPv6 land where >> this sort of "last century" thinking does not need to worry >> us any longer :-) > > Some of us still have to live with reality where IPv6 deployment is > negligible :) ... And don't forget some IBM mainframes are still forced to > run operating systems emulating 80-column card reader :D > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Wed Aug 26 14:00:31 2009 From: justin at justinshore.com (Justin Shore) Date: Wed, 26 Aug 2009 13:00:31 -0500 Subject: [c-nsp] cisco router 2800/3800 serie In-Reply-To: References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> Message-ID: <4A95783F.3060402@justinshore.com> Mikael Abrahamsson wrote: > You could probably look into the 1841 as well, it should be enough for > your 20 megabit/s need. Be careful with the 1841. Though all the MPLS commands are technically there, MPLS is not a supported feature on the 1841. I.e., a code update could remove the commands altogether and there would be nothing you could do about it. I don't have our lab 1841 accessible at the moment so I can't verify a suspicion of mine. I suspect that the interface MTU of the 1841 may not go above 1500. The 2811 is limited to 1600 and the 2821 jumps up to 9676. Like Peter said, VRF-Lite may very well suit your needs. 
If VRF-Lite will work then you could scale down to smaller ISRs if you wanted. Justin From gert at greenie.muc.de Wed Aug 26 14:01:06 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Aug 2009 20:01:06 +0200 Subject: [c-nsp] Large networks In-Reply-To: <00ac01ca2673$282a3630$0a00000a@nil.si> References: <20090826144827.GM117@greenie.muc.de> <00ac01ca2673$282a3630$0a00000a@nil.si> Message-ID: <20090826180106.GR117@greenie.muc.de> Hi, On Wed, Aug 26, 2009 at 07:32:15PM +0200, Ivan Pepelnjak wrote: > > On Wed, Aug 26, 2009 at 04:21:52PM +0200, Ivan Pepelnjak wrote: > > > RPF check? > > > > won't help for "customer A is 10.0.0.1, customer B is > > 10.0.0.2, your router interface is 10.0.0.254/24". > > This is debatable as the host routes point to various L3 interfaces ... Well, *if* you have "various L3 interfaces", *then* RPF is going to help (but it's ugly as hell, and needs proxy-arp to work, which in itself is ugly). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From gert at greenie.muc.de Wed Aug 26 13:59:28 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Aug 2009 19:59:28 +0200 Subject: [c-nsp] Large networks In-Reply-To: <00b301ca2673$5ce7cc70$0a00000a@nil.si> References: <4A9488B8.1000201@ibctech.ca> <20090826150031.GN117@greenie.muc.de> <00b301ca2673$5ce7cc70$0a00000a@nil.si> Message-ID: <20090826175928.GQ117@greenie.muc.de> Hi, On Wed, Aug 26, 2009 at 07:33:40PM +0200, Ivan Pepelnjak wrote: > > > Well, I think that it's reckless to spend 4 globally routable IP > > > addresses instead of 1 per customer, when all you do is save a few > > > minutes of time per installation. 
> > > > As I said: our customers usually use many more IP addresses > > than just one. > > > > And, of course, you're welcome to join us in IPv6 land where > > this sort of "last century" thinking does not need to worry > > us any longer :-) > > Some of us still have to live with reality where IPv6 deployment is > negligible :) You have it in your hands to change that. Almost all traffic that goes into my home network or out of it is IPv6 these days - SSH to work, e-mails to and from work and to all the lists on puck.nether.net (thanks, Jared :) ), www to google, ... > ... And don't forget some IBM mainframes are still forced to > run operating systems emulating 80-column card reader :D Sure, some amount of legacy IP is going to stay - but these IBM mainframes are not your typical web server anymore. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From ip at ioshints.info Wed Aug 26 14:08:03 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Wed, 26 Aug 2009 20:08:03 +0200 Subject: [c-nsp] Large networks In-Reply-To: <20090826180106.GR117@greenie.muc.de> References: <20090826144827.GM117@greenie.muc.de> <00ac01ca2673$282a3630$0a00000a@nil.si> <20090826180106.GR117@greenie.muc.de> Message-ID: <00e201ca2678$28a651c0$0a00000a@nil.si> > > > > RPF check? > > > > > > won't help for "customer A is 10.0.0.1, customer B is 10.0.0.2, > > > your router interface is 10.0.0.254/24". > > > > This is debatable as the host routes point to various L3 > interfaces ... > > Well, *if* you have "various L3 interfaces", *then* RPF is > going to help (but it's ugly as hell, and needs proxy-arp to > work, which in itself is ugly). 
This was exactly what I started hinting at and Mikael provided a link to a working configuration. Ugly? Beauty is in the eye of the beholder :) Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From gert at greenie.muc.de Wed Aug 26 14:11:00 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Aug 2009 20:11:00 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> Message-ID: <20090826181100.GS117@greenie.muc.de> Hi, On Wed, Aug 26, 2009 at 10:58:23AM -0700, Scott Granados wrote: > I'm interested in general, how much IPV6 is actually out there? I'm very > unfamiliar but at my present gig and my last few I never ran into this > once. Is it actually being used in production? It really depends on what you call "in production". Could I do my daily work (send mail to puck.nether.net, ssh to work and from work to home machines, telnet to routers, hang on IRC, ask google, lookup DNS, ...) using only IPv6? Yes. Am I doing it? Mostly, but for some things I need to fall back to IPv4 because there are niches where IPv6 is harder to deploy, like "management interfaces on older switches" or "non-upgradeable routers at customer sites" and such. Could I do *all* things that I do over the Internet using IPv6? No. Why? Because companies like Cisco are stalling - no IPv6 on www.cisco.com, www.microsoft.com, www.heise.de, ... There will be Lots Of Fun when IPv4 runs out, and whole new markets of DSL customers (as in India, China, Arabia...) will not be able to access web sites from vendors that have no IPv6 reachability. Goodbye, sales to that region... gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From ip at ioshints.info Wed Aug 26 14:19:20 2009 From: ip at ioshints.info (Ivan Pepelnjak) Date: Wed, 26 Aug 2009 20:19:20 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090826181100.GS117@greenie.muc.de> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <20090826181100.GS117@greenie.muc.de> Message-ID: <010c01ca2679$bbb7be80$0a00000a@nil.si> > There will be Lots Of Fun when IPv4 runs out, and whole new markets > of DSL customers (as in India, China, Arabia...) will not be able to > access web sites from vendors that have no IPv6 reachability. Goodby, > sales to that region... Not gonna happen. Unfortunately there's so much stuff on the Internet that's only reachable via IPv4 (including www.wikipedia.org) that the few vendor sites don't matter at all. All those new DSL (I hope not) markets will have to have some sort of IPv4 connectivity (Carrier Grade NAT raises its ugly head). Ivan http://www.ioshints.info/about http://blog.ioshints.info/ From peter at rathlev.dk Wed Aug 26 14:22:08 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 26 Aug 2009 20:22:08 +0200 Subject: [c-nsp] cisco router 2800/3800 serie In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269B8E@zy-ex1.zyedge.local> References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> <1251274735.2880.4.camel@abehat.net.rm.dk> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269B8E@zy-ex1.zyedge.local> Message-ID: <1251310928.2932.24.camel@abehat.net.rm.dk> On Wed, 2009-08-26 at 11:06 -0400, Ryan West wrote: > Can you elaborate a little more on the QoS portion. 
It seems that the > 3560 would be fine policing some traffic, but gets cryptic when you > want to start shaping or provide bandwidth allocations. Am I missing > some obvious MQC support? IMHO it's the 3560 that is missing some MQC support. :-) You can do policing fine, though you are limited when defining your class maps, where you can only match on one thing. If matching by IP ACL only is acceptable this is no problem. If you expect matching on ACL and something else (like DSCP), bad luck AFAIK. This is probably because everything must fit in something that can translate to TCAM entries. The upside is that everything's in hardware. The shaping model on the 3560/3750 switches isn't the MQC HQoS way. It's not a simple token bucket, so technically it's shaping; the shaping works by reserving slots in the transmit scheduler combined with reserving some part of the egress buffers. I haven't found anywhere saying how deep the buffers on the 3560/3750 are (it's a combination of separate interface buffers (maybe just the tx ring?) and a "global" SRR egress buffer) in bits, but I suspect that they're quite small. This limits the shaping possibilities somewhat. The SRR shaping works fine as a combined reserve/policy mechanism though. What taxes me the most is that the QoS configuration quickly becomes very large for doing even simple things. And that the default egress queue size configuration (even with QoS disabled) seemingly isn't using up all available buffers. We have had to enable QoS and just adjust egress queue sizes just so that a 100 mbps port receiving data from a 1000 mbps port doesn't drop excessively. 
Regards, Peter From gert at greenie.muc.de Wed Aug 26 14:23:58 2009 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Aug 2009 20:23:58 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <010c01ca2679$bbb7be80$0a00000a@nil.si> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <20090826181100.GS117@greenie.muc.de> <010c01ca2679$bbb7be80$0a00000a@nil.si> Message-ID: <20090826182358.GT117@greenie.muc.de> Hi, On Wed, Aug 26, 2009 at 08:19:20PM +0200, Ivan Pepelnjak wrote: > > There will be Lots Of Fun when IPv4 runs out, and whole new markets > > of DSL customers (as in India, China, Arabia...) will not be able to > > access web sites from vendors that have no IPv6 reachability. Goodby, > > sales to that region... > > Not gonna happen. Unfortunately there's so much stuff on the Internet that's > only reachable via IPv4 (including www.wikipedia.org) that the few vendor > sites don't matter at all. Wikimedia images are already reachable over IPv6, the rest is going to follow. Some will continue to stick their head into the sand (especially the Americans), others will just move ahead. > All those new DSL (I hope not) markets will have > to have some sort of IPv4 connectivity (Carrier Grade NAT raises its ugly > head). Vendor C would certainly love to build a CGN. Guess how many million $ it would cost...? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From peter at rathlev.dk Wed Aug 26 14:40:37 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 26 Aug 2009 20:40:37 +0200 Subject: [c-nsp] cisco router 2800/3800 serie In-Reply-To: <4A95783F.3060402@justinshore.com> References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> <4A95783F.3060402@justinshore.com> Message-ID: <1251312037.2932.36.camel@abehat.net.rm.dk> On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote: > I suspect that the interface MTU of the 1841 may not go above 1500. It's even worse, it doesn't seem to support MTU != 1500 at all on the built in FE interfaces.
Router(config-if)#do sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.251.9.5      YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
ATM0/0/0                   unassigned      YES NVRAM  down                  down
Router(config-if)#int fa0/0
Router(config-if)#mtu 1501
% Interface FastEthernet0/0 does not support user settable mtu.
Router(config-if)#int fa0/1
Router(config-if)#mtu 1501
% Interface FastEthernet0/1 does not support user settable mtu.
Router(config-if)#do sh ver | incl IOS
Cisco IOS Software, 1841 Software (C1841-BROADBAND-M), Version 12.4(1a), RELEASE SOFTWARE (fc2)
Router(config-if)#
Outdated IOS but this MTU thingy probably hasn't changed. Regards, Peter From ptimmins at clearrate.com Wed Aug 26 14:16:46 2009 From: ptimmins at clearrate.com (Paul G. 
Timmins) Date: Wed, 26 Aug 2009 14:16:46 -0400 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> References: <4A9488B8.1000201@ibctech.ca><20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><20090826141306.GK117@greenie.muc.de><20090826150031.GN117@greenie.muc.de><00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> Message-ID: We've got paying customers who came to us specifically because we support it. Our last decision for IP transport had IPv6 as a requirement. YMMV. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados Sent: Wednesday, August 26, 2009 1:58 PM To: Ivan Pepelnjak; 'Gert Doering'; 'Mikael Abrahamsson' Cc: cisco-nsp at puck.nether.net Subject: [c-nsp] IPV6 in general was Re: Large networks I'm interested in general, how much IPV6 is actually out there? I'm very unfamiliar but at my present gig and my last few I never ran in to this once. Is it actually being used in production? Thank you Scott ----- Original Message ----- From: "Ivan Pepelnjak" To: "'Gert Doering'" ; "'Mikael Abrahamsson'" Cc: Sent: Wednesday, August 26, 2009 10:33 AM Subject: Re: [c-nsp] Large networks >> > Well, I think that it's reckless to spend 4 globally routable IP >> > addresses instead of 1 per customer, when all you do is save a few >> > minutes of time per installation. >> >> As I said: our customers usually use many more IP addresses >> than just one. >> >> And, of course, you're welcome to join us in IPv6 land where >> this sort of "last century" thinking does not need to worry >> us any longer :-) > > Some of us still have to live with reality where IPv6 deployment is > negligible :) ... 
And don't forget some IBM mainframes are still forced to > run operating systems emulating 80-column card reader :D > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eriks at nationalfastfreight.com Wed Aug 26 15:02:30 2009 From: eriks at nationalfastfreight.com (Erik Soosalu) Date: Wed, 26 Aug 2009 15:02:30 -0400 Subject: [c-nsp] cisco router 2800/3800 serie In-Reply-To: <1251312037.2932.36.camel@abehat.net.rm.dk> References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk><4A95783F.3060402@justinshore.com> <1251312037.2932.36.camel@abehat.net.rm.dk> Message-ID: <0B224A2FE01CC54C860290D42474BF6003DFA849@exchange.nff.local> With some things neutered... Cisco IOS Software, 1841 Software (C1841-SPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5) Technical Support: http://www.cisco.com/techsupport rt-02#sh ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/1 10.1.254.14 YES NVRAM up up rt-02#conf t Enter configuration commands, one per line. End with CNTL/Z. rt-02(config)#int fa 0/1 rt-02(config-if)#mtu ? <64-1600> MTU size in bytes rt-02(config-if)#mtu 1600 rt-02(config-if)#end rt-02#sh run int fa 0/1 Building configuration... Current configuration : 239 bytes ! 
interface FastEthernet0/1 mtu 1600 Thanks, Erik -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: Wednesday, August 26, 2009 2:41 PM To: Justin Shore Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] cisco router 2800/3800 serie On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote: > I'm suspect that the interface MTU of the 1841 may not go above 1500. It's even worse, it doesn't seem to support MTU != 1500 at all on the built in FE interfaces. Router(config-if)#do sh ip int bri Interface IP-Address OK? Method Status Protocol FastEthernet0/0 10.251.9.5 YES NVRAM up up FastEthernet0/1 unassigned YES NVRAM administratively down down ATM0/0/0 unassigned YES NVRAM down down Router(config-if)#int fa0/0 Router(config-if)#mtu 1501 % Interface FastEthernet0/0 does not support user settable mtu. Router(config-if)#int fa0/1 Router(config-if)#mtu 1501 % Interface FastEthernet0/1 does not support user settable mtu. Router(config-if)#do sh ver | incl IOS Cisco IOS Software, 1841 Software (C1841-BROADBAND-M), Version 12.4(1a), RELEASE SOFTWARE (fc2) Router(config-if)# Outdated IOS but this MTU thingy probably hasn't changed. 
Regards, Peter _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From alex at digriz.org.uk Wed Aug 26 15:01:58 2009 From: alex at digriz.org.uk (Alexander Clouter) Date: Wed, 26 Aug 2009 20:01:58 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks References: <4A9488B8.1000201@ibctech.ca> <20090826135034.GI117@greenie.muc.de> <20090826135815.GJ117@greenie.muc.de> <20090826141306.GK117@greenie.muc.de> <20090826150031.GN117@greenie.muc.de> <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> Message-ID: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> Hi, Scott Granados wrote: > > I'm interested in general, how much IPV6 is actually out there? I'm very > unfamiliar but at my present gig and my last few I never ran into this > once. Is it actually being used in production? > Ironically I would suggest Google...which itself is IPv6 enabled. It's not the 'enabling' IPv6 in the network that's the awkward bit, it's trying to eject the mindset that IPv4 puts you in... With IPv6 you can get rid of DHCP, forget VPNs, forget DDNS, forget HSRP, and most importantly you no longer need NATs that understand every protocol that runs through it and so remove a possible single point of failure. By tinkering you find out what horrible kludges are in IPv4[1] and slowly untie your brain from thinking in that manner. You quickly discover what type of straightjacket IPv4 put us all in. In short, it's how the Internet is meant to run. Google themselves say it has simplified things internally for them. Besides, I thought Comcast was rolling out IPv6 next year to all its DSL users? Other production cases are the smattering of ISPs about with it everywhere and of course free.fr. 
Cheers [1] for the OS knowledgeable people, it is akin to UNIX compared to Plan9, just without the cute logo of course -- Alexander Clouter .sigmonster says: Is it clean in other dimensions? From CFlint at mt.gov Wed Aug 26 15:13:23 2009 From: CFlint at mt.gov (Flint, Chris) Date: Wed, 26 Aug 2009 13:13:23 -0600 Subject: [c-nsp] cisco router 2800/3800 serie Message-ID: <169F1B4CBA47CC4F93BF2BD0A504C0552EEF510927@doaisd05222.state.mt.ads> 12.4(20)T or newer should support the MTU change. You still get the error message, but it does work. Flint ------------------------- Date: Wed, 26 Aug 2009 20:40:37 +0200 From: Peter Rathlev To: Justin Shore Cc: "cisco-nsp at puck.nether.net" Subject: Re: [c-nsp] cisco router 2800/3800 serie Message-ID: <1251312037.2932.36.camel at abehat.net.rm.dk> Content-Type: text/plain On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote: > I suspect that the interface MTU of the 1841 may not go above 1500. It's even worse, it doesn't seem to support MTU != 1500 at all on the built in FE interfaces. Router(config-if)#do sh ip int bri Interface IP-Address OK? Method Status Protocol FastEthernet0/0 10.251.9.5 YES NVRAM up up FastEthernet0/1 unassigned YES NVRAM administratively down down ATM0/0/0 unassigned YES NVRAM down down Router(config-if)#int fa0/0 Router(config-if)#mtu 1501 % Interface FastEthernet0/0 does not support user settable mtu. Router(config-if)#int fa0/1 Router(config-if)#mtu 1501 % Interface FastEthernet0/1 does not support user settable mtu. Router(config-if)#do sh ver | incl IOS Cisco IOS Software, 1841 Software (C1841-BROADBAND-M), Version 12.4(1a), RELEASE SOFTWARE (fc2) Router(config-if)# Outdated IOS but this MTU thingy probably hasn't changed. 
Regards, Peter From sthaug at nethelp.no Wed Aug 26 15:15:20 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Wed, 26 Aug 2009 21:15:20 +0200 (CEST) Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> Message-ID: <20090826.211520.41650372.sthaug@nethelp.no> > We've got paying customers who came to us specifically because we > support it. Our last decision for IP transport had IPv6 as a > requirement. YMMV. In a slightly different vein, we had IPv6 as a "soft requirement" last time we renewed our IP transit agreements. We were able to get IPv6 from all our providers (but only one of them native). This time around IPv6 will be a hard requirement. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From sthaug at nethelp.no Wed Aug 26 15:18:33 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Wed, 26 Aug 2009 21:18:33 +0200 (CEST) Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> Message-ID: <20090826.211833.71103910.sthaug@nethelp.no> > With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget > HSRP, and most importantly you no longer need NATs that understand every > protocol that runs through it and so remove a possible single point of > failure. Some of us would disagree rather strongly with one or more of those points. For instance, for us DHCPv6 is a hard requirement. 
Steinar Haug, Nethelp consulting, sthaug at nethelp.no From leonardo.souza at nec.com.br Wed Aug 26 15:25:32 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Wed, 26 Aug 2009 16:25:32 -0300 Subject: [c-nsp] RES: IPV6 in general was Re: Large networks In-Reply-To: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> References: <4A9488B8.1000201@ibctech.ca><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><20090826141306.GK117@greenie.muc.de><20090826150031.GN117@greenie.muc.de><00b301ca2673$5ce7cc70$0a00000a@nil.si><019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02B09069@spsrvmail03.nec.br> Why can we forget about HSRP with IPv6? >With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget >HSRP, and most importantly you no longer need NATs that understand every >protocol that runs through it and so remove a possible single point of >failure. From leonardo.souza at nec.com.br Wed Aug 26 15:34:10 2009 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Wed, 26 Aug 2009 16:34:10 -0300 Subject: [c-nsp] RES: RES: Large networks In-Reply-To: <4A95705B.4040602@matthias-mueller.net> References: <4A9488B8.1000201@ibctech.ca> <20090826100203.GE117@greenie.muc.de><9E07F8717FE8BC4FBAE6860F61EA6C1D02AD1C65@spsrvmail03.nec.br> <4A95705B.4040602@matthias-mueller.net> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D02B0907C@spsrvmail03.nec.br> You are right. To be protected against IP spoofing you would need a VACL configured as well. >Private VLANs won't help you with ip-spoofing in the same subnet and >hsrp-attacks and not against arp attacks (but these can be prevented >using static arp-entries on the l3-device). 
>
> Matthias

From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Wed, 26 Aug 2009 21:01:34 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks

Hi,

> There will be Lots Of Fun when IPv4 runs out, and whole new markets
> of DSL customers (as in India, China, Arabia...) will not be able to
> access web sites from vendors that have no IPv6 reachability. Goodbye,
> sales to that region...

6to4 web proxy - I got one... had to, for when I ran a VLAN that ONLY had IPv6 (none of that nasty dual-stack stuff ;-) )

alan

From: shaw38 at gmail.com (Steve Shaw)
Date: Wed, 26 Aug 2009 16:06:33 -0400
Subject: [c-nsp] Overlapping DHCP pools w/ VRF lite on 12.2(33)SXI?

Folks,

Anyone have any luck running overlapping DHCP pools with VRF-lite on 12.2(33)SXI? It looks like a vrf sub-command under DHCP pool configuration mode was added in SRC code but I can't confirm or deny support for the SXI train.
Thanks,
Steve

From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 26 Aug 2009 22:17:53 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks

On Aug 26, 2009, at 9:18 PM, sthaug at nethelp.no wrote:

>> With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
>> HSRP, and most importantly you no longer need NATs that understand
>> every protocol that runs through it and so remove a possible single point
>> of failure.
>
> Some of us would disagree rather strongly with one or more of those
> points. For instance, for us DHCPv6 is a hard requirement.

seconded. And currently there's no way we're gonna live without HSRP/VRRPv6. Waiting for RA/NUD to time out is just way too slow (besides, several OSs behave quirkily with multiple default gateways present).

No VPNs? What about host-to-host IPSec VPNs (e.g. MS DirectAccess)?

--Daniel.

From: mohacsi at niif.hu (Mohacsi Janos)
Date: Wed, 26 Aug 2009 22:23:18 +0200 (CEST)
Subject: [c-nsp] RES: IPV6 in general was Re: Large networks

On Wed, 26 Aug 2009, Leonardo Gama Souza wrote:

> Why can we forget about HSRP with IPv6?
>
>> With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
>> HSRP, and most importantly you no longer need NATs that understand
>> every protocol that runs through it and so remove a possible single point of
>> failure.

If you increase the frequency of the NUD to sufficiently low you can emulate HSRP-like behaviour. We are using this trick for HA DNS servers with *BSD carp on the server side.

Janos Mohacsi
Head of HBONE+ project
Network Engineer, Deputy Director of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

From: td_miles at yahoo.com (Tony)
Date: Wed, 26 Aug 2009 14:07:01 -0700 (PDT)
Subject: [c-nsp] cisco router 2800/3800 series

--- On Thu, 27/8/09, Justin Shore wrote:

> Be careful with the 1841. Though all the MPLS
> commands are technically there, MPLS is not a supported
> feature on the 1841. Ie, a code update could remove
> the commands altogether and there would be nothing you could
> do about it.

I always refer to the below document when looking at whether a device officially supports MPLS. Of course Cisco can remove it in the future, but the 1841 is listed as the lowest model officially supporting MPLS.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6557/prod_white_paper0900aecd8051fbdc.html

That document also gives Cisco recommendations on how many VRF's (and VRF routes) each model is reasonably capable of supporting.
I know of quite a few large implementations that have 1841 as managed CPE running MPLS on low speed (ie <10Mbps) links because it is the smallest/cheapest device that you can run proper MPLS on. If Cisco were to change this after the stance of officially saying that it supports MPLS there would be some great anger (which still doesn't mean that Cisco won't do this, you never know).

regards,
Tony.

From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 26 Aug 2009 21:23:08 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks

sthaug at nethelp.no wrote:
>
>> With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
>> HSRP, and most importantly you no longer need NATs that understand every
>> protocol that runs through it and so remove a possible single point of
>> failure.
>
> Some of us would disagree rather strongly with one or more of those
> points. For instance, for us DHCPv6 is a hard requirement.
>

Why the hard requirement? Is this for a MAC<->IP association table? I'm working on a method (might not work mind you) to make a SLAAC network fulfil this requirement... I have to so we meet our upstream AUP requirements, but running DHCPv6 kinda misses the point of why you try to deploy IPv6. :)

If it's for service discovery, that should be via DNS or better still multicast. However I would kill for PXE booting IPv6, no practical reasoning there though.

Cheers

--
Alexander Clouter
.sigmonster says: Avert misunderstanding by calm, poise, and balance.
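The MAC<->IP association table Alexander asks about can be derived for SLAAC hosts whose interface identifier is a modified EUI-64, since that identifier embeds the MAC. The following Python is an added example, not code from the thread or any of its posters; the neighbour-cache listing it parses is constructed here and only loosely modelled on a router's neighbour table. It recovers the MAC from each address, flags addresses that embed no MAC (RFC 4941 privacy, DHCPv6 or manual addresses, which need another source of truth) and flags an embedded MAC that disagrees with the link-layer source the neighbour cache saw.

```python
"""Derive the MAC<->IPv6 association for SLAAC hosts from a neighbour cache.

Hosts that autoconfigure with modified EUI-64 (RFC 4291) embed their MAC in
the interface identifier (IID), so an accountability table can be built
without DHCPv6 logging. Addresses that do not embed a MAC are flagged.
"""
import ipaddress
import re

# Constructed sample (not real device output): address, age, link-layer
# address in Cisco dotted form, ND state, interface.
NEIGHBOR_CACHE = """\
2001:db8:1::1                      0 0011.2233.4455  REACH Vl10
2001:db8:1:0:211:22ff:fe33:4455    3 0011.2233.4455  STALE Vl10
2001:db8:1:0:b4d3:9a11:7c02:e1f9   5 0011.2233.4455  STALE Vl10
fe80::211:22ff:fe33:4455           0 0011.2233.4455  REACH Vl10
2001:db8:1:0:2aa:bbff:fecc:ddee    7 00c0.ffee.1234  STALE Vl10
"""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe in the middle and flip the u/l bit of the first octet."""
    b = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host with this MAC autoconfigures in the given /64 (no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 interface identifier, or None if the IID is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy (RFC 4941), DHCPv6, manual or anycast address
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in raw)


def classify_neighbors(cache: str) -> list:
    """One record per neighbour-cache line: observed MAC, MAC derived from the IID, verdict."""
    records = []
    for line in cache.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, observed, iface = fields[0], normalize_mac(fields[2]), fields[4]
        derived = mac_from_address(addr)
        if derived is None:
            verdict = "non-eui64"       # no MAC embedded; needs DHCPv6 or ND logging
        elif derived == observed:
            verdict = "eui64-match"
        else:
            verdict = "eui64-mismatch"  # embedded MAC disagrees with the L2 source seen
        records.append({"address": addr, "interface": iface,
                        "observed_mac": observed, "derived_mac": derived,
                        "verdict": verdict})
    return records


if __name__ == "__main__":
    for r in classify_neighbors(NEIGHBOR_CACHE):
        print(f"{r['verdict']:15} {r['address']:36} {r['observed_mac']}  {r['derived_mac']}")
```

Link-local addresses classify the same way as global ones, so a host with privacy extensions still shows one EUI-64 entry (its fe80:: address) that ties the global privacy addresses to a MAC through the shared link-layer column.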
From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 26 Aug 2009 21:17:53 +0100
Subject: [c-nsp] RES: IPV6 in general was Re: Large networks

Hi,

Leonardo Gama Souza wrote:
>
> Why can we forget about HSRP with IPv6?
>

Depending on how 'high' the 'H' is in your HSRP, you can have multiple routers on the same subnet to provision your default gateway to the world; the clients *should* just use the responsive one if one was to disappear.

Cheers

--
Alexander Clouter
.sigmonster says: I'm not proud.

From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 26 Aug 2009 14:30:50 -0700
Subject: [c-nsp] RES: IPV6 in general was Re: Large networks

Ok it's official, I'm asking for the term Deputy to be included in my next title! That's just cool!

----- Original Message -----
From: "Mohacsi Janos"
To: "Leonardo Gama Souza"
Cc: "Alexander Clouter" ;
Sent: Wednesday, August 26, 2009 1:23 PM
Subject: Re: [c-nsp] RES: IPV6 in general was Re: Large networks

> On Wed, 26 Aug 2009, Leonardo Gama Souza wrote:
>
>> Why can we forget about HSRP with IPv6?
>>
>>> With IPv6 you can get rid of DHCP, forget VPN's, forget DDNS, forget
>>> HSRP, and most importantly you no longer need NATs that understand
>>> every protocol that runs through it and so remove a possible single point of
>>> failure.
>
> If you increase the frequency of the NUD to sufficiently low you can
> emulate HSRP like behaviour. We are using this trick for HA DNS servers
> with *BSD carp in the server side.
>
> Janos Mohacsi
> Head of HBONE+ project
> Network Engineer, Deputy Director of Network Planning and Projects
> NIIF/HUNGARNET, HUNGARY
> Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 27 Aug 2009 07:37:10 +1000
Subject: [c-nsp] MST and Uplinkfast

Hi All,

Can anybody confirm if uplinkfast is enabled when you run MST?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00807b075f.shtml

"The spanning tree uplinkfast and backbonefast features are PVST+ features, and it is disabled when you enable MST because those features are built within RSTP, and MST relies on RSTP."

To me this statement seems rather ambiguous - are they saying uplinkfast is disabled with MST or is it built into RSTP and therefore MST will have that feature too???
When I enable uplinkfast, it tells me that uplinkfast is inactive in MST, and testing shows a loss of data flow for around 20-30 sec before traffic switches over to the redundant link???

switch #sh span summ
Switch is in mst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is enabled
UplinkFast is enabled but inactive in mst mode
BackboneFast is disabled
Pathcost method used is long

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
MST00                         0         0        0          2          2
MST01                         0         0        0          2          2
---------------------- -------- --------- -------- ---------- ----------
2 msts                        0         0        0          4          4

Thanks.

Andy

From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Aug 2009 00:07:27 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks

Hi,

On Wed, Aug 26, 2009 at 10:17:53PM +0200, Daniel Verlouw wrote:
> seconded.
> And currently there's no way we're gonna live without HSRP/
> VRRPv6. Waiting for RA/NUD to time out is just way too slow (besides,
> several OSs behave quirkily with multiple default gateways present).

HSRP with IPv6 is there on IOS, VRRP with IPv6 is there on JunOS and (as far as I understand) "coming soon" to IOS.

> No VPNs? What about host-to-host IPSec VPNs (e.g. MS DirectAccess)?

Technically a VPN, indeed. I think the original poster was aiming at "getting rid of all those nasty VPN clients that you have to install on your box and that mess up all your machines".

DirectAccess sounds like a Really Great Thing. (*And* it will bring IPv6 into the enterprises, which normally stubbornly refuse any sort of progress...)

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: alex at digriz.org.uk (Alexander Clouter)
Date: Wed, 26 Aug 2009 22:12:26 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks

Hi,

Daniel Verlouw wrote:
>
> On Aug 26, 2009, at 9:18 PM, sthaug at nethelp.no wrote:
>
> [snipped]
>
> No VPNs? What about host-to-host IPSec VPNs (e.g. MS DirectAccess)?
>

I should have said "VPN concentrator". Mobile IPv6 and finally the end-to-end-ness of IPv6 let us use IPsec finally in its transport mode as 'God' intended.

Cheers

--
Alexander Clouter
.sigmonster says: Wanna buy a duck?
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Aug 2009 23:34:46 +0200
Subject: [c-nsp] Overlapping DHCP pools w/ VRF lite on 12.2(33)SXI?

On Wed, 2009-08-26 at 16:06 -0400, Steve Shaw wrote:
> Anyone have any luck running overlapping DHCP pools with VRF-lite on
> 12.2(33)SXI? It looks like a vrf sub-command under DHCP pool
> configuration mode was added in SRC code but I can't confirm or deny
> support for the SXI train.

I don't know or use it, but it seems the 12.2(33)SXI1 CLI doesn't want any of it:

rhski-1(config)#ip dhcp pool test
rhski-1(dhcp-config)#vrf ?
% Unrecognized command
rhski-1(dhcp-config)#vrf test
                     ^
% Invalid input detected at '^' marker.

rhski-1(dhcp-config)#?
DHCP pool configuration commands:
  bootfile             Boot file name
  client-identifier    Client identifier
  client-name          Client name
  default-router       Default routers
  dns-server           DNS servers
  domain-name          Domain name
  exit                 Exit from DHCP pool configuration mode
  hardware-address     Client hardware address
  host                 Client IP address and mask
  import               Programatically importing DHCP option parameters
  lease                Address lease time
  netbios-name-server  NetBIOS (WINS) name servers
  netbios-node-type    NetBIOS node type
  network              Network number and mask
  next-server          Next server in boot process
  no                   Negate a command or set its defaults
  option               Raw DHCP options
  renew                Configure renewal policy

rhski-1(dhcp-config)#

Regards,
Peter

From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Aug 2009 00:12:09 +0200
Subject: [c-nsp] Large networks
Hi,

On Wed, Aug 26, 2009 at 08:11:48PM +0200, Ivan Pepelnjak wrote:
> > > Some of us still have to live with reality where IPv6 deployment is
> > > negligible :)
> >
> > You have it in your hands to change that.
>
> You might. I don't. The only thing I can do is spread the gospel ... But you
> know what usually happens to those people :)
>
> Not a single ISP in Slovenia provides production-grade IPv6 service and I
> won't run tunnels half way across the planet just to claim I'm capable of
> configuring the latest technology wonder :))

Well. This is *exactly* what you can do about it: bug your upstream ISPs about it, and require it in contract requirements.

I know that a few .si ISPs already have working IPv6 - not production ready yet, but at least getting experience and moving packets, and building momentum.

I don't know the market situation in Slovenia, admittedly, but I would be surprised if none of the "big ones" with IPv6 would be offering their services there (Global Crossing, NTT/Verio, Flag Telecom, UUnet). What international carriers are offering IP services at your place?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: david at hughes.com.au (David Hughes)
Date: Thu, 27 Aug 2009 08:56:03 +1000
Subject: [c-nsp] Large networks

On 26/08/2009, at 11:58 PM, Gert Doering wrote:

> Which is why we are VERY happy with "every customer has a different L3
> subnet" - and yes, this is wasting a few IPv4 addresses, but since our
> customers usually have more than one machine, it's not "75%". Even so,
> the time of IPv4 is past, and we should stop worrying about it.

I'm with Gert on this. Our hosting networks are all configured this way. And, regarding the OP's comment about VPS, why view a virtual server any differently? Each customer with either physical or virtual servers gets a vlan and IP allocation for those servers. The virtuals quite happily vmotion around the network to their hearts' content. Each ESX cluster node gets to see the vlans for all the VM's on that cluster. No big deal - it's just a dot1q trunk after all.

David
...

From: JBracey at csuchico.edu (Bracey, John)
Date: Wed, 26 Aug 2009 13:30:41 -0700
Subject: [c-nsp] Audit tool for Cisco Config files

I'm wondering if any of you have run across a tool that will audit a cisco configuration file (or files as the case may be) against a standard template?

We have a configuration file repository and just need to be able to report on those configs as to compliance with our standard device template.
I'm thinking there's got to be a perl or shell script out there somewhere that will do the trick.

Thanks in advance.

*********************************************************
John K. Bracey, Sr. Network Analyst
Communications Services / Network Operations
California State University, Chico
530-898-5400
*********************************************************

From: ddunkin at netos.net (Darryl Dunkin)
Date: Wed, 26 Aug 2009 16:28:36 -0700
Subject: [c-nsp] IPV6 in general was Re: Large networks

There are DHCP parameters we rely on every single day.

Phones: Voice VLAN assignment, plus boot server
DNS->Hostname mapping (having the DHCP server dynamically register the host/device in DNS)
DNS Domain Name
NTP/Time offset
Legacy WINS servers (yes, I have networks unwilling/unable to get rid of this)

Those just don't exist in v6 auto configuration.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexander Clouter
Sent: Wednesday, August 26, 2009 13:23
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPV6 in general was Re: Large networks

Why the hard requirement? Is this for a MAC<->IP association table? I'm working on a method (might not work mind you) to make a SLAAC network fulfil this requirement... I have to so we meet our upstream AUP requirements, but running DHCPv6 kinda misses the point of why you try to deploy IPv6. :)

If it's for service discovery, that should be via DNS or better still multicast. However I would kill for PXE booting IPv6, no practical reasoning there though.
Cheers

--
Alexander Clouter
.sigmonster says: Avert misunderstanding by calm, poise, and balance.

From: ml at kenweb.org (ML)
Date: Wed, 26 Aug 2009 19:52:28 -0400
Subject: [c-nsp] Audit tool for Cisco Config files

Bracey, John wrote:
> I'm wondering if any of you have run across a tool that will audit a cisco configuration file (or files as the case may be) against a standard template?
>
> We have a configuration file repository and just need to be able to report on those configs as to compliance with our standard device template. I'm thinking there's got to be a perl or shell script out there somewhere that will do the trick.
>
> Thanks in advance.

http://www.cisecurity.org/bench_cisco.html

From: mailinglists at unix-scripts.com (Shaun R.)
Date: Wed, 26 Aug 2009 17:07:44 -0700
Subject: [c-nsp] Large networks

David,

Well it is possible to do with Xen too. We just use ebtables to filter traffic from each VPS. We restrict what comes in and out by the address and mac. Using vlans, at least for us, per VPS would be killer. We would have thousands of vlans already just for virtual servers. Right now our gear has a 4096 vlan limit, not sure if there's gear that supports higher numbers than that.
My learning/experience with this stuff is by implementing it when I need it :)

~Shaun

"David Hughes" wrote in message news:67FA6A8A-69EB-4F4A-B453-AA93674D5C4A at hughes.com.au...
>
> On 26/08/2009, at 11:58 PM, Gert Doering wrote:
>
>> Which is why we are VERY happy with "every customer has a different L3
>> subnet" - and yes, this is wasting a few IPv4 addresses, but since our
>> customers usually have more than one machine, it's not "75%". Even so,
>> the time of IPv4 is past, and we should stop worrying about it.
>
> I'm with Gert on this. Our hosting networks are all configured this way.
> And, regarding the OP's comment about VPS, why view a virtual server any
> differently? Each customer with either physical or virtual servers gets
> a vlan and IP allocation for those servers. The virtuals quite happily
> vmotion around the network to their hearts' content. Each ESX cluster
> node gets to see the vlans for all the VM's on that cluster. No big
> deal - it's just a dot1q trunk after all.
>
> David
> ...

From: rwest at zyedge.com (Ryan West)
Date: Wed, 26 Aug 2009 20:57:59 -0400
Subject: [c-nsp] Audit tool for Cisco Config files

cisecurity.org I think has RAT. It's a perl script you can customize for auditing both file and running configs.

Sent from handheld.

On Aug 26, 2009, at 7:07 PM, "Bracey, John" wrote:

> I'm wondering if any of you have run across a tool that will audit
> a cisco configuration file (or files as the case may be) against a
> standard template?
>
> We have a configuration file repository and just need to be able to
> report on those configs as to compliance with our standard device
> template. I'm thinking there's got to be a perl or shell script out
> there somewhere that will do the trick.
>
> Thanks in advance.
>
> *********************************************************
> John K. Bracey, Sr. Network Analyst
> Communications Services / Network Operations
> California State University, Chico
> 530-898-5400
> *********************************************************

From: marty at supine.com (Martin Barry)
Date: Thu, 27 Aug 2009 10:22:05 +1000
Subject: [c-nsp] Large networks

$quoted_author = "Shaun R." ;
>
> Well it is possible to do with Xen too. We just use ebtables to filter
> traffic from each VPS. We restrict what comes in and out by the address
> and mac. Using vlans, at least for us, per VPS would be killer.

Unfortunately VMware's vSwitch (at least up to 3.5, haven't played much with 4 nor the Cisco vSwitch) doesn't have this flexibility, so if you want to do the "right thing" you only have VLANs.
cheers
Marty

From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 26 Aug 2009 20:24:24 -0400
Subject: [c-nsp] Large networks

With the number of virtual servers most of us are hosting you would run out of VLAN's very quickly. What I do is static route subnets to host nodes and let the host nodes do the L3 work. This takes care of MAC address conflicts, spoofing, and many other problems.

--
Randy
www.FastServ.com

---------- Original Message -----------
From: David Hughes
To: "Cisco NSP ((E-mail))'"
Sent: Thu, 27 Aug 2009 08:56:03 +1000
Subject: Re: [c-nsp] Large networks

> On 26/08/2009, at 11:58 PM, Gert Doering wrote:
>
> > Which is why we are VERY happy with "every customer has a different L3
> > subnet" - and yes, this is wasting a few IPv4 addresses, but since our
> > customers usually have more than one machine, it's not "75%". Even so,
> > the time of IPv4 is past, and we should stop worrying about it.
>
> I'm with Gert on this. Our hosting networks are all configured this
> way. And, regarding the OP's comment about VPS, why view a virtual
> server any differently? Each customer with either physical or
> virtual servers gets a vlan and IP allocation for those servers.
> The virtuals quite happily vmotion around the network to their
> hearts content. Each ESX cluster node gets to see the vlans for
> all the VM's on that cluster. No big deal - it's just a dot1q
> trunk after all.
>
> David
> ...
------- End of Original Message -------

From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 27 Aug 2009 12:03:19 +1000
Subject: [c-nsp] [OT] Application Protocol Performance in low latency environments

Ash Net wrote:
> The reason for performance degradation solely seems to be latency related
> since there's tons of b/w available in the lab setup and over 10G lanphy
> paths.

Generally it is latency, yes. Sadly in many cases those expensive WAN acceleration devices are, for the most part, munging TCP headers to overcome shortcomings in performance caused by poor Layer 5-7 protocol design. If application developers took the issue of delay into account I'm sure we wouldn't end up with business applications performing multiple small TCP-based data transfers one after the other... or fifty transactions in serial, which might perform fine on a single host or a LAN with a few microseconds of latency... but 50x20ms RTT WAN transactions ain't so hot.

As an alternative to WAN acceleration devices, you can in many instances look at tuning the TCP/IP stack of the host OS to support TCP window scaling, different initial window sizes etc. to improve throughput. In some situations this may benefit LAN performance also. This does introduce other complex issues though, such as the fact that a stack optimised for transmission of high-speed data across a 10GbE LAN has the potential to hit low-speed WAN or Internet links with excessive initial bursts of packets - a problem not generally introduced by the aforementioned hardware devices. For some types of hosts (file servers) this might not be an issue however.

I'll end my off-topic rant there.
Regards,
Brad

From: clayton at mnsi.net (Clayton Zekelman)
Date: Wed, 26 Aug 2009 22:25:37 -0400
Subject: [c-nsp] USB Insertion/Removal Causes Reboot

Has anyone seen an issue with a NPE-G2 where insertion or removal of a USB flash drive causes the router to crash and reboot? This happened to one of our routers earlier today.

Cisco IOS Software, 7200 Software (C7200P-IPBASEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)

*Aug 26 16:07:11.375: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has been inserted in port 0.
*Aug 26 16:07:16.999: fnu1362ControlTransfer Control Transfer did not complete!1
*Aug 26 16:07:16.999: fnu1362ControlTransfer speed: 0x2, pipe: 0x80000080, status: 0x31
*Aug 26 16:07:16.999: fnu1362ControlTransfer, bmRequestType: 0x80, byRequest: 0x6, wValue: 0x100, wIndex: 0x0, wLength: 0x8
*Aug 26 16:07:17.007: %USB_HOST_STACK-5-USB_ENUM_FAIL_GETDESCR: Failed to enumerate a USB device as not able to read the device's description.
CMD: 'dir us' 12:07:18 EDT Wed Aug 26 2009
CMD: 'dir usb' 12:07:20 EDT Wed Aug 26 2009
CMD: 'dir ' 12:07:21 EDT Wed Aug 26 2009
12:07:22 EDT Wed Aug 26 2009: Unexpected exception to CPU: vector 300, PC = 0x725C0C , LR = 0x725BB8
-Traceback= 0x725C0Cz 0x726C10z 0x727C9Cz 0x1EE960z 0x6D00C8z 0x6CCC88z

A bit scary that a flash drive could bring down the router.

From: David at Hughes.com.au (David Hughes)
Date: Thu, 27 Aug 2009 16:48:33 +1000
Subject: [c-nsp] MST and Uplinkfast

The fact that Rapid STP is an active protocol (rather than the old listen / learn / wait) implies that workarounds like uplinkfast are no longer required.
MST uses RSTP as the STP within the instances and as such gains all the benefits that rapid gives you.

David
...

On 27/08/2009, at 7:37 AM, Andy Saykao wrote:
> To me this statement seems rather ambiguous - are they saying uplinkfast
> is disabled with MST or is it built into RSTP and therefore MST will
> have that feature too???

From andy.saykao at staff.netspace.net.au Thu Aug 27 03:06:00 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 27 Aug 2009 17:06:00 +1000
Subject: [c-nsp] MST and Uplinkfast
References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au> <688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au>

Hi David,

Thanks for the reply... With MST deployed across our network now, the access layer switches take 20-30 seconds before they start switching traffic via the redundant link. Prior to this we were using PVST+ and with uplinkfast enabled on these access layer switches, once the primary link failed, the redundant link kicked in straight away (drop one packet). Is MST supposed to switch traffic almost instantly or is this 20-30 sec delay a "normal" thing???

Thanks.

Andy

-----Original Message-----
From: David Hughes [mailto:David at Hughes.com.au]
Sent: Thursday, 27 August 2009 4:49 PM
To: Andy Saykao
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MST and Uplinkfast

The fact that Rapid STP is an active protocol (rather than the old listen / learn / wait) implies that workarounds like uplinkfast are no longer required. MST uses RSTP as the STP within the instances and as such gains all the benefits that rapid gives you.

David
...

On 27/08/2009, at 7:37 AM, Andy Saykao wrote:
> To me this statement seems rather ambiguous - are they saying
> uplinkfast is disabled with MST or is it built into RSTP and therefore
> MST will have that feature too???
From daniel at bit.nl Thu Aug 27 03:31:30 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Thu, 27 Aug 2009 09:31:30 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090826220727.GV117@greenie.muc.de>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de>
Message-ID: <1251358290.16185.13.camel@daniel.office.bit.nl>

On Thu, 2009-08-27 at 00:07 +0200, Gert Doering wrote:
> HSRP with IPv6 is there on IOS, VRRP with IPv6 is there on JunOS and
> (as far as I understand) "coming soon" to IOS.

yep, works like a charm on Junos, same sub-second failover as on VRRP for v4.
daniel at jun1.XXXX> show vrrp interface xe-1/0/0.28
Physical interface: xe-1/0/0, Unit: 28, Vlan-id: 28, Address: 2001:XXX:3:1c::3/64
Index: 169, SNMP ifIndex: 182, VRRP-Traps: enabled
Interface state: up, Group: 1, State: master
Priority: 150, Advertisement interval: 1, Authentication type: none
Delay threshold: 100, Computed send rate: 0
Preempt: yes, Preempt hold time: 120
Accept-data mode: yes, VIP count: 2, VIP: fe80::1:1, 2001:XXX:3:1c::1
Advertisement Timer: 0.040s, Master router: fe80::3
Virtual router uptime: 1d 07:08, Master router uptime: 1d 07:06
Virtual Mac: 00:00:5e:00:02:01
[...]

No real experience with HSRP though, can anyone shed some light on that? I understand it only works for link-local addresses?

--Daniel.

From daniel at bit.nl Thu Aug 27 03:36:02 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Thu, 27 Aug 2009 09:36:02 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no>
Message-ID: <1251358562.16185.18.camel@daniel.office.bit.nl>

On Wed, 2009-08-26 at 21:23 +0100, Alexander Clouter wrote:
> > Some of us would disagree rather strongly with one or more of those
> > points. For instance, for us DHCPv6 is a hard requirement.
> >
> Why the hard requirement?

DHCPv6 prefix delegation. And DNS assignment. And a bunch of other parameters SLAAC forgot to include. (does anyone actually implement RFC 5006 yet?)

--Daniel.
From Grzegorz at Janoszka.pl Thu Aug 27 03:47:52 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Thu, 27 Aug 2009 09:47:52 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <1251358290.16185.13.camel@daniel.office.bit.nl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl>
Message-ID: <4A963A28.9040109@Janoszka.pl>

Daniel Verlouw wrote:
> No real experience with HSRP though, can anyone shed some light on that?
> I understand it only works for link-local addresses?

Yes, unfortunately it is only link-local. I am just trying to figure out how to marry link-local with our global IPv6 assignments.

-- 
Grzegorz Janoszka

From sthaug at nethelp.no Thu Aug 27 03:59:17 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 27 Aug 2009 09:59:17 +0200 (CEST)
Subject: [c-nsp] IPV6 in general was Re: Large networks
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no>
Message-ID: <20090827.095917.74721147.sthaug@nethelp.no>

> > Some of us would disagree rather strongly with one or more of those
> > points. For instance, for us DHCPv6 is a hard requirement.
> >
> Why the hard requirement? Is this for a MAC<->IP association table?
> I'm working on a method (might not work mind you) to make a SLAAC
> network fulfil this requirement...I have to so we meet our upstream
> AUP requirements but running DHCPv6 kinda misses the point for why you
> try to deploy IPv6. :)

This is an old discussion, and has been rehashed a number of times on various DHCP and IPv6 mailing lists. In any case:

- SLAAC cannot distribute all the parameters that DHCP distributes to customers today. Example of parameters needed: DNS servers, domain name, NTP servers, ...
- DHCP is tightly integrated with various operational and support systems.

- DHCP lets us control customer address allocation from one central point, instead of having to individually configure routers.

See also

  http://mailman.nanog.org/pipermail/nanog/2009-February/007535.html

In short, a number of operators (including the one I work for) have concluded that SLAAC is woefully insufficient for the bulk handling of large numbers of customers (customers which use DHCPv4 today).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From A.L.M.Buxey at lboro.ac.uk Thu Aug 27 04:06:57 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 27 Aug 2009 09:06:57 +0100
Subject: [c-nsp] Audit tool for Cisco Config files
In-Reply-To: <755A73D3547BAE429728E2EC2AEDC60572D360D83E@EXMAIL.csuchico.edu>
References: <755A73D3547BAE429728E2EC2AEDC60572D360D83E@EXMAIL.csuchico.edu>
Message-ID: <20090827080657.GA32656@lboro.ac.uk>

Hi,

> I'm wondering if any of you have run across a tool that will audit a cisco configuration file (or files as the case may be) against a standard template?

we've written a few of our own scripts to check for settings, presence and absence of values etc.

> We have a configuration file repository and just need to be able to report on those configs as to compliance with our standard device template. I'm thinking there's got to be a perl or shell script out there somewhere that will do the trick.

..what about compliance to best practice etc?
there's tools like RAT and Nipper that you might want to look at

alan

From bjorn at mork.no Thu Aug 27 04:55:51 2009
From: bjorn at mork.no (Bjørn Mork)
Date: Thu, 27 Aug 2009 10:55:51 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <1251358562.16185.18.camel@daniel.office.bit.nl> (Daniel Verlouw's message of "Thu, 27 Aug 2009 09:36:02 +0200")
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <1251358562.16185.18.camel@daniel.office.bit.nl>
Message-ID: <87tyztd4a0.fsf@nemi.mork.no>

Daniel Verlouw writes:
> (does anyone actually implement RFC 5006 yet?)

Sure they do. radvd can announce RDNSS and rdnssd (part of the ndisc6 toolbox) can be used on the client side: http://www.remlab.net/ndisc6/

When it comes to real routers, I don't know... The Juniper ERXes have support for setting IPv6 DNS servers via RADIUS, but this seems to only configure the local dhcpv6 server running on the ERX.

Bjørn

From swmike at swm.pp.se Thu Aug 27 05:25:32 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 27 Aug 2009 11:25:32 +0200 (CEST)
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <87tyztd4a0.fsf@nemi.mork.no>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <1251358562.16185.18.camel@daniel.office.bit.nl> <87tyztd4a0.fsf@nemi.mork.no>

On Thu, 27 Aug 2009, Bjørn Mork wrote:
> When it comes to real routers, I don't know... The Juniper ERXes have
> support for setting IPv6 DNS servers via RADIUS, but this seems to only
> configure the local dhcpv6 server running on the ERX.

Cisco DHCPv6 server in 12.4(24)T can hand out DNS server via DHCPv6 anyway, but that's not RFC5006...
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From bjorn at mork.no Thu Aug 27 05:31:08 2009
From: bjorn at mork.no (Bjørn Mork)
Date: Thu, 27 Aug 2009 11:31:08 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090827.095917.74721147.sthaug@nethelp.no> (sthaug@nethelp.no's message of "Thu, 27 Aug 2009 09:59:17 +0200 (CEST)")
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no>
Message-ID: <87prahd2n7.fsf@nemi.mork.no>

sthaug at nethelp.no writes:

>> > Some of us would disagree rather strongly with one or more of those
>> > points. For instance, for us DHCPv6 is a hard requirement.
>> >
>> Why the hard requirement? Is this for a MAC<->IP association table?
>> I'm working on a method (might not work mind you) to make a SLAAC
>> network fulfil this requirement...I have to so we meet our upstream
>> AUP requirements but running DHCPv6 kinda misses the point for why you
>> try to deploy IPv6. :)
>
> This is an old discussion, and has been rehashed a number of times on
> various DHCP and IPv6 mailing lists. In any case:
>
> - SLAAC cannot distribute all the parameters that DHCP distributes to
> customers today. Example of parameters needed: DNS servers, domain
> name, NTP servers, ...

No it can't, but personally I see that as a feature :-)

We need to publish DNS servers, but RFC 5006 solves that. The other DHCP options are mostly unnecessary bloat. Are there really that many DHCP clients doing anything useful with the NTP option? I guess you may have set-top boxes using it, but those can just as well be pre-configured with the well-known DNS name of your NTP servers.

> - DHCP is tightly integrated with various operational and support
> systems.

Sure, but given the differences between DHCP and DHCPv6 I wonder if you can reuse much of it anyway?
I find it just as easy to modify our RADIUS support to provide the IPv6 prefix(es) and DNS servers. In fact, it's easier.

> - DHCP lets us control customer address allocation from one central
> point, instead of having to individually configure routers.

You can do that with SLAAC too, e.g. by using RADIUS.

We'll of course use DHCPv6 too, mostly because we want prefix delegation. But I still think SLAAC is useful in some settings, even for ISPs. I want both.

Bjørn

From p.mayers at imperial.ac.uk Thu Aug 27 05:36:51 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 27 Aug 2009 10:36:51 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A963A28.9040109@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl>
Message-ID: <4A9653B3.6090607@imperial.ac.uk>

Grzegorz Janoszka wrote:
> Daniel Verlouw wrote:
>> No real experience with HSRP though, can anyone shed some light on that?
>> I understand it only works for link-local addresses?
>
> Yes, unfortunately it is only link-local. I am just trying to figure it
> out how to marry link-local with our global ipv6 assignments.
>

That's now the way it works AFAICT.

Basically, the routers still send router-advertisements. However, the link-local address in the next-hop is the HSRPv6 virtual IP, and floats between the active & backup.

So you only *need* the link-local.
From jfitz at Princeton.EDU Thu Aug 27 05:42:58 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 27 Aug 2009 05:42:58 -0400
Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards
Message-ID: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU>

We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot chassis, and none of these modules come up all the way with SXI1 or 2.

In Version 1 the modules were not even recognized yet were a supported device. In rev 2 they are recognized and indicate that they pass the diags after reload, but the status of module stays in OTHER and ports are non functional.

The fix was supposed to be in rev SXI 2.

Has anybody else seen this?

Jeff Fitzwater
OIT Network Systems
Princeton University

From p.mayers at imperial.ac.uk Thu Aug 27 04:35:54 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 27 Aug 2009 09:35:54 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090827.095917.74721147.sthaug@nethelp.no>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no>
Message-ID: <20090827083554.GA17090@wildfire.net.ic.ac.uk>

On Thu, Aug 27, 2009 at 08:59:17AM +0100, sthaug at nethelp.no wrote:
>> > Some of us would disagree rather strongly with one or more of those
>> > points. For instance, for us DHCPv6 is a hard requirement.
>> >
>> Why the hard requirement? Is this for a MAC<->IP association table?
>> I'm working on a method (might not work mind you) to make a SLAAC
>> network fulfil this requirement...I have to so we meet our upstream
>> AUP requirements but running DHCPv6 kinda misses the point for why you
>> try to deploy IPv6. :)
>
> This is an old discussion, and has been rehashed a number of times on
> various DHCP and IPv6 mailing lists. In any case:
>
> - SLAAC cannot distribute all the parameters that DHCP distributes to
> customers today.
> Example of parameters needed: DNS servers, domain
> name, NTP servers, ...
>
> - DHCP is tightly integrated with various operational and support
> systems.
>
> - DHCP lets us control customer address allocation from one central
> point, instead of having to individually configure routers.
>
> See also
>
> http://mailman.nanog.org/pipermail/nanog/2009-February/007535.html
>
> In short, a number of operators (including the one I work for) have
> concluded that SLAAC is woefully insufficient for the bulk handling of
> large number of customers (customers which use DHCPv4 today).

Very strongly agreed.

IPv6 emulated the then-state-of-the-art IPX autoconfig mechanisms, and seems reluctant to admit it's missed out the last decade of operational knowledge acquired with IPv4.

SLAAC should die the death it so richly deserves (except for link-local) and DHCPv6 should gain prefix advertisement capability.

From alex at digriz.org.uk Thu Aug 27 06:00:10 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Thu, 27 Aug 2009 11:00:10 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <87prahd2n7.fsf@nemi.mork.no>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <87prahd2n7.fsf@nemi.mork.no>
Message-ID: <20090827100010.GT20088@chipmunk>

Hi,

* Bjørn Mork [2009-08-27 11:31:08+0200]:
>
> sthaug at nethelp.no writes:
>
> >> > Some of us would disagree rather strongly with one or more of those
> >> > points. For instance, for us DHCPv6 is a hard requirement.
> >> >
> >> Why the hard requirement? Is this for a MAC<->IP association table?
> >> I'm working on a method (might not work mind you) to make a SLAAC
> >> network fulfil this requirement...I have to so we meet our upstream
> >> AUP requirements but running DHCPv6 kinda misses the point for why you
> >> try to deploy IPv6.
> >> :)
> >
> > This is an old discussion, and has been rehashed a number of times on
> > various DHCP and IPv6 mailing lists. In any case:
> >
> > - SLAAC cannot distribute all the parameters that DHCP distributes to
> > customers today. Example of parameters needed: DNS servers, domain
> > name, NTP servers, ...
>
> No it can't, but personally I see that as a feature :-)
>
> We need to publish DNS servers, but RFC 5006 solves that. The other
> DHCP options are mostly unnecessary bloat. Are there really that many
> DHCP clients doing anything useful with the NTP option? I guess you may
> have set-top boxes using it, but those can just as well be pre-configured
> with the well-known DNS name of your NTP servers.
>

Service discovery (SLP, SDP and DNS based) and multicast (NTP especially) have been with us for years. I think this is the problem people have with IPv6, their mindset is stuck in IPv4 for a lot of things.

> > - DHCP lets us control customer address allocation from one central
> > point, instead of having to individually configure routers.
>
> You can do that with SLAAC too, e.g. by using RADIUS.
>
> We'll of course use DHCPv6 too, mostly because we want prefix
> delegation. But I still think SLAAC is useful in some settings, even
> for ISPs. I want both.
>

I do not think SLAAC was ever intended for the ISP<->CPE, I could not see how it could be used there. However for router<->node I cannot see why people are so against it.

Obviously I'm in a minority so I'm going to disappear back into the Ether :)

Cheers

-- 
Alexander Clouter
.sigmonster says: God isn't dead. He just doesn't want to get involved.
From p.mayers at imperial.ac.uk Thu Aug 27 06:01:30 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 27 Aug 2009 11:01:30 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A9653B3.6090607@imperial.ac.uk>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk>
Message-ID: <4A96597A.3050709@imperial.ac.uk>

Phil Mayers wrote:
> Grzegorz Janoszka wrote:
>> Daniel Verlouw wrote:
>>> No real experience with HSRP though, can anyone shed some light on that?
>>> I understand it only works for link-local addresses?
>> Yes, unfortunately it is only link-local. I am just trying to figure it
>> out how to marry link-local with our global ipv6 assignments.
>>
>
> That's now the way it works AFAICT.

Sorry, that's NOT the way it works... Sigh.

>
> Basically, the routers still send router-advertisements. However, the
> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
> between the active & backup.
>
> So you only *need* the link-local.
From Grzegorz at Janoszka.pl Thu Aug 27 06:14:37 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Thu, 27 Aug 2009 12:14:37 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A9653B3.6090607@imperial.ac.uk>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk>
Message-ID: <4A965C8D.2070600@Janoszka.pl>

Phil Mayers wrote:
> Grzegorz Janoszka wrote:
>> Daniel Verlouw wrote:
>>> No real experience with HSRP though, can anyone shed some light on that?
>>> I understand it only works for link-local addresses?
>>
>> Yes, unfortunately it is only link-local. I am just trying to figure
>> it out how to marry link-local with our global ipv6 assignments.
>
> That's now the way it works AFAICT.
>
> Basically, the routers still send router-advertisements. However, the
> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
> between the active & backup.
>
> So you only *need* the link-local.

But it is strange indeed. We tell everyone that v6 is just the same as v4, but just the issues as above make our customers scared.

So, we assign 2001:0db8:85a3:08d3::/64 on a customer port, with a gateway fe80:0db8:85a3:08d3::1 - how does it look? Is it the same as we do with v4? :)

Do you have any plans for such IP division? I just thought about replacing the first 16 bits of the public v6 address with fe80, but maybe you have better ideas.
-- 
Grzegorz Janoszka

From p.mayers at imperial.ac.uk Thu Aug 27 06:20:07 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 27 Aug 2009 11:20:07 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A965C8D.2070600@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl>
Message-ID: <4A965DD7.9070105@imperial.ac.uk>

Grzegorz Janoszka wrote:
> Phil Mayers wrote:
>> Grzegorz Janoszka wrote:
>>> Daniel Verlouw wrote:
>>>> No real experience with HSRP though, can anyone shed some light on that?
>>>> I understand it only works for link-local addresses?
>>> Yes, unfortunately it is only link-local. I am just trying to figure
>>> it out how to marry link-local with our global ipv6 assignments.
>> That's now the way it works AFAICT.
>>
>> Basically, the routers still send router-advertisements. However, the
>> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
>> between the active & backup.
>>
>> So you only *need* the link-local.
>
> But it is strange indeed. We tell everyone that v6 is just the same as
> v4, but just the issues as above make our customers scared.

It is odd, and takes some getting used to.

>
> So, we assign 2001:0db8:85a3:08d3::/64 on a customer port, with a
> gateway fe80:0db8:85a3:08d3::1 - how does it look? Is it the same as we
> do with v4? :)

Well, no ;o)

TBH the link-local is one of the things that IPv6 did really make a good choice on (killing fragmentation is another)

It looks even weirder if you run an OSPFv3 network with nothing but loopbacks & link-local - kind of like "ip unnumbered" everywhere!

>
> Do you have any plans for such IP division?
> I just thought about
> replacing first 16 bits of public v6 address with fe80, but maybe you
> have better ideas.
>

I don't understand; all link-local IPs are

fe80::/64

i.e. link-local are always fe80:0000:0000:0000:

You can't change this I think.

From jfitz at Princeton.EDU Thu Aug 27 06:24:46 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 27 Aug 2009 06:24:46 -0400
Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards
In-Reply-To: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU>
References: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU>
Message-ID: <53D4E3B6-EDE5-4F98-A9BA-760307BC9893@princeton.edu>

Forgot to note that with SXI they work. It's the version 1 and 2 that have the problem.

Jeff

On Aug 27, 2009, at 5:42 AM, Jeff Fitzwater wrote:
> We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot
> chassis, and none of these modules come up all the way with SXI1 or 2.
>
> In Version 1 the modules were not even recognized yet were a
> supported device. In rev 2 they are recognized and indicate that
> they pass the diags after reload, but the status of module stays in
> OTHER and ports are non functional.
>
> The fix was supposed to be in rev SXI 2.
>
> Has anybody else seen this?
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

From daniel at bit.nl Thu Aug 27 06:26:13 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Thu, 27 Aug 2009 12:26:13 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A965DD7.9070105@imperial.ac.uk>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk>
Message-ID: <1251368773.16185.44.camel@daniel.office.bit.nl>

On Thu, 2009-08-27 at 11:20 +0100, Phil Mayers wrote:
> I don't understand; all link-local IPs are
>
> fe80::/64

link local unicast range is FE80::/10

--Daniel.

From gert at greenie.muc.de Thu Aug 27 06:27:35 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Aug 2009 12:27:35 +0200
Subject: [c-nsp] cisco router 2800/3800 series
In-Reply-To: <1251312037.2932.36.camel@abehat.net.rm.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> <4A95783F.3060402@justinshore.com> <1251312037.2932.36.camel@abehat.net.rm.dk>
Message-ID: <20090827102735.GB117@greenie.muc.de>

Hi,

On Wed, Aug 26, 2009 at 08:40:37PM +0200, Peter Rathlev wrote:
> On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote:
> > I suspect that the interface MTU of the 1841 may not go above 1500.
>
> It's even worse, it doesn't seem to support MTU != 1500 at all on the
> built in FE interfaces.

Switch6(config)#system mtu ?
  <1500-1998>  MTU size in bytes
  jumbo        Set Jumbo MTU value for GigabitEthernet or TenGigabitEthernet interfaces
  routing      Set the Routing MTU for the system

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Thu Aug 27 06:28:40 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 27 Aug 2009 11:28:40 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <1251368773.16185.44.camel@daniel.office.bit.nl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl>
Message-ID: <4A965FD8.8050505@imperial.ac.uk>

Daniel Verlouw wrote:
> On Thu, 2009-08-27 at 11:20 +0100, Phil Mayers wrote:
>> I don't understand; all link-local IPs are
>>
>> fe80::/64
>
> link local unicast range is FE80::/10
>
> --Daniel.
>

Hmm. So in theory you can configure a router to advertise fe80:something::/64 as the link prefix?

Ok; why would you want to? Link-local prefixes are still link-local, it just requires an extra line of config to make bits 11-64 the same as the unicast prefix.
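Added example for the fe80::/10 versus fe80::/64 exchange above (editor's code, not from any poster on the thread): RFC 4291 section 2.4 lists the link-local unicast allocation as FE80::/10, while section 2.5.6 defines the address format as the 10-bit prefix 1111111010, 54 zero bits, and a 64-bit interface identifier, which is why every well-formed link-local address sits inside fe80::/64. The check below classifies candidate gateway addresses against both definitions; the sample addresses are constructed from values in the thread (the VRRP VIP fe80::1:1 in Daniel's Junos output, and Grzegorz's proposed fe80:0db8:85a3:08d3::1 derived from 2001:0db8:85a3:08d3::/64).

```python
import ipaddress

# The two figures quoted in the thread (RFC 4291 sections 2.4 and 2.5.6).
LINK_LOCAL_ALLOCATION = ipaddress.IPv6Network("fe80::/10")  # IANA allocation
LINK_LOCAL_USABLE = ipaddress.IPv6Network("fe80::/64")      # /10 prefix + 54 zero bits

# Mask for the 54 bits between the 10-bit prefix and the 64-bit interface ID.
MIDDLE_54_MASK = (1 << 54) - 1


def classify_link_local(addr: str) -> dict:
    """Report how a candidate address relates to the link-local definitions.

    in_fe80_10  : inside the fe80::/10 allocation (the range Daniel cited)
    middle_zero : the 54 bits after the /10 prefix are zero, as RFC 4291 requires
    well_formed : both hold, i.e. the address lies in fe80::/64 (what Phil cited)
    """
    a = ipaddress.IPv6Address(addr)
    in_alloc = a in LINK_LOCAL_ALLOCATION
    middle = (int(a) >> 64) & MIDDLE_54_MASK  # top 64 bits, minus the /10 prefix
    return {
        "address": str(a),
        "in_fe80_10": in_alloc,
        "middle_zero": middle == 0,
        "well_formed": in_alloc and middle == 0 and a in LINK_LOCAL_USABLE,
    }


def rewrite_first_16_bits(global_addr: str) -> str:
    """Grzegorz's idea from the thread: keep the global address, swap its
    first 16 bits for fe80, and see what kind of address results."""
    value = int(ipaddress.IPv6Address(global_addr))
    value = (value & ((1 << 112) - 1)) | (0xFE80 << 112)
    return str(ipaddress.IPv6Address(value))


def audit_gateways(candidates) -> list:
    """Return (address, verdict) pairs for a list of candidate gateway addresses."""
    out = []
    for c in candidates:
        r = classify_link_local(c)
        if not r["in_fe80_10"]:
            verdict = "not link-local at all"
        elif not r["middle_zero"]:
            verdict = ("inside fe80::/10 but outside fe80::/64: RFC 4291 requires "
                       "the 54 bits after the prefix to be zero")
        else:
            verdict = "well-formed link-local"
        out.append((r["address"], verdict))
    return out


if __name__ == "__main__":
    # Sample input constructed from addresses that appear in the thread.
    derived = rewrite_first_16_bits("2001:0db8:85a3:08d3::1")  # fe80:db8:85a3:8d3::1
    for addr, verdict in audit_gateways(["fe80::1:1", "fe80::3", derived,
                                         "2001:0db8:85a3:08d3::1"]):
        print(f"{addr:26} {verdict}")
```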
From A.L.M.Buxey at lboro.ac.uk Thu Aug 27 06:39:49 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 27 Aug 2009 11:39:49 +0100
Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards
In-Reply-To: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU>
References: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU>
Message-ID: <20090827103949.GA503@lboro.ac.uk>

Hi,

> We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot chassis,
> and none of these modules come up all the way with SXI1 or 2.
>
> In Version 1 the modules were not even recognized yet were a supported
> device. In rev 2 they are recognized and indicate that they pass the
> diags after reload, but the status of module stays in OTHER and ports
> are non functional.
>
> The fix was supposed to be in rev SXI 2.
>
> Has anybody else seen this?

I always check the release notes - especially for older line cards support depends on the supervisor being used from the looks of things -

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2563690

alan

From gert at greenie.muc.de Thu Aug 27 06:41:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Aug 2009 12:41:01 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090827083554.GA17090@wildfire.net.ic.ac.uk>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk>
Message-ID: <20090827104100.GC117@greenie.muc.de>

Hi,

On Thu, Aug 27, 2009 at 09:35:54AM +0100, Phil Mayers wrote:
> IPv6 emulated the then-state-of-the-art IPX autoconfig mechanisms, and
> seems reluctant to admit it's missed out the last decade of operational
> knowledge acquired with IPv4.
>
> SLAAC should die the death it so richly deserves (except for link-local)
> and DHCPv6 should gain prefix advertisement capability.
SLAAC works *very* well for the things it was made for: zero-conf environments, with no dedicated DHCP server - as in "home networks" or "office networks".

It's not meant to be used for connecting customer sites to an ISP network, and it's not overly useful for numbering servers either - but that doesn't make it "death deserving".

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Grzegorz at Janoszka.pl Thu Aug 27 06:51:42 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Thu, 27 Aug 2009 12:51:42 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A965DD7.9070105@imperial.ac.uk>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk>
Message-ID: <4A96653E.20605@Janoszka.pl>

Phil Mayers wrote:
>> Do you have any plans for such IP division? I just thought about
>> replacing first 16 bits of public v6 address with fe80, but maybe you
>> have better ideas.
>
> I don't understand; all link-local IPs are
>
> fe80::/64
>
> i.e. link-local are always fe80:0000:0000:0000:
>
> You can't change this I think.

Link-local IPs are fe80::/10, so I planned to use fe80::/16 in my network just by replacing the first 16 bits of our public IPs. Can anyone say whether this is a bad or wrong idea?
:) -- Grzegorz Janoszka From blahu77 at gmail.com Thu Aug 27 07:05:43 2009 From: blahu77 at gmail.com (Mateusz Blaszczyk) Date: Thu, 27 Aug 2009 12:05:43 +0100 Subject: [c-nsp] RPS 675 question In-Reply-To: <4A94EB46.5030705@rollernet.us> References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2> <4A94E8D5.4030802@justinshore.com> <4A94EB46.5030705@rollernet.us> Message-ID: <20090827110543.GB4902@thorgal> On Wed, Aug 26, 2009 at 12:59:02AM -0700, Seth Mattinen wrote: > Justin Shore wrote: > > andrew2 at one.net wrote: > >> I'm getting ready to install some RPS 675's in order to dual cord some > >> 3750's and ran across this in the manual: > >> > > Don't forget rebooting to go back to internal power. Except on 2088 > series routers with an AC-IP power supply; they can switch back fine. > On the newest IOS (50SE) and 3560-G, all I had to do to switch back to internal PSU was to press the button. No reload, no reboot, no downtime. Best Regards, -mat -- Mateusz Blaszczyk pgp-key 0x64643FCE -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: Digital signature URL: From p.mayers at imperial.ac.uk Thu Aug 27 07:11:46 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 27 Aug 2009 12:11:46 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827104100.GC117@greenie.muc.de> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> Message-ID: <4A9669F2.1070905@imperial.ac.uk> Gert Doering wrote: > Hi, > > On Thu, Aug 27, 2009 at 09:35:54AM +0100, Phil Mayers wrote: >> IPv6 emulated the then-state-of-the-art IPX autoconfig mechanisms, and >> seems reluctant to admit it's missed out the last decade of operational >> knowledge acquired with IPv4. 
>> >> SLAAC should die the death it so richly deserves (except for link-local) >> and DHCPv6 should gain prefix advertisement capability. > > SLAAC works *very* well for the things it was made for: zero-conf > environments, with no dedicated DHCP server - as in "home networks" or > "office networks". Hmm. It seems to me that there are two types of networks:
1. Not connected to the internet at all i.e. no router etc. - in which case SLAAC can just allocate link-local addresses
2. A small network with a router - in which case, I fail to see why the router can't embed a DHCPv6 server just as easily as SEND/CGA/RFC5006 RA implementation
Basically, I think SLAAC should only ever allocate link-local. I'm fine with that - it does, as you say, do the job very well, and the ability to bootstrap subnet-local connectivity off link-local makes the next steps much easier, cleaner and saner. > > It's not meant to be used for connecting customer sites to an ISP > network, and it's not overly useful for numbering servers either - but > that doesn't make it "death deserving". Fair point. The problem is that there seems to be a zealous effort to shoehorn everything into SLAAC (e.g. DNS servers) and avoid bringing any "IPv4 mistakes" into IPv6. But some people seem to think DHCP is a "mistake", and DHCP options a "mistake" and allocating fixed IPs a "mistake". I cannot share that view. I think that holds IPv6 back, because a lot of enterprises aren't willing to be the guinea pigs for an unproven model where potentially rogue clients generate their own addresses as they please. I do think that there's nothing SLAAC can do that DHCPv6 can't do, if a prefix advertisement DHCPv6 option were created. And as I say, I wonder therefore what the point is - why couldn't these tiny home & office networks with ADSL just as easily embed a minimal DHCPv6 server, versus an RFC 5006 implementation?
Ironically we can't use DHCPv6 here even if we wanted to, because it doesn't work in 6vPE under SXI - I was told it was "harder than it seemed" and my TAC case was closed as they opened a PER - I think...
From jfitz at Princeton.EDU Thu Aug 27 07:17:52 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Thu, 27 Aug 2009 07:17:52 -0400 Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards In-Reply-To: <20090827103949.GA503@lboro.ac.uk> References: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU> <20090827103949.GA503@lboro.ac.uk> Message-ID: <57B9B5E4-58F4-439E-AF11-36884A911BF4@Princeton.EDU>
We have sup-7203C-10G and it shows the module being supported. It also works in SXI, just not SXI1 or 2. We are not running VSM. Jeff
WS-X6324-100FX-MM 1.52 A at 42 V 24-port 100FX Ethernet
- Single mode and multimode MT-RJ
- 128-KB per-port packet buffers
- QoS port architecture (Rx/Tx): 1q4t/2q2t
- Number of ports: 24
Number of port groups: 2
Port ranges per port group: 1-12, 13-24
Note: Not supported in virtual switch mode.
With Supervisor Engine 720-10GE: 12.2(33)SXH
With Supervisor Engine 720: 12.2(14)SX
With Supervisor Engine 32: 12.2(18)SXF
On Aug 27, 2009, at 6:39 AM, Alan Buxey wrote: > Hi, >> We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot >> chassis, >> and none of these modules come up all the way with SXI1 or 2. >> >> In Version 1 the modules were not even recognized yet were a >> supported >> device. In rev 2 they are recognized and indicate that they pass the >> diags after reload, but the status of module stays in OTHER and ports >> are non functional. >> >> The fix was supposed to be in rev SXI 2. >> >> Has anybody else seen this?
> > I always check the release notes - especially for older line cards > > > support depends on the supervisor being used from the looks of > things - > > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp2563690 > > alan
From nick at inex.ie Thu Aug 27 07:23:37 2009 From: nick at inex.ie (Nick Hilliard) Date: Thu, 27 Aug 2009 12:23:37 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827104100.GC117@greenie.muc.de> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> Message-ID: <4A966CB9.5030101@inex.ie>
On 27/08/2009 11:41, Gert Doering wrote: > SLAAC works *very* well for the things it was made for: zero-conf > environments, with no dedicated DHCP server - as in "home networks" or > "office networks". No it doesn't. After 13 years of ipv6 development, I still can't plug my mac or my windows box into an ipv6 only network and actually expect it to work, because RA/RDNSS client support is so hit and miss. Nick
From Reinhold.Fischer at gmx.net Thu Aug 27 07:27:55 2009 From: Reinhold.Fischer at gmx.net (Reinhold Fischer) Date: Thu, 27 Aug 2009 13:27:55 +0200 Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards In-Reply-To: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU> References: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU> Message-ID: <20090827112755.GA25801@fart>
Hi, On Thu, Aug 27, 2009 at 05:42:58AM -0400, Jeff Fitzwater wrote: > We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot chassis, > and none of these modules come up all the way with SXI1 or 2. > > In Version 1 the modules were not even recognized yet were a supported > device. In rev 2 they are recognized and indicate that they pass the > diags after reload, but the status of module stays in OTHER and ports > are non functional.
> > The fix was supposed to be in rev SXI 2. > > Has anybody else seen this? > I ran into the same problem. It is bug CSCta74315. According to our AS Engineer it should be fixed in SXI3 which is scheduled for November 2009. -- reinhold
From gert at greenie.muc.de Thu Aug 27 07:36:24 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 13:36:24 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A96653E.20605@Janoszka.pl> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> Message-ID: <20090827113624.GE117@greenie.muc.de>
Hi, On Thu, Aug 27, 2009 at 12:51:42PM +0200, Grzegorz Janoszka wrote: > Link-local IP's are fe80::/10, so I planned to use fe80::/16 in my > network just by replacing first 16 bits of our public IP's. > > Can anyone say whether this is bad or wrong idea? :) Bad *and* wrong. Link-locals are neither announced nor configured, they are just *there*, and it will always be fe80::/64 on every link. If you want to use "locally significant addresses", use ULAs. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Thu Aug 27 07:40:55 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 13:40:55 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A9669F2.1070905@imperial.ac.uk> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A9669F2.1070905@imperial.ac.uk> Message-ID: <20090827114055.GF117@greenie.muc.de>
Hi, On Thu, Aug 27, 2009 at 12:11:46PM +0100, Phil Mayers wrote: > But some people seem to think DHCP is a "mistake", and DHCP options a > "mistake" and allocating fixed IPs a "mistake". I cannot share that view. Well, as always "there's more than one way to do it". The fact that you like DHCP more, and that there are scenarios where DHCP is clearly better suited (especially DHCP prefix delegation [which is actually a fairly different protocol]...) doesn't mean all the people that like SLAAC are "wrong". > I think that holds IPv6 back, because a lot of enterprises aren't > willing to be the guinea pigs for an unproven model where potentially > rogue clients generate their own addresses as they please. So what exactly prevents a rogue IPv6 client that got an address from the DHCPv6 server from using the prefix known from DHCP from "generate its own address as it pleases"? A rogue client won't play by the rules - and won't really care if that rule is "DHCPv6" or "SLAAC". > I do think that there's nothing SLAAC can do that DHCPv6 can't do, if a > prefix advertisement DHCPv6 option were created. And as I say, I wonder > therefore what the point is - why couldn't these tiny home & office > networks with ADSL just as easily embed a minimal DHCPv6 server, versus > an RFC 5006 implementation?
I wonder what the point of "force DHCPv6 on everybody, just because DHCP is liked more by some" is...? A bit more tolerance and less "my solution is the only one that has any right to survive!" would have helped a lot here. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Thu Aug 27 07:42:24 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 13:42:24 +0200 Subject: [c-nsp] cisco router 2800/3800 serie In-Reply-To: <20090827102735.GB117@greenie.muc.de> References: <8D68760F464FFD40A01BF2FB374E4A2801CC1C850C16@SRVEXC02.aas.its.nja.dk> <4A95783F.3060402@justinshore.com> <1251312037.2932.36.camel@abehat.net.rm.dk> <20090827102735.GB117@greenie.muc.de> Message-ID: <20090827114224.GG117@greenie.muc.de>
Hi, On Thu, Aug 27, 2009 at 12:27:35PM +0200, Gert Doering wrote: > On Wed, Aug 26, 2009 at 08:40:37PM +0200, Peter Rathlev wrote: > > On Wed, 2009-08-26 at 13:00 -0500, Justin Shore wrote: > > > I suspect that the interface MTU of the 1841 may not go above 1500. > > > > It's even worse, it doesn't seem to support MTU != 1500 at all on the > > built in FE interfaces. > > Switch6(config)#system mtu ? > <1500-1998> MTU size in bytes Ugh. Sorry for that. This thread was mixing 3560 things (where "system mtu ..." makes sense) and 1841 questions (where it doesn't). So please ignore the comment above - it wasn't relevant as answer to the specific question. Not that any of this fits under the Subject: line of the thread - but the art of "start a new thread for a new topic" or "adjust the Subject:" seems to be a lost one. gert -- USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From daniel at bit.nl Thu Aug 27 07:42:38 2009 From: daniel at bit.nl (Daniel Verlouw) Date: Thu, 27 Aug 2009 13:42:38 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A96653E.20605@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> Message-ID: <1251373358.16185.60.camel@daniel.office.bit.nl>
On Thu, 2009-08-27 at 12:51 +0200, Grzegorz Janoszka wrote: > Link-local IP's are fe80::/10, so I planned to use fe80::/16 in my > network just by replacing first 16 bits of our public IP's. > > Can anyone say whether this is bad or wrong idea? :) VRRPv6 (on Junos at least) requires you to statically configure link-local addresses. We use the following scheme for each subnet:
fe80::1/64 = virtual
fe80::2/64 = first router
fe80::3/64 = second router
(all done using a commit script btw, so no addt'l manual labour involved) We don't use HSRP (yet), but I guess you could employ this in an HSRP environment as well and just tell -all- your customers to point to fe80::X:1 as default gateway. --Daniel.
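Added example, not part of the thread above: a small Python check of the link-local points made in this exchange. RFC 4291 section 2.5.6 defines a link-local unicast address as the 10-bit prefix 1111111010 followed by 54 zero bits and a 64-bit interface identifier, so the reserved block is fe80::/10 but every address a host will ever form or expect is in fe80::/64 (Gert's "it will always be fe80::/64 on every link"). The code shows what the "replace the first 16 bits of the public address with fe80" scheme actually produces, how the same fe80::1 next hop on every link (Daniel's scheme) is told apart by the zone index alone, and the conformant alternative of putting the global /64 into the interface-identifier half. Standard library only; 2001:db8::/32 is the documentation prefix and the interface names eth0/eth1 are made up.

```python
import ipaddress

LINK_LOCAL_BLOCK = ipaddress.IPv6Network("fe80::/10")   # reserved block (RFC 4291 2.5.6)
LINK_LOCAL_FORMAT = ipaddress.IPv6Network("fe80::/64")  # 10-bit prefix + 54 zero bits + IID
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")           # unique local addresses (RFC 4193)


def _strip_zone(addr):
    """Drop a zone index ("fe80::1%eth0") so the address part parses on any Python 3."""
    return ipaddress.IPv6Address(addr.split("%", 1)[0])


def is_rfc4291_link_local(addr):
    """True only for the form fe80:0:0:0:<interface id>, i.e. fe80::/64."""
    return _strip_zone(addr) in LINK_LOCAL_FORMAT


def stdlib_thinks_link_local(addr):
    """ipaddress.is_link_local tests fe80::/10 only, so it accepts addresses
    that no neighbour-discovery implementation will ever form."""
    return _strip_zone(addr).is_link_local


def classify(addr):
    """Rough scope classification; multicast and the rest are lumped as 'other'."""
    ip = _strip_zone(addr)
    if ip in LINK_LOCAL_FORMAT:
        return "link-local"
    if ip in LINK_LOCAL_BLOCK:
        return "in fe80::/10 but not RFC 4291 link-local format"
    if ip in ULA_BLOCK:
        return "unique local"
    return "other"


def swap_top16_with_fe80(global_addr):
    """The scheme proposed in the thread: keep a global address and overwrite
    its first 16 bits with fe80.  Returned as text so it can be classified."""
    value = int(ipaddress.IPv6Address(global_addr))
    value = (value & ((1 << 112) - 1)) | (0xFE80 << 112)
    return str(ipaddress.IPv6Address(value))


def link_local_with_prefix_as_iid(global_prefix):
    """A conformant way to get per-subnet unique link-locals: put the 64-bit
    global network prefix into the interface-identifier half (fe80::<prefix>)."""
    net = ipaddress.IPv6Network(global_prefix)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 network")
    top64 = int(net.network_address) >> 64
    return str(ipaddress.IPv6Address((0xFE80 << 112) | top64))


def gateway_for(ifname, virtual="fe80::1"):
    """With the same fe80::1 on every link, only the zone index says which
    link is meant, so the host-side next hop must carry it (ping/route syntax)."""
    if not is_rfc4291_link_local(virtual):
        raise ValueError(f"{virtual} is not an RFC 4291 link-local address")
    return f"{virtual}%{ifname}"


def gateway_table(interfaces, virtual="fe80::1"):
    """Daniel's scheme seen from a multi-homed host: identical next hop on
    every interface, disambiguated by zone index only."""
    return {ifname: gateway_for(ifname, virtual) for ifname in interfaces}


if __name__ == "__main__":
    proposed = swap_top16_with_fe80("2001:db8:1:2::1")   # constructed input
    print(proposed, "->", classify(proposed), "| stdlib says link-local:", stdlib_thinks_link_local(proposed))
    print(link_local_with_prefix_as_iid("2001:db8:1:2::/64"), "->", classify(link_local_with_prefix_as_iid("2001:db8:1:2::/64")))
    print(gateway_table(["eth0", "eth1"]))
```

The point to take away for config validation: Python's ipaddress.is_link_local (and many other tools) only test membership in fe80::/10, so they will happily call fe80:db8:1:2::1 link-local even though routers and hosts only ever generate and look for fe80::/64; check against the RFC 4291 format, not the reserved block.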
From p.mayers at imperial.ac.uk Thu Aug 27 08:05:11 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 27 Aug 2009 13:05:11 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827114055.GF117@greenie.muc.de> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A9669F2.1070905@imperial.ac.uk> <20090827114055.GF117@greenie.muc.de> Message-ID: <4A967677.8090904@imperial.ac.uk> Gert Doering wrote: > A bit more tolerance and less "my solution is the only one that has any > right to survive!" would have helped a lot here. You're right, and my language was unhelpful. Basically I'm venting ;o) and I'm sorry if I've offended you Gert - particularly as I've a lot of respect for your writing on this list. Interestingly I'm going to get a chance to find out how wrong my assumptions are - since SXI doesn't support DHCPv6 & 6vPE, we're going to have SLAAC everywhere. Hmm... 
From Grzegorz at Janoszka.pl Thu Aug 27 08:13:17 2009 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Thu, 27 Aug 2009 14:13:17 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <1251373358.16185.60.camel@daniel.office.bit.nl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> <1251373358.16185.60.camel@daniel.office.bit.nl> Message-ID: <4A96785D.8010604@Janoszka.pl>
Daniel Verlouw wrote: > On Thu, 2009-08-27 at 12:51 +0200, Grzegorz Janoszka wrote: > >> Link-local IP's are fe80::/10, so I planned to use fe80::/16 in my >> network just by replacing first 16 bits of our public IP's. >> >> Can anyone say whether this is bad or wrong idea? :) > > VRRPv6 (on Junos at least) requires you to statically configure > link-local addresses. We use the following scheme for each subnet: > > fe80::1/64 = virtual > fe80::2/64 = first router > fe80::3/64 = second router > > (all done using a commit script btw, so no addt'l manual labour > involved) > > We don't use HSRP (yet), but I guess you could employ this in an HSRP > environment as well and just tell -all- your customers to point to > fe80::X:1 as default gateway. Yes, but I wanted to have the LL addresses unique in our whole network. I can take group id, but what if you move a customer from one router to another and the given hsrp group id is already occupied? Yes, a solution would be to have hsrp groups totally unique in our network, but AFAIK the group id can be only 0-255, so it is way too little. I planned to use something unique and I wanted to make link-local out of the main v6 of the interface.
Why did they make v6 so complicated? What is wrong with public IP's on vrrp/hsrp? -- Grzegorz Janoszka
From daniel at bit.nl Thu Aug 27 08:22:05 2009 From: daniel at bit.nl (Daniel Verlouw) Date: Thu, 27 Aug 2009 14:22:05 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A96785D.8010604@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> <1251373358.16185.60.camel@daniel.office.bit.nl> <4A96785D.8010604@Janoszka.pl> Message-ID: <1251375725.16185.65.camel@daniel.office.bit.nl>
On Thu, 2009-08-27 at 14:13 +0200, Grzegorz Janoszka wrote: > Why did they make v6 so complicated? What is wrong with public IP's on > vrrp/hsrp? VRRPv6 -does- use global unicast addresses, so you can just tell your clients to point to the global unicast address. --Daniel.
From trejrco at gmail.com Thu Aug 27 08:28:22 2009 From: trejrco at gmail.com (TJ) Date: Thu, 27 Aug 2009 08:28:22 -0400 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A966CB9.5030101@inex.ie> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> Message-ID: <000001ca2711$debe6f30$9c3b4d90$@com>
While I agree the dearth of RA/DNS support is annoying, in all reality the environments that we are talking about aren't "v6 only". At least, the environments I work in, that is.
They still have v4 (even if RFC1918/NATed), and can rely on DHCP(v4) to get DNS (and other) information and SLAAC can and does work for v6 addressing. Is this ideal? Of course not, but I'd rather it not be mis-represented as totally dysfunctional. Please, push vendors to get RA+DNS (RFC5006) supported on router and host platforms. /TJ >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >bounces at puck.nether.net] On Behalf Of Nick Hilliard >Sent: Thursday, August 27, 2009 7:24 AM >To: Gert Doering >Cc: cisco-nsp at puck.nether.net; sthaug at nethelp.no; alex at digriz.org.uk >Subject: Re: [c-nsp] IPV6 in general was Re: Large networks > >On 27/08/2009 11:41, Gert Doering wrote: >> SLAAC works *very* well for the things it was made for: zero-conf >> environments, with no dedicated DHCP server - as in "home networks" or >> "office networks". > >No it doesn't. After 13 years of ipv6 development, I still can't plug my >mac or my windows box into an ipv6 only network and actually expect it to >work, because RA/RDNSS client support is so hit and miss. > >Nick
From almog.purepeak at gmail.com Thu Aug 27 08:30:03 2009 From: almog.purepeak at gmail.com (almog ohayon) Date: Thu, 27 Aug 2009 15:30:03 +0300 Subject: [c-nsp] Monitor 3560 Message-ID: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com>
Hello Everyone, I wondered if anyone knows how to monitor 3560 interface vlan traffic? I have only 1 uplink interface and lots of vlans through it and I don't know which vlan is busy and which one is not. Thanks.
From Grzegorz at Janoszka.pl Thu Aug 27 08:40:48 2009 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Thu, 27 Aug 2009 14:40:48 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <1251375725.16185.65.camel@daniel.office.bit.nl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> <1251373358.16185.60.camel@daniel.office.bit.nl> <4A96785D.8010604@Janoszka.pl> <1251375725.16185.65.camel@daniel.office.bit.nl> Message-ID: <4A967ED0.3090700@Janoszka.pl>
Daniel Verlouw wrote: > On Thu, 2009-08-27 at 14:13 +0200, Grzegorz Janoszka wrote: >> Why did they make v6 so complicated? What is wrong with public IP's on >> vrrp/hsrp? > > VRRPv6 -does- use global unicast addresses, so you can just tell your > clients to point to the global unicast address. Could you please point me to a cisco.com webpage confirming that? -- Grzegorz Janoszka
From A.L.M.Buxey at lboro.ac.uk Thu Aug 27 08:41:45 2009 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Thu, 27 Aug 2009 13:41:45 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A966CB9.5030101@inex.ie> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> Message-ID: <20090827124145.GC634@lboro.ac.uk>
Hi, > No it doesn't. After 13 years of ipv6 development, I still can't plug my > mac or my windows box into an ipv6 only network and actually expect it to > work, because RA/RDNSS client support is so hit and miss.
..whereas I can't plug my Mac into an IPv4 network and actually expect it to work ;-) alan
From A.L.M.Buxey at lboro.ac.uk Thu Aug 27 08:43:34 2009 From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey) Date: Thu, 27 Aug 2009 13:43:34 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827114055.GF117@greenie.muc.de> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A9669F2.1070905@imperial.ac.uk> <20090827114055.GF117@greenie.muc.de> Message-ID: <20090827124334.GD634@lboro.ac.uk>
Hi, > I wonder what the point of "force DHCPv6 on everybody, just because DHCP > is liked more by some" is...? ..that warm fuzzy feeling of familiarity in an alien world...plus knowing that you've already got logging/billing/etc sorted. Sure, you can pull info or get polled about SLAAC etc but that means retooling the whole process. alan
From daniel at bit.nl Thu Aug 27 08:44:58 2009 From: daniel at bit.nl (Daniel Verlouw) Date: Thu, 27 Aug 2009 14:44:58 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A967ED0.3090700@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <4A96653E.20605@Janoszka.pl> <1251373358.16185.60.camel@daniel.office.bit.nl> <4A96785D.8010604@Janoszka.pl> <1251375725.16185.65.camel@daniel.office.bit.nl> <4A967ED0.3090700@Janoszka.pl> Message-ID: <1251377098.16185.76.camel@daniel.office.bit.nl>
On Thu, 2009-08-27 at 14:40 +0200, Grzegorz Janoszka wrote: > > VRRPv6 -does- use global unicast addresses,
so you can just tell your > > clients to point to the global unicast address. > > Could you please point me a cisco.com webpage confirming that? Cisco doesn't support VRRPv6 yet afaik (?). For Juniper: please see the email I posted earlier in this thread with "show vrrp interface" output. --Daniel. From swmike at swm.pp.se Thu Aug 27 08:45:09 2009 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 27 Aug 2009 14:45:09 +0200 (CEST) Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A966CB9.5030101@inex.ie> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> Message-ID: On Thu, 27 Aug 2009, Nick Hilliard wrote: > No it doesn't. After 13 years of ipv6 development, I still can't plug > my mac or my windows box into an ipv6 only network and actually expect > it to work, because RA/RDNSS client support is so hit and miss. It works with DHCPv6, at least with Windows Vista. -- Mikael Abrahamsson email: swmike at swm.pp.se From Grzegorz at Janoszka.pl Thu Aug 27 08:45:29 2009 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Thu, 27 Aug 2009 14:45:29 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A965FD8.8050505@imperial.ac.uk> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> Message-ID: <4A967FE9.7080704@Janoszka.pl> Phil Mayers wrote: > Hmm. 
So in theory you can configure a router to advertise > fe80:something::/64 as the link prefix? > > Ok; why would you want to? Link-local prefixes are still link-local, it > just requires an extra link of config to make bits 11-64 the same as the > unicast prefix. You cannot have the same link-local IP's on different ifaces, can you? But maybe for IPv6 of 64-bit-network-prefix::/64 you may create fe80::64-bit-network-prefix as a gateway? -- Grzegorz Janoszka From daniel at bit.nl Thu Aug 27 08:47:38 2009 From: daniel at bit.nl (Daniel Verlouw) Date: Thu, 27 Aug 2009 14:47:38 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A967FE9.7080704@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> Message-ID: <1251377258.16185.78.camel@daniel.office.bit.nl> On Thu, 2009-08-27 at 14:45 +0200, Grzegorz Janoszka wrote: > You cannot have the same link-local IP's on different ifaces, can you? sure you can, that's what link-local is for. daniel at jun1.XXXX> show interfaces | match fe80::2$ | count Count: 16 lines --Daniel. From rwest at zyedge.com Thu Aug 27 08:50:19 2009 From: rwest at zyedge.com (Ryan West) Date: Thu, 27 Aug 2009 08:50:19 -0400 Subject: [c-nsp] RPS 675 question In-Reply-To: <20090827110543.GB4902@thorgal> References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2> <4A94E8D5.4030802@justinshore.com> <4A94EB46.5030705@rollernet.us> <20090827110543.GB4902@thorgal> Message-ID: Press what button? Sent from handheld. 
On Aug 27, 2009, at 7:23 AM, "Mateusz Blaszczyk" wrote: > On Wed, Aug 26, 2009 at 12:59:02AM -0700, Seth Mattinen wrote: >> Justin Shore wrote: >>> andrew2 at one.net wrote: >>>> I'm getting ready to install some RPS 675's in order to dual cord >>>> some >>>> 3750's and ran across this in the manual: >>>> >> >> Don't forget rebooting to go back to internal power. Except on 2088 >> series routers with an AC-IP power supply; they can switch back fine. >> > > On the newest IOS (50SE) and 3560-G, all I had to do to switch back to > internal PSU was to press the button. No reload, no reboot, no > downtime. > > Best Regards, > > -mat > > -- > Mateusz Blaszczyk > > pgp-key 0x64643FCE > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Grzegorz at Janoszka.pl Thu Aug 27 08:51:23 2009 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Thu, 27 Aug 2009 14:51:23 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <1251377258.16185.78.camel@daniel.office.bit.nl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> <1251377258.16185.78.camel@daniel.office.bit.nl> Message-ID: <4A96814B.1020205@Janoszka.pl> Daniel Verlouw wrote: > On Thu, 2009-08-27 at 14:45 +0200, Grzegorz Janoszka wrote: >> You cannot have the same link-local IP's on different ifaces, can you? > > sure you can, that's what link-local is for. 
> > daniel at jun1.XXXX> show interfaces | match fe80::2$ | count > Count: 16 lines So, can I have just fe80::1 as a virtual gateway on all interfaces in my network? I thought it was not possible. Does someone have such setup with Cisco? -- Grzegorz Janoszka From p.mayers at imperial.ac.uk Thu Aug 27 08:57:23 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 27 Aug 2009 13:57:23 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A967FE9.7080704@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> Message-ID: <4A9682B3.1060507@imperial.ac.uk> Grzegorz Janoszka wrote: > Phil Mayers wrote: >> Hmm. So in theory you can configure a router to advertise >> fe80:something::/64 as the link prefix? >> >> Ok; why would you want to? Link-local prefixes are still link-local, it >> just requires an extra link of config to make bits 11-64 the same as the >> unicast prefix. > > You cannot have the same link-local IP's on different ifaces, can you? Yes you can; in fact, it's the norm. 
This is the reason behind things like: ping fe80::something%eth0 ...or whatever your OS syntax is From gert at greenie.muc.de Thu Aug 27 09:08:31 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 15:08:31 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A967677.8090904@imperial.ac.uk> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A9669F2.1070905@imperial.ac.uk> <20090827114055.GF117@greenie.muc.de> <4A967677.8090904@imperial.ac.uk> Message-ID: <20090827130831.GH117@greenie.muc.de> Hi, On Thu, Aug 27, 2009 at 01:05:11PM +0100, Phil Mayers wrote: > Gert Doering wrote: > > >A bit more tolerance and less "my solution is the only one that has any > >right to survive!" would have helped a lot here. > > You're right, and my language was unhelpful. Basically I'm venting ;o) > and I'm sorry if I've offended you Gert - particularly as I've a lot of > respect for your writing on this list. No offense taken. I'm just a bit tired of this discussion, which keeps coming up on various lists every now and then - there's the "everything must be DHCP!" crowd, and the "DHCP is IPv4 crap, IPv6 doesn't need any of this!" crowd. Both sides usually refuse to acknowledge that the other side might have to offer something - and both sides stick to their ideology, slowing down progress for everyone. Like in "DNS options in SLAAC" - without any way to discover DNS, SLAAC is indeed completely useless, but the in-fighting inside IETF delayed this for how long? 10 years? Indeed, there are a few things wrong with SLAAC - but OTOH, there a few things *right*. 
For example: a router can do RA / SLAAC to add a new prefix to a network "in flight", which is tremendously cool to help renumbering - you add a prefix, deprecate the old prefix (but it's still usable), peacefully migrate DNS and what else can't be done automatically, and then turn off the old prefix. With the DHCP model of "a client has to go out and query for the prefix to be used" this would either mean "long turnover times" or "lots of query traffic". What I don't like about this model is that the hosts are supposed to auto-discover the routers, and "just pick one". We *like* to configure static default routes on our servers, and this just breaks with HSRP/VRRP doing link-local only. (VRRP doesn't require that, btw, it's just the way vendor J seems to have implemented it). So, yes, lots of things to learn and things to improve. (Which makes "rolling out IPv6 to get things fixed in time!" even more important) > Interestingly I'm going to get a chance to find out how wrong my > assumptions are - since SXI doesn't support DHCPv6 & 6vPE, we're going > to have SLAAC everywhere. Hmm... I hope that you'll find it useful enough for a number of scenarios :-) - and most of the "other" scenarios can be handled by static configuration... Where DHCPv6 is really needed is "DHCP prefix delegation to the CPE router and the network behind the CPE router". This would save lots of effort for large-scale deployments. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From cmadams at hiwaay.net Thu Aug 27 09:10:52 2009 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 27 Aug 2009 08:10:52 -0500 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <87prahd2n7.fsf@nemi.mork.no> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <87prahd2n7.fsf@nemi.mork.no> Message-ID: <20090827131052.GA1464872@hiwaay.net> Once upon a time, Bjørn Mork said: > We need to publish DNS servers, but RFC 5006 solves that. The other > DHCP options are mostly unnecessary bloat. "I don't need it so it is bloat" is a bad way of thinking. Those DHCP options are there because somebody uses them. PXE booting, Windows domain information, and more (in an easily extensible fashion) are there and are used. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From gert at greenie.muc.de Thu Aug 27 09:13:04 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 15:13:04 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A966CB9.5030101@inex.ie> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> Message-ID: <20090827131304.GI117@greenie.muc.de> Hi, On Thu, Aug 27, 2009 at 12:23:37PM +0100, Nick Hilliard wrote: > On 27/08/2009 11:41, Gert Doering wrote: > >SLAAC works *very* well for the things it was made for: zero-conf > >environments, with no dedicated DHCP server - as in "home networks" or > >"office networks". > > No it doesn't.
After 13 years of ipv6 development, I still can't plug my > mac or my windows box into an ipv6 only network and actually expect it to > work, because RA/RDNSS client support is so hit and miss. Yes. IETF really botched that "everything is automatic but we don't tell you how to discover DNS" part. Some devices use anycast DNS addresses - if I remember this right, I saw this on a nokia mobile, querying DNS at fec0:0:0:ffff::1 and :2 - nice idea, but not working very well either, because hardly anyone has DNS resolvers listening there... (OTOH: if you plug your laptop with 'a random choice of IPv6-enabled operating system' into an IPv6 only network with DHCPv6, does it work? I seem to remember that MacOS X doesn't do any DHCPv6, just SLAAC and mDNS...) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From sthaug at nethelp.no Thu Aug 27 09:59:33 2009 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Thu, 27 Aug 2009 15:59:33 +0200 (CEST) Subject: [c-nsp] Monitor 3560 In-Reply-To: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> References: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> Message-ID: <20090827.155933.104060568.sthaug@nethelp.no> > Hello Everyone, i wondered if anyone knows how to monitor 3560 interface vlan > traffic ? > i have only 1 uplink interface and lots of vlan through it and i don't know > which > vlan is busy and which one is not.. You can't. 3560 doesn't have the necessary per-VLAN hardware counters.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no From nick at inex.ie Thu Aug 27 10:01:18 2009 From: nick at inex.ie (Nick Hilliard) Date: Thu, 27 Aug 2009 15:01:18 +0100 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827131304.GI117@greenie.muc.de> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> <20090827131304.GI117@greenie.muc.de> Message-ID: <4A9691AE.1050303@inex.ie> On 27/08/2009 14:13, Gert Doering wrote: > (OTOH: if you plug your laptop with 'a random choice of IPv6-enabled > operating system' into an IPv6 only network with DHCPv6, does it work? > I seem to remember that MacOS X doesn't do any DHCPv6, just SLAAC and > mDNS...) I'm not pointing fingers or anything: just noting that in the 12 years that I've been poking around with ipv6, we don't yet have functional auto-configuration - which I note in passing was one of the supposed selling points of ipv6 in the first place. I'm still firmly of the opinion that this problem would have been solved years ago if the connectivity at ietf meetings was ipv6 only. 
Nick From asturluismi at gmail.com Thu Aug 27 10:16:47 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 27 Aug 2009 16:16:47 +0200 Subject: [c-nsp] Audit tool for Cisco Config files In-Reply-To: <755A73D3547BAE429728E2EC2AEDC60572D360D83E@EXMAIL.csuchico.edu> References: <755A73D3547BAE429728E2EC2AEDC60572D360D83E@EXMAIL.csuchico.edu> Message-ID: <1251382607.30101.0.camel@dsba-ipso> http://unix.freshmeat.net/projects/nipper From egregory at umd.edu Thu Aug 27 09:49:52 2009 From: egregory at umd.edu (egregory) Date: Thu, 27 Aug 2009 09:49:52 -0400 Subject: [c-nsp] SXI1 and 2 breaks 100FX-MM boards In-Reply-To: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU> References: <8814F300-6AA6-4213-B510-AE704ACF7A79@Princeton.EDU> Message-ID: <4A968F00.7010109@umd.edu> I have run into the exact same problem here. ======================================= Eric Gregory Network and Telecommunications Services University of Maryland ======================================= Jeff Fitzwater wrote: > We have 24 port 100FX MM boards WS-X6324-100FX-MM in a 13 slot > chassis, and none of these modules come up all the way with SXI1 or 2. > > In Version 1 the modules were not even recognized yet were a supported > device. In rev 2 they are recognized and indicate that they pass the > diags after reload, but the status of module stays in OTHER and ports > are non functional. > > The fix was suppose to be in rev SXI 2. > > Has anybody else seen this? 
> > > > > Jeff Fitzwater > OIT Network Systems > Princeton University From asturluismi at gmail.com Thu Aug 27 10:21:59 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 27 Aug 2009 16:21:59 +0200 Subject: [c-nsp] %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44 Message-ID: <1251382919.30101.4.camel@dsba-ipso> Hi all, I just configured a cisco 1841 to create an ipsec vpn against another network (exactly against a PFSense box) and I am seeing a lot of messages like

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44

I was checking the "Error Message Decoder" but I didn't find any useful information there. So I would like to know if someone here saw this message before and maybe can give some clue about what things I should start to look at. So far, the VPN seems to work ok. Thanks in advance. From domintefamily at yahoo.co.uk Thu Aug 27 09:37:28 2009 From: domintefamily at yahoo.co.uk (C and C Dominte) Date: Thu, 27 Aug 2009 13:37:28 +0000 (GMT) Subject: [c-nsp] sh mac-addr dyn times out Message-ID: <365426.88426.qm@web27906.mail.ukl.yahoo.com> I recently configured two Catalyst 6509 switches in a VSS cluster. When I am issuing the command "show mac-address-table dynamic", I'm getting the following output:

Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age          ports
------+----------------+--------+-----+----------+--------------------------
MAC entries unavailable, please try later!
No entries present.
The command is issued periodically (every 5 minutes), to read the MAC address table. After the VSS cluster was configured, I used to get this output once in a while, but after a few weeks, almost every time this command is issued, it returns this error. This did not happen before the cluster was in place. Has anyone experienced anything similar? Thank you Catalin From maillist at thelan.no Thu Aug 27 11:25:54 2009 From: maillist at thelan.no (Harald Firing Karlsen) Date: Thu, 27 Aug 2009 17:25:54 +0200 Subject: [c-nsp] Monitor 3560 In-Reply-To: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> References: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> Message-ID: <4A96A582.6040801@thelan.no> almog ohayon wrote: > Hello Everyone, i wondered if anyone knows how to monitor 3560 interface vlan > traffic ? > i have only 1 uplink interface and lots of vlan through it and i don't know > which > vlan is busy and which one is not.. > The Cisco Catalyst 3560 platform doesn't update VLAN interface statistics for traffic other than that destined to the switch itself (receive FIB entries). -- Harald Firing Karlsen From paul at paulstewart.org Thu Aug 27 11:35:41 2009 From: paul at paulstewart.org (Paul Stewart) Date: Thu, 27 Aug 2009 11:35:41 -0400 Subject: [c-nsp] VPN Auditing Message-ID: <004801ca272c$09bf3290$1d3d97b0$@org> Hi folks... We have a site that runs a Cisco 2800 with an IOS VPN server. Users connect via their Cisco VPN clients to gain access to an internal network there... I would like to start auditing it a bit more and have a way to tell who logged in and when. Is this difficult? I've searched around and found more complex things that can be accomplished but currently the security policy only permits user authentication auditing. The users are currently authenticated off a local configuration - would moving them to Radius make more sense or can I do this with builtin usernames?
Best regards, Paul From mohacsi at niif.hu Thu Aug 27 11:49:23 2009 From: mohacsi at niif.hu (Mohacsi Janos) Date: Thu, 27 Aug 2009 17:49:23 +0200 (CEST) Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A966CB9.5030101@inex.ie> References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> Message-ID: On Thu, 27 Aug 2009, Nick Hilliard wrote: > On 27/08/2009 11:41, Gert Doering wrote: >> SLAAC works *very* well for the things it was made for: zero-conf >> environments, with no dedicated DHCP server - as in "home networks" or >> "office networks". > > No it doesn't. After 13 years of ipv6 development, I still can't plug my mac > or my windows box into an ipv6 only network and actually expect it to work, > because RA/RDNSS client support is so hit and miss. Blame Apple and Microsoft. 
Regards, Janos Mohacsi From gsgranados at comcast.net Thu Aug 27 11:56:19 2009 From: gsgranados at comcast.net (Scott Granados) Date: Thu, 27 Aug 2009 08:56:19 -0700 Subject: [c-nsp] IPV6 in general was Re: Large networks References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu><20090826.211833.71103910.sthaug@nethelp.no><20090827.095917.74721147.sthaug@nethelp.no><20090827083554.GA17090@wildfire.net.ic.ac.uk><20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie><20090827131304.GI117@greenie.muc.de> <4A9691AE.1050303@inex.ie> Message-ID: <007c01ca272e$f78f1a10$2208120a@am.thmulti.com> That and having the free IPV6 porn as a motivator sooner might have helped too.;) ----- Original Message ----- From: "Nick Hilliard" To: "Gert Doering" Cc: Sent: Thursday, August 27, 2009 7:01 AM Subject: Re: [c-nsp] IPV6 in general was Re: Large networks > On 27/08/2009 14:13, Gert Doering wrote: >> (OTOH: if you plug your laptop with 'a random choice of IPv6-enabled >> operating system' into an IPv6 only network with DHCPv6, does it work? >> I seem to remember that MacOS X doesn't do any DHCPv6, just SLAAC and >> mDNS...) > > I'm not pointing fingers or anything: just noting that in the 12 years > that I've been poking around with ipv6, we don't yet have functional > auto-configuration - which I note in passing was one of the supposed > selling points of ipv6 in the first place. > > I'm still firmly of the opinion that this problem would have been solved > years ago if the connectivity at ietf meetings was ipv6 only. 
> > Nick From sethm at rollernet.us Thu Aug 27 12:20:18 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Thu, 27 Aug 2009 09:20:18 -0700 Subject: [c-nsp] RPS 675 question In-Reply-To: <20090827110543.GB4902@thorgal> References: <053601ca25c5$0d181eb0$2a00a8c0@andrew2> <4A94E8D5.4030802@justinshore.com> <4A94EB46.5030705@rollernet.us> <20090827110543.GB4902@thorgal> Message-ID: <4A96B242.3030402@rollernet.us> Mateusz Blaszczyk wrote: > On Wed, Aug 26, 2009 at 12:59:02AM -0700, Seth Mattinen wrote: >> Justin Shore wrote: >>> andrew2 at one.net wrote: >>>> I'm getting ready to install some RPS 675's in order to dual cord some >>>> 3750's and ran across this in the manual: >>>> >> Don't forget rebooting to go back to internal power. Except on 2088 >> series routers with an AC-IP power supply; they can switch back fine. >> > > On the newest IOS (50SE) and 3560-G, all I had to do to switch back to > internal PSU was to press the button. No reload, no reboot, no downtime. > Yes, the newer hardware fixed that stupid reboot to fall back problem. I don't know why I wrote "2088", I meant 2800 series. IOS version doesn't matter, it's a hardware thing with the power supply. ~Seth From mailinglists at unix-scripts.com Thu Aug 27 12:32:30 2009 From: mailinglists at unix-scripts.com (Shaun R.)
Date: Thu, 27 Aug 2009 09:32:30 -0700 Subject: [c-nsp] Large networks In-Reply-To: <20090827002220.M92717@fast-serv.com> References: <4A9488B8.1000201@ibctech.ca><20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><67FA6A8A-69EB-4F4A-B453-AA93674D5C4A@hughes.com.au> <20090827002220.M92717@fast-serv.com> Message-ID: > With the number of virtual servers most of us are hosting you would run > out of > VLAN's very quickly. What I do is static route subnets to host nodes and > let > the host nodes do the L3 work. This takes care of MAC address conflicts, > spoofing, and many other problems. So you still carve out a subnet for each vps? For me that didn't make sense to do because now each customer gets 4 ips (/30) and it seems like a waste of space. A vps with 40 nodes will consume 2/3's of a /24. With IPv6 i guess it wouldn't matter :) I was just trying to do my best to save ips. ebtables acts as an ACL on the edge interface. ~Shaun From mksmith at adhost.com Thu Aug 27 13:00:35 2009 From: mksmith at adhost.com (Michael K.
Smith - Adhost) Date: Thu, 27 Aug 2009 10:00:35 -0700 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A963A28.9040109@Janoszka.pl> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de><1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> Message-ID: <17838240D9A5544AAA5FF95F8D52031606934394@ad-exh01.adhost.lan> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Grzegorz Janoszka > Sent: Thursday, August 27, 2009 12:48 AM > To: Daniel Verlouw > Cc: Gert Doering; cisco_nsp > Subject: Re: [c-nsp] IPV6 in general was Re: Large networks > > Daniel Verlouw wrote: > > No real experience with HSRP though, can anyone shed some light on > that? > > I understand it only works for link-local addresses? > > Yes, unfortunately it is only link-local. I am just trying to figure it > out how to marry link-local with our global ipv6 assignments. > I have GSR's that don't (and probably will never) support v6-HSRP/VRRP or weighted RA's so I kludged it by anycasting the gateway address from my two core routers. It's not pretty, but it does work, albeit it takes about 20 seconds to fail over. 
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip address
 no ip redirects
 no ip directed-broadcast
 ipv6 address ::1/64 anycast
 ipv6 address ::2/64
 ipv6 enable
 ipv6 nd ra-interval 3
 ipv6 nd ra-lifetime 5
 ipv6 nd suppress-ra

Regards, Mike From rsm at fast-serv.com Thu Aug 27 13:08:32 2009 From: rsm at fast-serv.com (Randy McAnally) Date: Thu, 27 Aug 2009 13:08:32 -0400 Subject: [c-nsp] Monitor 3560 In-Reply-To: <4A96A582.6040801@thelan.no> References: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> <4A96A582.6040801@thelan.no> Message-ID: <20090827170714.M94697@fast-serv.com> It does, however, count traffic routed between VLANs. -- Randy www.FastServ.com ---------- Original Message ----------- From: Harald Firing Karlsen To: almog ohayon Cc: cisco-nsp at puck.nether.net Sent: Thu, 27 Aug 2009 17:25:54 +0200 Subject: Re: [c-nsp] Monitor 3560 > almog ohayon wrote: > > Hello Everyone, i wondered if anyone knows how to monitor 3560 interface vlan > > traffic ? > > i have only 1 uplink interface and lots of vlan through it and i don't know > > which > > vlan is busy and which one is not.. > > > The Cisco Catalyst 3560 platform doesn't update VLAN interface > statistics for traffic other than that destined to the switch itself > (receive FIB entries).
> > -- > Harald Firing Karlsen ------- End of Original Message ------- From peter at rathlev.dk Thu Aug 27 13:44:12 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 27 Aug 2009 19:44:12 +0200 Subject: [c-nsp] %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44 In-Reply-To: <1251382919.30101.4.camel@dsba-ipso> References: <1251382919.30101.4.camel@dsba-ipso> Message-ID: <1251395052.3177.35.camel@abehat.net.rm.dk> On Thu, 2009-08-27 at 16:21 +0200, luismi wrote: > I just configured a cisco 1841 to create an ipsec vpn against another > network (exactly against a PFSense box) and I am seeing a lot of messages > like > > %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with > peer at 11.22.33.44 > %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with > peer at 11.22.33.44 > %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with > peer at 11.22.33.44 > > I was checking the "Error Message Decoder" but I didn't find any > useful information there. Currently #3 result when searching cisco.com for the keywords "CRYPTO-6-IKMP_MODE_FAILURE quick mode": http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml This would lead me to think that there was no ISAKMP policy match between the two endpoints. > So far, the VPN seems to work ok. Does this mean that the tunnel towards 11.22.33.44 is established even with the above error message? And that the problem is then the technically cosmetic but still problematic issue of the log message? Or does the tunnel not work?
Regards, Peter From rsm at fast-serv.com Thu Aug 27 13:51:46 2009 From: rsm at fast-serv.com (Randy McAnally) Date: Thu, 27 Aug 2009 13:51:46 -0400 Subject: [c-nsp] Large networks In-Reply-To: References: <4A9488B8.1000201@ibctech.ca><20090826100203.GE117@greenie.muc.de><002401ca264c$79d62dd0$0a00000a@nil.si><20090826135034.GI117@greenie.muc.de><20090826135815.GJ117@greenie.muc.de><67FA6A8A-69EB-4F4A-B453-AA93674D5C4A@hughes.com.au> <20090827002220.M92717@fast-serv.com> Message-ID: <20090827174918.M55717@fast-serv.com> No, we actually carve out one or more subnets for each VPS host and assign individual IPs to each VPS. Few IPs are wasted. The only drawback is that a VPS must change IP to be shifted to an alternate node. -- Randy ---------- Original Message ----------- From: "Shaun R." To: cisco-nsp at puck.nether.net Sent: Thu, 27 Aug 2009 09:32:30 -0700 Subject: Re: [c-nsp] Large networks > > With the number of virtual servers most of us are hosting you would run > > out of > > VLAN's very quickly. What I do is static route subnets to host nodes and > > let > > the host nodes do the L3 work. This takes care of MAC address conflicts, > > spoofing, and many other problems. > > So you still carve out a subnet for each vps? For me that didn't make > sense to do because now each customer gets 4 ips (/30) and it seems > like a waste of space. A vps with 40 nodes will consume 2/3's of a > /24. With IPv6 i guess it wouldn't matter :) I was just trying to > do my best to save ips. ebtables acts as an ACL on the edge interface.
> > ~Shaun ------- End of Original Message ------- From gert at greenie.muc.de Thu Aug 27 14:03:20 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 20:03:20 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <4A967FE9.7080704@Janoszka.pl> References: <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> Message-ID: <20090827180320.GJ117@greenie.muc.de> Hi, On Thu, Aug 27, 2009 at 02:45:29PM +0200, Grzegorz Janoszka wrote: > You cannot have the same link-local IP's on different ifaces, can you? You can. As it is link-*local*, whatever is on one interface has no relevance to what is on other interfaces. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Thu Aug 27 14:05:02 2009 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 27 Aug 2009 20:05:02 +0200 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <17838240D9A5544AAA5FF95F8D52031606934394@ad-exh01.adhost.lan> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <4A963A28.9040109@Janoszka.pl> <17838240D9A5544AAA5FF95F8D52031606934394@ad-exh01.adhost.lan> Message-ID: <20090827180502.GK117@greenie.muc.de> Hi, On Thu, Aug 27, 2009 at 10:00:35AM -0700, Michael K. Smith - Adhost wrote: > ipv6 address ::1/64 anycast That's cool. How exactly does it work? I assume that the "anycast" suffix will suppress DAD, and then the client will use whichever router answers first on the ND request for ::1, and when NUD strikes, the next ND will get the other router? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From asturluismi at gmail.com Thu Aug 27 14:52:57 2009 From: asturluismi at gmail.com (luismi) Date: Thu, 27 Aug 2009 20:52:57 +0200 Subject: [c-nsp] %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44 In-Reply-To: <1251395052.3177.35.camel@abehat.net.rm.dk> References: <1251382919.30101.4.camel@dsba-ipso> <1251395052.3177.35.camel@abehat.net.rm.dk> Message-ID: <1251399177.10387.2.camel@dsba-ipso> First of all, thanks to everyone; after a detailed review of my Cisco config as well as several coffees I fixed it.
The problem was some errors in the ACLs related to the crypto map. Now everything is ok :-D Thanks again. From NMaio at guesswho.com Thu Aug 27 16:58:06 2009 From: NMaio at guesswho.com (NMaio at guesswho.com) Date: Thu, 27 Aug 2009 16:58:06 -0400 Subject: [c-nsp] EEM Question Message-ID: <2AA600764E54964491083B1E0EC81A30124171294F@EXCLUS.nationala-1advertising.com> Does anybody know why when using EEM to write to syslog after an event there is an extra blank line written? And if so how to stop that from happening. I have a quick applet that just checks to see if the router was configured by snmp and then writes a log message but every time it also writes an extra line to syslog. This is happening on a 3825 running ADVIPSERVICESK9 Version 12.4(17b) Thanks, Nick From mksmith at adhost.com Thu Aug 27 17:15:51 2009 From: mksmith at adhost.com (Michael K. Smith - Adhost) Date: Thu, 27 Aug 2009 14:15:51 -0700 Subject: [c-nsp] IPV6 in general was Re: Large networks In-Reply-To: <20090827180502.GK117@greenie.muc.de> References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <4A963A28.9040109@Janoszka.pl> <17838240D9A5544AAA5FF95F8D52031606934394@ad-exh01.adhost.lan> <20090827180502.GK117@greenie.muc.de> Message-ID: <17838240D9A5544AAA5FF95F8D5203160693441D@ad-exh01.adhost.lan> > > Hi, > > On Thu, Aug 27, 2009 at 10:00:35AM -0700, Michael K. Smith - Adhost > wrote: > > ipv6 address ::1/64 anycast > > That's cool. How exactly does it work? I haven't been able to find anything specifically on Cisco's website about how it really works. Even the tech docs just say it has to do with geographic locale - the closer one wins. I'm not sure how the devices (in this case, FreeBSD boxes running PF) know which is closer, but they do.
:-) > > I assume that the "anycast" suffix will suppress DAD, and then the > client will use whichever router answers first on the ND request for > ::1, and when NUD strikes, the next ND will get the other router? > I read through RFC2373 and it doesn't detail how it works either - it just specifies what you can and cannot do. The main point is that anycast only works on routers, not hosts. I can tell you that the router shows that DAD is *not* enabled on either interface. But, this is interesting. When I ping the ::1 address from one of the PF boxes, the neighbor entry changes from "state" to "reach" which seems to indicate that the "reach" router is being seen as geographically closer. Mike From shinejoseph at dodo.com.au Thu Aug 27 18:30:19 2009 From: shinejoseph at dodo.com.au (Shine Joseph) Date: Fri, 28 Aug 2009 06:30:19 +0800 Subject: [c-nsp] Wireless LAN controller 5508 on VSS Message-ID: Hi, Can someone guide me if I can use WLC 5508's with all the 8 ports connected to a VSS, with 4 links to each chassis? The reason I am asking this question is; in the documentation of VSS it says not to turn off LACP or PAgP for creating MEC. But, for WLC LAG, the portchannel negotiation must be turned off. Any pointers are welcome.
TIA Shine From andy.saykao at staff.netspace.net.au Thu Aug 27 19:18:57 2009 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Fri, 28 Aug 2009 09:18:57 +1000 Subject: [c-nsp] MST and Uplinkfast References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au><688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au> <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au> <4EF7C23B9231A14E99C9016F65B13B8C098DB500@PDXEX01.webtrends.corp> Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB77@vic-cr-ex1.staff.netspace.net.au> Hi All, I have noticed that with MST and rapid failover that those ports which are not boundary ports or do not have portfast enabled go through the blocking, listening and learning states again before forwarding. Here's me shutting off the primary link Gi0/49. You can see the redundant link on Gi0/51 goes straight into forwarding but those ports which are not boundary ports or do not have portfast enabled go through their various states again. 
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg BLK 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg BLK 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg LRN 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg LRN 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg FWD 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p

When I bring the primary link back up, those same ports go through their
blocking, listening and learning states again.
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg BLK 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg BLK 200000    128.4    P2p
Gi0/49           Root FWD 20000     128.49   P2p
Gi0/51           Altn BLK 40000     128.51   P2p

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg LRN 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg LRN 200000    128.4    P2p
Gi0/49           Root FWD 20000     128.49   P2p
Gi0/51           Altn BLK 40000     128.51   P2p

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg FWD 200000    128.4    P2p
Gi0/49           Root FWD 20000     128.49   P2p
Gi0/51           Altn BLK 40000     128.51   P2p

I guess what I'll take out of this with MST is that I should enable portfast
on those ports where we have devices that cannot tolerate a failover of
20-30 secs, as the port needs to go through its spanning tree states
whenever a failover occurs and does the same thing again when the primary
link is restored.

Cheers.

Andy
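One way to turn snapshots like the ones above into a list of ports that need edge-port treatment, as an added example that is not part of the original post: it parses the 'show spanning-tree mst' tables, keeps the designated, non-boundary ports that dropped out of forwarding during the failover, and emits portfast/bpduguard stanzas for them. The sample tables are copied from the post's own output; the interface-prefix map is an assumption covering the usual IOS short names.

```python
import re
from collections import OrderedDict

# Three 'show spanning-tree mst' snapshots taken while the primary uplink
# Gi0/49 was shut, copied from the output quoted in the post above.
SNAPSHOTS = [
    """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg BLK 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg BLK 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p
""",
    """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg LRN 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg LRN 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p
""",
    """\
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/1            Desg FWD 2000000   128.1    P2p
Gi0/2            Desg FWD 2000000   128.2    P2p Bound(STP)
Gi0/3            Desg FWD 200000    128.3    P2p Bound(STP)
Gi0/4            Desg FWD 200000    128.4    P2p
Gi0/51           Root FWD 40000     128.51   P2p
""",
]

# Interface prefixes as printed by 'show', expanded to configuration-mode names (assumed map).
PREFIXES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def parse_mst_table(text):
    """Parse one snapshot into {interface: {"role", "sts", "cost", "prio", "type"}}."""
    ports = OrderedDict()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line, the dashed rule and anything blank or truncated.
        if len(fields) < 6 or fields[0] == "Interface" or fields[0].startswith("-"):
            continue
        iface, role, sts, cost, prio = fields[:5]
        # 'Type' may span several words, e.g. 'P2p Bound(STP)'.
        ports[iface] = {"role": role, "sts": sts, "cost": int(cost),
                        "prio": prio, "type": " ".join(fields[5:])}
    return ports


def edge_candidates(snapshots):
    """Return {interface: [states seen]} for designated, non-boundary ports that
    left FWD during the event.

    Uplinks (Root/Altn roles) are expected to change and boundary ports follow
    the neighbouring STP region, so what remains are host-facing ports whose
    devices saw an outage: the ones that should have been edge (portfast) ports.
    """
    history = OrderedDict()
    for snap in map(parse_mst_table, snapshots):
        for iface, port in snap.items():
            h = history.setdefault(iface, {"roles": set(), "states": [], "boundary": False})
            h["roles"].add(port["role"])
            h["boundary"] = h["boundary"] or "Bound" in port["type"]
            # Record transitions only, not every repeated sample.
            if not h["states"] or h["states"][-1] != port["sts"]:
                h["states"].append(port["sts"])
    return {iface: h["states"] for iface, h in history.items()
            if h["roles"] == {"Desg"} and not h["boundary"]
            and any(state != "FWD" for state in h["states"])}


def portfast_config(interfaces):
    """Emit IOS interface stanzas that mark the ports as edge ports and err-disable
    them if a BPDU ever arrives (portfast with bpduguard)."""
    lines = []
    for iface in interfaces:
        m = re.match(r"([A-Za-z]+)(\S+)$", iface)
        name = PREFIXES.get(m.group(1), m.group(1)) + m.group(2)
        lines += ["interface " + name,
                  " spanning-tree portfast",
                  " spanning-tree bpduguard enable"]
    return lines


if __name__ == "__main__":
    found = edge_candidates(SNAPSHOTS)
    for iface, states in found.items():
        print("%-8s %s" % (iface, " -> ".join(states)))
    print("\n".join(portfast_config(found)))
```

Run against the restore-side snapshots as well: Gi0/51 then shows a constant Altn/BLK, which the role filter correctly ignores as an expected alternate uplink.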
From ltd at cisco.com Thu Aug 27 22:07:22 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 28 Aug 2009 12:07:22 +1000
Subject: [c-nsp] MST and Uplinkfast
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB77@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au> <688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au> <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au> <4EF7C23B9231A14E99C9016F65B13B8C098DB500@PDXEX01.webtrends.corp> <56F211C5E3F24F47B103EA1B253822BE044AAB77@vic-cr-ex1.staff.netspace.net.au>
Message-ID:

On 28/08/2009, at 9:18 AM, Andy Saykao wrote:
> I have noticed that with MST and rapid failover that those ports which
> are not boundary ports or do not have portfast enabled go through the
> blocking, listening and learning states again before forwarding.

whether it's PVRST+ or MST used, you should always mark your 'edge' ports
correctly as being 'edge' such that they are operating as "portfast" with
"bpduguard".

it sounds like you have edge ports configured as "network" ports - so the
system HAS to wait for the "forwarding delay".

since you're saying that is 30 seconds not 15 seconds, that implies the
system is falling back to legacy (802.1D-2004) behavior.

cheers,

lincoln.

From trejrco at gmail.com Thu Aug 27 22:18:52 2009
From: trejrco at gmail.com (TJ)
Date: Thu, 27 Aug 2009 22:18:52 -0400
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <17838240D9A5544AAA5FF95F8D5203160693441D@ad-exh01.adhost.lan>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <4A963A28.9040109@Janoszka.pl> <17838240D9A5544AAA5FF95F8D52031606934394@ad-exh01.adhost.lan> <20090827180502.GK117@greenie.muc.de> <17838240D9A5544AAA5FF95F8D5203160693441D@ad-exh01.adhost.lan>
Message-ID: <014001ca2785$e3a07d80$aae17880$@com>

Good evening!
> I read through RFC2373 and it doesn't detail how it works either - it just
> specifies what you can and cannot do. The main point is that anycast only
> works on routers, not hosts. I can tell you that the router shows that DAD
> is *not* enabled on either interface. But, this is interesting. When I
> ping the ::1 address from one of the PF boxes, the neighbor entry changes
> from "state" to "reach" which seems to indicate that the "reach" router is
> being seen as geographically closer.

2373 is two revisions old, try http://tools.ietf.org/html/rfc4291 ...
amongst other changes, it relaxes the whole (quite silly) "router only"
language.

In principle, yes - anycast is one-to-one-of-many, with the "nearest"
answering. When they are not on the same link then "nearest" is defined by
the underlying routing topology (with equidistant falling into equal-cost
multi-path, where approp.). When on the same link, "nearest" usually means
"answers first".

Amongst other things, anycast is used for the DNS root servers that we all
hopefully agree are rather important. And for littler things like 6to4
relays. Or any other time we want some cheap and easy
fault-tolerance/redundancy or better performance + easier configuration by
distributing the point of service.

/TJ

From andy.saykao at staff.netspace.net.au Fri Aug 28 01:49:50 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Fri, 28 Aug 2009 15:49:50 +1000
Subject: [c-nsp] MST and Uplinkfast
References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au> <688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au> <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au> <4EF7C23B9231A14E99C9016F65B13B8C098DB500@PDXEX01.webtrends.corp> <56F211C5E3F24F47B103EA1B253822BE044AAB77@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB7D@vic-cr-ex1.staff.netspace.net.au>

Hi Lincoln,

We may have to do what you have suggested - thanks for the suggestion.
I labbed all this up today with mixed results. Basic access layer switch
with an access port (laptop plugged into it) and two links out (one to
dist1-switch and one to dist2-switch). Each dist switch connecting to a core
switch. I then shut the primary link on the access switch to see what
happens to the access port. I also had a constant ping from the core switch
to the laptop.

Vanilla config on access switch:

interface GigabitEthernet1/0/1
 description Laptop plugged in
 switchport access vlan 2
 switchport mode access
 no ip address

Results:

2950 - PVST (access port stays forwarding) - MST (access port goes through blk,list,lrn) - IOS 12.1(22)EA8a
3750 - PVST (access port stays forwarding) - MST (access port stays forwarding) - IOS 12.1(19)EA1
3560 - PVST (untested but should stay forwarding) - MST (access port goes through blk,list,lrn) - IOS 12.2(40)SE

MST's uplinkfast implementation seems to behave differently depending on
which hardware platform you're using. If you've got 2950's and 3560's in
your network, you'll have to set the access ports to portfast and enable
bpduguard. No need to configure anything on the 3750's (although it would be
best practice to also define these access ports as edge ports).

Cheers.

Andy

From mtinka at globaltransit.net Fri Aug 28 03:29:44 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 28 Aug 2009 15:29:44 +0800
Subject: [c-nsp] USB Insertion/Removal Causes Reboot
Message-ID: <200908281529.51680.mtinka@globaltransit.net>

On Thursday 27 August 2009 10:25:37 am Clayton Zekelman wrote:
> Has anyone seen an issue with a NPE-G2 where insertion or
> removal of a USB flashdrive causes the router to crash
> and reboot?

In an almost similar case, we noticed high CPU usage when re-inserting a
compact flash drive (back) into an NPE-G1/G2 running SRC code, to the extent
that BFD complained and brought down IS-IS on at least one of the
network-facing ports.

We chalked it down to the router re-initializing the compact flash drive
when it's re-inserted, eating up tons of CPU and causing a couple of
"ripples" with some of the software processes.
It's been a while since we had to physically move the drives from/into the
router, and I'm not sure whether any other customers have addressed this
issue with Cisco, but we've moved a couple of SRC revisions ahead, and don't
know whether it's still a problem.

Cheers,

Mark.

From tomas at soitron.com Fri Aug 28 05:33:37 2009
From: tomas at soitron.com (Daniska Tomas)
Date: Fri, 28 Aug 2009 11:33:37 +0200
Subject: [c-nsp] instabilities with SXI2?
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302516D7F@kenya.tronet.as>

> Hi,
>
> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?
>
> We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G
> that is a bit unhappy with us these days - it's spontaneously reloading
> every few days (twice so far), and after the reload, it claims

We're running SXI2 modular on 4 VSS at a customer. Not for that long (still
a pilot phase), but have managed to experience multiple VSS switchovers and
spontaneous Sup720-10GE crashes. There seems to be a pattern in some of
them, but not much to conclude as of yet. Hoping for TAC to reply soon.

Nothing special on the boxes - L2 aggregation with multichassis
etherchannels, L3 on SVIs, VRFs, some RSTP and OSPF, little BGP.

--
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

All generalizations are false, including this one.
-- Mark Twain

From asturluismi at gmail.com Fri Aug 28 06:20:32 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 28 Aug 2009 12:20:32 +0200
Subject: [c-nsp] PBR + ACL is not working as expected in a 7600
Message-ID: <1251454832.10336.2.camel@dsba-ipso>

Hi all,

We have here this configuration in the ACL:

ip access-list extended AM_Pilotos_vuelta_acelerada
 permit tcp 88.84.89.240 0.0.0.3 any gt 1024
 permit tcp 88.84.89.240 0.0.0.3 any eq ftp www

With this config, the www traffic received on Gi1/1 doesn't match the acl
(ftp www ACL) so the traffic is not being forwarded as expected by PBR.

Changed the access list to:

 permit tcp 88.84.89.240 0.0.0.3 any gt 1024
 permit tcp 88.84.89.240 0.0.0.3 any eq www
 permit tcp 88.84.89.240 0.0.0.3 any eq ftp

and it works!!

c7600rsp72043-advipservicesk9-mz.122-33.SRC1.bin

From bjorn at mork.no Fri Aug 28 07:27:14 2009
From: bjorn at mork.no (Bjørn Mork)
Date: Fri, 28 Aug 2009 13:27:14 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090827131304.GI117@greenie.muc.de> (Gert Doering's message of "Thu, 27 Aug 2009 15:13:04 +0200")
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> <20090827131304.GI117@greenie.muc.de>
Message-ID: <87k50o6uwd.fsf@nemi.mork.no>

Gert Doering writes:
> Yes. IETF really botched that "everything is automatic but we don't
> tell you how to discover DNS" part. Twice....

The same happened to IPCP, for those who still remember IPv4. RFC 1332 was
published in May 1992. RFC 1877 added the DNS options in December 1995.
Bjørn

From eng_mssk at hotmail.com Fri Aug 28 08:02:58 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Fri, 28 Aug 2009 15:02:58 +0300
Subject: [c-nsp] nat question
Message-ID:

hey all
i configured natting on a cisco router
i have loopback interface and f0/0 interface with ip nat inside configured
and one interface configured for outside natting
does that affect?

From trejrco at gmail.com Fri Aug 28 08:11:25 2009
From: trejrco at gmail.com (TJ)
Date: Fri, 28 Aug 2009 08:11:25 -0400
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <87k50o6uwd.fsf@nemi.mork.no>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> <20090827131304.GI117@greenie.muc.de> <87k50o6uwd.fsf@nemi.mork.no>
Message-ID: <018001ca27d8$aae00df0$00a029d0$@com>

> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bjørn Mork
> Sent: Friday, August 28, 2009 7:27 AM
> To: Gert Doering
> Cc: cisco-nsp at puck.nether.net; sthaug at nethelp.no; alex at digriz.org.uk
> Subject: Re: [c-nsp] IPV6 in general was Re: Large networks
>
> Gert Doering writes:
>
>> Yes. IETF really botched that "everything is automatic but we don't
>> tell you how to discover DNS" part.

In every design there are tradeoffs that are made ... and with the benefit
of hindsight it is easy to point at the wrong decisions.
/TJ

From James.Munroe at gnb.ca Fri Aug 28 07:41:10 2009
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Fri, 28 Aug 2009 08:41:10 -0300
Subject: [c-nsp] MST and Uplinkfast
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB7D@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au> <688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au> <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au> <4EF7C23B9231A14E99C9016F65B13B8C098DB500@PDXEX01.webtrends.corp> <56F211C5E3F24F47B103EA1B253822BE044AAB77@vic-cr-ex1.staff.netspace.net.au> <56F211C5E3F24F47B103EA1B253822BE044AAB7D@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <458B3EC21E4A3044998E917199AACB2F01A64BDB@GNBEX02.gnb.ca>

This is a little off the subject, but may be a part of it. Cisco being
Cisco has some variances in MST's adherence to the IEEE 802.1s standard. In
certain IOS's the MST BPDU's are tagged, while some are not. Not tagging is
what the 802.1s standard calls for. Outside of the bug ID's below:

Workgroup switch (2960, 3750, 3560, ME-3400, etc...) IOS's 12.2(44)SE and
below send the MST BPDU's untagged. 12.2(46)SE and above send the frames
tagged.

Cisco 7600 series IOS's up to 12.2(33)SRD send the frames untagged...while
those IOS's below it send the frames tagged. This also affects the 6500
(think it's fixed in SXI??)..not sure what other platforms may be
affected...

I have been told by TAC that the IOS version 12.2(52)SE for the LAN switches
will have the MST BPDU tag issue fixed...ETA 09/29/09.

Hope this saves someone a few grey hairs :-)

CSCsm12766 "vlan dot1q tag native" feature doesn't work on C3750 switches
This bug was fixed in 12.2(46)SE and so switches running this and above
versions got affected.

CSCsv91358 dot1q tag native and voice vlan expect tagged traffic on an access port
This bug was fixed in 12.2(50)SE and later codes and so 3560 switches
running these codes got affected.
These bug fixes were also ported to other platforms, causing this issue.
Now to address this issue, there were two bugs filed, one on the 6500
platform and another on 3750 switches, as below:

CSCta17209 Port put into dispute in MST due to agreement BPDU tagged incorrectly
Symptom: Port put into blocking due to P2P dispute after upgrade to
12.2(50)SE+ while using MST.
Conditions: The upstream switch needs to have vlan dot1q tag native
configured and the root does not. The agreement BPDU being sent from the
upstream switch is being incorrectly tagged with the native vlan dot1q tag
and is causing the port to go into dispute status.
Workaround: Configure dot1q tag native on the root or unconfigure dot1q tag
native on the upstream switch.
This bug is currently not fixed in any new versions.

CSCsk33045 MST BPDU *must* be sent untagged, even when the switch is configured wit
In order to be compliant with the IEEE 802.1s standard, the MST BPDU *must*
be sent untagged, even when the switch is configured with the "tag native"
command. As per the 12.2(18)SXF IOS release on the Catalyst 6500, this is
not happening and therefore can cause interoperability issues with other
vendors.

From Grzegorz at Janoszka.pl Fri Aug 28 08:39:31 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Fri, 28 Aug 2009 14:39:31 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A9653B3.6090607@imperial.ac.uk>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk>
Message-ID: <4A97D003.5030301@Janoszka.pl>

Phil Mayers wrote:
> Grzegorz Janoszka wrote:
>> Yes, unfortunately it is only link-local. I am just trying to figure
>> it out how to marry link-local with our global ipv6 assignments.
>
> That's now the way it works AFAICT.
>
> Basically, the routers still send router-advertisments. However, the
> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
> between the active & backup.
>
> So you only *need* the link-local.

No, my routers do NOT send ra. I disable it as an incredibly insecure
mechanism.
--
Grzegorz Janoszka

From mohacsi at niif.hu Fri Aug 28 08:55:15 2009
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Fri, 28 Aug 2009 14:55:15 +0200 (CEST)
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A97D003.5030301@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl>
Message-ID:

On Fri, 28 Aug 2009, Grzegorz Janoszka wrote:
> Phil Mayers wrote:
>> Grzegorz Janoszka wrote:
>>> Yes, unfortunately it is only link-local. I am just trying to figure it
>>> out how to marry link-local with our global ipv6 assignments.
>>
>> That's now the way it works AFAICT.
>>
>> Basically, the routers still send router-advertisments. However, the
>> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
>> between the active & backup.
>>
>> So you only *need* the link-local.
>
> No, my routers do NOT send ra. I disable it as an incredibly insecure
> mechanism.

I disagree. Not worse than DHCP. By the way, how do you distribute
parameters for local links?
Best Regards,
Janos Mohacsi

From p.mayers at imperial.ac.uk Fri Aug 28 09:16:02 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 28 Aug 2009 14:16:02 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A97D003.5030301@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl>
Message-ID: <4A97D892.2020101@imperial.ac.uk>

Grzegorz Janoszka wrote:
> Phil Mayers wrote:
>> Grzegorz Janoszka wrote:
>>> Yes, unfortunately it is only link-local. I am just trying to figure
>>> it out how to marry link-local with our global ipv6 assignments.
>> That's now the way it works AFAICT.
>>
>> Basically, the routers still send router-advertisments. However, the
>> link-local address in the next-hop is the HSRPv6 virtual IP, and floats
>> between the active & backup.
>>
>> So you only *need* the link-local.
>
> No, my routers do NOT send ra. I disable it as an incredibly insecure
> mechanism.
>

Fine - so point your clients statically at the virtual link-local address
e.g. under Linux:

ip -f inet6 route add default via fe80:: dev eth0

What's the problem?
From gert at greenie.muc.de Fri Aug 28 09:21:31 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 28 Aug 2009 15:21:31 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A97D003.5030301@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl>
Message-ID: <20090828132131.GR117@greenie.muc.de>

Hi,

On Fri, Aug 28, 2009 at 02:39:31PM +0200, Grzegorz Janoszka wrote:
> >So you only *need* the link-local.
>
> No, my routers do NOT send ra. I disable it as an incredibly insecure
> mechanism.

What exactly is "incredibly insecure" in *sending* RAs?

I could understand if a host does not want to *receive* RAs, if the network
environment is not trusted and there is no SeND available yet.

gert
--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Aug 28 09:23:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 28 Aug 2009 15:23:41 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <018001ca27d8$aae00df0$00a029d0$@com>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> <20090827131304.GI117@greenie.muc.de> <87k50o6uwd.fsf@nemi.mork.no> <018001ca27d8$aae00df0$00a029d0$@com>
Message-ID: <20090828132341.GS117@greenie.muc.de>

Hi,

On Fri, Aug 28, 2009 at 08:11:25AM -0400, TJ wrote:
> >Gert Doering writes:
> >
> >> Yes. IETF really botched that "everything is automatic but we don't
> >> tell you how to discover DNS" part.
>
> In every design there are tradeoffs that are made ...
> and with the benefit of hindsight it is easy to point at the wrong decisions.

It's very hard to find a reasonable argument why "not considering DNS when
designing autoconfiguring networks" could be called a *tradeoff*.

Tradeoff against what? "Mostly unusable result" vs. "invest some brains"?

gert

From JBracey at csuchico.edu Fri Aug 28 11:00:43 2009
From: JBracey at csuchico.edu (Bracey, John)
Date: Fri, 28 Aug 2009 08:00:43 -0700
Subject: [c-nsp] Audit tool for Cisco Config files
Message-ID: <755A73D3547BAE429728E2EC2AEDC60572D360DD62@EXMAIL.csuchico.edu>

Thanks for all the helpful replies everybody.
Am looking into RAT and Nipper; both look promising.

Thanks again!

*********************************************************
John K. Bracey, Sr. Network Analyst
Communications Services / Network Operations
California State University, Chico
530-898-5400
*********************************************************

From ler762 at gmail.com Fri Aug 28 13:15:51 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 28 Aug 2009 13:15:51 -0400
Subject: [c-nsp] Audit tool for Cisco Config files
In-Reply-To: <755A73D3547BAE429728E2EC2AEDC60572D360DD62@EXMAIL.csuchico.edu>
References: <755A73D3547BAE429728E2EC2AEDC60572D360DD62@EXMAIL.csuchico.edu>
Message-ID:

On 8/28/09, Bracey, John wrote:
> Thanks for all the helpful replies everybody. Am looking into RAT and
> Nipper; both look promising.

Both RAT and Nipper are for security audits - last time I looked both were
useless for checking that lines were in the config and lines weren't, much
less checking for things like 'ip pim sparse-mode' configured on an
interface requires multicast routing to be enabled as well as 'ip pim
rp-addr' pointing to a valid RP [no, we don't use auto-rp :] or having 'no
service dhcp' and a helper address configured on an interface is an error.

A co-worker reminded me about Cisco's Network Compliance Manager - it
supposedly can do all sorts of config checking against built-in templates
as well as user supplied templates.

Lee

From JBracey at csuchico.edu Fri Aug 28 13:23:51 2009
From: JBracey at csuchico.edu (Bracey, John)
Date: Fri, 28 Aug 2009 10:23:51 -0700
Subject: [c-nsp] Audit tool for Cisco Config files
In-Reply-To:
References: <755A73D3547BAE429728E2EC2AEDC60572D360DD62@EXMAIL.csuchico.edu>
Message-ID: <755A73D3547BAE429728E2EC2AEDC60572D360DE35@EXMAIL.csuchico.edu>

Kewl! I'm downloading an eval copy as I write this.
:)

-John Bracey

From alex at digriz.org.uk Fri Aug 28 14:48:36 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Fri, 28 Aug 2009 19:48:36 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl> <4A97D892.2020101@imperial.ac.uk>
Message-ID: <4dllm6-b31.ln1@chipmunk.wormnet.eu>

Phil Mayers wrote:
>>
>> No, my routers do NOT send ra. I disable it as an incredibly insecure
>> mechanism.
>>
>
> Fine - so point your clients statically at the virtual link-local
> address e.g. under Linux:
>
> ip -f inet6 route add default via fe80:: dev eth0
>
> What's the problem?
>
Well, you should be using "ip route add 2000::/3 via....."
;)

Cheers

--
Alexander Clouter
.sigmonster says: Sign here without admitting guilt.

From alex at digriz.org.uk Fri Aug 28 15:18:10 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Fri, 28 Aug 2009 20:18:10 +0100
Subject: [c-nsp] IPV6 in general was Re: Large networks
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl> <4A97D892.2020101@imperial.ac.uk> <4dllm6-b31.ln1@chipmunk.wormnet.eu>
Message-ID:

Alexander Clouter wrote:
>
> Phil Mayers wrote:
>>>
>>> No, my routers do NOT send ra. I disable it as an incredibly insecure
>>> mechanism.
>>>
>>
>> Fine - so point your clients statically at the virtual link-local
>> address e.g. under Linux:
>>
>> ip -f inet6 route add default via fe80:: dev eth0
>>
>> What's the problem?
>>
> Well, you should be using "ip route add 2000::/3 via....." ;)
>
Bah, stumbled on RFC3587, I take that statement back :)

Cheers

--
Alexander Clouter
.sigmonster says: The best defense against logic is ignorance.

From nrauhauser at gmail.com Fri Aug 28 16:21:43 2009
From: nrauhauser at gmail.com (neal rauhauser)
Date: Fri, 28 Aug 2009 15:21:43 -0500
Subject: [c-nsp] UBR 7223 mysteries - which cable card?
Message-ID: <9515c62d0908281321i703290aasd14f1dcb59ec929d@mail.gmail.com>

I have a UBR 7223 under my care and I've got the following code on it:

1 -rw- 19770888 Aug 17 2006 21:19:32 -05:00 ubr7200-k8p-mz.123-9a.BC9.bin
2 -rw- 23077708 Jul 16 2009 10:47:46 -05:00 ubr7200-ik9su2-mz.123-23.BC7.bin

The machine has this linecard in it:

Slot 2: DOCSIS Modem Card (ASIC) 1 Down/1 Up Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time 00:19:46 ago
EEPROM contents at hardware discovery:
Hardware Revision : 1.0
Top Assy. Part Number : 800-04767-01
Board Revision : J0
CLEI Code : CN1IS30AAA
Deviation Number : 0-0
Fab Version : 01
PCB Serial Number : CAB0437EAV3
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Calibration Data : Minimum: -10 dBmV, Maximum: 25 dBmV
Calibration values : 0x9CC0 0x9A80 0x9A90 0x96B0 0x96B0

This is apparently an MC11C. We suspect it's bad due to intermittent misbehavior and a replacement was ordered, but we're not so swift and it's an MC11. Neither image works with the new card and only the older image works with the MC11C. I could really use a tip from someone who knows these things as to what to do. About 3% of our customers are on this thing and we'd just as soon give the location away but until we find a home for it we have to keep it running.

--
mailto:Neal at layer3arts.com // GoogleTalk: nrauhauser at gmail.com IM: nealrauhauser

From sethm at rollernet.us Fri Aug 28 16:25:12 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Fri, 28 Aug 2009 13:25:12 -0700
Subject: [c-nsp] VPN Auditing
In-Reply-To: <004801ca272c$09bf3290$1d3d97b0$@org>
References: <004801ca272c$09bf3290$1d3d97b0$@org>
Message-ID: <4A983D28.6070800@rollernet.us>

Paul Stewart wrote:
> Hi folks...
>
> We have a site that runs a Cisco 2800 with a IOS VPN server. Users connect
> via their Cisco VPN clients to gain access to an internal network there...
>
> I would like to start auditing it a bit more and have a way to tell who
> logged in and when. Is this difficult? I've searched around and found more
> complex things that can be accomplished but currently the security policy
> only permits user authentication auditing. The users are currently
> authenticated off a local configuration - would moving them to Radius make
> more sense or can I do this with builtin usernames?
>

I would move to radius; it'll give you accounting too.

~Seth

From yurixewx at yahoo.com Fri Aug 28 18:20:57 2009
From: yurixewx at yahoo.com (Yuri Bank)
Date: Fri, 28 Aug 2009 15:20:57 -0700 (PDT)
Subject: [c-nsp] Data VLAN/Voice VLAN
Message-ID: <609889.18764.qm@web36902.mail.mud.yahoo.com>

According to cisco documentation, when you specify a voice-vlan for a switchport, the data is then Untagged; Native VLAN.

Example configuration.

interface FastEthernet0/4
 description phone
 switchport access vlan 77
 switchport trunk native vlan 55
 switchport mode access
 switchport voice vlan 66

In this configuration, data is placed on vlan 55? From what I've read on other forums and such is that the data would be on the configured access vlan ( 77 ). Unfortunately I do not have an iphone to test this. Could anyone give me some clarity?

From tomas at soitron.com Fri Aug 28 18:23:42 2009
From: tomas at soitron.com (Daniska Tomas)
Date: Sat, 29 Aug 2009 00:23:42 +0200
Subject: [c-nsp] instabilities with SXI2?
Message-ID: <6B43981C32F8464CB24CEE209DA32BD302516E1A@kenya.tronet.as>

TAC was pretty responsive, they have identified this as CSCtb27643. It happens in SXI2, both modular and monolithic, and whether in VSS or not, just when DFCs are in place. The ddts is not public so ask your local team.

--
deejay

From: Daniska Tomas
Sent: Friday, August 28, 2009 11:34 AM
To: cisco-nsp at puck.nether.net
Cc: 'gert at greenie.muc.de'
Subject: Re: [c-nsp] instabilities with SXI2?
>Hi,
>
>I'm wondering if one of you is running SXI2 non-modular code and has had
>negative experiences?
>
>We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G
>that is a bit unhappy with us these days - it's spontaneously reloading
>every few days (twice so far), and after the reload, it claims

We're running SXI2 modular on 4 VSS at a customer. Not that long (still a pilot phase), but have managed to experience multiple VSS switchovers and spontaneous Sup720-10GE crashes. There seems to be a pattern in some of them, but not much to conclude as of yet. Hoping for TAC to reply soon.

Nothing special on the boxes - L2 aggregation with multichassis etherchannels, L3 on SVIs, VRFs, some RSTP and OSPF, little BGP.

--
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

All generalizations are false, including this one. -- Mark Twain

__________ Information from ESET NOD32 Antivirus, virus database version 4375 (20090827) __________

This message was checked by ESET NOD32 Antivirus.
http://www.eset.sk

From peter at rathlev.dk Fri Aug 28 18:43:55 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 29 Aug 2009 00:43:55 +0200
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <609889.18764.qm@web36902.mail.mud.yahoo.com>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com>
Message-ID: <1251499435.13637.3.camel@abehat.net.rm.dk>

On Fri, 2009-08-28 at 15:20 -0700, Yuri Bank wrote:
> interface FastEthernet0/4
> description phone
> switchport access vlan 77
> switchport trunk native vlan 55
> switchport mode access
> switchport voice vlan 66
>
> In this configuration, data is placed on vlan 55? From what I've read
> on other forums and such is that the data would be on the configured
> access vlan ( 77 ). Unfortunately I do not have an iphone to test
> this. Could anyone give me some clarity?

Untagged traffic on the port would be VLAN 77, since this is what you configured as access VLAN and since the port is in forced access mode.

A compatible device (i.e. one that presents itself as a phone via CDP) would activate the voice VLAN and thus allow tagged incoming traffic on VLAN 66. This requires the switch (and port) to have CDP enabled by the way.

The trunk configuration is ignored when you issue "switchport mode access".

If you only need a stand-alone phone you can just use a simple access port in the voice VLAN.

Regards,
Peter

From BBlackford at nwresd.k12.or.us Fri Aug 28 19:52:23 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 28 Aug 2009 16:52:23 -0700
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <1251499435.13637.3.camel@abehat.net.rm.dk>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk>
Message-ID: <6069A203FD01884885C037F81DD75080171DF92417@wsc-mail-01.intra.nwresd.k12.or.us>

If you are using 3560's, this has been my experience as well. If you are unfortunate enough to be using 3550XL's, then the whole game is different.
The 3550XL way:

interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 68
 switchport mode trunk
 switchport voice vlan 66
 switchport priority extend cos 0
 spanning-tree portfast

The data vlan has to be indicated as native.

Again, this has been my experience.

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Friday, August 28, 2009 3:44 PM
To: Yuri Bank
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Data VLAN/Voice VLAN

On Fri, 2009-08-28 at 15:20 -0700, Yuri Bank wrote:
> interface FastEthernet0/4
> description phone
> switchport access vlan 77
> switchport trunk native vlan 55
> switchport mode access
> switchport voice vlan 66
>
> In this configuration, data is placed on vlan 55? From what I've read
> on other forums and such is that the data would be on the configured
> access vlan ( 77 ). Unfortunately I do not have an iphone to test
> this. Could anyone give me some clarity?

Untagged traffic on the port would be VLAN 77, since this is what you configured as access VLAN and since the port is in forced access mode.

A compatible device (i.e. one that presents itself as a phone via CDP) would activate the voice VLAN and thus allow tagged incoming traffic on VLAN 66. This requires the switch (and port) to have CDP enabled by the way.

The trunk configuration is ignored when you issue "switchport mode access".

If you only need a stand-alone phone you can just use a simple access port in the voice VLAN.
Regards,
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From trejrco at gmail.com Fri Aug 28 20:10:19 2009
From: trejrco at gmail.com (TJ)
Date: Fri, 28 Aug 2009 20:10:19 -0400
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090828132341.GS117@greenie.muc.de>
References: <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090827.095917.74721147.sthaug@nethelp.no> <20090827083554.GA17090@wildfire.net.ic.ac.uk> <20090827104100.GC117@greenie.muc.de> <4A966CB9.5030101@inex.ie> <20090827131304.GI117@greenie.muc.de> <87k50o6uwd.fsf@nemi.mork.no> <018001ca27d8$aae00df0$00a029d0$@com> <20090828132341.GS117@greenie.muc.de>
Message-ID: <006401ca283d$18a40940$49ec1bc0$@com>

>> >Gert Doering writes:
>> >
>> >> Yes. IETF really botched that "everything is automatic but we
>> >> don't tell you how to discover DNS" part.
>>
>> In every design there are tradeoffs that are made ...
>> and with the benefit of hindsight it is easy to point at the wrong
>decisions.
>
>It's very hard to find a reasonable argument why "not considering DNS when
>designing autoconfiguring networks" could be called a *tradeoff*.
>
>Tradeoff against what? "Mostly unusable result" vs. "invest some brains"?
>
>gert

I believe the thinking was that the RAs are only (pre-RFC5006) providing information about that which they directly know about. Tacking DNS information in makes perfect sense from the hosts' perspective, but the router is now providing 'second hand' information.

And it depends on the deployment scenario. A 'cloud' of simple sensors won't be surfing the net, so the need for name resolution is probably lessened.

In the end, I agree - my host needs information (DNS) along with addressing, so Just Make It Work(tm) :).
/TJ

From maillist at thelan.no Fri Aug 28 21:44:38 2009
From: maillist at thelan.no (Harald Firing Karlsen)
Date: Sat, 29 Aug 2009 03:44:38 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A96814B.1020205@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> <1251377258.16185.78.camel@daniel.office.bit.nl> <4A96814B.1020205@Janoszka.pl>
Message-ID: <4A988806.8000005@thelan.no>

Grzegorz Janoszka wrote:
> Daniel Verlouw wrote:
>> On Thu, 2009-08-27 at 14:45 +0200, Grzegorz Janoszka wrote:
>>> You cannot have the same link-local IP's on different ifaces, can you?
>>
>> sure you can, that's what link-local is for.
>>
>> daniel at jun1.XXXX> show interfaces | match fe80::2$ | count
>> Count: 16 lines
>
> So, can I have just fe80::1 as a virtual gateway on all interfaces in
> my network? I thought it was not possible. Does someone have such
> setup with Cisco?

Yes, I have used it for tunneling on several occasions, but keep in mind that for static routes you will naturally always have to specify outgoing interface in addition to the next hop (i.e. ipv6 route ::/0 FastEthernet0/1 fe80::2).

--
Harald Firing Karlsen

From vedlabs at gmail.com Sat Aug 29 07:35:02 2009
From: vedlabs at gmail.com (Ved Labs)
Date: Sat, 29 Aug 2009 17:05:02 +0530
Subject: [c-nsp] dampening for VPNv4
Message-ID: <7db92dcc0908290435s2c9b32eerc64f076eea1f17a2@mail.gmail.com>

I would like to know the pros and cons for enabling the dampening for VPNv4.
I can see a lot of vpnv4 routes flapping and causing the cpu shoot.

Thanks,
Ved.

From David at Hughes.com.au Sat Aug 29 07:48:30 2009
From: David at Hughes.com.au (David Hughes)
Date: Sat, 29 Aug 2009 21:48:30 +1000
Subject: [c-nsp] MST and Uplinkfast
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE044AAB72@vic-cr-ex1.staff.netspace.net.au> <688F39B8-D8E4-4E3D-93C8-B253E8362439@Hughes.com.au> <56F211C5E3F24F47B103EA1B253822BE044AAB75@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <14B0FE23-D2DC-468E-B645-AA76FFB42910@Hughes.com.au>

Hi

Sorry for the slow response. Up to my neck with the AusNOG conference.

Anyway, as others have mentioned, you need to run portfast on your edge ports.

Thanks

David
...

On 27/08/2009, at 5:06 PM, Andy Saykao wrote:

> Hi David,
>
> Thanks for the reply...
>
> With MST deployed across our network now, the access layer switches take
> 20-30seconds before they start switching traffic via the redundant link.
> Prior to this we were using PVST+ and with uplinkfast enabled on these
> access layer switches, once the primary link failed, the redundant
> link kicked in straight away (drop one packet). Is MST supposed to
> switch traffic almost instantly or is this 20-30sec delay a "normal"
> thing???

From gert at greenie.muc.de Sat Aug 29 10:45:21 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 29 Aug 2009 16:45:21 +0200
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
Message-ID: <20090829144521.GA2115@greenie.muc.de>

Hi,

for a new project, I have been tasked to build a network that does IGP fast convergence "as fast as possible!!!" (with 5 exclamation marks).

Due to other reasons (... of course this needs to be FAST and cost NOTHING...), the routers will be 6504+Sup32s, planned IOS is SXH3a or SXI2.
BFD won't be possible, as routing will be done on SVIs (thanks, Cisco)

[*maybe* I can do this on port-channel dot1q subinterfaces, but I'm not yet sure how this will work out - can MUX-UNI be used to mix routed subinterfaces and switched VLANs? I've only used it to mix MPLS subfs and switched VLANs].

Now I'm looking for experience and recommendations about tweaking OSPF - how far have you (successfully) reduced OSPF hello timers? Any other success or horror stories about IGP fast convergence on Sup32?

... and yes, I'm aware that I won't be able to do "sub-500ms" on this platform. I'm not aiming for this :-) - something like "< 3s" would be perfect, "< 10s" would make $them grumble, but eventually accept it...

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From me at falz.net Sat Aug 29 12:11:44 2009
From: me at falz.net (Chris Wopat)
Date: Sat, 29 Aug 2009 11:11:44 -0500
Subject: [c-nsp] Audit tool for Cisco Config files
Message-ID:

> Date: Fri, 28 Aug 2009 10:23:51 -0700
>
> Kewl! I'm downloading an eval copy as I write this. :)
>
> -John Bracey

BMC Configuration Automation for Networks (Formerly E-Netaware) can do everything you request and more:
http://www.bmc.com/products/product-listing/105410521-159984-2392.html

Commercial software, works reasonably well. Some people in my organization hate it, some love it.

From blahu77 at gmail.com Sat Aug 29 12:39:07 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Sat, 29 Aug 2009 17:39:07 +0100
Subject: [c-nsp] Migrate 6500 to 7600
Message-ID: <20090829163907.GF31692@thorgal>

List,

We are going to replace a chassis of our core router (SUP720).
At the moment it is a standard 6509, but the new one is going to be a smaller 7606S, using the same SUP720 (also the plan is to update the TCAM with XL memory upgrade kit). The box is running SXF.

Did anyone undergo such switchover? Are there any gotchas to avoid, some tips(howtos) to follow? We will run SRB or SRC, not sure yet.

Looking forward to hearing from you.

Best Regards,

-mat

--
Mateusz Blaszczyk

pgp-key 0x64643FCE

From peter at rathlev.dk Sat Aug 29 12:55:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 29 Aug 2009 18:55:16 +0200
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090829144521.GA2115@greenie.muc.de>
References: <20090829144521.GA2115@greenie.muc.de>
Message-ID: <1251564916.6719.5.camel@abehat.net.rm.dk>

On Sat, 2009-08-29 at 16:45 +0200, Gert Doering wrote:
> for a new project, I have been tasked to build a network that does
> IGP fast convergence "as fast as possible!!!" (with 5 exclamation
> marks).

Heh, only a "five exclamation marks" type of fast convergence? Stroll in the park I guess... ;-)

I don't know much about OSPF and fast convergence, but about this:

> - can MUX-UNI be used to mix routed subinterfaces and switched VLANs?
> I've only used it to mix MPLS subfs and switched VLANs].

I'm afraid it can't. I was hoping one could do exactly that some time ago, but MUX-UNI only allows the subinterfaces to be xconnected and nothing else. It doesn't allow you to specify an IP address. (At least as per SXI1.) Wish they would though.
Regards,
Peter

From peter at rathlev.dk Sat Aug 29 13:01:05 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 29 Aug 2009 19:01:05 +0200
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090829163907.GF31692@thorgal>
References: <20090829163907.GF31692@thorgal>
Message-ID: <1251565265.6719.11.camel@abehat.net.rm.dk>

On Sat, 2009-08-29 at 17:39 +0100, Mateusz Blaszczyk wrote:
> We are going to replace a chassis of our core router (SUP720).
> At the moment it is a standard 6509, but the new one is going to be a
> smaller 7606S, using the same SUP720 (also the plan is to update the
> TCAM with XL memory upgrade kit). The box is running SXF.
>
> Did anyone undergo such switchover? Are there any gotchas to avoid,
> some tips(howtos) to follow? We will run SRB or SRC, not sure yet.

We tried the other way around a couple of times, i.e. moved a Sup720 from a 7600 chassis to a 6500 chassis. The only kind of "problem" we ran into was to sometimes not remember to have a copy of the software that will actually boot in the other chassis. With SXF this has never been a problem, only with SRB/SXH and newer.

Otherwise it has been painless.

Regards,
Peter

From gert at greenie.muc.de Sat Aug 29 13:27:15 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 29 Aug 2009 19:27:15 +0200
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <1251564916.6719.5.camel@abehat.net.rm.dk>
References: <20090829144521.GA2115@greenie.muc.de> <1251564916.6719.5.camel@abehat.net.rm.dk>
Message-ID: <20090829172715.GW117@greenie.muc.de>

Hi,

On Sat, Aug 29, 2009 at 06:55:16PM +0200, Peter Rathlev wrote:
> > - can MUX-UNI be used to mix routed subinterfaces and switched VLANs?
> > I've only used it to mix MPLS subfs and switched VLANs].
>
> I'm afraid it can't. I was hoping one could do exactly that some time
> ago, but MUX-UNI only allows the subinterfaces to be xconnected and
> nothing else. It doesn't allow you to specify an IP address. (At least
> as per SXI1.)
*grumble*

I need to re-think this... maybe I can get away with "no VLAN is ever visible on two different port channels", and thus I could use routed ports and routed sub-ifs.

Thanks.

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From blahu77 at gmail.com Sat Aug 29 14:50:22 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Sat, 29 Aug 2009 19:50:22 +0100
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <1251565265.6719.11.camel@abehat.net.rm.dk>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk>
Message-ID: <20090829185022.GA15060@thorgal>

> With SXF this has never been a
> problem, only with SRB/SXH and newer.

Yes, I forgot that SXF can be run on both platforms. Then one thing less to worry about.

Any surprises with MAC changes, ifindex changes?
I recall a discussion here that chassis switchover resulted in the main (for a lack of better word) MAC being changed.

Thanks!

Best Regards,

-mat

--
Mateusz Blaszczyk

pgp-key 0x64643FCE
From peter at rathlev.dk Sat Aug 29 15:03:13 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 29 Aug 2009 21:03:13 +0200
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090829185022.GA15060@thorgal>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal>
Message-ID: <1251572593.6719.20.camel@abehat.net.rm.dk>

On Sat, 2009-08-29 at 19:50 +0100, Mateusz Blaszczyk wrote:
> Any surprises with MAC changes,

MAC addresses for SVIs are supplied by the chassis so they change. L3-interfaces get their MAC address from the module. Also the STP bridge ID changes, since it's also the "base MAC address".

> ifindex changes?

I think, but am not sure, that the "ifindex persist" in configuration and the resulting persistent data on flash will survive between chassis'.

When we have swapped things like this we have always completely redefined the device, i.e. new name, new entries in management/measurement tools et cetera. Running SXF means there's a great deal of service alignment between the two platforms (if not complete), but I personally wouldn't consider swapping chassis to a different model a simple "replacement" task.

Regards,
Peter

From blahu77 at gmail.com Sat Aug 29 16:15:53 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Sat, 29 Aug 2009 21:15:53 +0100
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <1251572593.6719.20.camel@abehat.net.rm.dk>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal> <1251572593.6719.20.camel@abehat.net.rm.dk>
Message-ID: <20090829201553.GA15361@thorgal>

> Also the STP bridge ID changes, since it's also the "base MAC address".

That one is worth noting.

> > ifindex changes?
>
> I think, but am not sure, that the "ifindex persist" in configuration
> and the resulting persistent data on flash will survive between
> chassis'.

Would have to keep track of it after upgrade.

> When we have swapped things like this we have always completely
> redefined the device, i.e. new name, new entries in
> management/measurement tools et cetera. Running SXF means there's a
> great deal of service alignment between the two platforms (if not
> complete), but I personally wouldn't consider swapping chassis to a
> different model a simple "replacement" task.
>

I know that this is a highly complex job. There are however some constraints within which I have to work e.g. "make it work as if nothing happened". Unfortunately I cannot test drive it in the lab for a few days, but I can take it out of production and prepare it during a day, making sure that all features work as expected.

Best Regards.

-mat

--
Mateusz Blaszczyk

pgp-key 0x64643FCE

From rubensk at gmail.com Sat Aug 29 19:31:27 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sat, 29 Aug 2009 20:31:27 -0300
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090829144521.GA2115@greenie.muc.de>
References: <20090829144521.GA2115@greenie.muc.de>
Message-ID: <6bb5f5b10908291631s48779a7dj2fab39416a460ca6@mail.gmail.com>

> [*maybe* I can do this on port-channel dot1q subinterfaces, but I'm not
> yet sure how this will work out - can MUX-UNI be used to mix routed
> subinterfaces and switched VLANs? I've only used it to mix MPLS subfs
> and switched VLANs].

What intrigues me is that MUX-UNI subinterfaces can be "mpls ip" enabled without having IP addresses... they can also be made part of VRFs...
Rubens

From cluestore at gmail.com Sun Aug 30 03:45:29 2009
From: cluestore at gmail.com (Clue Store)
Date: Sun, 30 Aug 2009 02:45:29 -0500
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <6069A203FD01884885C037F81DD75080171DF92417@wsc-mail-01.intra.nwresd.k12.or.us>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk> <6069A203FD01884885C037F81DD75080171DF92417@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <580af3b90908300045x7114c1aaxa6166df2686af7f2@mail.gmail.com>

What platform/IOS are you running?? I think the older 3500xl PoE switch had to be in trunk mode to accomplish the dot1(p)(q) header info so trust the EF marking of the packet would work due to CDP improvements and working without actually having it in "trunk mode". Think newer platforms and IOS, CDP does the magic of the headers of the aux vlan (which is the voice vlan) if I'm not mistaken. And u can just use voice vlan and access mode and it works. So no need to trunk on newer gear. But Pete's correct, u have the switchport "mode" in access. And u might have to trunk depending on ur setup. Also having it tagging "native" is useless in access mode.

HTH,
Clue

On Fri, Aug 28, 2009 at 6:52 PM, Bill Blackford wrote:

> If you are using 3560's, this has been my experience as well. If you are
> unfortunate enough to be using 3550XL's, then the whole game is different.
>
> The 3550XL way:
>
> interface FastEthernet0/5
> switchport trunk encapsulation dot1q
> switchport trunk native vlan 68
> switchport mode trunk
> switchport voice vlan 66
> switchport priority extend cos 0
> spanning-tree portfast
>
> The data vlan has to be indicated as native.
>
> Again, this has been my experience.
>
> -b
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Friday, August 28, 2009 3:44 PM
> To: Yuri Bank
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Data VLAN/Voice VLAN
>
> On Fri, 2009-08-28 at 15:20 -0700, Yuri Bank wrote:
> > interface FastEthernet0/4
> > description phone
> > switchport access vlan 77
> > switchport trunk native vlan 55
> > switchport mode access
> > switchport voice vlan 66
> >
> > In this configuration, data is placed on vlan 55? From what I've read
> > on other forums and such is that the data would be on the configured
> > access vlan ( 77 ). Unfortunately I do not have an iphone to test
> > this. Could anyone give me some clarity?
>
> Untagged traffic on the port would be VLAN 77, since this is what you
> configured as access VLAN and since the port is in forced access mode.
>
> A compatible device (i.e. one that presents itself as a phone via CDP)
> would activate the voice VLAN and thus allow tagged incoming traffic on
> VLAN 66. This requires the switch (and port) to have CDP enabled by the
> way.
>
> The trunk configuration is ignored when you issue "switchport mode
> access".
>
> If you only need a stand-alone phone you can just use a simple access
> port in the voice VLAN.
>
> Regards,
> Peter
>

From cluestore at gmail.com Sun Aug 30 03:53:46 2009
From: cluestore at gmail.com (Clue Store)
Date: Sun, 30 Aug 2009 02:53:46 -0500
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090829185022.GA15060@thorgal>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal>
Message-ID: <580af3b90908300053n77eb8c90o16cdc1aad4caf087@mail.gmail.com>

Hi Pete,

I'm about to undergo this same process with 7203bXL, and I'd like to know what roles ur 7606's play?? (BGP, PE, IPv6, 6pe, etc) What has been your most stable non-bgp bugged image that you use???

On Sat, Aug 29, 2009 at 1:50 PM, Mateusz Blaszczyk wrote:

> > With SXF this has never been a
> > problem, only with SRB/SXH and newer.
>
> Yes, I forgot that SXF can be run on both platforms. Then one thing
> less to worry about.
>
> Any surprises with MAC changes, ifindex changes?
> I recall a discussion here that chassis switchover resulted in the main
> (for a lack of better word) MAC being changed.
>
> Thanks!
>
> Best Regards,
>
> -mat
>
> --
> Mateusz Blaszczyk
>
> pgp-key 0x64643FCE
>

From cluestore at gmail.com Sun Aug 30 04:18:49 2009
From: cluestore at gmail.com (Clue Store)
Date: Sun, 30 Aug 2009 03:18:49 -0500
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090829144521.GA2115@greenie.muc.de>
References: <20090829144521.GA2115@greenie.muc.de>
Message-ID: <580af3b90908300118s5d78d1b9i8cc0bdd554573104@mail.gmail.com>

I've had a few customers on small scale routers running perfectly, I believe the dead time in Cisco default is 4 times the hello. I have all of them set to 3 sec Hello packets and a 30 second heal time and zero route instability. But I have zero experience with the sup32/6509 kit. This has been done on 2600/2800 3700/3800 routers with no issues.

Clue

On Sat, Aug 29, 2009 at 9:45 AM, Gert Doering wrote:

> Hi,
>
> for a new project, I have been tasked to build a network that does
> IGP fast convergence "as fast as possible!!!" (with 5 exclamation marks).
>
> Due to other reasons (... of course this needs to be FAST and cost
> NOTHING...), the routers will be 6504+Sup32s, planned IOS is SXH3a or
> SXI2.
>
> BFD won't be possible, as routing will be done on SVIs (thanks, Cisco)
>
> [*maybe* I can do this on port-channel dot1q subinterfaces, but I'm not
> yet sure how this will work out - can MUX-UNI be used to mix routed
> subinterfaces and switched VLANs? I've only used it to mix MPLS subfs
> and switched VLANs].
> Now I'm looking for experience and recommendations about tweaking OSPF
> - how far have you (successfully) reduced OSPF hello timers? Any other
> success or horror stories about IGP fast convergence on Sup32?
>
> ... and yes, I'm aware that I won't be able to do "sub-500ms" on this
> platform. I'm not aiming for this :-) - something like "< 3s" would
> be perfect, "< 10s" would make $them grumble, but eventually accept it...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From Grzegorz at Janoszka.pl Sun Aug 30 12:17:45 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Sun, 30 Aug 2009 18:17:45 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <20090828132131.GR117@greenie.muc.de>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl> <20090828132131.GR117@greenie.muc.de>
Message-ID: <4A9AA629.8040306@Janoszka.pl>

Gert Doering wrote:
> What exactly is "incredibly insecure" in *sending* RAs?
>
> I could understand if a host does not want to *receive* RAs, if the
> network environment is not trusted and there is no SeND available yet.

Maybe there is nothing that wrong with sending, but I recently compared DHCP and ND RA. A DHCP address offer is very easy to match with an L3 access-list.
So you can make an access-list on a switch to filter all DHCP offers on ports other than your uplink. But try to do it with RA. As far as I checked, it is not that easy: a normal L3 ACL would not match RA messages while allowing other ND traffic.

--
Grzegorz Janoszka

From blahu77 at gmail.com Sun Aug 30 12:25:25 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Sun, 30 Aug 2009 17:25:25 +0100
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090829185022.GA15060@thorgal>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal>
Message-ID: <20090830162525.GB15361@thorgal>

On Sat, Aug 29, 2009 at 07:50:22PM +0100, Mateusz Blaszczyk wrote:
> > With SXF this has never been a
> > problem, only with SRB/SXH and newer.
>
> Yes, I forgot about the SXF can be run on both platforms. Then one thing
> less to worry about.

Not so happy anymore. I've done some reading and it seems the 7606S was first supported by the SR train:
http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html#wp4344593

I wonder if that will boot under SX (12.2(18)SXE6a).

-mat

--
Mateusz Blaszczyk
pgp-key 0x64643FCE

From Grzegorz at Janoszka.pl Sun Aug 30 12:26:17 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Sun, 30 Aug 2009 18:26:17 +0200
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To:
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl>
Message-ID: <4A9AA829.7000103@Janoszka.pl>

Mohacsi Janos wrote:
> I disagree.
> Not worst than DHCP. By the way how do you distribute
> parameters for local links?

DHCP fake offers are better filterable, I think. With v6 we now use mostly static IP addressing. Still working for DHCP over v6.

--
Grzegorz Janoszka

From gert at greenie.muc.de Sun Aug 30 13:31:53 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 30 Aug 2009 19:31:53 +0200
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090830162525.GB15361@thorgal>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal> <20090830162525.GB15361@thorgal>
Message-ID: <20090830173153.GX117@greenie.muc.de>

Hi,

On Sun, Aug 30, 2009 at 05:25:25PM +0100, Mateusz Blaszczyk wrote:
> done some reading and it seems 7606S was supported first by SR train:

7606S definitely does NOT boot under SXH. Been there, done that, returned the chassis.

(We told them "we want to run modular". They said "oh, why bother getting a 7606, get the newer all-shiny-and-dancy 7606S"...)

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com Sun Aug 30 13:11:10 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sun, 30 Aug 2009 10:11:10 -0700
Subject: [c-nsp] Weird memory issue with SXI/SXI1 on 6500 w/ SUP720-3BXL
Message-ID: <4A9AB2AE.8060109@wbsconnect.com>

Every six weeks or so I am running out of memory on a 6509 w/ dual SUP720-3BXL with mostly 6700-series line cards.

I have 21 other nodes with this exact same configuration, some even running SXI or SXI1 that do not have this issue, which first led me to believe that the issue might be hardware related.
During our last maintenance window to alleviate the memory issue, I forced the standby SUP to become the active SUP. The memory issue persisted, leading me back to thinking it is a software issue.

I did not have this issue with SXH* on this same device, but SXH is *SO* buggy, rolling back is not an option. This leads me to believe that it is most likely a software issue.

The router is heavily used with 250+ BGP sessions, OSPF, MPLS, v4/v6, etc., but I don't think it should be consuming and not releasing 4 Mbytes of memory each day.

Has anyone else seen this? Anyone know a workaround?

I'm upgrading to SXI2 tonight in hopes that it resolves my issue.

--
Chris Phillips

From eninja at gmail.com Sun Aug 30 14:29:45 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 30 Aug 2009 11:29:45 -0700
Subject: [c-nsp] Weird memory issue with SXI/SXI1 on 6500 w/ SUP720-3BXL
In-Reply-To: <4A9AB2AE.8060109@wbsconnect.com>
References: <4A9AB2AE.8060109@wbsconnect.com>
Message-ID:

Grab multiple captures of "sh proc mem" to identify the process "holding" and not releasing (i.e. leaking) memory. When memory is heavily depleted, grab a *show memory allocating-process totals* and feel free to unicast.

Any MALLOC failures?

-Eninja

On Sun, Aug 30, 2009 at 10:11 AM, Chris Phillips wrote:
> Every six weeks or so I am running out of memory on a 6509 w/ dual
> SUP720-3BXL with mostly 6700-series line cards.
>
> I have 21 other nodes with this exact same configuration, some even running
> SXI or SXI1 that do not have this issue, which first led me to believe that
> the issue might be hardware related.
>
> During our last maintenance window to alleviate the memory issue, I forced
> the standby SUP to become the active SUP. The memory issue persisted,
> leading me back to thinking it is a software issue.
>
> I did not have this issue with SXH* on this same device, but SXH is *SO*
> buggy, rolling back is not an option. This leads me to believe that it is
> most likely a software issue.
>
> The router is heavily used with 250+ BGP sessions, OSPF, MPLS, v4/v6, etc,
> but I don't think it should be consuming and not releasing 4 mbytes of
> memory each day.
>
> Has anyone else seen this? Anyone know a workaround?
>
> I'm upgrading to SXI2 tonight in hopes that it resolves my issue.
>
> --
> Chris Phillips

From rjs at eng.gxn.net Sun Aug 30 13:40:53 2009
From: rjs at eng.gxn.net (Rob Shakir)
Date: Sun, 30 Aug 2009 18:40:53 +0100
Subject: [c-nsp] Migrate 6500 to 7600
In-Reply-To: <20090830162525.GB15361@thorgal>
References: <20090829163907.GF31692@thorgal> <1251565265.6719.11.camel@abehat.net.rm.dk> <20090829185022.GA15060@thorgal> <20090830162525.GB15361@thorgal>
Message-ID: <20090830174053.GI5351@cappuccino.rob.sh>

On Sun, Aug 30, 2009 at 05:25:25PM +0100, Mateusz Blaszczyk wrote:
> On Sat, Aug 29, 2009 at 07:50:22PM +0100, Mateusz Blaszczyk wrote:
> > > With SXF this has never been a
> > > problem, only with SRB/SXH and newer.
> >
> > Yes, I forgot about the SXF can be run on both platforms. Then one thing
> > less to worry about.
>
> not so happy anymore.
> done some reading and it seems 7606S was supported first by SR train:
> http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html#wp4344593
> I wonder if that will boot under SX (12.2(18)SXE6a).

Hi Mat,

When we switched over the 6509s to a 7609-S chassis, it booted and ran fine under SXF15a. After verifying the functionality, we moved to SRC2.
Hopefully this is of some help,

Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From azher at hep.caltech.edu Sun Aug 30 15:02:04 2009
From: azher at hep.caltech.edu (Azher Mughal)
Date: Sun, 30 Aug 2009 12:02:04 -0700
Subject: [c-nsp] Weird memory issue with SXI/SXI1 on 6500 w/ SUP720-3BXL
In-Reply-To: <4A9AB2AE.8060109@wbsconnect.com>
References: <4A9AB2AE.8060109@wbsconnect.com>
Message-ID: <4A9ACCAC.8060405@hep.caltech.edu>

SXI2 will give you another malloc bug :)

CSCtb27643 cat6000 Medium buffers leak on SP leading to crash

Here is a workaround suggested by Cisco:

One workaround is to disable the diag test 'TestEARLInternalTables' on all the DFC/PFC modules. However, this workaround will only stop further memory leak. To recover from the already leaked memory on the SP, the sup has to be reloaded (in case of a single sup) or a 'switchover' done (in case of dual supervisors).

Command line:
- - - - - - - - - - - - - - - - - - - - -
r31(config)#no diagnostic monitor module all test TestEARLInternalTables

-Azher

Chris Phillips wrote:
> Every six weeks or so I am running out of memory on a 6509 w/ dual
> SUP720-3BXL with mostly 6700-series line cards.
>
> I have 21 other nodes with this exact same configuration, some even
> running SXI or SXI1 that do not have this issue, which first led me to
> believe that the issue might be hardware related.
>
> During our last maintenance window to alleviate the memory issue, I
> forced the standby SUP to become the active SUP. The memory issue
> persisted, leading me back to thinking it is a software issue.
>
> I did not have this issue with SXH* on this same device, but SXH is
> *SO* buggy, rolling back is not an option. This leads me to believe
> that it is most likely a software issue.
>
> The router is heavily used with 250+ BGP sessions, OSPF, MPLS, v4/v6,
> etc, but I don't think it should be consuming and not releasing 4
> mbytes of memory each day.
>
> Has anyone else seen this? Anyone know a workaround?
>
> I'm upgrading to SXI2 tonight in hopes that it resolves my issue.

From gert at greenie.muc.de Sun Aug 30 16:42:39 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 30 Aug 2009 22:42:39 +0200
Subject: [c-nsp] Weird memory issue with SXI/SXI1 on 6500 w/ SUP720-3BXL
In-Reply-To: <4A9AB2AE.8060109@wbsconnect.com>
References: <4A9AB2AE.8060109@wbsconnect.com>
Message-ID: <20090830204239.GZ117@greenie.muc.de>

Hi,

it's a bit hard to comment on this, as it is lacking the most important bit - *which process* is losing the memory? ("show proc mem sort", run every few days, compare the output).

On Sun, Aug 30, 2009 at 10:11:10AM -0700, Chris Phillips wrote:
> I did not have this issue with SXH* on this same device, but SXH is *SO*
> buggy, rolling back is not an option. This leads me to believe that it
> is most likely a software issue.
>
> The router is heavily used with 250+ BGP sessions, OSPF, MPLS, v4/v6,
> etc, but I don't think it should be consuming and not releasing 4 mbytes
> of memory each day.
>
> Has anyone else seen this? Anyone know a workaround?

My guess would be "you have SXI and a high number of inactive/shutdown BGP sessions". SXI is leaking memory in this configuration. It seems to queue BGP updates for the inactive neighbors, and never release them (obviously, since they are never sent...).

Fixed in SXI2. There are voices that SXI2 also has mem leak issues, but we haven't seen those yet.

(NB: SXH3a is quite good for us as well - no mem leaks, no crashes, no ghost bugs.)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Sun Aug 30 16:45:06 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 30 Aug 2009 22:45:06 +0200
Subject: [c-nsp] Monitor 3560
In-Reply-To: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com>
References: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com>
Message-ID: <20090830204506.GA117@greenie.muc.de>

Hi,

On Thu, Aug 27, 2009 at 03:30:03PM +0300, almog ohayon wrote:
> Hello Everyone, I wondered if anyone knows how to monitor 3560 interface vlan
> traffic?

"take the 3560 and beat your cisco sales rep with it". This still won't give you per-vlan counters, but vent off some of the frustration that these (and the 3750) cause.

And no, there is no way - the hardware is lacking the capability to count vlan traffic.

(Which has been answered on this list about *one week* ago...)

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Sun Aug 30 16:45:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 30 Aug 2009 22:45:42 +0200
Subject: [c-nsp] Monitor 3560
In-Reply-To: <20090827170714.M94697@fast-serv.com>
References: <3b53747c0908270530ke57b48dub09cea4dee72c0cd@mail.gmail.com> <4A96A582.6040801@thelan.no> <20090827170714.M94697@fast-serv.com>
Message-ID: <20090830204542.GB117@greenie.muc.de>

Hi,

On Thu, Aug 27, 2009 at 01:08:32PM -0400, Randy McAnally wrote:
> It does however, count traffic routed between VLANs.

No. Well - *if* it does, you have a BIG problem, because that would mean "CPU switched traffic".

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From howard at leadmon.net Sun Aug 30 18:38:13 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Sun, 30 Aug 2009 18:38:13 -0400
Subject: [c-nsp] Help with Cisco ASA w/CSC-SSM and WCCP Configuration..
Message-ID: <01af01ca29c2$90bdea00$b239be00$@net>

I figured I would post here and see if anyone has set this up before, and come across a decent solution for the issue I am currently trying to work through.

First off, I have a Cisco ASA-5510 with the CSC-SSM-10 module installed in it. The ASA is running the most current 8.2.1 code, and the CSC is running the most current 6.3.1172.0 code from Cisco's site. I do have all this up and running at this time, and it works.

I also have a Cisco Content Engine-590 that I have had online here for a while (with only a T1, saving re-grabbing large image content on sites is a plus).
I also have the most current ACNS software 5.5.13 loaded on the 590 as well, and it's configured to work with the ASA using WCCPv2.

OK, so now the issue. It is all working, but apparently WCCP and the ASA requests are handled before the CSC module, so any and all web requests being processed by the CSC-SSM-10 module all look as though they are coming from a single IP address (the IP of the CE590). In some ways, I guess one could say that was great, as you will sure never have to worry about running past the 50 user limit of the default CSC license, as it only sees stuff from a single IP.

Of course, like all things there is a catch, and for me this is the issue I have. I want to use the Content Filtering function of the CSC-SSM, and limit people based on either the internal IP address, or I see I can also use the NT Active Directory info. In fact I even tried to use the AD plugin, but as it sees the IP of the CE590, again it won't find any logged in users. So due to this, I can't enforce content restrictions on certain users, as everything appears as a single User/IP.

So the million dollar question is, has anyone set up and used the ASA w/CSC module along with a Content Engine (web cache) in transparent mode via WCCP, and been able to make the CSC module see the individual IPs/users inside? I tried tweaking a couple of items in the CE590 but that only resulted in things breaking, so I put it all back.

If anyone has any ideas on how to accomplish this, or any material on doing this, it would be most appreciated.
---
Howard Leadmon

From illcritikz at gmail.com Sun Aug 30 19:33:46 2009
From: illcritikz at gmail.com (Ben Steele)
Date: Mon, 31 Aug 2009 09:33:46 +1000
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090829144521.GA2115@greenie.muc.de>
References: <20090829144521.GA2115@greenie.muc.de>
Message-ID: <4422cf660908301633h2ce2be04j393905d53d83f63e@mail.gmail.com>

You can try OSPF fast hellos, but the general consensus is to not use them, purely because there is no pseudo-preemption for it (unlike BFD), so if you have a busy router, or even a router with bursty busyness aka SNMP polling, you can draw false positives into your fast hellos.

Having said that, something like a 2 sec hello with a 6 sec dead timer has worked well for me before; you could try cutting that down to 1 and 3 respectively. It's probably just a matter of test and tweak and see what works for you.

If you can work a solution that incorporates BFD you will be better off in the long run (as your router certainly won't get less busy as time goes on) if the ultimate goal is fast convergence with 5 exclamation marks :)

Ben

On Sun, Aug 30, 2009 at 12:45 AM, Gert Doering wrote:
> Hi,
>
> for a new project, I have been tasked to build a network that does
> IGP fast convergence "as fast as possible!!!" (with 5 exclamation marks).
>
> Due to other reasons (... of course this needs to be FAST and cost
> NOTHING...), the routers will be 6504+Sup32s, planned IOS is SXH3a or
> SXI2.
>
> BFD won't be possible, as routing will be done on SVIs (thanks, Cisco)
>
> [*maybe* I can do this on port-channel dot1q subinterfaces, but I'm not
> yet sure how this will work out - can MUX-UNI be used to mix routed
> subinterfaces and switched VLANs? I've only used it to mix MPLS subifs
> and switched VLANs].
>
> Now I'm looking for experience and recommendations about tweaking OSPF
> - how far have you (successfully) reduced OSPF hello timers? Any other
> success or horror stories about IGP fast convergence on Sup32?
>
> ... and yes, I'm aware that I won't be able to do "sub-500ms" on this
> platform. I'm not aiming for this :-) - something like "< 3s" would
> be perfect, "< 10s" would make $them grumble, but eventually accept it...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From cphillips at wbsconnect.com Sun Aug 30 21:52:13 2009
From: cphillips at wbsconnect.com (Chris Phillips)
Date: Sun, 30 Aug 2009 18:52:13 -0700
Subject: [c-nsp] Weird memory issue with SXI/SXI1 on 6500 w/ SUP720-3BXL [SOLVED]
In-Reply-To:
References: <4A9AB2AE.8060109@wbsconnect.com>
Message-ID: <4A9B2CCD.4080106@wbsconnect.com>

A "show memory allocating-process totals" is very telling.

Allocator PC Summary for: Processor
Displayed first 2048 Allocator PCs only

PC          Total      Count  Name
0x4035A6C8  295186172  4420   BGP battr chun
0x40809510  45688268   695    CEF: fib

BGP is definitely the culprit. It has consumed almost 250 million more bytes than the next closest process. Yikes! Looking at a "healthy" router, this process is just under the 100 million byte mark.

I received an off-list reply that contained the workaround. I had four BGP sessions in an admin down state and one that was trying to connect. I removed all five of these sessions from my configuration and the difference was dramatic.

Here's the path/bestpath before the removal of the configuration:

1640389/55395 BGP path/bestpath attribute entries using 262462240 bytes of memory

Here it is after:

463745/55388 BGP path/bestpath attribute entries using 74199200 bytes of memory

That's a staggering difference.
However, while the memory has been released back into the "BGP memory pool", it does not show up in the "free memory pool". We're still at 90% usage, so I will have to proceed with our scheduled maintenance tonight.

I had planned on moving to SXI2 tonight, but it sounds like that has some memory issues as well. I think I might just stay put for now, since I now know the workaround for this issue.

Thank you everyone for your replies and assistance. It was of great help!

Cheers!

e ninja wrote:
> Grab multiple captures of sh proc mem to identify the process "holding"
> and not releasing (i.e. leaking) memory. When memory is heavily
> depleted, grab a *show memory allocating-process totals* and feel free
> to unicast.
>
> Any MALLOC failures?
>
> -Eninja
>
> On Sun, Aug 30, 2009 at 10:11 AM, Chris Phillips wrote:
>
>     Every six weeks or so I am running out of memory on a 6509 w/ dual
>     SUP720-3BXL with mostly 6700-series line cards.
>
>     I have 21 other nodes with this exact same configuration, some even
>     running SXI or SXI1 that do not have this issue, which first led me
>     to believe that the issue might be hardware related.
>
>     During our last maintenance window to alleviate the memory issue, I
>     forced the standby SUP to become the active SUP. The memory issue
>     persisted, leading me back to thinking it is a software issue.
>
>     I did not have this issue with SXH* on this same device, but SXH is
>     *SO* buggy, rolling back is not an option. This leads me to believe
>     that it is most likely a software issue.
>
>     The router is heavily used with 250+ BGP sessions, OSPF, MPLS,
>     v4/v6, etc, but I don't think it should be consuming and not
>     releasing 4 mbytes of memory each day.
>
>     Has anyone else seen this? Anyone know a workaround?
>
>     I'm upgrading to SXI2 tonight in hopes that it resolves my issue.
>
>     --
>     Chris Phillips

--
Chris Phillips

From gert at greenie.muc.de Mon Aug 31 02:36:33 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 31 Aug 2009 08:36:33 +0200
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <4422cf660908301633h2ce2be04j393905d53d83f63e@mail.gmail.com>
References: <20090829144521.GA2115@greenie.muc.de> <4422cf660908301633h2ce2be04j393905d53d83f63e@mail.gmail.com>
Message-ID: <20090831063633.GC117@greenie.muc.de>

Hi,

On Mon, Aug 31, 2009 at 09:33:46AM +1000, Ben Steele wrote:
> If you can work a solution that incorporates BFD you will be better off in
> the long run(as your router certainly won't get less busy as time goes on)
> if the ultimate goal is fast convergence with 5 exclamation marks :)

I'd *love* to use BFD, but since there is no BFD on SVIs and no MUX-UNI for routed subinterfaces, this seems to be a bit difficult... *grumble*

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de
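As an added example for the SXI memory-leak thread above (not code from the list, from any poster, or from Cisco): Gert suggested running "show proc mem sort" every few days and comparing the output, and Chris's [SOLVED] post shows what "show memory allocating-process totals" reports. The script below parses both formats and ranks processes by Holding growth. Every capture in it is constructed and trimmed to a few processes (the two allocator rows reuse the figures Chris posted); only the column layout follows IOS.

```python
"""Spot a slow IOS memory leak from periodic CLI captures.

Compares two captures of 'show processes memory sorted' taken days apart,
ranks processes by Holding growth, and ranks the allocator PCs reported by
'show memory allocating-process totals'.  All captures here are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed capture, day 0.  Columns: PID TTY Allocated Freed Holding Getbufs Retbufs Process
CAPTURE_DAY0 = """\
Processor Pool Total: 1021063600 Used:  700000000 Free:  321063600

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0  112000000   40000000   72000000          0          0 *Init*
 276   0  118000000   38000000   80000000          0          0 BGP Router
 150   0   60000000   10000000   50000000          0          0 CEF process
 210   0    5000000    4000000    1000000          0          0 OSPF-1 Router
"""

# Constructed capture, day 5.  Only BGP Router's Holding has grown (by 21.5 MB).
CAPTURE_DAY5 = """\
Processor Pool Total: 1021063600 Used:  721500000 Free:  299563600

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0  112000000   40000000   72000000          0          0 *Init*
 276   0  140000000   38500000  101500000          0          0 BGP Router
 150   0   60100000   10100000   50000000          0          0 CEF process
 210   0    5200000    4200000    1000000          0          0 OSPF-1 Router
"""

# Allocator summary; the two data rows are the ones posted in the thread.
ALLOCATOR_TOTALS = """\
Allocator PC Summary for: Processor
Displayed first 2048 Allocator PCs only
PC          Total    Count  Name
0x4035A6C8  295186172  4420  BGP battr chun
0x40809510   45688268   695  CEF: fib
"""

POOL_RE = re.compile(r"^\s*(?P<pool>[\w/]+) Pool Total:\s*(?P<total>\d+)"
                     r"\s+Used:\s*(?P<used>\d+)\s+Free:\s*(?P<free>\d+)")
PROC_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<tty>\d+)\s+(?P<allocated>\d+)\s+(?P<freed>\d+)"
                     r"\s+(?P<holding>\d+)\s+(?P<getbufs>\d+)\s+(?P<retbufs>\d+)\s+(?P<name>\S.*?)\s*$")
ALLOC_RE = re.compile(r"^\s*(?P<pc>0x[0-9A-Fa-f]+)\s+(?P<total>\d+)\s+(?P<count>\d+)\s+(?P<name>\S.*?)\s*$")


def parse_proc_mem(text: str) -> Tuple[Dict[str, Dict[str, int]], Dict[str, int]]:
    """Return (pools, holding): pool name -> {total, used, free}, and
    process name -> Holding bytes (summed if a name appears twice)."""
    pools: Dict[str, Dict[str, int]] = {}
    holding: Dict[str, int] = {}
    for line in text.splitlines():
        pool = POOL_RE.match(line)
        if pool:
            pools[pool["pool"]] = {k: int(pool[k]) for k in ("total", "used", "free")}
            continue
        proc = PROC_RE.match(line)
        if proc:  # the header row has no numeric PID and is skipped
            holding[proc["name"]] = holding.get(proc["name"], 0) + int(proc["holding"])
    return pools, holding


def holding_growth(before: str, after: str, days: float,
                   min_bytes_per_day: int = 1_000_000) -> List[Tuple[str, int, float]]:
    """Processes whose Holding grew by at least min_bytes_per_day, largest delta first.
    A process present only in the later capture is counted from zero."""
    if days <= 0:
        raise ValueError("days must be positive")
    old = parse_proc_mem(before)[1]
    new = parse_proc_mem(after)[1]
    suspects = []
    for name, now in new.items():
        delta = now - old.get(name, 0)
        if delta / days >= min_bytes_per_day:
            suspects.append((name, delta, delta / days))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


def free_memory_delta(before: str, after: str, pool: str = "Processor") -> int:
    """Change in the pool's Free bytes between captures; negative means shrinking."""
    return parse_proc_mem(after)[0][pool]["free"] - parse_proc_mem(before)[0][pool]["free"]


def parse_allocator_totals(text: str) -> List[Tuple[str, int, int, str]]:
    """Rows of 'show memory allocating-process totals' as (pc, total, count, name), largest first."""
    rows = [(m["pc"], int(m["total"]), int(m["count"]), m["name"])
            for m in (ALLOC_RE.match(l) for l in text.splitlines()) if m]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print("Processor pool free memory delta:", free_memory_delta(CAPTURE_DAY0, CAPTURE_DAY5))
    for name, delta, per_day in holding_growth(CAPTURE_DAY0, CAPTURE_DAY5, 5):
        print("%-16s holding +%d bytes (%.0f bytes/day)" % (name, delta, per_day))
    print("largest allocator:", parse_allocator_totals(ALLOCATOR_TOTALS)[0])
```

On a real router the two captures would be the saved output of "show processes memory sorted" from different days; a process climbing a few MB per day while free memory falls by the same amount is the one to raise with TAC, as the thread did with BGP.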
From blahu77 at gmail.com Mon Aug 31 03:05:02 2009
From: blahu77 at gmail.com (Mateusz Blaszczyk)
Date: Mon, 31 Aug 2009 08:05:02 +0100
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090831063633.GC117@greenie.muc.de>
References: <20090829144521.GA2115@greenie.muc.de> <4422cf660908301633h2ce2be04j393905d53d83f63e@mail.gmail.com> <20090831063633.GC117@greenie.muc.de>
Message-ID: <20090831070502.GE15361@thorgal>

On Mon, Aug 31, 2009 at 08:36:33AM +0200, Gert Doering wrote:
> Hi,
>
> On Mon, Aug 31, 2009 at 09:33:46AM +1000, Ben Steele wrote:
> > If you can work a solution that incorporates BFD you will be better off in
> > the long run(as your router certainly won't get less busy as time goes on)
> > if the ultimate goal is fast convergence with 5 exclamation marks :)
>
> I'd *love* to use BFD, but since there is no BFD on SVIs and no
> MUX-UNI for routed subinterfaces, this seems to be a bit difficult...

If port usage is not an issue, you can try to stretch a VLAN via trunk--->access--->routed ports using an external looped cable. Ugly.

Best Regards,

-mat

--
Mateusz Blaszczyk
pgp-key 0x64643FCE
From gert at greenie.muc.de Mon Aug 31 03:11:10 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 31 Aug 2009 09:11:10 +0200
Subject: [c-nsp] OSPF fast convergence on Sup32/SXI
In-Reply-To: <20090831070502.GE15361@thorgal>
References: <20090829144521.GA2115@greenie.muc.de> <4422cf660908301633h2ce2be04j393905d53d83f63e@mail.gmail.com> <20090831063633.GC117@greenie.muc.de> <20090831070502.GE15361@thorgal>
Message-ID: <20090831071110.GD117@greenie.muc.de>

Hi,

On Mon, Aug 31, 2009 at 08:05:02AM +0100, Mateusz Blaszczyk wrote:
> if ports usage is not an issue, you can try to stretch a vlan via
> trunk--->access--->routed ports using external looped cable. Ugly.

I'm not *exactly* sure how to sell this as a "professional high-availability solution"... :-/

(And since I need BFD on two different interconnection VLANs, it would eat up 4 GE ports if I only go for "1 gbit").

Yes, it might give me BFD, but at what price...?

(but thanks for the suggestion anyway :) ).

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From JShao at dtcc.com Mon Aug 31 04:04:59 2009
From: JShao at dtcc.com (Jay Shao)
Date: Mon, 31 Aug 2009 04:04:59 -0400
Subject: [c-nsp] Jay Shao is out of the office.
Message-ID:

I will be out of the office starting 08/31/2009 and will not return until 09/07/2009.

I will respond to your message when I return. Please contact NETTCP at DTCC.COM for any production issues.
From trejrco at gmail.com Mon Aug 31 07:41:54 2009
From: trejrco at gmail.com (TJ)
Date: Mon, 31 Aug 2009 07:41:54 -0400
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A988806.8000005@thelan.no>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A965C8D.2070600@Janoszka.pl> <4A965DD7.9070105@imperial.ac.uk> <1251368773.16185.44.camel@daniel.office.bit.nl> <4A965FD8.8050505@imperial.ac.uk> <4A967FE9.7080704@Janoszka.pl> <1251377258.16185.78.camel@daniel.office.bit.nl> <4A96814B.1020205@Janoszka.pl> <4A988806.8000005@thelan.no>
Message-ID: <000001ca2a30$0af67040$20e350c0$@com>

FWIW - I wouldn't use fe80::1 on all router interfaces. Yes, you can do it (unless you have two routers on one link; they couldn't both have fe80::1 on the same link).

While I do agree with manually setting the link-local addresses, I prefer a "more meaningful" address. Something that indicates the router and link in question, so in an overly simple case - router 23's interface on VLAN37 could be something like: fe80::23:37 ... this (or some derivative) makes troubleshooting easier later on ....

/TJ

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Harald Firing Karlsen
>Sent: Friday, August 28, 2009 9:45 PM
>To: cisco_nsp
>Subject: Re: [c-nsp] IPV6 in general was Re: Large networks
>
>Grzegorz Janoszka wrote:
>> Daniel Verlouw wrote:
>>> On Thu, 2009-08-27 at 14:45 +0200, Grzegorz Janoszka wrote:
>>>> You cannot have the same link-local IP's on different ifaces, can you?
>>>
>>> sure you can, that's what link-local is for.
>>>
>>> daniel at jun1.XXXX> show interfaces | match fe80::2$ | count
>>> Count: 16 lines
>>
>> So, can I have just fe80::1 as a virtual gateway on all interfaces in
>> my network? I thought it was not possible. Does someone have such
>> setup with Cisco?
>Yes, I have used it for tunneling on several occasions, but keep in mind that
>for static routes you will naturally always have to specify outgoing
>interface in addition to the next hop (i.e. ipv6 route ::/0
>FastEthernet0/1 fe80::2).
>
>
>--
>Harald Firing Karlsen

From trejrco at gmail.com Mon Aug 31 07:53:36 2009
From: trejrco at gmail.com (TJ)
Date: Mon, 31 Aug 2009 07:53:36 -0400
Subject: [c-nsp] IPV6 in general was Re: Large networks
In-Reply-To: <4A9AA829.7000103@Janoszka.pl>
References: <00b301ca2673$5ce7cc70$0a00000a@nil.si> <019d01ca2676$e54c26d0$0202fea9@am.thmulti.com> <6edgm6-u6l.ln1@chipmunk.wormnet.eu> <20090826.211833.71103910.sthaug@nethelp.no> <20090826220727.GV117@greenie.muc.de> <1251358290.16185.13.camel@daniel.office.bit.nl> <4A963A28.9040109@Janoszka.pl> <4A9653B3.6090607@imperial.ac.uk> <4A97D003.5030301@Janoszka.pl> <4A9AA829.7000103@Janoszka.pl>
Message-ID: <000201ca2a31$ac6fc290$054f47b0$@com>

>> I disagree. Not worse than DHCP. By the way how do you distribute
>> parameters for local links?

++1

>DHCP fake offers are better filterable I think. With v6 we now use mostly
>static IP addressing. Still working for DHCP over v6.

Not really; I would (hypothetically) hand out valid addresses but point your hosts to me for DNS resolution. Eve wins. On the reverse side, I could manually configure my host for a "valid" IP. Eve wins. Filtering by address sub-ranges is a losing proposition for the most part, low ROI.
Simply filter by the valid prefixes (uRPF) and spend the time securing your hosts :).

Things like RA Guard help mitigate the impact of rogue RAs being sent on the wire, and SEND/CGA (once deployable) will help a bunch as well. MLD Snooping can help prevent some of the MITM attacks as well.

... Moving forward, I'd also like to see IPv6 versions of things like Dynamic ARP inspection, DHCP Guard ...

/TJ

From geoff at pendery.net Mon Aug 31 09:24:43 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Mon, 31 Aug 2009 08:24:43 -0500
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <1251499435.13637.3.camel@abehat.net.rm.dk>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk>
Message-ID:

"A compatible device (i.e. one that presents itself as a phone via CDP) would activate the voice VLAN and thus allow tagged incoming traffic on VLAN 66. This requires the switch (and port) to have CDP enabled by the way."

Can also be done with LLDP, should you have non-Cisco IP phones. I can vouch for 4500's and Avaya IP phones speaking LLDP to each other.

-Geoff

On Fri, Aug 28, 2009 at 5:43 PM, Peter Rathlev wrote:
> On Fri, 2009-08-28 at 15:20 -0700, Yuri Bank wrote:
>> interface FastEthernet0/4
>>  description phone
>>  switchport access vlan 77
>>  switchport trunk native vlan 55
>>  switchport mode access
>>  switchport voice vlan 66
>>
>> In this configuration, data is placed on vlan 55? From what I've read
>> on other forums and such is that the data would be on the configured
>> access vlan ( 77 ). Unfortunately I do not have an iphone to test
>> this. Could anyone give me some clarity?
>
> Untagged traffic on the port would be VLAN 77, since this is what you
> configured as access VLAN and since the port is in forced access mode.
>
> A compatible device (i.e. one that presents itself as a phone via CDP)
> would activate the voice VLAN and thus allow tagged incoming traffic on
> VLAN 66. This requires the switch (and port) to have CDP enabled by the
> way.
>
> The trunk configuration is ignored when you issue "switchport mode
> access".
>
> If you only need a stand-alone phone you can just use a simple access
> port in the voice VLAN.
>
> Regards,
> Peter

From koug at intracom.gr Mon Aug 31 09:29:33 2009
From: koug at intracom.gr (John Kougoulos)
Date: Mon, 31 Aug 2009 16:29:33 +0300 (GTB Daylight Time)
Subject: [c-nsp] VPN Auditing
In-Reply-To: <004801ca272c$09bf3290$1d3d97b0$@org>
References: <004801ca272c$09bf3290$1d3d97b0$@org>
Message-ID:

have you enabled "crypto logging session" ?

On Thu, 27 Aug 2009, Paul Stewart wrote:
> Hi folks...
>
> We have a site that runs a Cisco 2800 with an IOS VPN server. Users connect
> via their Cisco VPN clients to gain access to an internal network there...
>
> I would like to start auditing it a bit more and have a way to tell who
> logged in and when. Is this difficult? I've searched around and found more
> complex things that can be accomplished but currently the security policy
> only permits user authentication auditing. The users are currently
> authenticated off a local configuration - would moving them to Radius make
> more sense or can I do this with builtin usernames?
>
> Best regards,
>
> Paul

From paul at paulstewart.org Mon Aug 31 09:36:00 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 31 Aug 2009 09:36:00 -0400
Subject: [c-nsp] VPN Auditing
In-Reply-To:
References: <004801ca272c$09bf3290$1d3d97b0$@org>
Message-ID: <000301ca2a3f$fb2ae8c0$f180ba40$@org>

Thanks - didn't know about that ;) I think we'll end up moving to Radius anyways - just makes better sense ....

Take care,

Paul

From BBlackford at nwresd.k12.or.us Mon Aug 31 09:43:32 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Mon, 31 Aug 2009 06:43:32 -0700
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To:
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk>
Message-ID: <6069A203FD01884885C037F81DD75080171DF9241C@wsc-mail-01.intra.nwresd.k12.or.us>

I agree. LLDP is fairly slick. We're currently doing it with a non-Cisco switch and Cisco phones in some of our smaller sites.

-b
From gert at greenie.muc.de Mon Aug 31 10:29:25 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 31 Aug 2009 16:29:25 +0200
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD302516E1A@kenya.tronet.as>
References: <6B43981C32F8464CB24CEE209DA32BD302516E1A@kenya.tronet.as>
Message-ID: <20090831142925.GJ117@greenie.muc.de>

Hi,

On Sat, Aug 29, 2009 at 12:23:42AM +0200, Daniska Tomas wrote:
> TAC was pretty responsive, they have identified this as CSCtb27643. It happens in SXI2, both modular and monolithic, and whether in VSS or not, just when DFCs are in place. The ddts is not public so ask your local team.

Thanks for this heads-up. I'm querying right now...

The original issue seems to have been a case of improper grounding - we have opened a TAC case, and they have suggested to check the chassis ground with the dedicated "grounding screw" on the front side.

I don't fully understand what's going on inside these boxes (there's grounding in the PSUs and there should be enough metal connected to the rack posts to get ground), but since we've put in an additional grounding cable to this grounding screw, no more spontaneous reboots for 10 days now...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From esavage at digitalrage.org Mon Aug 31 10:49:45 2009
From: esavage at digitalrage.org (Elijah Savage)
Date: Mon, 31 Aug 2009 10:49:45 -0400 (EDT)
Subject: [c-nsp] Monitoring Cisco SIP 200/400 interfaces
Message-ID: <30911076.41251730185534.JavaMail.root@mail>

All,

Does anyone have the MIB for monitoring the cpu utilization of the SIP200/400 interfaces on a 7600? We can graph the normal interface statistics, but I have seen scenarios where the SIP interface cpu was running very high introducing latency and the circuit was only approaching 40% utilization. Now to Cisco's credit in these situations it has been due to possibly misconfiguration, but this is something I believe should be available just like all the other resources are.

Thanks

From akg1330 at gmail.com Mon Aug 31 09:58:15 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Mon, 31 Aug 2009 09:58:15 -0400
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To:
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk>
Message-ID: <4A9BD6F7.2020601@gmail.com>

Would you mind sharing your IOS config, DHCP options, phone version & settings file?

I've had varying success with Avaya and Cisco LLDP.

Then again, I'm using SIP loads on the phones.

Thanks.
From geoff at pendery.net Mon Aug 31 11:30:37 2009
From: geoff at pendery.net (Geoffrey Pendery)
Date: Mon, 31 Aug 2009 10:30:37 -0500
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <4A9BD6F7.2020601@gmail.com>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk> <4A9BD6F7.2020601@gmail.com>
Message-ID:

The TAC engineer I asked for configuration help found this link for me (I feel dumb being simply out-Googled, but appreciative that he went outside Cisco-only docs and actually found me good interop info)

http://www.avaya.de/emea/de/resource/assets/applicationnotes/CSCO_LLDP-MED.pdf

On the access ports, we have:
 switchport
 switchport host
 switchport access vlan 100
 switchport voice vlan 400

And globally all I had to turn on was "lldp run"

We do connect workstations through the phone's built-in switch, and we do use the separate data and voice VLANs. Operationally, we're serving the DHCP options to the phones (a big string of variables in option 176) but in the lab I verified the phone would receive and use the voice and data VLANs separately via LLDP parameters, without help from DHCP.

The only thing I noticed missing was the precise power info. AF power determines that the phone is class 2, so it allocates 7.9 Watts from the PS, but if CDP was there (or the Power TLVs in LLDP were open standard, instead of Avaya Proprietary) then it would get the more precise consumption (say 6.2 Watt) and be able to allocate more phones out of the same PS.

Other than that, seems to work like a charm. We get lots of good info from the phones via LLDP.

-Geoff
From oboehmer at cisco.com Mon Aug 31 12:46:43 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 31 Aug 2009 18:46:43 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A806F61.1000600@gmail.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl> <4A7B254B.8040607@gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com> <4A806F61.1000600@gmail.com>
Message-ID: <6E4D2678AC543844917CA081C9D6B33F35664B@XMB-AMS-103.cisco.com>

Jared Gillis wrote on Monday, August 10, 2009 21:05:
> Oliver Boehmer (oboehmer) wrote:
>> Well.. not sure how large you want to grow your L1 area, but you
>> could investigate "advertise-passive-only" to only advertise the
>> loopbacks (all customer routes should be in BGP if you need to plan
>> for growth), and you'll be fine, even with 1000 nodes in the area.
>> And if you reach this number, address summarization (and the
>> implications of it) will become an issue (even with OSPF)..
>>
>>> It's looking like we might have to run OSPF on this, but we'd really
>>> rather stick with IS-IS. It seems that OSPF's ability to put
>>> individual interfaces into different areas might be the required
>>> feature that forces us that way. That is, unless anyone knows a way
>>> to put an IS-IS router into different areas aside from assigning
>>> multiple NET addresses...
>>
>> No, doesn't work with Integrated ISIS (only CLNS allows you to use
>> different ISIS areas on a single node)..
>
> Hm, I think I may have found my answer in IS-IS Multiarea:
> http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html
>
> I've configured it up in our lab, and running IP IS-IS it seems to do
> exactly what I need.
> I've got my Router A set up running multi-area with one L2 instance
> for backbone and multiple L1 instances for each L1 stub area. The L1 areas only
> see their own internal routes, plus default towards Router A, and I
> have full connectivity from stub to stub.

it might work, but is not supported (as mentioned in the link under "Restrictions": The IS-IS Multiarea Support feature is supported only for ISO CLNS). So use it at your own risk...

oli

From mksmith at adhost.com Mon Aug 31 14:10:04 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 31 Aug 2009 11:10:04 -0700
Subject: [c-nsp] Cisco ASA - presenting a NAT'd address to a VPN tunnel
Message-ID: <17838240D9A5544AAA5FF95F8D520316069345C8@ad-exh01.adhost.lan>

Hello All:

I will be configuring an ASA where the remote-end requirement is that the address presented to them is a globally unique (non-RFC 1918) address. I *think* this means I have to double NAT. So, instead of having the 192.168.x.x address presented over the tunnel, it has to be a "real" address.

Has anyone ever configured something like this on an ASA? I've always used the inside addresses for interesting traffic in the ACL. Can I use the static, outside address in the tunnel?

Regards,

Mike
--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC
mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

From joe at netbyjoe.com Mon Aug 31 14:23:32 2009
From: joe at netbyjoe.com (Joe Freeman)
Date: Mon, 31 Aug 2009 14:23:32 -0400
Subject: [c-nsp] MLPPP on dsl
Message-ID: <5da6cd9f0908311123tee6a500n2579187cea3ad6e@mail.gmail.com>

What's the best IOS to use on a 7206vxr NPE-G1 with 1G Ram, to terminate PPPoE on L2TPv3 tunnels into MLPPP bundles?

We're currently running 12.2(16)B on this box, and terminating sessions just fine. MLPPP performance on DSL/PPPoE sessions is horrible, however. I suspect it's related to a log message concerning mlppp packets being forwarded to the wrong interface. I'm trying to get the exact message, but the customer apparently has their cpe router off.

The cpe device in use is currently a 2610 with two ADSL wics running a 12.2 ip plus image. I've got a 2651xm coming with a 12.3 ip plus image to see if it works better.

Any help is appreciated.
Here's the 7206 virtual template config-

interface Virtual-Template2
 mtu 1492
 ip unnumbered FastEthernet0/0
 peer default ip address pool default
 ppp authentication chap pap
 ppp chap hostname c7206-2
 ppp multilink

and the 2600 cpe config-

interface Multilink1
 no ip address
 ppp multilink
 ppp multilink group 1
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 2
!
interface Dialer2
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 load-interval 30
 dialer pool 2
 dialer load-threshold 1 outbound
 dialer-group 2
 ppp max-bad-auth 3
 ppp lcp predictive
 ppp lcp delay 1
 ppp authentication pap ms-chap callin
 ppp chap hostname user at domain.com
 ppp chap password 0 *******
 ppp pap sent-username user at domain.com password 0 *******
 ppp multilink
 ppp multilink fragment disable
 ppp multilink links minimum 2
 ppp multilink multiclass

Thanks-
Joe

From egirard at focustsi.com Mon Aug 31 14:30:02 2009
From: egirard at focustsi.com (Eric Girard)
Date: Mon, 31 Aug 2009 14:30:02 -0400
Subject: [c-nsp] Cisco ASA - presenting a NAT'd address to a VPN tunnel
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316069345C8@ad-exh01.adhost.lan>
References: <17838240D9A5544AAA5FF95F8D520316069345C8@ad-exh01.adhost.lan>
Message-ID:

Mike,

Yes, you can use a NAT'd address in the interesting traffic ACLs, just don't include the src/dst pair in your NAT exemption ACL. Because the NAT is done before the VPN traffic selection, the NAT will be applied before it goes into the tunnel. So this could be as simple as using your existing outside interface IP from your ISP, or NATing the traffic to an address given to you by the partner.

Eric

From akg1330 at gmail.com Mon Aug 31 13:13:09 2009
From: akg1330 at gmail.com (Andrew Gallo)
Date: Mon, 31 Aug 2009 13:13:09 -0400
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To:
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk> <4A9BD6F7.2020601@gmail.com>
Message-ID: <4A9C04A5.8040203@gmail.com>

Thanks Geoffrey!

From vuillaumes at gmail.com Mon Aug 31 16:33:55 2009
From: vuillaumes at gmail.com (samuel vuillaume)
Date: Mon, 31 Aug 2009 16:33:55 -0400
Subject: [c-nsp] srr-queue bandwidth share on 3750
Message-ID:

Guys,

I was wondering, and because I can't test, in the case below

interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 607
 switchport mode trunk
 srr-queue bandwidth share 1 59 30 10
 srr-queue bandwidth shape 30 0 0 0
 mls qos trust dscp

In case of congestion, let's say my queue 2 is free of use (empty) .... How are my queues 3 and 4 going to use the free bandwidth of queue 2?

I mean, with this configuration my queues 2, 3 and 4 get the remaining bandwidth after queue 1:

queue 2, 59/99*66Mbps = 39 Mbps
queue 3, 20Mbps
queue 4, 6Mbps

so it means 39 Mbps available to allocate to queue 3 and queue 4... how will this traffic be shared between 3 and 4? (I suppose it's related to the priority of the queue)

Can you confirm?

tks

From A.L.M.Buxey at lboro.ac.uk Mon Aug 31 16:51:09 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 31 Aug 2009 21:51:09 +0100
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <6069A203FD01884885C037F81DD75080171DF9241C@wsc-mail-01.intra.nwresd.k12.or.us>
References: <609889.18764.qm@web36902.mail.mud.yahoo.com> <1251499435.13637.3.camel@abehat.net.rm.dk> <6069A203FD01884885C037F81DD75080171DF9241C@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <20090831205109.GB1893@lboro.ac.uk>

Hi,

> I agree. LLDP is fairly slick. We're currently doing it with a non-Cisco switch and Cisco phones in some of our smaller sites.

..and I noted that LLDP is slowly leaking out as a feature on Cisco switches - recent IOS for 3560 and 2960 switches can speak it... the service needs to be turned on of course.

alan

From fasterfourier at gmail.com Mon Aug 31 17:05:24 2009
From: fasterfourier at gmail.com (Robert Johnson)
Date: Mon, 31 Aug 2009 17:05:24 -0400
Subject: [c-nsp] Handling "junk traffic" with a secondary ISP using NAT
Message-ID: <4f84a6f80908311405w704c459ax53c92ab8807c7a21@mail.gmail.com>

Hello Cisco experts,

I have an interesting configuration here. I have an organization with some /24s of IP space assigned to their internal hosts. The IGP is OSPF and connectivity to the outside world is via a single ISP with multiple links using BGP (private ASN).

In an effort to cut costs, we would like to use an additional cheaper consumer-level ISP to handle some of the "junk traffic" such as streaming radio, MySpace CDN, etc.
Traffic that is not mission critical. The idea is to add an additional router to the main OSPF area, redistribute static routes to the "junk traffic" IP blocks into OSPF, and run NAT on the new router to get all this traffic flowing over the "cheap consumer level FTTP ISP" connection which is attached to the new router. The configuration to retract these static routes from the OSPF area upon a failure of the cheap ISP is straightforward. However, this scheme breaks some functionality. An incoming connection from a host in one of the "junk destination" IP blocks to a host in our internal network will flow in through the normal primary ISP. Responses to this connection, however, will be routed out through the secondary ISP and NATted, causing the reply packets to come from a different IP address. A potential solution would be to have the new router inspect all flows originating from the internal network and NAT only TCP sessions that originate from the inside network. The idea was to create a reflexive ACL containing any TCP flows originating from the inside network that are not established. Then use PBR to NAT any flows defined in this reflexive ACL, and send the rest of the traffic out without performing any NAT. Unfortunately, it doesn't appear to be possible to do this using standard Cisco reflexive ACLs, since the entries in the reflexive ACL have the source and destination reversed. Any ideas to implement this properly? Thanks, Robert From rwest at zyedge.com Mon Aug 31 17:37:58 2009 From: rwest at zyedge.com (Ryan West) Date: Mon, 31 Aug 2009 17:37:58 -0400 Subject: [c-nsp] Handling "junk traffic" with a secondary ISP using NAT In-Reply-To: <4f84a6f80908311405w704c459ax53c92ab8807c7a21@mail.gmail.com> References: <4f84a6f80908311405w704c459ax53c92ab8807c7a21@mail.gmail.com> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269DB3@zy-ex1.zyedge.local> Robert, You might want to look into OER with NAT and leverage application mapping for your outbound selection. 
OER can be a bit of a beast, but you might consider it. In a SOHO design, the configuration is a lot less complex.

http://www.cisco.com/en/US/docs/ios/12_4t/oer/configuration/guide/h_oerstr.html#wp1059322

Another choice would be application-aware PBR, which can also be used with OER or just with source-based routing like you listed below.

I was a little confused by the /24 statement. Are you saying that each user has a publicly routed address? Is your firewall doing NAT?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Johnson
Sent: Monday, August 31, 2009 5:05 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Handling "junk traffic" with a secondary ISP using NAT

Hello Cisco experts,

I have an interesting configuration here. I have an organization with some /24s of IP space assigned to their internal hosts. The IGP is OSPF and connectivity to the outside world is via a single ISP with multiple links using BGP (private ASN). In an effort to cut costs, we would like to use an additional cheaper consumer-level ISP to handle some of the "junk traffic" such as streaming radio, MySpace CDN, etc. Traffic that is not mission critical.

The idea is to add an additional router to the main OSPF area, redistribute static routes to the "junk traffic" IP blocks into OSPF, and run NAT on the new router to get all this traffic flowing over the "cheap consumer level FTTP ISP" connection which is attached to the new router. The configuration to retract these static routes from the OSPF area upon a failure of the cheap ISP is straightforward. However, this scheme breaks some functionality. An incoming connection from a host in one of the "junk destination" IP blocks to a host in our internal network will flow in through the normal primary ISP.
Responses to this connection, however, will be routed out through the secondary ISP and NATted, causing the reply packets to come from a different IP address.

A potential solution would be to have the new router inspect all flows originating from the internal network and NAT only TCP sessions that originate from the inside network. The idea was to create a reflexive ACL containing any TCP flows originating from the inside network that are not established. Then use PBR to NAT any flows defined in this reflexive ACL, and send the rest of the traffic out without performing any NAT. Unfortunately, it doesn't appear to be possible to do this using standard Cisco reflexive ACLs, since the entries in the reflexive ACL have the source and destination reversed.

Any ideas to implement this properly?

Thanks,

Robert
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From davidwarner1975 at yahoo.com.au Mon Aug 31 17:46:16 2009
From: davidwarner1975 at yahoo.com.au (David Warner)
Date: Mon, 31 Aug 2009 14:46:16 -0700 (PDT)
Subject: [c-nsp] Troubleshooting High CPU
Message-ID: <215340.46323.qm@web111604.mail.gq1.yahoo.com>

Hi All,

Just wondering if I can get some advice. We have two routers in an HSRP active/standby pair. If one reloads then the CPU on the other hits 100% and crashes. The only way we can recover this is for a field engineer to pull all the Ethernet cables out and then, when the system is calm, repatch them. We access the device via VTY so we're struggling to actually get any commands in to troubleshoot as per the Cisco 'Troubleshooting High CPU Utilization' doc as the CPU spikes.

Any advice on the best way to progress this?

Regards, David

__________________________________________________________________________________
Find local businesses and services in your area with Yahoo!7 Local.
Get started: http://local.yahoo.com.au

From rjs at eng.gxn.net Mon Aug 31 17:53:18 2009
From: rjs at eng.gxn.net (Rob Shakir)
Date: Mon, 31 Aug 2009 22:53:18 +0100
Subject: [c-nsp] Monitoring Cisco SIP 200/400 interfaces
In-Reply-To: <30911076.41251730185534.JavaMail.root@mail>
References: <30911076.41251730185534.JavaMail.root@mail>
Message-ID: <20090831215318.GJ5351@cappuccino.rob.sh>

On Mon, Aug 31, 2009 at 10:49:45AM -0400, Elijah Savage wrote:
> All,
>
> Does anyone have the MIB for monitoring the CPU utilization of the SIP200/400 interfaces on a 7600? We can graph the normal interface statistics, but I have seen scenarios where the SIP interface CPU was running very high, introducing latency, and the circuit was only approaching 40% utilization. Now to Cisco's credit in these situations it has been due to possibly misconfiguration, but this is something I believe should be available just like all the other resources are.

Hi Elijah,

What I'm using for grabbing the CPU utilisation off our SIP-200s and SIP-400s is as follows:

If you poll .1.3.6.1.4.1.9.9.109.1.1.1.1.5, this gives a list of the 5 minute CPU utilisation on the box:

(22:46 - /dev/pts/27) bronze:~> snmpwalk -v2c -c community rtr .1.3.6.1.4.1.9.9.109.1.1.1.1.5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.1 = Gauge32: 10
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.2 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.4 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.5 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.6 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.7 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.8 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.9 = Gauge32: 1

Each of these entries can be resolved into a physIndex via polling 1.3.6.1.4.1.9.9.109.1.1.1.1.2

(22:48 - /dev/pts/27) bronze:~> snmpwalk -v2c -c community rtr 1.3.6.1.4.1.9.9.109.1.1.1.1.2
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 6017
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 6001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 2011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 2012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.5 = INTEGER: 3011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.6 = INTEGER: 3012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.7 = INTEGER: 4011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.8 = INTEGER: 4012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.9 = INTEGER: 1011

The Entity MIB then gives you the CPU that these correspond to:

(22:49 - /dev/pts/27) bronze:~> snmpget -v2c -c community rtr 1.3.6.1.2.1.47.1.1.1.1.7.2011
SNMPv2-SMI::mib-2.47.1.1.1.1.7.2011 = STRING: "cpu 2/0"

(slot 2 in this case is a SIP-400. I get a linecard utilisation for each slot in the box)

I believe that this should let you monitor the CPU of the SIP.

Hope this helps,
Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077 mob: +44797 155 4098
pgp: 0xc07e6deb nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From yurixewx at yahoo.com Mon Aug 31 18:39:07 2009
From: yurixewx at yahoo.com (Yuri Bank)
Date: Mon, 31 Aug 2009 15:39:07 -0700 (PDT)
Subject: [c-nsp] Data VLAN/Voice VLAN
In-Reply-To: <20090831205109.GB1893@lboro.ac.uk>
Message-ID: <460099.53813.qm@web36902.mail.mud.yahoo.com>

Thanks for all of the replies. I would like to summarize the information I've gathered so far from this thread. Please correct me if I am wrong on any of this.

* If the switchport is in access mode, you must have a CDP-compatible phone and CDP enabled on the switchport. When a Cisco phone is connected, the trunk will be negotiated and the voice VLAN will be tagged. Data will be untagged and accepted as the configured access VLAN.
switchport mode access
switchport access vlan 77
switchport voice vlan 66

* If the switchport is in trunk mode, the configured voice VLAN will be tagged in the same way; however, the data VLAN will be the native VLAN configured on the switchport.

switchport mode trunk
switchport trunk allowed vlan 77,66
switchport trunk native vlan 77
switchport voice vlan 66

* If the switch supports LLDP then you can have the same configuration as the first, but with non-Cisco phones.

ADD: globally:
lldp run

--- On Mon, 8/31/09, Alan Buxey wrote:

> From: Alan Buxey
> Subject: Re: [c-nsp] Data VLAN/Voice VLAN
> To: "Bill Blackford"
> Cc: "cisco-nsp at puck.nether.net"
> Date: Monday, August 31, 2009, 1:51 PM
>
> Hi,
>
> > I agree. LLDP is fairly slick. We're currently doing it with a non-Cisco switch and Cisco phones in some of our smaller sites.
>
> ..and I noted that LLDP is slowly leaking out as a feature on Cisco switches - recent IOS for 3560 and 2960 switches can speak it... the service needs to be turned on, of course.
>
> alan

From fasterfourier at gmail.com Mon Aug 31 20:48:54 2009
From: fasterfourier at gmail.com (Robert Johnson)
Date: Mon, 31 Aug 2009 20:48:54 -0400
Subject: [c-nsp] Handling "junk traffic" with a secondary ISP using NAT
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269DB3@zy-ex1.zyedge.local>
References: <4f84a6f80908311405w704c459ax53c92ab8807c7a21@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E269DB3@zy-ex1.zyedge.local>
Message-ID: <4f84a6f80908311748m24526f62ia0cb13cc061c500f@mail.gmail.com>

I will take a look at OER shortly. But in the meantime, yes, each host on the internal network has a public address and no NAT is being performed at all currently.
On Mon, Aug 31, 2009 at 5:37 PM, Ryan West wrote:

> Robert,
>
> You might want to look into OER with NAT and leverage application mapping for your outbound selection. OER can be a bit of a beast, but you might consider it. In a SOHO design, the configuration is a lot less complex.
>
> http://www.cisco.com/en/US/docs/ios/12_4t/oer/configuration/guide/h_oerstr.html#wp1059322
>
> Another choice would be application-aware PBR, which can also be used with OER or just with source-based routing like you listed below.
>
> I was a little confused by the /24 statement. Are you saying that each user has a publicly routed address? Is your firewall doing NAT?
>
> -ryan
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Johnson
> Sent: Monday, August 31, 2009 5:05 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Handling "junk traffic" with a secondary ISP using NAT
>
> Hello Cisco experts,
>
> I have an interesting configuration here. I have an organization with some /24s of IP space assigned to their internal hosts. The IGP is OSPF and connectivity to the outside world is via a single ISP with multiple links using BGP (private ASN). In an effort to cut costs, we would like to use an additional cheaper consumer-level ISP to handle some of the "junk traffic" such as streaming radio, MySpace CDN, etc. Traffic that is not mission critical.
>
> The idea is to add an additional router to the main OSPF area, redistribute static routes to the "junk traffic" IP blocks into OSPF, and run NAT on the new router to get all this traffic flowing over the "cheap consumer level FTTP ISP" connection which is attached to the new router. The configuration to retract these static routes from the OSPF area upon a failure of the cheap ISP is straightforward. However, this scheme breaks some functionality.
> An incoming connection from a host in one of the "junk destination" IP blocks to a host in our internal network will flow in through the normal primary ISP. Responses to this connection, however, will be routed out through the secondary ISP and NATted, causing the reply packets to come from a different IP address.
>
> A potential solution would be to have the new router inspect all flows originating from the internal network and NAT only TCP sessions that originate from the inside network. The idea was to create a reflexive ACL containing any TCP flows originating from the inside network that are not established. Then use PBR to NAT any flows defined in this reflexive ACL, and send the rest of the traffic out without performing any NAT. Unfortunately, it doesn't appear to be possible to do this using standard Cisco reflexive ACLs, since the entries in the reflexive ACL have the source and destination reversed.
>
> Any ideas to implement this properly?
>
> Thanks,
>
> Robert

From eninja at gmail.com Mon Aug 31 22:11:07 2009
From: eninja at gmail.com (Eninja)
Date: Tue, 1 Sep 2009 03:11:07 +0100
Subject: [c-nsp] Troubleshooting High CPU
Message-ID:

What platform is the device? Are the primary and standby devices the same - platform, SW, config, traffic? During the spike, is the CPU consumed at interrupt or process level?

Grab and send over sh proc cpu, sh align, sh int stat, sh log (if the device is too unresponsive during failover, have onsite personnel pull out traffic-laden cables one by one until the device is responsive, and grab captures before reinserting the cable/s).

-Eninja

PS. Disable console logging

On Aug 31, 2009, at 10:46 PM, David Warner wrote:

> Hi All,
>
> Just wondering if I can get some advice.
> We have two routers in an HSRP active/standby pair. If one reloads then the CPU on the other hits 100% and crashes. The only way we can recover this is for a field engineer to pull all the Ethernet cables out and then, when the system is calm, repatch them. We access the device via VTY so we're struggling to actually get any commands in to troubleshoot as per the Cisco 'Troubleshooting High CPU Utilization' doc as the CPU spikes.
>
> Any advice on the best way to progress this?
>
> Regards, David
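Rob Shakir's three-step SNMP correlation earlier in this digest (walk cpmCPUTotal5min, map each row through cpmCPUTotalPhysicalIndex, resolve the entPhysicalIndex with entPhysicalName) done as a script, so a poller can raise an alert on a busy SIP CPU before the latency Elijah describes shows up. This is an added example, not code from the thread, from Cisco or from net-snmp. It parses the exact snmpwalk output quoted in Rob's post; the only entPhysicalName row his post gives is 2011 = "cpu 2/0", so the "cpu 6/0" row and the 5% alert threshold are constructed sample values.

```python
"""Correlate the three SNMP tables from Rob Shakir's post into one per-CPU report."""
import re
from dataclasses import dataclass

# OIDs quoted in the post: CISCO-PROCESS-MIB cpmCPUTotal5min and
# cpmCPUTotalPhysicalIndex, and ENTITY-MIB entPhysicalName.
CPM_CPU_TOTAL_5MIN = "1.3.6.1.4.1.9.9.109.1.1.1.1.5"
CPM_CPU_PHYS_INDEX = "1.3.6.1.4.1.9.9.109.1.1.1.1.2"
ENT_PHYSICAL_NAME = "1.3.6.1.2.1.47.1.1.1.1.7"

# snmpwalk output copied from the post (cpmCPUTotal5min, one row per CPU).
CPU_5MIN_WALK = """\
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.1 = Gauge32: 10
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.2 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.3 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.4 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.5 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.6 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.7 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.8 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.5.9 = Gauge32: 1
"""

# snmpwalk output copied from the post (cpmCPUTotalPhysicalIndex).
PHYS_INDEX_WALK = """\
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 6017
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 6001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 2011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 2012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.5 = INTEGER: 3011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.6 = INTEGER: 3012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.7 = INTEGER: 4011
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.8 = INTEGER: 4012
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.9 = INTEGER: 1011
"""

# entPhysicalName: only the 2011 = "cpu 2/0" row is from the post; the 6017
# row is CONSTRUCTED sample data so the threshold check below has a named hit.
ENT_NAME_WALK = """\
SNMPv2-SMI::mib-2.47.1.1.1.1.7.6017 = STRING: "cpu 6/0"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.2011 = STRING: "cpu 2/0"
"""

# ".<last sub-id> = <type>: <value>" is the shape every net-snmp row shares.
_WALK_ROW = re.compile(r"\.(\d+) = (\w+): (.*)$")


def parse_walk(text):
    """Map the last OID sub-identifier of each snmpwalk/snmpget row to its value.

    Gauge32/INTEGER rows become ints; STRING rows lose their quotes. Rows that
    do not match (e.g. 'No Such Object' errors) are skipped rather than guessed.
    """
    rows = {}
    for line in text.splitlines():
        m = _WALK_ROW.search(line.strip())
        if not m:
            continue
        sub_id, vtype, raw = m.groups()
        rows[int(sub_id)] = int(raw) if vtype in ("Gauge32", "INTEGER") else raw.strip('"')
    return rows


@dataclass
class CpuRow:
    cpm_index: int    # row index in cpmCPUTotalTable
    phys_index: int   # entPhysicalIndex it maps to (0 = no physical entity known)
    name: str         # entPhysicalName, or a placeholder if the name was not polled
    util_5min: int    # cpmCPUTotal5min, percent


def cpu_utilisation(cpu_walk, phys_walk, name_walk):
    """Join the three walks the way Rob does by hand: index -> physIndex -> name."""
    util = parse_walk(cpu_walk)
    phys = parse_walk(phys_walk)
    names = parse_walk(name_walk)
    rows = []
    for idx in sorted(util):
        phys_index = phys.get(idx, 0)
        name = names.get(phys_index, f"entPhysicalIndex {phys_index}")
        rows.append(CpuRow(idx, phys_index, name, util[idx]))
    return rows


def over_threshold(rows, threshold):
    """Names of CPUs whose 5-minute utilisation is strictly above the threshold."""
    return [r.name for r in rows if r.util_5min > threshold]


if __name__ == "__main__":
    report = cpu_utilisation(CPU_5MIN_WALK, PHYS_INDEX_WALK, ENT_NAME_WALK)
    for r in report:
        print(f"{r.name:<22} physIndex={r.phys_index:<5} 5min={r.util_5min}%")
    print("over 5%:", over_threshold(report, 5))
```

In a real poller the three string constants would be replaced by the output of the snmpwalk commands Rob shows (or the equivalent library calls), and the entPhysicalName walk should cover every entPhysicalIndex returned by cpmCPUTotalPhysicalIndex; rows that resolve to 0 have no physical entity behind them, which is why the placeholder name is kept rather than dropping the row.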