From jckdaniels12 at gmail.com Sat Aug 1 04:03:52 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sat, 1 Aug 2009 13:33:52 +0530
Subject: [c-nsp] SFC DOWN
Message-ID: <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>

Hi All,

I'm working on a 12416 chassis. I'm getting the errors below, which I'm not able to troubleshoot; I request your help.

The IOS I'm using is c12kprp-k4p-mz.120-32.SY6

Slot 14 type = Modular SPA Interface Card
        state = IOS RUN Line Card Enabled
  subslot 14/0: SPA-2XOC48POS/RPR (0x46F), status is ok
  subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok
  subslot 14/2: Empty
  subslot 14/3: Empty

SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:02.588 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:04.592 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.596 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:06.600 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:08.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.604 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:10.608 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.180 IST: %GSRSPA-6-ERRORRECOVER: A Hardware or Software error occurred on Subslot 1. Reason : Fugu: RXHSPITSTATOOF Automatic Error recovery initiated. No further intervention required.
-Traceback= 40031128 407E7584 407D9318 407D3670 40729FB0 40737A38 40B3E4EC 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Missing end of packet on SPI-4.2 bus: 0x1, 0x408C, 0x0
-Traceback= 40B41258 4060D058 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: Rx SPI-4.2 out of sync: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D0E8 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0
SLOT 14:Jul 28 17:15:12.612 IST: %EE192-3-SPABRG_DRV: wwolf_handle_rxpadstrb_status: DIP-4 error on the Rx SPI-4.2 data bus: 0x1, 0x408C, 0x1D0
-Traceback= 40B41258 4060D118 40611E04 405F2700 405F2C30 40737624 40B3D12C 401131B0

Thanks and Regards
J.Daniels

On 8/1/09, e ninja wrote:
>
> Jack,
>
> http://howtos.mysolvr.com/How_to_Power_Off_and_On_a_Cisco_GSR_12000_Linecard
>
> Eninja
>
> On Thu, Jul 30, 2009 at 9:23 PM, jack daniels wrote:
>
>> Hi All,
>>
>> I'm facing an issue in a Cisco 12416; I request your help -
>>
>> show GSR -
>> "Slot 19 type = Switch Fabric Card 16XOC192
>>  state = Administratively Down, Powered" <<<<<<<<<<<<<<<<<<<<<<
>>
>> How do I take it out of this Administratively down state to the powered state?
>>
>> My IOS version is 12.0(32)SY6
>>
>> Regards
>> Jack
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jckdaniels12 at gmail.com Sat Aug 1 04:06:33 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sat, 1 Aug 2009 13:36:33 +0530
Subject: [c-nsp] CSC CARD info
Message-ID: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com>

Hi all,

What is the significance of the slot number of the CSC?
If we use 2 CSC and 3 SFC:

When I do OIR of the slot 17 CSC (when MASTER) we get 3 ping drops for transit traffic through the router.
When I do OIR of the slot 16 CSC (when MASTER) we get a lot of ping drops for transit traffic through the router and neighbourships break.

Regards
Jack.Daniels

From awilliam1981 at gmail.com Sat Aug 1 05:06:36 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Sat, 1 Aug 2009 12:06:36 +0300
Subject: [c-nsp] ISP in US
Message-ID: <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>

Daryl, so you recommend getting an over-provisioned internet link, and that will do the job without extra effort?

On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala wrote:
>
> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>
>> Thx all and i will think about Gulfstream Daryl :)
>>
>> but i start to think about P2P connections like AT&T IPL (International
>> Private Line) or ATM PVC between both sites , what do you think ? what is
>> the estimated cost for 2M connection ?
>
> That is also a very expensive way to go (if not just as expensive), and a
> lot of it depends on where your office is in the Middle East (to determine
> which carrier you will need to pay AT&T to buy their last few miles of
> transit through).
>
> I'm still not convinced that you need it - a 5 MB connection at each end
> with a VPN between the two and some sane QoS at each edge device ought to be
> more than enough. I deliver thousands of simultaneous calls from the Middle
> East through 3 GB connections to 3 different ISPs at my colo in San
> Francisco. No special agreements with anyone, the other sides of the calls
> originating from internet connections owned by our customers. No real
> problems.
>
> So before signing any contracts, I would simply give it a shot right over
> the Internet. You'll likely be pleased with the results.
From eninja at gmail.com Sat Aug 1 06:09:50 2009
From: eninja at gmail.com (Eninja)
Date: Sat, 1 Aug 2009 11:09:50 +0100
Subject: [c-nsp] CSC CARD info
Message-ID: <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com>

OIR'ing the primary CSC (slot 17 by default) will _always_ result in traffic loss because the CSC clocks and schedules all fabric traffic.

Remember to shut down the primary CSC using the hw-module shut command, and wait at least 1 min before OIR'ing and failing over from the primary to the secondary CSC.

Eninja

On Aug 1, 2009, at 9:06 AM, jack daniels wrote:
> Hi all,
>
> what is significance of slot no of CSC.
>
> If we use 2 CSC and 3 SFC
>
> When I do OIR of slot 17 CSC ( when MASTER ) we get 3 ping drops for transit
> traffic through the router.
> When I do OIR of slot 16 CSC ( when MASTER ) we get lot of ping drops for
> transit traffic through the router and neighbourships break.
>
> Regards
> Jack.Daniels

From gsgranados at comcast.net Sat Aug 1 10:22:39 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Sat, 1 Aug 2009 07:22:39 -0700
Subject: [c-nsp] ISP in US

I still like the heavy business jet solution. :)

----- Original Message -----
From: "Andy William"
To: "Daryl G. Jurbala"
Sent: Saturday, August 01, 2009 2:06 AM
Subject: Re: [c-nsp] ISP in US

> Daryl , so you recommed to get over-provisioned internet link and that
> will do the job without extra effor ?
From snortbsd at yahoo.com.au Sat Aug 1 17:52:32 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sat, 1 Aug 2009 14:52:32 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <546098.51753.qm@web38101.mail.mud.yahoo.com>

Hi all:

I got a Cisco AP 1200 configured and can connect to it via wireless without problems. But the system connecting to the AP can't pick up any IP address.

dot11 ssid lab vlan 20
   vlan 20
   max-associations 10
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps
!
dot11 ssid test vlan 10
   vlan 10
   max-associations 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 "whatever key"
   information-element ssidl wps

What else did I not do right?

Thanks

From graham at g-rock.net Sat Aug 1 20:22:13 2009
From: graham at g-rock.net (Graham Wooden)
Date: Sat, 01 Aug 2009 19:22:13 -0500
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap

Hi there,

Your switch port that the AP is connected to - is it in trunk mode? Like "switchport trunk encap dot1q"?

On 8/1/09 4:52 PM, "snort bsd" wrote:
>
> I got ciscoAP 1200 configured and can connect it via wireless without
> problems. But the system connecting to the AP can't pick up any IP address.
From rwest at zyedge.com Sat Aug 1 20:25:54 2009
From: rwest at zyedge.com (Ryan West)
Date: Sat, 1 Aug 2009 20:25:54 -0400
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE3@zy-ex1.zyedge.local>

Are you trunking that interface and allowing both vlan 10 and 20? Do you have a DHCP server in both subnets or an ip-helper address?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
Sent: Saturday, August 01, 2009 5:53 PM
To: cisco-nsp
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap

I got ciscoAP 1200 configured and can connect it via wireless without problems. But the system connecting to the AP can't pick up any IP address.
From snortbsd at yahoo.com.au Sat Aug 1 21:08:45 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sat, 1 Aug 2009 18:08:45 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <979659.89285.qm@web38101.mail.mud.yahoo.com>

Thanks for the reply.

No, we have no VLAN-aware switch connecting to it yet. We want to use it to replace the Linksys wireless router we are using. The idea is that some of the mobile users connect to VLAN 10 via wireless and some of the mobile users connect to VLAN 20. Users on both VLANs could get to the internet but access different resources internally (with VLAN-aware switches).

One problem at a time... :)

_Dave

--- On Sun, 2/8/09, Graham Wooden wrote:
> Your switch port that the AP is connected to - is it in trunk mode?
> Like "switchport trunk encap dot1q" ?
From rwest at zyedge.com Sat Aug 1 21:15:35 2009
From: rwest at zyedge.com (Ryan West)
Date: Sat, 1 Aug 2009 21:15:35 -0400
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE5@zy-ex1.zyedge.local>

Since the switch is not VLAN aware, you'll need to configure one of the two VLANs as native to remove the tagging. You'll only be able to use one of the two SSIDs for now.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
Sent: Saturday, August 01, 2009 9:09 PM
To: cisco-nsp; Graham Wooden
Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap

No, we have no VLAN aware switch connecting to it yet. We want to use it to replace the linksys wireless router we are using. The idea is that some of mobile user connecting to VLAN 10 via wireless and some of mobile users connecting to VLAN 20.
From eninja at gmail.com Sat Aug 1 23:12:05 2009
From: eninja at gmail.com (e ninja)
Date: Sat, 1 Aug 2009 20:12:05 -0700
Subject: [c-nsp] SFC DOWN

Jack,

Response posted to http://bugs.mysolvr.com/TBD-3.

Eninja

PS. Contributors to this list should strive to post reusable knowledge to www.mysolvr.com so that it is properly documented, organized and easily searchable for posterity.

On Sat, Aug 1, 2009 at 1:03 AM, jack daniels wrote:
> I'm working on 12416 chassis , I'm getting below errors which I'm not able
> to troubleshoot request your help -
>
> IOS i'm using is c12kprp-k4p-mz.120-32.SY6
From gert at greenie.muc.de Sun Aug 2 04:45:24 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 2 Aug 2009 10:45:24 +0200
Subject: [c-nsp] SFC DOWN
Message-ID: <20090802084524.GL290@greenie.muc.de>

Hi,

On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote:
> PS. Contributors to this list should strive to post reusable knowledge to
> www.mysolvr.com so that it is properly documented, organized and easily
> searchable for posterity.

Contributors to this list should just post to this list. Archives are available in many places, google will find the answers, and it's not necessary to go to a separate web site (which is likely to profit from it in some way) to get answers to questions posted *here*.

The value of this list is not "post links to web sites".

gert
--
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                    gert at greenie.muc.de
fax: +49-89-35655025               gert at net.informatik.tu-muenchen.de
From BBlackford at nwresd.k12.or.us Sun Aug 2 09:18:35 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Sun, 2 Aug 2009 06:18:35 -0700
Subject: [c-nsp] Upgrading IOS core on a 3750 Stack
Message-ID: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us>

The subject line says it all.

I have some questions regarding how the upgrade works.

1. Do I only upgrade the master?
2. If not, how do I upgrade the other switches in the stack?
3. Should everything be running the same exact code (base vs. ipservices)?

Switch Ports Model              SW Version   SW Image
------ ----- -----              ----------   ----------
*    1   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPSERVICESK9-M
     2   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPBASEK9-M
     3   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPBASEK9-M
     4   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPSERVICESK9-M

Thank you

-b

--
Bill Blackford
Senior Network Engineer
NWRESD

my /home away from home

From peter at rathlev.dk Sun Aug 2 09:47:05 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sun, 02 Aug 2009 15:47:05 +0200
Subject: [c-nsp] Upgrading IOS core on a 3750 Stack
Message-ID: <1249220826.4809.10.camel@abehat.net.rm.dk>

On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote:
> The subject line says it all.
>
> I have some questions regarding how the upgrade works.
>
> 1. Do I only upgrade the master?

Technically no, but the master might be able to auto-upgrade the members.

> 2. If not, how do I upgrade the other switches in the stack?

You can upload software to flash1:, flash2: etc. and set the boot variables with "boot system switch 2 flash:/asdf.bin". Remember that each switch sees the flash as just "flash:" when booting, so set the boot variable accordingly.

> 3. Should everything be running the same exact code (base vs.
> ipservices)?
>
> Switch Ports Model              SW Version   SW Image
> ------ ----- -----              ----------   ----------
> *    1   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPSERVICESK9-M
>      2   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPBASEK9-M
>      3   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPBASEK9-M
>      4   52  WS-C3750-48P       12.2(25)SEE1 C3750-IPSERVICESK9-M

I actually thought potential members with another feature set than the master wouldn't become active, but if that's part of a "show version" it seems they can.

I would recommend running the same feature set on all switches. I don't know how different feature sets handle a master failover, but only problems come to mind when looking at it.

Regards,
Peter

From eninja at gmail.com Sun Aug 2 09:51:07 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 2 Aug 2009 06:51:07 -0700
Subject: [c-nsp] SFC DOWN

Gert,

So if we apply your thought process, there is no value in capturing and organizing re-usable intellectual capital? I guess you must think Wikipedia is useless and we should just trawl through the web and layers of email threads to find simple answers to questions that have already been answered?

The value of any list is to share knowledge. If there are free tools out there like mysolvr (a user-generated knowledge-base) that also allow us to go the extra mile of documenting and organizing re-usable know-how for the benefit of others, it is worth the effort.

We have to work smarter, not harder.

Eninja

On Sun, Aug 2, 2009 at 1:45 AM, Gert Doering wrote:
> On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote:
>> PS.
Contributors to this list should strive to post reusable knowledge to > > www.mysolvr.com so that it is properly documented, organized and easily > > searchable for posterity. > > Contributors to this list should just post to this list. Archives are > available in many places, google will find the answers, and it's not > necessary to go to a separate web site (which is likely to profit from > it in some way) to get answers to questions posted *here*. > > The value of this list is not "post links to web sites". > > gert > -- > USENET is *not* the non-clickable part of WWW! > // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > From gert at greenie.muc.de Sun Aug 2 09:56:20 2009 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 2 Aug 2009 15:56:20 +0200 Subject: [c-nsp] SFC DOWN In-Reply-To: References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> Message-ID: <20090802135620.GS290@greenie.muc.de> Hi, On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote: > We have to work smarter, not harder. That's why "hey, please go *there* to read my answer to your question" is the wrong approach. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
From jbest at zyedge.com Sun Aug 2 10:30:59 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Sun, 2 Aug 2009 10:30:59 -0400
Subject: [c-nsp] Upgrading IOS core on a 3750 Stack
In-Reply-To: <1249220826.4809.10.camel@abehat.net.rm.dk>
References: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us>, <1249220826.4809.10.camel@abehat.net.rm.dk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DED8BB@zy-ex1.zyedge.local>

Here's the documentation from Cisco including CLI commands to do the upgrade.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00804799d7.shtml

-Jeremiah

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev [peter at rathlev.dk]
Sent: Sunday, August 02, 2009 9:47 AM
To: Bill Blackford
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] Upgrading IOS core on a 3750 Stack

On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote:
> The subject line says it all.
>
> I have some questions regarding how the upgrade works.
>
> 1. Do I only upgrade the master?

Technically no, but the master might be able to auto-upgrade the members.

> 2. If not, how do I upgrade the other switches in the stack?

You can upload software to flash1:, flash2: etc. and set the boot variables with "boot system switch 2 flash:/asdf.bin". Remember that each switch sees the flash as just "flash:" when booting, so set the boot variable accordingly.

> 3. Should everything be running the same exact code (base vs.
> ipservices)?
>
> Switch Ports Model              SW Version    SW Image
> ------ ----- -----              ----------    ----------
> *    1 52    WS-C3750-48P       12.2(25)SEE1  C3750-IPSERVICESK9-M
>      2 52    WS-C3750-48P       12.2(25)SEE1  C3750-IPBASEK9-M
>      3 52    WS-C3750-48P       12.2(25)SEE1  C3750-IPBASEK9-M
>      4 52    WS-C3750-48P       12.2(25)SEE1  C3750-IPSERVICESK9-M

I actually thought potential members with another feature set than the master wouldn't become active, but if that's part of a "show version" it seems they can. I would recommend running the same feature set on all switches. I don't know how different feature sets handle a master failover, but only problems come to mind when looking at it.

Regards,
Peter

From jeff-kell at utc.edu Sun Aug 2 11:48:06 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Sun, 02 Aug 2009 11:48:06 -0400
Subject: [c-nsp] VSS question...
In-Reply-To: <44C483CB52659549BA199961AEFAD717257FCB@b-exch-recovery.internal.scmc.org>
References: <4A6FAE95.6010806@utc.edu> <20090729081252.GB11496@lboro.ac.uk> <4A7005ED.7060305@rollernet.us> <20090729083813.GA11906@lboro.ac.uk> <44C483CB52659549BA199961AEFAD717257FCB@b-exch-recovery.internal.scmc.org>
Message-ID: <4A75B536.4030108@utc.edu>

Thanks for all the feedback on the VSS basics, very helpful.

If I can push the envelope just a bit further, anyone running FWSM[s] in a VSS pair?

Jeff

From sethm at rollernet.us Sun Aug 2 12:33:08 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 02 Aug 2009 09:33:08 -0700
Subject: [c-nsp] SFC DOWN
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <4A75BFC4.9030203@rollernet.us>

e ninja wrote:
> Gert,
>
> So if we apply your thought process, there is no value in capturing and
> organizing re-usable intellectual capital? I guess you must think Wikipedia
> is useless and we should just trawl through the web and layers of email
> threads to find simple answers to questions that have already been answered?
>
>
> The value of any list is to share knowledge. If there are free tools out
> there like mysolvr (a user-generated knowledge-base), that also allows us to
> go the extra mile of documenting and organizing re-usable know-how for the
> benefit of others, it is worth the effort.
>
> We have to work smarter, not harder.

You're not sharing knowledge, you're pimping a website. I am fully capable of searching this list from my own archives or the ones online. I suspect others are as well. If you're going to participate here *do not* spam the archives of this list. They are likely to last far longer than at the whim of some web 2.0 fad that may or may not allow free access to said knowledge in the future.
~Seth

From snortbsd at yahoo.com.au Sun Aug 2 11:53:09 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sun, 2 Aug 2009 08:53:09 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <979659.89285.qm@web38101.mail.mud.yahoo.com>
Message-ID: <916322.54913.qm@web38107.mail.mud.yahoo.com>

Ok, here is what I have for DHCP service:

ip dhcp pool r-office
   network 192.168.12.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.168.12.1
   lease infinite

what did I do wrong?

--- On Sun, 2/8/09, snort bsd wrote:

> From: snort bsd
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "cisco-nsp" , "Graham Wooden"
> Received: Sunday, 2 August, 2009, 11:08 AM
>
> Thanks for reply.
>
> No, we have no VLAN aware switch connecting to it yet. We
> want to use it to replace the linksys wireless router we are
> using.
>
> The idea is that some of mobile user connecting to VLAN 10
> via wireless and some of mobile users connecting to
> VLAN 20. Users on both VLANs could get to internet but
> access different resources internally (with VLAN aware
> switches).
>
> One problem a time...:)
>
> _Dave
>
> --- On Sun, 2/8/09, Graham Wooden wrote:
>
> > From: Graham Wooden
> > Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> > To: "snort bsd" , "cisco-nsp"
> > Received: Sunday, 2 August, 2009, 10:22 AM
> > Hi there,
> >
> > Your switch port that the AP is connected to - is it in
> > trunk mode?
> > Like "switchport trunk encap dot1q" ?
> >
> >
> > On 8/1/09 4:52 PM, "snort bsd" wrote:
> >
> > >
> > > Hi: all:
> > >
> > > I got ciscoAP 1200 configured and can connect it via
> > > wireless without problems. But the system connecting to the AP
> > > can't pick up any IP address.
> > >
> > > dot11 ssid lab vlan 20
> > >    vlan 20
> > >    max-associations 10
> > >    authentication open
> > >    authentication key-management wpa
> > >    guest-mode
> > >    mbssid guest-mode
> > >    wpa-psk ascii 7 "whatever key"
> > >    information-element ssidl wps
> > > !
> > > dot11 ssid test vlan 10
> > >    vlan 10
> > >    max-associations 10
> > >    authentication open
> > >    authentication key-management wpa
> > >    mbssid guest-mode
> > >    wpa-psk ascii 7 "whatever key"
> > >    information-element ssidl wps
> > >
> > > what else I didn't do right?
> > >
> > > Thanks

From jay at west.net Sun Aug 2 13:10:10 2009
From: jay at west.net (Jay Hennigan)
Date: Sun, 02 Aug 2009 10:10:10 -0700
Subject: [c-nsp] SFC DOWN
In-Reply-To: <20090802084524.GL290@greenie.muc.de>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <4A75C872.8060104@west.net>

Gert Doering wrote:
> Contributors to this list should just post to this list. Archives are
> available in many places, google will find the answers, and it's not
> necessary to go to a separate web site (which is likely to profit from
> it in some way) to get answers to questions posted *here*.
>
> The value of this list is not "post links to web sites".

Agreed 100%.

FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses from this list and spammed them repeatedly a while back.

http://www.google.com/search?q=pingsta+spam

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From lmeade at signal.ca Sun Aug 2 13:14:04 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Sun, 2 Aug 2009 10:14:04 -0700
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <916322.54913.qm@web38107.mail.mud.yahoo.com>
References: <979659.89285.qm@web38101.mail.mud.yahoo.com> <916322.54913.qm@web38107.mail.mud.yahoo.com>

You got this on the router and what is the AP connected to?
U need to have an interface, gateway, default router commands so that the vlan 20 can connect to the router; if you want them to connect to different vlans internally you may need to look at this type of setup.

Ie

interface Vlan12
 description Wireless Vlan
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 bridge-group 12
 bridge-group 12 spanning-disabled

interface BVI12
 description Bridge to Internal Network
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

bridge 12 protocol ieee
bridge 12 route ip

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of snort bsd
Sent: Sunday, August 02, 2009 8:53 AM
To: cisco-nsp; Graham Wooden
Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap

Ok, here is what I have for DHCP service:

ip dhcp pool r-office
   network 192.168.12.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.168.12.1
   lease infinite

what did I do wrong?

--- On Sun, 2/8/09, snort bsd wrote:

> From: snort bsd
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "cisco-nsp" , "Graham Wooden"
> Received: Sunday, 2 August, 2009, 11:08 AM
>
> Thanks for reply.
>
> No, we have no VLAN aware switch connecting to it yet. We
> want to use it to replace the linksys wireless router we are
> using.
>
> The idea is that some of mobile user connecting to VLAN 10
> via wireless and some of mobile users connecting to
> VLAN 20. Users on both VLANs could get to internet but
> access different resources internally (with VLAN aware
> switches).
>
> One problem a time...:)
>
> _Dave
>
> --- On Sun, 2/8/09, Graham Wooden wrote:
>
> > From: Graham Wooden
> > Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> > To: "snort bsd" , "cisco-nsp"
> > Received: Sunday, 2 August, 2009, 10:22 AM
> > Hi there,
> >
> > Your switch port that the AP is connected to - is it in
> > trunk mode?
> > Like "switchport trunk encap dot1q" ?
> >
> >
> > On 8/1/09 4:52 PM, "snort bsd" wrote:
> >
> > >
> > > Hi: all:
> > >
> > > I got ciscoAP 1200 configured and can connect it via
> > > wireless without problems. But the system connecting to the AP
> > > can't pick up any IP address.
> > >
> > > dot11 ssid lab vlan 20
> > >    vlan 20
> > >    max-associations 10
> > >    authentication open
> > >    authentication key-management wpa
> > >    guest-mode
> > >    mbssid guest-mode
> > >    wpa-psk ascii 7 "whatever key"
> > >    information-element ssidl wps
> > > !
> > > dot11 ssid test vlan 10
> > >    vlan 10
> > >    max-associations 10
> > >    authentication open
> > >    authentication key-management wpa
> > >    mbssid guest-mode
> > >    wpa-psk ascii 7 "whatever key"
> > >    information-element ssidl wps
> > >
> > > what else I didn't do right?
> > >
> > > Thanks

From eninja at gmail.com Sun Aug 2 13:28:31 2009
From: eninja at gmail.com (Eninja)
Date: Sun, 2 Aug 2009 18:28:31 +0100
Subject: [c-nsp] SFC DOWN
In-Reply-To: <4A75C872.8060104@west.net>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <4A75C872.8060104@west.net>
Message-ID: <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com>

That 'spam' was the result of a Pingsta mailserver bug. What exactly has that got to do with working smarter?

Eninja

On Aug 2, 2009, at 6:10 PM, Jay Hennigan wrote:

> Gert Doering wrote:
>
>> Contributors to this list should just post to this list. Archives
>> are
>> available in many places, google will find the answers, and it's not
>> necessary to go to a separate web site (which is likely to profit
>> from
>> it in some way) to get answers to questions posted *here*.
>> The value of this list is not "post links to web sites".
>
> Agreed 100%.
>
> FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses
> from this list and spammed them repeatedly a while back.
>
> http://www.google.com/search?q=pingsta+spam
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

From jckdaniels12 at gmail.com Sun Aug 2 13:34:57 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sun, 2 Aug 2009 23:04:57 +0530
Subject: [c-nsp] CSC CARD info
In-Reply-To: <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com> <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com>
Message-ID: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>

Hi,

Thanks, but my query still remains unanswered -

If we use 2 CSC and 3 SFC

"When I do OIR of slot 17 CSC (when MASTER - default) we get 3 ping drops for transit traffic through the router.
When I do OIR of slot 16 CSC (when MASTER) we get lot of ping drops for transit traffic through the router and neighbourships break."

Regards
J.Daniels

On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote:

> OIR'ing the primary CSC (slot 17 by default) will _always_ result in
> traffic loss because the CSC clocks and schedules all fabric traffic.
>
> Remember to shutdown the primary CSC using hw-module shut command, wait at
> least 1 min before OIR'ing and failing over from primary to secondary CSC.
>
> Eninja
>
>
>
> On Aug 1, 2009, at 9:06 AM, jack daniels wrote:
>
>> Hi all,
>>
>> what is significance of slot no of CSC.
>>
>> If we use 2 CSC and 3 SFC
>>
>> When I do OIR of slot 17 CSC (when MASTER) we get 3 ping drops for
>> transit traffic through the router.
>> When I do OIR of slot 16 CSC (when MASTER) we get lot of ping drops for
>> transit traffic through the router and neighbourships break.
>>
>>
>> Regards
>> Jack.Daniels

From sethm at rollernet.us Sun Aug 2 13:59:47 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 02 Aug 2009 10:59:47 -0700
Subject: [c-nsp] SFC DOWN
In-Reply-To: <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <4A75C872.8060104@west.net> <4541D4F1-BC21-4819-AE93-435A383F880F@gmail.com>
Message-ID: <4A75D413.6050609@rollernet.us>

Eninja wrote:
> That 'spam' was the result of a Pingsta mailserver bug. What exactly has
> that got to do with working smarter?
>

It means that many of us will not find any credibility in Pingsta or anything related to it. We are not a short-sighted "oooo shiny" web 2.0 audience that forgets quickly.

~Seth

From josmon at rigozsaurus.com Sun Aug 2 13:32:16 2009
From: josmon at rigozsaurus.com (John Osmon)
Date: Sun, 2 Aug 2009 11:32:16 -0600
Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN)
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de>
Message-ID: <20090802173216.GA18289@jeeves.rigozsaurus.com>

Let me preface my words with the thought that I find most of the new wikis, forums, and whatnots are poor substitutes for searchable text archives. However, I learned most of my foundation material from Usenet in the late 80s and early 90s, so I might be biased...

On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
> Gert,
>
> So if we apply your thought process, there is no value in capturing and
> organizing re-usable intellectual capital? I guess you must think Wikipedia
> is useless and we should just trawl through the web and layers of email
> threads to find simple answers to questions that have already been answered?

You're putting words in Gert's mouth suggesting he derides the valuable (free) services available. I've never met Gert, but would buy him a beer if I found we were in the same room. Gert and others have helped me (and others) countless times without need of any of the tools you espouse -- so there is already value present without need for more work...

Back to the main point:
There is value -- but who has to exert energy, and who reaps the benefits?

> The value of any list is to share knowledge. If there are free tools out
> there like mysolvr (a user-generated knowledge-base), that also allows us to
> go the extra mile of documenting and organizing re-usable know-how for the
> benefit of others, it is worth the effort.

Yes, there is likely value in organizing the info. However, is the marginal value greater than the marginal cost? I'm of the opinion that most of the people reading this list and the archives believe that it works well as it is.

> We have to work smarter, not harder.

Absolutely! However, I think that you've got a hard hill in front of you trying to change the behavior of people using this list.

A smarter approach might be to start moving the data to your preferred site on your own. Perhaps even building automated tools to do so. If your idea catches on, you could very well end up with a reputation and following like Jared and/or Gert. Until that occurs, I have doubts that the wealth of info on cisco-nsp will be transferred to another medium...

(With that said, I'd be happy to be proven wrong -- more knowledge is better!
I don't, however, think that I'd get enough out of the process to spend my time doing any of the prep work...)

From graham at g-rock.net Sun Aug 2 16:17:21 2009
From: graham at g-rock.net (Graham Wooden)
Date: Sun, 02 Aug 2009 15:17:21 -0500
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <916322.54913.qm@web38107.mail.mud.yahoo.com>

Well, without a VLAN aware switch you are dumping tagged VLAN traffic into an interface that won't do anything with it, and in turn won't pass you traffic to your "sub interfaces" on your AP.

So to move forward, you really need to have the AP plugged into a VLAN aware switch, with the port setup for dot1q and allowing these two vlans. Then set up some other ports on the switch to handle the untagged traffic for these two vlans and put your DHCP server(s) on it. Or if you running your DHCP server on a router, you can sub interface out the router and make that switchport dot1q as well.

Make sense? Again, without the proper handling of the traffic leaving the AP, traffic won't go in properly as well.

HTH,

-graham

>> From: snort bsd
>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
>> To: "cisco-nsp" , "Graham Wooden"
>>
>> Received: Sunday, 2 August, 2009, 11:08 AM
>>
>> Thanks for reply.
>>
>> No, we have no VLAN aware switch connecting to it yet. We
>> want to use it to replace the linksys wireless router we are
>> using.
>>
>> The idea is that some of mobile user connecting to VLAN 10
>> via wireless and some of mobile users connecting to
>> VLAN 20. Users on both VLANs could get to internet but
>> access different resources internally (with VLAN aware
>> switches).
>>
>> One problem a time...:)
>>
>> _Dave
>>
>> --- On Sun, 2/8/09, Graham Wooden wrote:
>>
>>> From: Graham Wooden
>>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
>>> To: "snort bsd" , "cisco-nsp"
>>> Received: Sunday, 2 August, 2009, 10:22 AM
>>> Hi there,
>>>
>>> Your switch port that the AP is connected to - is it in
>>> trunk mode?
>>> Like "switchport trunk encap dot1q" ?
>>>
>>>
>>> On 8/1/09 4:52 PM, "snort bsd" wrote:
>>>
>>>>
>>>> Hi: all:
>>>>
>>>> I got ciscoAP 1200 configured and can connect it via
>>>> wireless without problems. But the system connecting to the AP
>>>> can't pick up any IP address.
>>>>
>>>> dot11 ssid lab vlan 20
>>>>    vlan 20
>>>>    max-associations 10
>>>>    authentication open
>>>>    authentication key-management wpa
>>>>    guest-mode
>>>>    mbssid guest-mode
>>>>    wpa-psk ascii 7 "whatever key"
>>>>    information-element ssidl wps
>>>> !
>>>> dot11 ssid test vlan 10
>>>>    vlan 10
>>>>    max-associations 10
>>>>    authentication open
>>>>    authentication key-management wpa
>>>>    mbssid guest-mode
>>>>    wpa-psk ascii 7 "whatever key"
>>>>    information-element ssidl wps
>>>>
>>>> what else I didn't do right?
>>>>
>>>> Thanks

From jay at west.net Sun Aug 2 17:23:20 2009
From: jay at west.net (Jay Hennigan)
Date: Sun, 02 Aug 2009 14:23:20 -0700
Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN)
In-Reply-To: <20090802173216.GA18289@jeeves.rigozsaurus.com>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com> <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com> <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com> <20090802084524.GL290@greenie.muc.de> <20090802173216.GA18289@jeeves.rigozsaurus.com>
Message-ID: <4A7603C8.2090603@west.net>

John Osmon wrote:
> Let me preface my words with the thought that I find most of the new
> wikis, forums, and whatnots are poor substitutes for searchable text
> archives.

Agreed.

> However, I learned most of my foundation material from Usenet
> in the late 80s and early 90s, so I might be biased...

Ditto.

> On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
>> Gert,
>>
>> So if we apply your thought process, there is no value in capturing and
>> organizing re-usable intellectual capital? I guess you must think Wikipedia
>> is useless and we should just trawl through the web and layers of email
>> threads to find simple answers to questions that have already been answered?
>
> You're putting words in Gert's mouth suggesting he derides the valuable
> (free) services available. I've never met Gert, but would buy him a
> beer if I found we were in the same room.
> Gert and others have helped
> me (and others) countless times without need of any of the tools you
> espouse -- so there is already value present without need for more
> work...

Agreed, and I'd buy him two.

Issues brought to this list should be discussed on this list and hopefully resolved on this list. A "Go over there for the answer" response fragments discussion and actually tends to make future searches for the same information less likely to succeed as information on the web changes, links break, etc.

A response of "Go over there for the answer" from someone with a vested interest in "Over there" is nothing more than an advertisement for "Over there".

> Back to the main point:
> There is value -- but who has to exert energy, and who reaps the
> benefits?

Those looking for the information have to exert the energy, those trying to commercialize it reap the benefits.

>> The value of any list is to share knowledge. If there are free tools out
>> there like mysolvr (a user-generated knowledge-base), that also allows us to
>> go the extra mile of documenting and organizing re-usable know-how for the
>> benefit of others, it is worth the effort.
>
> Yes, there is likely value in organizing the info. However, is the
> marginal value greater than the marginal cost? I'm of the opinion
> that most of the people reading this list and the archives believe
> that it works well as it is.

Agreed.

>> We have to work smarter, not harder.
>
> Absolutely! However, I think that you've got a hard hill in front of
> you trying to change the behavior of people using this list.

And the smart way to work is to avoid fragmenting the information. The hard way is to fragment it among diffuse sites. The ethical way is to resist hijacking threads to promote one's own website.

> A smarter approach might be to start moving the data to your preferred
> site on your own. Perhaps even building automated tools to do so. If
> your idea catches on, you could very well end up with a reputation and
> following like Jared and/or Gert. Until that occurs, I have doubts
> that the wealth of info on cisco-nsp will be transferred to
> another medium...

He doesn't want to move the information to his site on his own. He wants us to do it for him. This began over a year ago with scraping cisco-nsp for email addresses and spamming them with "invitations". It went mostly under-the-radar until his spambot went nuts and flooded its victims with multiple invitations at once. Faded under the radar again and now he's back hawking the sister site.

> (With that said, I'd be happy to be proven wrong -- more knowledge is
> better! I don't, however, think that I'd get enough out of the
> process to spend my time doing any of the prep work...)

Agreed. And it fragments the information.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From eninja at gmail.com Sun Aug 2 19:43:45 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 2 Aug 2009 16:43:45 -0700
Subject: [c-nsp] CSC CARD info
In-Reply-To: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com> <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com> <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>

Jack,

Assuming the right procedures were followed for OIR, send the following captures when 17 & 16 are primary CSC to aid further assessment;

1. sh controller fia (from the RP and from an "attach" session to each of the LCs)
2. show controllers psar
3. sh fabric
4. sh log

Eninja

On Sun, Aug 2, 2009 at 10:34 AM, jack daniels wrote:

> Hi,
>
> Thanks, but my query still remains unanswered -
>
>
> If we use 2 CSC and 3 SFC
>
> "When I do OIR of slot 17 CSC (when MASTER - default) we get 3 ping drops
> for transit traffic through the router.
> When I do OIR of slot 16 CSC (when MASTER) we get lot of ping drops for
> transit traffic through the router and neighbourships break."
>
> Regards
> J.Daniels
>
> On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote:
>
>> OIR'ing the primary CSC (slot 17 by default) will _always_ result in
>> traffic loss because the CSC clocks and schedules all fabric traffic.
>>
>> Remember to shutdown the primary CSC using hw-module shut command, wait at
>> least 1 min before OIR'ing and failing over from primary to secondary CSC.
>>
>> Eninja
>>
>>
>>
>> On Aug 1, 2009, at 9:06 AM, jack daniels wrote:
>>
>>> Hi all,
>>>
>>> what is significance of slot no of CSC.
>>>
>>> If we use 2 CSC and 3 SFC
>>>
>>> When I do OIR of slot 17 CSC (when MASTER) we get 3 ping drops for
>>> transit traffic through the router.
>>> When I do OIR of slot 16 CSC (when MASTER) we get lot of ping drops
>>> for transit traffic through the router and neighbourships break.
>>>
>>>
>>> Regards
>>> Jack.Daniels

From snortbsd at yahoo.com.au Sun Aug 2 19:44:54 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sun, 2 Aug 2009 16:44:54 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
Message-ID: <563713.60520.qm@web38107.mail.mud.yahoo.com>

Thanks for help!
Here is what I have:

internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
              |
              |
              |
     wireless PCs (VLAN 10 or VLAN 20)

I have DHCP service configured on the AP, which means those wireless PCs should get their IP addresses from the DHCP server on the AP (I don't have a separate DHCP server on the internal network). What I am trying to figure out is how I can tie the right pool of DHCP IP addresses to the right interface. Right now the authenticated PCs could not get an IP address at all.

here is my config relating to the diagram:

ip dhcp pool vlan20
   network 192.168.12.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.168.12.1
   lease infinite
!
ip dhcp pool vlan10
   network 192.168.13.0 255.255.255.0
   subnet prefix-length 24
   default-router 192.16.13.1
   lease infinite
....
...
dot11 vlan-name ming vlan 20
dot11 vlan-name rest vlan 10
!
dot11 ssid lab vlan 20
   vlan 20
   max-associations 10
   authentication open
   authentication key-management wpa
   guest-mode
   mbssid guest-mode
   wpa-psk ascii 7 "whatever"
   !
   information-element ssidl wps
!
dot11 ssid test vlan 10
   vlan 10
   max-associations 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 "whatever"
   !
   information-element ssidl wps
....
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 ssid lab vlan 20
 !
 ssid test vlan 10
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip redirects
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip redirects
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 port-protected
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.13.10 255.255.255.0
 no ip redirects
 no ip route-cache
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.12.10 255.255.255.0
 no ip redirects
 no ip route-cache
!

--- On Mon, 3/8/09, Graham Wooden wrote:

> From: Graham Wooden
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Monday, 3 August, 2009, 6:17 AM
> Well, without a VLAN aware switch you are dumping tagged VLAN traffic into
> an interface that won't do anything with it, and in turn won't pass you
> traffic to your "sub interfaces" on your AP.
>
> So to move forward, you really need to have the AP plugged into a VLAN aware
> switch, with the port setup for dot1q and allowing these two vlans.
> Then set up some other ports on the switch to handle the untagged traffic
> for these two vlans and put your DHCP server(s) on it. Or if you are running
> your DHCP server on a router, you can sub interface out the router and make
> that switchport dot1q as well.
>
> Make sense? Again, without the proper handling of the traffic leaving the
> AP, traffic won't go in properly as well.
>
> HTH,
>
> -graham
>
>
> >> From: snort bsd
> >> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> >> To: "cisco-nsp" , "Graham Wooden"
> >>
> >> Received: Sunday, 2 August, 2009, 11:08 AM
> >>
> >> Thanks for reply.
> >>
> >> No, we have no VLAN aware switch connecting to it yet.
> >> We want to use it to replace the linksys wireless router we are
> >> using.
> >>
> >> The idea is that some of mobile user connecting to VLAN 10
> >> via wireless and some of mobile users connecting to
> >> VLAN 20. Users on both VLANs could get to internet but
> >> access different resources internally (with VLAN aware
> >> switches).
> >>
> >> One problem a time...:)
> >>
> >> _Dave
> >>
> >> --- On Sun, 2/8/09, Graham Wooden wrote:
> >>
> >>> From: Graham Wooden
> >>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> >>> To: "snort bsd" , "cisco-nsp"
> >>> Received: Sunday, 2 August, 2009, 10:22 AM
> >>> Hi there,
> >>>
> >>> Your switch port that the AP is connected to - is it in
> >>> trunk mode?
> >>> Like "switchport trunk encap dot1q" ?
> >>>
> >>>
> >>> On 8/1/09 4:52 PM, "snort bsd" wrote:
> >>>
> >>>>
> >>>> Hi: all:
> >>>>
> >>>> I got ciscoAP 1200 configured and can connect it via
> >>>> wireless without problems. But the system connecting to the
> >>>> AP can't pick up any IP address.
> >>>>
> >>>> dot11 ssid lab vlan 20
> >>>>    vlan 20
> >>>>    max-associations 10
> >>>>    authentication open
> >>>>    authentication key-management wpa
> >>>>    guest-mode
> >>>>    mbssid guest-mode
> >>>>    wpa-psk ascii 7 "whatever key"
> >>>>    information-element ssidl wps
> >>>> !
> >>>> dot11 ssid test vlan 10
> >>>>    vlan 10
> >>>>    max-associations 10
> >>>>    authentication open
> >>>>    authentication key-management wpa
> >>>>    mbssid guest-mode
> >>>>    wpa-psk ascii 7 "whatever key"
> >>>>    information-element ssidl wps
> >>>>
> >>>> what else I didn't do right?
> >>>>
> >>>> Thanks
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >> _____________________________________________________________________________
> >>>> Access Yahoo!7 Mail on your mobile. Anytime. Anywhere.
> >>>> Show me how: http://au.mobile.yahoo.com/mail
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >

From jbest at zyedge.com  Sun Aug  2 20:01:53 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Sun, 2 Aug 2009 20:01:53 -0400
Subject: [c-nsp] SFC DOWN
In-Reply-To: <4A75C872.8060104@west.net>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com>
	<8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com>
	<8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
	<20090802084524.GL290@greenie.muc.de>
	<4A75C872.8060104@west.net>
Message-ID: <218DA613-7747-469B-9AB2-51A53140A7DB@zyedge.com>

Has the original question of this thread been answered?

Sent from my handheld

On Aug 2, 2009, at 1:12 PM, "Jay Hennigan" wrote:

> Gert Doering wrote:
>
>> Contributors to this list should just post to this list.
>> Archives are
>> available in many places, google will find the answers, and it's not
>> necessary to go to a separate web site (which is likely to profit from
>> it in some way) to get answers to questions posted *here*.
>>
>> The value of this list is not "post links to web sites".
>
> Agreed 100%.
>
> FYI, "Mysolvr" is the same "Pingsta" outfit that scraped addresses from
> this list and spammed them repeatedly a while back.
>
> http://www.google.com/search?q=pingsta+spam
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

From jared at puck.nether.net  Sun Aug  2 19:12:26 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Sun, 2 Aug 2009 19:12:26 -0400
Subject: [c-nsp] Humor: Cisco announces end of BGP
In-Reply-To: <014c01ca1122$6dad3ab0$4907b010$@com>
References: <020201ca106b$e8b6a730$ba23f590$@com>
	<4A708339.5020700@uk.clara.net>
	<025401ca1076$74a53590$5defa0b0$@com>
	<20090729.205456.74738911.sthaug@nethelp.no>
	<014c01ca1122$6dad3ab0$4907b010$@com>
Message-ID: <460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net>

Anyone can write an informational rfc. See apr 1 as an example. One can easily write up what they do, or survey responses. You can then follow the feedback from your request.

Jared Mauch

On Jul 30, 2009, at 10:31 AM, "TJ" wrote:

>> -----Original Message-----
>> From: sthaug at nethelp.no [mailto:sthaug at nethelp.no]
>> Subject: Re: [c-nsp] Humor: Cisco announces end of BGP
>>
>>> My feeling is based on two things:
>>> I don't like the idea of vendors/providers ignoring an RFC just
>>> because.
>>> And note the RFC in question leaves no wiggle room here.
>>
>> Please cite chapter and verse. As long as you use static IPv6 addresses, /126
>> is fine. No, a /126 address does *not* have to be based on a 64 bit interface
>> ID.
>
>
> Sure ...
>
> RFC4291
> 2.5.1
> " For all unicast addresses, except those that start with the binary
>   value 000, Interface IDs are required to be 64 bits long and to be
>   constructed in Modified EUI-64 format. "
>
> 2.5.4
> " All Global Unicast addresses other than those that start with binary
>   000 have a 64-bit interface ID field (i.e., n + m = 64), formatted as
>   described in Section 2.5.1. Global Unicast addresses that start with
>   binary 000 have no such constraint on the size or structure of the
>   interface ID field. "
>
> That would seem pretty clear cut to me, rather explicitly calling for 64bit
> IIDs in all unicast cases (excluding the "starts with 000 block").
> Additionally, 3177 implies the same:
> 3.
> " - /64 when it is known that one and only one subnet is needed by
>   design. "
>
>
> Again - I am not saying /126s (or others!) don't work. And most
> implementations let you assign arbitrary values for prefix length.
> I am not saying /126s or similar options are (evil|bad), or even
> functionally problematic.
> In fact, RFC3627 explicitly mentions /126s as "less bad than /127s"
> ... but prefers /112s over /126s, and prefers /64s over all of the
> above.
>
> All I am saying is that I prefer the spec(s) be updated based on real world
> preferences/implementations, and that this proposed change get reviewed as
> thoroughly as the original spec(s) did to ensure nothing breaks. I fully
> realize that the real world doesn't always agree with the IETF, but in
> something this "low down" and yet relatively easy to codify I fail to see
> why it hasn't been done, unless there is a reason not to? (If you don't
> mind wiggle room in specs, or implementers "reinterpreting" the specs, that
> is (cough) fine.)
>
> In closing, I would turn the question around - can you cite chapter and
> verse where it says you are allowed to do this? Hopefully including an
> assessment of the potential "unintended consequences" (Note: If it exists,
> Great! ... sorry I missed it!)
>
>
>
> /TJ
>

From snortbsd at yahoo.com.au  Sun Aug  2 19:54:04 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Sun, 2 Aug 2009 16:54:04 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2AE3@zy-ex1.zyedge.local>
Message-ID: <784731.72896.qm@web38105.mail.mud.yahoo.com>

Yes, that sole FastEthernet interface is in trunk mode and allowing both tag 10 and 20. But I don't use any separate DHCP server for those wireless users. They will get IP addresses from the DHCP service activated on the AP. So I don't need the command "ip helper address" in this configuration.

--- On Sun, 2/8/09, Ryan West wrote:

> From: Ryan West
> Subject: RE: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" , "cisco-nsp"
> Received: Sunday, 2 August, 2009, 10:25 AM
> Are you trunking that interface and allowing both vlan 10 and 20? Do you have a
> DHCP server in both subnets or an ip-helper address?
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net]
> On Behalf Of snort bsd
> Sent: Saturday, August 01, 2009 5:53 PM
> To: cisco-nsp
> Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
>
>
> Hi: all:
>
> I got ciscoAP 1200 configured and can connect it via wireless without problems.
> But the system connecting to the AP can't pick up any IP address.
>
> dot11 ssid lab vlan 20
>    vlan 20
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    guest-mode
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
> !
> dot11 ssid test vlan 10
>    vlan 10
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever key"
>    information-element ssidl wps
>
> what else I didn't do right?
>
> Thanks
>

From eninja at gmail.com  Sun Aug  2 20:55:38 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 2 Aug 2009 17:55:38 -0700
Subject: [c-nsp] mailing list vs. web site (WAS: Re: SFC DOWN)
In-Reply-To: <4A7603C8.2090603@west.net>
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com>
	<8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com>
	<8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
	<20090802084524.GL290@greenie.muc.de>
	<20090802173216.GA18289@jeeves.rigozsaurus.com>
	<4A7603C8.2090603@west.net>
Message-ID:

Jay,

Not sure what you continue to refer to here about "scraping cisco-nsp for email addresses" but to minimize your exposure, you may want to refrain from making unsubstantiated allegations against corporate entities without facts.
All that was suggested is simple: if folks have extra bandwidth, they should clearly and concisely document best practices in a format that is easily searchable and reusable for posterity. Whether that is mysolvr.com, CCO, juniper.net, private blogs or impulse.net, it really doesn't matter.

Suggesting that someone taking the time to research and respond to a complex 2-day old GSR 12000 ASIC problem that no one else on the list had responded to - is doing so for an ulterior motive is highly unprofessional. You need to remove emotions from your list conversations and focus on the only reason why everybody is here - to *voluntarily* help others solve their technical problems. Remember, a list is only as good as the quality of the answers people get from it.

eom on this matter.

eninja

On Sun, Aug 2, 2009 at 2:23 PM, Jay Hennigan wrote:

> John Osmon wrote:
>
>> Let me preface my words with the thought that I find most of the new
>> wikis, forums, and whatnots are poor substitutes for searchable text
>> archives.
>>
>
> Agreed.
>
>> However, I learned most of my foundation material from Usenet
>> in the late 80s and early 90s, so I might be biased...
>>
>
> Ditto.
>
>> On Sun, Aug 02, 2009 at 06:51:07AM -0700, e ninja wrote:
>>
>>> Gert,
>>>
>>> So if we apply your thought process, there is no value in capturing and
>>> organizing re-usable intellectual capital? I guess you must think Wikipedia
>>> is useless and we should just trawl through the web and layers of email
>>> threads to find simple answers to questions that have already been
>>> answered?
>>>
>>
>> You're putting words in Gert's mouth suggesting he derides the valuable
>> (free) services available. I've never met Gert, but would buy him a beer
>> if I found we were in the same room. Gert and others have helped
>> me (and others) countless times without need of any of the tools you
>> espouse -- so there is already value present without need for more work...
>>
>
> Agreed, and I'd buy him two.
> Issues brought to this list should be
> discussed on this list and hopefully resolved on this list. A "Go over
> there for the answer" response fragments discussion and actually tends to
> make future searches for the same information less likely to succeed as
> information on the web changes, links break, etc.
>
> A response of "Go over there for the answer" from someone with a vested
> interest in "Over there" is nothing more than an advertisement for "Over
> there".
>
>> Back to the main point:
>> There is value -- but who has to exert energy, and who reaps the
>> benefits?
>>
>
> Those looking for the information have to exert the energy, those trying to
> commercialize it reap the benefits.
>
>>> The value of any list is to share knowledge. If there are free tools out
>>> there like mysolvr (a user-generated knowledge-base), that also allows us to
>>> go the extra mile of documenting and organizing re-usable know-how for the
>>> benefit of others, it is worth the effort.
>>>
>>
>> Yes, there is likely value in organizing the info. However, is the
>> marginal value greater than the marginal cost? I'm of the opinion
>> that most of the people reading this list and the archives believe
>> that it works well as it is.
>>
>
> Agreed.
>
>>> We have to work smarter, not harder.
>>>
>>
>> Absolutely! However, I think that you've got a hard hill in front of
>> you trying to change the behavior of people using this list.
>>
>
> And the smart way to work is to avoid fragmenting the information. The
> hard way is to fragment it among diffuse sites. The ethical way is to
> resist hijacking threads to promote one's own website.
>
>> A smarter approach might be to start moving the data to your preferred
>> site on your own. Perhaps even building automated tools to do so. If
>> your idea catches on, you could very well end up with a reputation and
>> following like Jared and/or Gert.
>> Until that occurs, I have doubts that
>> the wealth of info on cisco-nsp will be transferred to
>> another medium...
>>
>
> He doesn't want to move the information to his site on his own. He wants
> us to do it for him. This began over a year ago with scraping cisco-nsp for
> email addresses and spamming them with "invitations". It went mostly
> under-the-radar until his spambot went nuts and flooded its victims with
> multiple invitations at once. Faded under the radar again and now he's back
> hawking the sister site.
>
>> (With that said, I'd be happy to be proven wrong -- more knowledge is
>> better! I don't, however, think that I'd get enough out of the
>> process to spend my time doing any of the prep work...)
>>
>
> Agreed. And it fragments the information.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

From David at Hughes.com.au  Sun Aug  2 21:23:40 2009
From: David at Hughes.com.au (David Hughes)
Date: Mon, 3 Aug 2009 11:23:40 +1000
Subject: [c-nsp] BGP Multipath and unequal IGP metrics
In-Reply-To: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au>
References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au>
Message-ID:

Hi

Hate to bump my own post but does anyone have any thoughts on the below?

Thanks

David
...

On 28/07/2009, at 10:11 AM, David Hughes wrote:

> Hi
>
> I have a situation that looks like a problem in the making. In a
> subset of our network there's a pair of well connected datacentres
> (eg dual 10GE paths etc). One of our upstreams will shortly be
> presenting a transit path at both of these 2 locations.
> No problems
> I think to myself - we'll just multi-path from our core and load
> share over both paths.
>
> Problem. Seeing as the 2 border routers in question are at
> different locations, the core routers see different IGP metrics to
> the nexthop of the BGP table entry. As a result they are excluded
> from use with BGP multipath and I'm left with the core routers at
> each DC only using the paths to the border router at the local site.
>
> I don't want to mess around with tweaking the OSPF metrics as I'm
> sure that's just a disaster waiting to happen for some poor network
> engineer in a year or two. I thought I'd found a nice clean
> solution with Cisco's "multipath unequal-cost" feature but for some
> reason I can't even start to understand you can only use it in a
> VRF, not in the default table.
>
> So the only solution I can see is to reconfigure the core devices
> and move all interfaces and routing processes into a VRF so that I
> can effectively get this feature on our entire table.
>
> What am I missing here? Surely I'm not Robinson Crusoe - someone
> must have done this before. Platform is Cat6k / Sup720.
>
>
> Thanks
>
> David
> ...

From rubensk at gmail.com  Sun Aug  2 22:14:24 2009
From: rubensk at gmail.com (Rubens Kuhl)
Date: Sun, 2 Aug 2009 23:14:24 -0300
Subject: [c-nsp] BGP Multipath and unequal IGP metrics
In-Reply-To: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au>
References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au>
Message-ID: <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com>

I would consider using a layered-session approach.
The first layer would be used only to provide the path to the BGP loopback, both to your core routers and to your transit providers, and would be used to equalize the metric of the alternate paths. A likely scenario would consist of 4 BGP sessions among your own routers and 2 or 4 sessions to your transit provider, but might be more; it would require BGP support, but no 1 million routes support.

The second layer would use the first one to exchange provider announcements, both yours to transit and full routes from the transit providers.

Disclaimer: haven't tested this exact scenario, ended up having full-route capable routers on all hops.

Rubens

On Mon, Jul 27, 2009 at 9:11 PM, David Hughes wrote:
> Hi
>
> I have a situation that looks like a problem in the making. In a subset of
> our network there's a pair of well connected datacentres (eg dual 10GE paths
> etc). One of our upstreams will shortly be presenting a transit path at
> both of these 2 locations. No problems I think to myself - we'll just
> multi-path from our core and load share over both paths.
>
> Problem. Seeing as the 2 border routers in question are at different
> locations, the core routers see different IGP metrics to the nexthop of the
> BGP table entry. As a result they are excluded from use with BGP multipath
> and I'm left with the core routers at each DC only using the paths to the
> border router at the local site.
>
> I don't want to mess around with tweaking the OSPF metrics as I'm sure
> that's just a disaster waiting to happen for some poor network engineer in a
> year or two. I thought I'd found a nice clean solution with Cisco's
> "multipath unequal-cost" feature but for some reason I can't even start to
> understand you can only use it in a VRF, not in the default table.
>
> So the only solution I can see is to reconfigure the core devices and move
> all interfaces and routing processes into a VRF so that I can effectively
> get this feature on our entire table.
>
> What am I missing here? Surely I'm not Robinson Crusoe - someone must have
> done this before. Platform is Cat6k / Sup720.
>
>
> Thanks
>
> David
> ...
>

From peter at rathlev.dk  Mon Aug  3 03:47:14 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 03 Aug 2009 09:47:14 +0200
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <563713.60520.qm@web38107.mail.mud.yahoo.com>
References: <563713.60520.qm@web38107.mail.mud.yahoo.com>
Message-ID: <1249285635.3071.4.camel@abehat.net.rm.dk>

AFAIK without BVI interfaces this will not work. You need to reconfigure the subinterfaces of Fa0 to match what Leslie pointed out:

interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface BVI10
 ip address 192.168.13.10 255.255.255.0
!
interface BVI20
 ip address 192.168.12.10 255.255.255.0
!
bridge 10 protocol ieee
bridge 20 protocol ieee
!
bridge 10 route ip
bridge 20 route ip
!

Regards,
Peter

On Sun, 2009-08-02 at 16:44 -0700, snort bsd wrote:
> Thanks for help!
>
> Here is what I have:
>
>
> internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
>               |
>               |
>               |
>      wireless PCs (VLAN 10 or VLAN 20)
>
> I have DHCP service configured on the AP, which means those wireless
> PCs should get their IP addresses from the DHCP server on the AP (I
> don't have a separate DHCP server on the internal network). What I am
> trying to figure out is how I can tie the right pool of DHCP IP addresses
> to the right interface. Right now the authenticated PCs could not get
> an IP address at all.
>
> here is my config relating to the diagram:
>
> ip dhcp pool vlan20
>    network 192.168.12.0 255.255.255.0
>    subnet prefix-length 24
>    default-router 192.168.12.1
>    lease infinite
> !
> ip dhcp pool vlan10
>    network 192.168.13.0 255.255.255.0
>    subnet prefix-length 24
>    default-router 192.16.13.1
>    lease infinite
> ....
> ...
> dot11 vlan-name ming vlan 20
> dot11 vlan-name rest vlan 10
> !
> dot11 ssid lab vlan 20
>    vlan 20
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    guest-mode
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever"
>    !
>    information-element ssidl wps
> !
> dot11 ssid test vlan 10
>    vlan 10
>    max-associations 10
>    authentication open
>    authentication key-management wpa
>    mbssid guest-mode
>    wpa-psk ascii 7 "whatever"
>    !
>    information-element ssidl wps
> ....
> ...
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption vlan 10 mode ciphers aes-ccm tkip
>  !
>  encryption vlan 20 mode ciphers aes-ccm tkip
>  !
>  ssid lab vlan 20
>  !
>  ssid test vlan 10
>  !
>  mbssid
>  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
>  36.0 48.0 54.0
>  station-role root
> !
> interface Dot11Radio0.10
>  encapsulation dot1Q 10 native
>  no ip redirects
>  no ip route-cache
>  bridge-group 10
>  bridge-group 10 subscriber-loop-control
>  bridge-group 10 block-unknown-source
>  no bridge-group 10 source-learning
>  no bridge-group 10 unicast-flooding
>  bridge-group 10 spanning-disabled
> !
> interface Dot11Radio0.20
>  encapsulation dot1Q 20
>  no ip redirects
>  no ip route-cache
>  bridge-group 20
>  bridge-group 20 subscriber-loop-control
>  bridge-group 20 port-protected
>  bridge-group 20 block-unknown-source
>  no bridge-group 20 source-learning
>  no bridge-group 20 unicast-flooding
>  bridge-group 20 spanning-disabled
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  ip address 192.168.13.10 255.255.255.0
>  no ip redirects
>  no ip route-cache
> !
> interface FastEthernet0.20
>  encapsulation dot1Q 20
>  ip address 192.168.12.10 255.255.255.0
>  no ip redirects
>  no ip route-cache
> !

From frosya84 at mail.ru  Mon Aug  3 05:05:03 2009
From: frosya84 at mail.ru (Olga Ruzhanskaya)
Date: Mon, 03 Aug 2009 13:05:03 +0400
Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga)
Message-ID:

Hello List!

Questions about "platformX vs platformY" or "what platform to choose" are not new for discussion here, but I didn't find mails in the archives that directly fit my needs. So, I would really appreciate any suggestions (or useful references or links :-)).

We are using the 7206VXR-G1/G2 platform as edge router (PE) in our MPLS network. When traffic volume grows, we replace the NPE-G1 processor with NPE-G2. But in future we'll need something more powerful.

General requirements:
- OSPF, BGP (full table for our own needs and for customers);
- MPLS VPN (L3 and L2);
- CBWFQ (better LLQ) QoS, uRPF, GRE..

As core routers (P) we use 7600 (RSP-720). But it is more expensive and not so flexible as a software platform (NetFlow issues, specific QoS, etc.). So, we need something "between 7206VXR-G2 and 7600 (RSP-720)". Any suggestions? I was looking at the ASR 10xx series and want to know the opinion of people who use it as a PE router.

Best regards,
Olga

From alex at digriz.org.uk  Mon Aug  3 03:45:34 2009
From: alex at digriz.org.uk (Alexander Clouter)
Date: Mon, 3 Aug 2009 08:45:34 +0100
Subject: [c-nsp] Upgrading IOS core on a 3750 Stack
References: <6069A203FD01884885C037F81DD75080171D1F97AF@wsc-mail-01.intra.nwresd.k12.or.us>
	<1249220826.4809.10.camel@abehat.net.rm.dk>
Message-ID:

Peter Rathlev wrote:
> On Sun, 2009-08-02 at 06:18 -0700, Bill Blackford wrote:
>> The subject line says it all.
>>
>> I have some questions regarding how the upgrade works.
>>
>> 1. Do I only upgrade the master?
>
> Technically no, but the master might be able to auto-upgrade the
> members.
>
There is a whole 'licencing' question issue. You can get ipservices into your network slightly cheaper if you put ipservices on the master and ipbase on the other stack members. Then you just hope the master does not die as everything will then drop to ipbase...apparently.

All of our 3750's run the same IOS and you have to copy it to each flash area separately. One hint is you can copy from flash<->flash which saves some finger wear and tear.

>> 2. If not, how do I upgrade the other switches in the stack?
>
> You can upload software to flash1:, flash2: etc. and set the boot
> variables with "boot system switch 2 flash:/asdf.bin". Remember that
> each switch sees the flash as just "flash:" when booting, so set the
> boot variable accordingly.
>
Hmmm, we run ours with 'no boot system switch all' and the switches pick up the IOS on the flash automatically. As you can only fit one IOS on the flash anyway.....

Cheers

--
Alexander Clouter
.sigmonster says: The man who runs may fight again.
		-- Menander

From trejrco at gmail.com  Mon Aug  3 07:51:07 2009
From: trejrco at gmail.com (TJ)
Date: Mon, 3 Aug 2009 07:51:07 -0400
Subject: [c-nsp] Humor: Cisco announces end of BGP
In-Reply-To: <460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net>
References: <020201ca106b$e8b6a730$ba23f590$@com>
	<4A708339.5020700@uk.clara.net>
	<025401ca1076$74a53590$5defa0b0$@com>
	<20090729.205456.74738911.sthaug@nethelp.no>
	<014c01ca1122$6dad3ab0$4907b010$@com>
	<460775F5-268B-4EF1-9F6C-E9384CA4AB57@puck.nether.net>
Message-ID: <005a01ca1430$b08d81d0$11a88570$@com>

>-----Original Message-----
>From: Jared Mauch [mailto:jared at puck.nether.net]
>Anyone can write an informational rfc. See apr 1 as an example. One can easily
>write up what they do, or survey responses. You can then follow the feedback
>from your request.
That is exactly my point - if /126s are the "industry preferred" approach, I fail to see why it hasn't been codified in an (at least) informational RFC. Once submitted in this fashion, it could be further reviewed and perhaps even be updated later on to be a proposed standard. (Any "directive" documentation would need to be PS as it is changing a PS.)

>Jared Mauch

Thanks!
/TJ

From gsgranados at comcast.net Mon Aug 3 10:15:03 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 3 Aug 2009 07:15:03 -0700
Subject: [c-nsp] ASA5500 authentication with Kerberos/NT Domain Controller
Message-ID: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>

Hi, I have a pair of ASA5500 devices that I wish to use to provide VPN services. I've been googling, but all the examples I've found on Cisco.com and other sites are designed for configuration using the ASDM. The ASDM is absolutely awful to use and also almost entirely inaccessible with a screen reader.

Does anyone have some configuration examples using the command line that allow users with Cisco VPN clients to authenticate against a Domain Controller using Kerberos/NT and authenticate to a specific VPN group with a preshared key? I have a very basic network with a 10.x.0.0/16 network that I wish to share with users via VPN clients. Any basic pointers, or any pointers to a site that's more command-line specific, either on or off Cisco.com, would be appreciated.

Thank you
Scott

From jbest at zyedge.com Mon Aug 3 10:27:55 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Mon, 3 Aug 2009 10:27:55 -0400
Subject: [c-nsp] ASA5500 authentication with Kerberos/NT Domain Controller
In-Reply-To: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>
References: <007a01ca1445$08a1a270$c27b0146@am.thmulti.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2B08@zy-ex1.zyedge.local>

Scott,

I hope this helps:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml#cli

aaa-server WINDOWS protocol nt
aaa-server WINDOWS (inside) host x.x.x.x
 nt-auth-domain-controller servername
group-policy name-vpn-policy internal
group-policy name-vpn-policy attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_namevpn
 address-pools value dhcp-name-pool
tunnel-group name-vpn type ipsec-ra
tunnel-group name-vpn general-attributes
 authentication-server-group WINDOWS LOCAL
 default-group-policy name-vpn-policy

Thanks,
Jeremiah

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mulitskiy at acedsl.com Mon Aug 3 11:09:42 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 3 Aug 2009 11:09:42 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
Message-ID: <200908031109.42285.mulitskiy@acedsl.com>

Hello,

Guys, are there any drawbacks of doing the following:

interface Lo0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.1
 encapsulation dot1q 1 native
 ip unnumbered Lo0
!
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
!

as opposed to having the ip address configured directly on the interface as usual? I need that ip address to stay always up regardless of Fa0/0 state, 'cause it's used for other services that should stay up, and I'd prefer to avoid assigning another ip address exclusively for loopback use. It seems to work in my lab, but I thought I'd better ask...

Thanks,
Michael

From dudepron at gmail.com Mon Aug 3 11:29:52 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 3 Aug 2009 11:29:52 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>

Loopback interfaces do not go down, so I'm not sure what benefit you are getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet goes down.

On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
From dudepron at gmail.com Mon Aug 3 11:31:09 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 3 Aug 2009 11:31:09 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
References: <200908031109.42285.mulitskiy@acedsl.com> <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
Message-ID: <480dad640908030831o446225cybf2d4105c18ce30b@mail.gmail.com>

So you don't want to use another IP for loopback. Sorry, misunderstood.

On Mon, Aug 3, 2009 at 11:29, Aaron wrote:
> Loopback interfaces do not go down, so I'm not sure what benefit you are
> getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> goes down.

From rodunn at cisco.com Mon Aug 3 11:42:09 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 03 Aug 2009 11:42:09 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
References: <200908031109.42285.mulitskiy@acedsl.com> <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com>
Message-ID: <4A770551.4060901@cisco.com>

Don't do it. It's a hack and there are other forwarding plane things that don't like it. Read as..it may or may not always work.

Burn another /32 for your loopback.

Rodney

Aaron wrote:
> Loopback interfaces do not go down, so I'm not sure what benefit you are
> getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> goes down.

From oboehmer at cisco.com Mon Aug 3 12:01:37 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 3 Aug 2009 18:01:37 +0200
Subject: [c-nsp] CSC CARD info
In-Reply-To: <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
References: <8bb137f40908010106g3938ba62s93fb6ac604ff6b43@mail.gmail.com> <132FEFEE-9C5D-466F-9474-CF73BC1ABEBA@gmail.com> <8bb137f40908021034l4ad7c878xefb040e7f9433b0b@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78407BC8BB7@xmb-ams-333.emea.cisco.com>

Jack,

can you define "lots of ping drops"? Primary CSC OIR (or CSC switchover) is expected to cause traffic loss for a few seconds.. What type of fabric is this (2.5, 10 or 40Gbps) and which chassis? Do you see the same traffic loss on all linecard types? If you see more than 10 seconds or so of loss, I would contact TAC..

	oli

jack daniels <> wrote on Sunday, August 02, 2009 19:35:

> Hi,
>
> Thanks, but my query still remains unanswered -
>
> If we use 2 CSC and 3 SFC
>
> "When I do OIR of slot 17 CSC (when MASTER - default) we get 3 ping
> drops for transit traffic through the router.
> When I do OIR of slot 16 CSC (when MASTER) we get a lot of ping
> drops for transit traffic through the router and neighbourships
> break."
>
> Regards
> J.Daniels
>
> On Sat, Aug 1, 2009 at 3:39 PM, Eninja wrote:
>
>> OIR'ing the primary CSC (slot 17 by default) will _always_ result in
>> traffic loss because the CSC clocks and schedules all fabric traffic.
>>
>> Remember to shutdown the primary CSC using the hw-module shut command,
>> wait at least 1 min before OIR'ing and failing over from primary to
>> secondary CSC.
>>
>> Eninja
>>
>> On Aug 1, 2009, at 9:06 AM, jack daniels wrote:
>>
>>> Hi all,
>>>
>>> what is the significance of the slot number of the CSC?
>>>
>>> If we use 2 CSC and 3 SFC
>>>
>>> When I do OIR of slot 17 CSC (when MASTER) we get 3 ping drops
>>> for transit traffic through the router.
>>> When I do OIR of slot 16 CSC (when MASTER) we get a lot of ping
>>> drops for transit traffic through the router and neighbourships
>>> break.
>>>
>>> Regards
>>> Jack.Daniels

From zeusdadog at gmail.com Mon Aug 3 12:07:35 2009
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 3 Aug 2009 12:07:35 -0400
Subject: [c-nsp] DMVPN and OSPF
In-Reply-To: <9418aca70907301232v1e0ab042o41b272c365734753@mail.gmail.com>
References: <9418aca70907291342u477505b0vf9c937dfb7d767ed@mail.gmail.com> <4A710119.50503@cisco.com> <9418aca70907291928k2c152e81xceb3eb6fc8f72ce4@mail.gmail.com> <4A718893.1050307@cisco.com> <9418aca70907301053l3614852cq76ca441447ec9903@mail.gmail.com> <9418aca70907301054h51d73effq72a4a9b672066862@mail.gmail.com> <019f01ca1141$00f875f0$02e961d0$@net> <4A71E4C8.50505@rollernet.us> <9418aca70907301232v1e0ab042o41b272c365734753@mail.gmail.com>
Message-ID: <9418aca70908030907k16a88e4ex3204ba81c454bef4@mail.gmail.com>

To follow up, I have tried 12.4(20)T3, 12.4(24)T, 12.4(24)T1, all of them have the same symptom. I have downgraded back to 12.4(15)T9 and the network is stable again. I need at least 12.4(20)T because we want to implement IOS content filtering.

TAC case is pending. I will post again when the situation is resolved.

From ip at ioshints.info Mon Aug 3 12:12:50 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 3 Aug 2009 18:12:50 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID: <001301ca1455$40a08dc0$0a00000a@nil.si>

OSPF does not work across unnumbered VLAN subinterfaces.

http://wiki.nil.com/Unnumbered_Ethernet_VLAN_interfaces#Limitations

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

From asnoka at gmail.com Mon Aug 3 12:20:01 2009
From: asnoka at gmail.com (asnoka zhung)
Date: Tue, 4 Aug 2009 00:20:01 +0800
Subject: [c-nsp] Help: Anyone Familiar with Cisco L3VPN Inter-AS Option C MPLS Forwarding Model?
Message-ID:

Recently I had to configure L3VPN Inter-AS Option C on our network, and I noticed these issues on the ASBR:

1. Cisco (7609 router) will allocate the Implicit Null (3) label for routes locally generated on the ASBR.
2. For routes learned from the PE in the same AS (suppose using LDP in the local AS), when the routes are redistributed into BGP from the IGP (e.g. ISIS/OSPF), the ASBR will just pick the label which was allocated for the IGP routes by LDP.

So I am a little confused; I am not sure whether this scheme can work properly when forwarding MPLS packets for L3VPN?

--
Learning Linux:)
---------------------------------------------------
Make Everyday Counts!

From mulitskiy at acedsl.com Mon Aug 3 12:22:40 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Mon, 3 Aug 2009 12:22:40 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <4A770551.4060901@cisco.com>
References: <200908031109.42285.mulitskiy@acedsl.com> <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com> <4A770551.4060901@cisco.com>
Message-ID: <200908031222.40296.mulitskiy@acedsl.com>

It's not about saving a /32.
This is a CPE device and I was just trying to save myself the administrative burden of maintaining another per-customer static ip assignment.
I don't need a dynamic routing protocol to run on those interfaces, but thanks for pointing it out anyway.
Ok, if I have to do it then I have to do it.
Thanks everybody,

Michael

On Monday 03 August 2009 11:42:09 am Rodney Dunn wrote:
> Don't do it. It's a hack and there are other forwarding plane things
> that don't like it. Read as..it may or may not always work.
>
> Burn another /32 for your loopback.
>
> Rodney

From b.turnbow at twt.it Mon Aug 3 12:18:38 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 3 Aug 2009 18:18:38 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031109.42285.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com>
Message-ID:

Not sure what's attached to the IP, or what you want to achieve, but a different approach would be to add no keepalive to the ethernet so it is always up.

Brian

From gert at greenie.muc.de Mon Aug 3 13:50:27 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 3 Aug 2009 19:50:27 +0200
Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga)
In-Reply-To:
References:
Message-ID: <20090803175027.GZ290@greenie.muc.de>

Hi,

On Mon, Aug 03, 2009 at 01:05:03PM +0400, Olga Ruzhanskaya wrote:
> We are using 7206VXR-G1/G2 platform as edge router (PE) in our MPLS network.
> When traffic volume grows, we replace NPE-G1 processor with NPE-G2.
> But in future we'll need something more powerful.

As far as I understand the Cisco product strategy, ASR1k is the current recommendation. The platform is powerful, but a bit "young" and lacking some features, though - so make sure that whatever you need is there.

> General requirements:
> - OSPF, BGP (full table for our own needs and for customers);
> - MPLS VPN (L3 and L2);
> - CBWFQ (better LLQ) QoS, uRPF, GRE..

As far as I understand, this should all be there today.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mvanton at gmail.com Mon Aug 3 13:51:03 2009
From: mvanton at gmail.com (vince anton)
Date: Mon, 3 Aug 2009 19:51:03 +0200
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
Message-ID: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>

Hi,

I currently have the setup below that works ok, but I'd like some opinions about some unanswered questions I've got.

Basically I currently offer IP based services to customers. What I do is run a fibre to a customer site, which on my end terminates in a switch as a vlan or as a trunk allowing that customer's specific vlans. Then a router linked to the same switch with an allow-all trunk handles all the L3 interfaces as subinterfaces using dot1q. So for example customer A has vlans 10,11,12 and say customer B has vlans 20,21,22, which are L3 subinterfaces on the router. Some of these subinterfaces are used for plain internet access, some may be a member of a vrf for private (non-internet) connections between customer sites.

My concern here is whether this is best practice for delivering such services, or if other ways of doing this are out there and proven better. Also scalability and stability are a concern; there is a limit to how large you want a Layer 2 network to be.

Last but not least, security. What if a customer plugs the fibre link into his switch with a bunch of other vlans running? The only form of 'protection' that I currently have is restriction of vlans on the trunk from the customer, but some traffic (like spanning tree) travels on vlan 1 as far as I recall and this cannot be blocked. Another item would be vlan hopping.

I'm just after some pointers from what you all do out there to offer similar services, what the best practices for this are, lessons learnt, etc... so I can then delve into the details given the pointers, to ensure I'm running in line with tried and tested ways of doing things.

thanks
anton

From swmike at swm.pp.se Mon Aug 3 14:20:45 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 3 Aug 2009 20:20:45 +0200 (CEST)
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
In-Reply-To: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
Message-ID:

On Mon, 3 Aug 2009, vince anton wrote:

> My concern here is whether this is best practice for delivering such
> services, or if other ways of doing this are out there and proven better.

No, that's a common model.

> Last but not least, security. What if a customer plugs the fibre link
> into his switch with a bunch of other vlans running? The only form of
> 'protection' that I currently have is restriction of vlans on the trunk
> from the customer, but some traffic (like spanning tree) travels on
> vlan 1 as far as I recall and this cannot be blocked. Another item would
> be vlan hopping.

Well, you probably want to enable STP filters if you don't expect STP packets to come in on the link. Disabling the use of vlan 1 on the customer link might be good as well (i.e. only use tagged vlans, do not run native vlan 1 on the customer link).

> I'm just after some pointers from what you all do out there to offer similar
> services, what the best practices for this are, lessons learnt, etc... so I
> can then delve into the details given the pointers, to ensure I'm running
> in line with tried and tested ways of doing things.

Vlan hopping shouldn't be a problem with modern equipment, but it might be good to verify that the one you're using doesn't have this problem.
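Mikael's checklist for a customer handoff (restrict the trunk to the customer's tagged VLANs, keep VLAN 1 and the default native VLAN off the link, filter STP) turned into a small config audit, added here as an example and not code from anyone on the list. The IOS-style stanzas it reads are constructed samples, and the "switchport nonegotiate" (DTP off) check is an extra one added here for the vlan-hopping point.

```python
"""Audit a customer-facing 802.1Q trunk in an IOS-style running-config for
the hardening points raised in the thread: explicit allowed-VLAN list, no
VLAN 1 / default native VLAN on the link, DTP off, customer BPDUs filtered."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class TrunkPort:
    name: str
    mode: str | None = None          # "trunk", "access" or None (DTP decides)
    allowed: set[int] | None = None  # None == IOS default, i.e. all VLANs
    native: int = 1                  # IOS default native VLAN
    nonegotiate: bool = False
    bpdu_filter: bool = False


def expand_vlans(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '10-12,20' into {10, 11, 12, 20}."""
    out: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        elif part:
            out.add(int(part))
    return out


def parse_interfaces(config: str) -> dict[str, TrunkPort]:
    """Collect the switchport / spanning-tree settings of each interface stanza."""
    ports: dict[str, TrunkPort] = {}
    cur: TrunkPort | None = None
    for raw in config.splitlines():
        if m := re.match(r"^interface (\S+)", raw):
            cur = TrunkPort(name=m.group(1))
            ports[cur.name] = cur
            continue
        if cur is None or not raw.startswith(" "):
            cur = None  # "!" or a global command ends the stanza
            continue
        cmd = raw.strip()
        if cmd.startswith("switchport mode "):
            cur.mode = cmd.split()[-1]
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", cmd):
            # a plain list and any "add" continuation lines are merged
            cur.allowed = (cur.allowed or set()) | expand_vlans(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", cmd):
            cur.native = int(m.group(1))
        elif cmd == "switchport nonegotiate":
            cur.nonegotiate = True
        elif cmd == "spanning-tree bpdufilter enable":
            cur.bpdu_filter = True
    return ports


def audit_customer_trunk(port: TrunkPort, customer_vlans: set[int]) -> list[str]:
    """Return the hardening gaps of a port that should carry only customer_vlans."""
    findings: list[str] = []
    if port.mode != "trunk":
        findings.append("port not statically set to 'switchport mode trunk'")
    if not port.nonegotiate:
        findings.append("DTP still enabled (no 'switchport nonegotiate')")
    if port.allowed is None:
        findings.append("allowed VLAN list left at default (all VLANs)")
    else:
        extra = port.allowed - customer_vlans
        if extra:
            findings.append(f"trunk also carries non-customer VLANs {sorted(extra)}")
        if port.native in port.allowed:
            findings.append(f"native VLAN {port.native} is in the allowed list, "
                            "so untagged customer frames are admitted into it")
    if port.native == 1:
        findings.append("native VLAN left at default 1 (VLAN 1 reaches the customer)")
    if not port.bpdu_filter:
        findings.append("customer BPDUs not filtered (no 'spanning-tree bpdufilter enable')")
    return findings


def audit(config: str, port_name: str, customer_vlans: set[int]) -> list[str]:
    return audit_customer_trunk(parse_interfaces(config)[port_name], customer_vlans)


# Constructed samples: customer A's handoff (VLANs 10-12) as it is often
# left, beside the hardened form of the same port.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10-12,20
!
"""
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-12
 switchport trunk native vlan 999
 spanning-tree bpdufilter enable
!
"""
CUSTOMER_A_VLANS = {10, 11, 12}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        gaps = audit(cfg, "GigabitEthernet1/0/1", CUSTOMER_A_VLANS)
        print(f"{label}: {len(gaps)} finding(s)")
        print(*("  - " + g for g in gaps), sep="\n")
```

Native VLAN 999 is an arbitrary unused VLAN that is deliberately absent from the allowed list, so untagged frames from the customer are dropped rather than admitted anywhere.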
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From awilliam1981 at gmail.com Mon Aug 3 14:31:16 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Mon, 3 Aug 2009 21:31:16 +0300
Subject: [c-nsp] ISP in US
In-Reply-To:
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com> <9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com> <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com>
Message-ID: <9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>

I decided to go with the Internet connection solution, but based on your experience as a customer, what ISP should I select?

Level3, Globalcrossing, Verizon, Sparkle, TATA or FLAG?

thanks
Andy

On Sat, Aug 1, 2009 at 5:22 PM, Scott Granados wrote:
> I still like the heavy business jet solution.
>
> :)
>
> ----- Original Message ----- From: "Andy William"
> To: "Daryl G. Jurbala"
> Cc:
> Sent: Saturday, August 01, 2009 2:06 AM
> Subject: Re: [c-nsp] ISP in US
>
>> Daryl, so you recommend to get an over-provisioned internet link and that
>> will do the job without extra effort?
>>
>> On Fri, Jul 31, 2009 at 9:22 PM, Daryl G. Jurbala wrote:
>>
>>> On Jul 30, 2009, at 6:42 PM, Andy William wrote:
>>>
>>>> Thx all and I will think about Gulfstream Daryl :)
>>>>
>>>> but I start to think about P2P connections like AT&T IPL (International
>>>> Private Line) or ATM PVC between both sites, what do you think? what is
>>>> the estimated cost for a 2M connection?
>>>
>>> That is also a very expensive way to go (if not just as expensive), and a
>>> lot of it depends on where your office is in the Middle East (to determine
>>> which carrier you will need to pay AT&T to buy their last few miles of
>>> transit through).
>>>
>>> I'm still not convinced that you need it - a 5 MB connection at each end
>>> with a VPN between the two and some sane QoS at each edge device ought to be
>>> more than enough. I deliver thousands of simultaneous calls from the Middle
>>> East through 3 GB connections to 3 different ISPs at my colo in San
>>> Francisco. No special agreements with anyone, the other sides of the calls
>>> originating from internet connections owned by our customers. No real
>>> problems.
>>>
>>> So before signing any contracts, I would simply give it a shot right over
>>> the Internet. You'll likely be pleased with the results.

From awilliam1981 at gmail.com Mon Aug 3 14:32:39 2009
From: awilliam1981 at gmail.com (Andy William)
Date: Mon, 3 Aug 2009 21:32:39 +0300
Subject: [c-nsp] ISP in US
In-Reply-To: <9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>
References: <9569de140907290644j11098b10l7c9c929ce4b30bb9@mail.gmail.com> <9569de140907301542j5519a2e5j9fd32c0a8bf16ce0@mail.gmail.com> <9569de140908010206i51d5c476oece239816de53bca@mail.gmail.com> <9569de140908031131n4d4d510cnbd8875368ce45517@mail.gmail.com>
Message-ID: <9569de140908031132j3a264551p29997b8e166c6f1e@mail.gmail.com>

Selection will depend on service reliability, network stability and support.

On Mon, Aug 3, 2009 at 9:31 PM, Andy William wrote:
> I decided to go with the Internet connection solution, but based on your
> experience as a customer, what ISP should I select?
>
> Level3, Globalcrossing, Verizon, Sparkle, TATA or FLAG?
>
> thanks
> Andy

From tomas at soitron.com Mon Aug 3 17:13:20 2009
From: tomas at soitron.com (Tomas Daniska)
Date: Mon, 3 Aug 2009 23:13:20 +0200
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <200908031222.40296.mulitskiy@acedsl.com>
References: <200908031109.42285.mulitskiy@acedsl.com> <480dad640908030829kf40edccvd02d2b45522a298a@mail.gmail.com> <4A770551.4060901@cisco.com> <200908031222.40296.mulitskiy@acedsl.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>

Michail,

you can use a different 10.10.10.x IP for f0/0.1 and have 10.10.10.1/32 on the loopback if this helps you. Proxy-ARP might be needed as well.

--
deejay

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Ulitskiy
> Sent: Monday, August 03, 2009 6:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IP unnumbered vlan subinterfaces question
>
> It's not about saving a /32.
> This is a CPE device and I was just trying to save myself the
> administrative burden of maintaining another per-customer static ip
> assignment.
> I don't need a dynamic routing protocol to run on those interfaces, but
> thanks for pointing it out anyway.
> Ok, if I have to do it then I have to do it.
> Thanks everybody,
>
> Michael
> > >
> > > On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
> > >
> > >> Hello,
> > >>
> > >> Guys, are there any drawbacks of doing the following:
> > >>
> > >> interface Lo0
> > >>  ip address 10.10.10.1 255.255.255.0
> > >> !
> > >> interface FastEthernet0/0.1
> > >>  encapsulation dot1q 1 native
> > >>  ip unnumbered Lo0
> > >> !
> > >> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> > >> !
> > >>
> > >> as opposed to having the ip address configured directly on the
> > >> interface as usual?
> > >> I need that ip address to stay always up regardless of Fa0/0 state,
> > >> 'cause it's used for other services that should stay up
> > >> and I'd prefer to avoid assigning another ip address exclusively for
> > >> loopback use.
> > >> It seems to work in my lab, but I thought I'd better ask...
> > >>
> > >> Thanks,
> > >> Michael
> > >>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
From david at hughes.com.au Mon Aug 3 17:44:18 2009
From: david at hughes.com.au (David Hughes)
Date: Tue, 4 Aug 2009 07:44:18 +1000
Subject: [c-nsp] BGP Multipath and unequal IGP metrics
In-Reply-To: <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com>
References: <073E0C99-024C-4D1B-8B1B-347F5CD8302F@hughes.com.au>
        <6bb5f5b10908021914r780d0430g4b7589eae8880ee8@mail.gmail.com>
Message-ID:

Hi

By "layers" are you suggesting building tunnels to match the iBGP topology so
the peers all think they are directly connected? Interesting thought but not
sure how it'd scale with gre etc. There is mpls configured on the core (just
for inter-DC EoMPLS at present) so perhaps mpls-te could provide an answer.
I've no experience with mpls-te but I'll go off and have a read.

Thanks for your thoughts.

David
...

On 03/08/2009, at 12:14 PM, Rubens Kuhl wrote:

> I would consider using a layered-session approach.
> The first layer would be used only to provide the path to the BGP
> loopback, both to your core routers and to your transit providers, and
> would be used to equalize the metric of the alternate paths. A likely
> scenario would consist of 4 BGP sessions among your own routers and 2
> or 4 sessions to your transit provider, but might be more; it would
> require BGP support, but no 1 million routes support.
>
> The second layer would use the first one to exchange provider
> announcements, both yours to transit and full routes from the transit
> providers.
>
> Disclaimer: haven't tested this exact scenario, ended up having
> full-route capable routers on all hops.
>
> Rubens
>
> On Mon, Jul 27, 2009 at 9:11 PM, David Hughes wrote:
>> Hi
>>
>> I have a situation that looks like a problem in the making. In a subset of
>> our network there's a pair of well connected datacentres (eg dual 10GE
>> paths etc). One of our upstreams will shortly be presenting a transit
>> path at both of these 2 locations.
>> No problems I think to myself - we'll just multi-path from our core and
>> load share over both paths.
>>
>> Problem. Seeing as the 2 border routers in question are at different
>> locations, the core routers see different IGP metrics to the nexthop of
>> the BGP table entry. As a result they are excluded from use with BGP
>> multipath and I'm left with the core routers at each DC only using the
>> paths to the border router at the local site.
>>
>> I don't want to mess around with tweaking the OSPF metrics as I'm sure
>> that's just a disaster waiting to happen for some poor network engineer
>> in a year or two. I thought I'd found a nice clean solution with Cisco's
>> "multipath unequal-cost" feature but for some reason I can't even start
>> to understand you can only use it in a VRF, not in the default table.
>>
>> So the only solution I can see is to reconfigure the core devices and
>> move all interfaces and routing processes into a VRF so that I can
>> effectively get this feature on our entire table.
>>
>> What am I missing here? Surely I'm not Robinson Crusoe - someone must
>> have done this before. Platform is Cat6k / Sup720.
>>
>> Thanks
>>
>> David
>> ...
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From David at hughes.com.au Mon Aug 3 18:11:31 2009
From: David at hughes.com.au (David Hughes)
Date: Tue, 4 Aug 2009 08:11:31 +1000
Subject: [c-nsp] SFC DOWN
In-Reply-To:
References: <8bb137f40907302114n72fafa06ldc4ef0505774454c@mail.gmail.com>
        <8bb137f40907302123w522dc0d7s3af539e0c38579b4@mail.gmail.com>
        <8bb137f40908010103i4fa4808s54d229ed3720650d@mail.gmail.com>
        <20090802084524.GL290@greenie.muc.de>
Message-ID: <9F7B627D-9AFD-4A56-9624-B32663E67D27@Hughes.com.au>

Looking for a well structured web site of info from this list? Just use
markmail.
David
...

On 02/08/2009, at 11:51 PM, e ninja wrote:

> Gert,
>
> So if we apply your thought process, there is no value in capturing and
> organizing re-usable intellectual capital? I guess you must think
> Wikipedia is useless and we should just trawl through the web and layers
> of email threads to find simple answers to questions that have already
> been answered?
>
> The value of any list is to share knowledge. If there are free tools out
> there like mysolvr (a user-generated knowledge-base), that also allows us
> to go the extra mile of documenting and organizing re-usable know-how for
> the benefit of others, it is worth the effort.
>
> We have to work smarter, not harder.
>
> Eninja
>
> On Sun, Aug 2, 2009 at 1:45 AM, Gert Doering wrote:
>
>> Hi,
>>
>> On Sat, Aug 01, 2009 at 08:12:05PM -0700, e ninja wrote:
>>> PS. Contributors to this list should strive to post reusable
>>> knowledge to www.mysolvr.com so that it is properly documented,
>>> organized and easily searchable for posterity.
>>
>> Contributors to this list should just post to this list. Archives are
>> available in many places, google will find the answers, and it's not
>> necessary to go to a separate web site (which is likely to profit from
>> it in some way) to get answers to questions posted *here*.
>>
>> The value of this list is not "post links to web sites".
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> // www.muc.de/~gert/
>> Gert Doering - Munich, Germany
>> gert at greenie.muc.de
>> fax: +49-89-35655025
>> gert at net.informatik.tu-muenchen.de
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From clayton at MNSi.Net Mon Aug 3 20:51:32 2009
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Mon, 03 Aug 2009 20:51:32 -0400
Subject: [c-nsp] Retired IOS Releases
Message-ID: <1249347021_59693@surgemail.win>

Looks like Cisco went and removed a bunch of IOS releases from the website
in May. Not sure if this has already been discussed here.

http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html

Anyone with older production equipment should probably archive their images
from their equipment just in case something happens, because apparently you
can't get it from Cisco anymore.

---

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8

tel. 519-985-8410
fax. 519-985-8409

From snortbsd at yahoo.com.au Tue Aug 4 00:06:49 2009
From: snortbsd at yahoo.com.au (snort bsd)
Date: Mon, 3 Aug 2009 21:06:49 -0700 (PDT)
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <1249285635.3071.4.camel@abehat.net.rm.dk>
Message-ID: <666686.33750.qm@web38105.mail.mud.yahoo.com>

Thanks. But I did almost exactly what you suggested and it is still not
working. BTW, the command "bridge 10 route ip" doesn't work since only the
command "bridge 1 route ip" works.

--- On Mon, 3/8/09, Peter Rathlev wrote:

> From: Peter Rathlev
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd"
> Cc: "cisco-nsp"
> Received: Monday, 3 August, 2009, 5:47 PM
> AFAIK without BVI interfaces this will not work.
> You need to reconfigure the subinterfaces of Fa0 to match what Leslie
> pointed out:
>
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  bridge-group 10
>  bridge-group 10 spanning-disabled
> !
> interface FastEthernet0.20
>  encapsulation dot1Q 20
>  bridge-group 20
>  bridge-group 20 spanning-disabled
> !
> interface BVI10
>  ip address 192.168.13.10 255.255.255.0
> !
> interface BVI20
>  ip address 192.168.12.10 255.255.255.0
> !
> bridge 10 protocol ieee
> bridge 20 protocol ieee
> !
> bridge 10 route ip
> bridge 20 route ip
> !
>
> Regards,
> Peter
>
> On Sun, 2009-08-02 at 16:44 -0700, snort bsd wrote:
> > Thanks for help!
> >
> > Here is what I have:
> >
> > internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
> >               |
> >               |
> >               |
> >          wireless PCs (VLAN 10 or VLAN 20)
> >
> > I have DHCP service configured on the AP, which means those wireless
> > PCs should get their IP addresses from the DHCP server on the AP (I
> > don't have a separate DHCP server on the internal network). What I am
> > trying to figure out is how I can tie the right pool of DHCP IP
> > addresses to the right interface. Right now the authenticated PCs could
> > not get an IP address at all.
> >
> > here is my config relating to the diagram:
> >
> > ip dhcp pool vlan20
> >    network 192.168.12.0 255.255.255.0
> >    subnet prefix-length 24
> >    default-router 192.168.12.1
> >    lease infinite
> > !
> > ip dhcp pool vlan10
> >    network 192.168.13.0 255.255.255.0
> >    subnet prefix-length 24
> >    default-router 192.16.13.1
> >    lease infinite
> > ....
> > ...
> > dot11 vlan-name ming vlan 20
> > dot11 vlan-name rest vlan 10
> > !
> > dot11 ssid lab vlan 20
> >    vlan 20
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    guest-mode
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever"
> > !
> >    information-element ssidl wps
> > !
> > dot11 ssid test vlan 10
> >    vlan 10
> >    max-associations 10
> >    authentication open
> >    authentication key-management wpa
> >    mbssid guest-mode
> >    wpa-psk ascii 7 "whatever"
> > !
> >    information-element ssidl wps
> > ....
> > ...
> > interface Dot11Radio0
> >  no ip address
> >  no ip route-cache
> >  !
> >  encryption vlan 10 mode ciphers aes-ccm tkip
> >  !
> >  encryption vlan 20 mode ciphers aes-ccm tkip
> >  !
> >  ssid lab vlan 20
> >  !
> >  ssid test vlan 10
> >  !
> >  mbssid
> >  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
> > 36.0 48.0 54.0
> >  station-role root
> > !
> > interface Dot11Radio0.10
> >  encapsulation dot1Q 10 native
> >  no ip redirects
> >  no ip route-cache
> >  bridge-group 10
> >  bridge-group 10 subscriber-loop-control
> >  bridge-group 10 block-unknown-source
> >  no bridge-group 10 source-learning
> >  no bridge-group 10 unicast-flooding
> >  bridge-group 10 spanning-disabled
> > !
> > interface Dot11Radio0.20
> >  encapsulation dot1Q 20
> >  no ip redirects
> >  no ip route-cache
> >  bridge-group 20
> >  bridge-group 20 subscriber-loop-control
> >  bridge-group 20 port-protected
> >  bridge-group 20 block-unknown-source
> >  no bridge-group 20 source-learning
> >  no bridge-group 20 unicast-flooding
> >  bridge-group 20 spanning-disabled
> > !
> > interface FastEthernet0
> >  no ip address
> >  no ip route-cache
> >  duplex auto
> >  speed auto
> >  bridge-group 1
> >  no bridge-group 1 source-learning
> >  bridge-group 1 spanning-disabled
> > !
> > interface FastEthernet0.10
> >  encapsulation dot1Q 10
> >  ip address 192.168.13.10 255.255.255.0
> >  no ip redirects
> >  no ip route-cache
> > !
> > interface FastEthernet0.20
> >  encapsulation dot1Q 20
> >  ip address 192.168.12.10 255.255.255.0
> >  no ip redirects
> >  no ip route-cache
> > !
> >
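An added checker, not from the thread, from Cisco or from any poster, that parses a constructed IOS-style AP config modelled on the one quoted above and flags what Peter's reply points to: a dot1Q subinterface carrying an IP address directly instead of joining a bridge-group with a BVI, a bridge-group with no wired member, no BVI or no `bridge N route ip`, and also a DHCP pool whose default-router sits outside its own network (as 192.16.13.1 does for the 192.168.13.0/24 pool quoted above). Interface names, VLAN numbers and addresses in the sample are constructed, and `parse_blocks`, `check_bridging`, `check_dhcp_pools` and `audit` are hypothetical helpers.

```python
# Added checker (not from the thread) for the AP mistakes discussed above: a
# dot1Q subinterface with a direct IP (no bridge-group/BVI), a bridge-group
# lacking a wired member, a BVI or 'bridge N route ip', and a DHCP pool whose
# default-router is outside its own network.
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the config quoted in the thread (not a copy).
SAMPLE_CONFIG = """\
ip dhcp pool vlan10
   network 192.168.13.0 255.255.255.0
   default-router 192.16.13.1
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 10
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.13.10 255.255.255.0
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface BVI20
 ip address 192.168.12.10 255.255.255.0
!
bridge 1 route ip
"""

def parse_blocks(text):
    """Split an IOS config into (header, [indented sub-lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # top-level command: new block
            blocks.append((line, []))
        elif blocks:                         # indented: part of current block
            blocks[-1][1].append(line)
    return blocks

def check_bridging(blocks):
    """Findings about dot1Q subinterfaces, bridge-groups and BVIs."""
    findings, members, bvis, routed = [], defaultdict(set), set(), set()
    for header, lines in blocks:
        m_route = re.match(r"bridge (\d+) route ip$", header)
        m_if = re.match(r"interface (\S+)$", header)
        if m_route:
            routed.add(int(m_route.group(1)))
        elif m_if and m_if.group(1).lower().startswith("bvi"):
            bvis.add(int(m_if.group(1)[3:]))
        elif m_if:
            vlan = group = None
            for l in lines:
                m_vlan = re.match(r"encapsulation dot1[qQ] (\d+)", l)
                m_grp = re.match(r"bridge-group (\d+)$", l)
                vlan = int(m_vlan.group(1)) if m_vlan else vlan
                group = int(m_grp.group(1)) if m_grp else group
            if vlan is None:
                continue                     # physical port: nothing to judge
            if group is None and any(l.startswith("ip address ") for l in lines):
                findings.append(f"{m_if.group(1)}: VLAN {vlan} has a direct IP address; bridge it and use BVI{vlan}")
            if group is not None:
                members[group].add(m_if.group(1))
    for group, names in sorted(members.items()):
        if all(n.startswith("Dot11") for n in names):
            findings.append(f"bridge-group {group}: only wireless members {sorted(names)}")
        if group not in bvis:
            findings.append(f"bridge-group {group}: no interface BVI{group}")
        elif group not in routed:
            findings.append(f"bridge-group {group}: missing 'bridge {group} route ip'")
    return findings

def check_dhcp_pools(blocks):
    """Flag a DHCP pool whose default-router is not inside its own network."""
    findings = []
    for header, lines in blocks:
        m_pool = re.match(r"ip dhcp pool (\S+)", header)
        if not m_pool:
            continue
        net = gw = None
        for l in lines:
            m_net = re.match(r"network (\S+) (\S+)$", l)
            m_gw = re.match(r"default-router (\S+)$", l)
            if m_net:
                net = ipaddress.ip_network("/".join(m_net.groups()), strict=False)
            if m_gw:
                gw = ipaddress.ip_address(m_gw.group(1))
        if net is not None and gw is not None and gw not in net:
            findings.append(f"dhcp pool {m_pool.group(1)}: default-router {gw} is outside {net}")
    return findings

def audit(text):
    """Run both checks over one config text and return every finding in order."""
    blocks = parse_blocks(text)
    return check_bridging(blocks) + check_dhcp_pools(blocks)
```

Running `audit(SAMPLE_CONFIG)` reports the direct IP on FastEthernet0.10, the wireless-only bridge-group 10 with no BVI10, the missing `bridge 20 route ip`, and the pool gateway outside 192.168.13.0/24; applying Peter's corrections and fixing the gateway makes the list empty.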
From eng_mssk at hotmail.com Tue Aug 4 05:31:14 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 4 Aug 2009 12:31:14 +0300
Subject: [c-nsp] VPN over WiMAX
Message-ID:

hey all
I have 2 CPEs and 2 trendnet routers
I'm trying to establish an ipsec vpn but I cannot
the setup is like below:

PC (172.16.5.2) connected to router (172.16.5.1) (172.16.0.101) connected to
CPE (172.16.0.138) connected to internet (x.x.x.x)

PC (192.168.10.2) connected to router (192.168.10.1) (10.0.0.100) connected to
CPE (10.0.0.138) connected to internet (y.y.y.y)

we connected the 2 routers to our LAN with different subnets and it worked
fine
can anyone help ??

From nick at inex.ie Tue Aug 4 05:38:26 2009
From: nick at inex.ie (Nick Hilliard)
Date: Tue, 04 Aug 2009 10:38:26 +0100
Subject: [c-nsp] Retired IOS Releases
In-Reply-To: <1249347021_59693@surgemail.win>
References: <1249347021_59693@surgemail.win>
Message-ID: <4A780192.1000205@inex.ie>

On 04/08/2009 01:51, Clayton Zekelman wrote:
> Looks like Cisco went and removed a bunch of IOS releases from the
> website in May. Not sure if this has already been discussed here.
>
> http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html
>
> Anyone with older production equipment should probably archive their
> images from their equipment just in case something happens, because
> apparently you can't get it from Cisco anymore.

Clayton,

Although these images have been retired from the CCO web site, they are
still available along with a whole pile more from the Cisco FTP site:

ftp://ftp.cisco.com/cisco/ios/

You will need to log in using your web username and password.

The ftp archive is great.
There are still images there going back to 11.3, if you have really old
equipment lying around (e.g. memory limited 2500s and that sort of thing).

Unfortunately, the cisco ftp site does not contain 3des images, so if you
depend on encryption, you will need to maintain a local archive.

Nick

From walter.keen at RainierConnect.net Tue Aug 4 05:51:07 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 02:51:07 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
Message-ID: <4A78048B.60803@rainierconnect.net>

I've got a 7507 with dual RSP8's attempting to use rsp-jsv-mz.124-8.bin
configured for rpr-plus, but keep getting this around every 10 minutes or
so. It results in a loss of connectivity for end-users of course, until the
system recovers. My initial guess is something is wrong with the standby
processor (slot 3) or perhaps the memory in it. I've had the tech pull it
out to see if the system stabilizes and will bring it back to the lab if it
does.

Anyone else run into this in the past?
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C 2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %LINK-3-UPDOWN: Interface ATM4/1/0, changed state to up 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to up 2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to up 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to up 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's 
From clayton at MNSi.Net Tue Aug 4 10:15:24 2009
From: clayton at MNSi.Net (Clayton Zekelman)
Date: Tue, 04 Aug 2009 10:15:24 -0400
Subject: [c-nsp] Retired IOS Releases
In-Reply-To: <4A780192.1000205@inex.ie>
References: <1249347021_59693@surgemail.win> <4A780192.1000205@inex.ie>
Message-ID: <1249395253_64723@surgemail.win>

Yeah, tried that... empty directory.

ftp> pwd
257 "/cisco/ios/12.3/12.3.9e/6400" is current directory
ftp> ls
200 PORT: Command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp>

That was the most recent release for the 6400.

At 05:38 AM 8/4/2009, Nick Hilliard wrote:
>On 04/08/2009 01:51, Clayton Zekelman wrote:
>>Looks like Cisco went and removed a bunch of IOS releases from the
>>website in May. Not sure if this has already been discussed here.
>>
>>http://www.cisco.com/web/software/SPRIT/swretirement/IOSRetirementTable.html
>>
>>Anyone with older production equipment should probably archive their
>>images from their equipment just in case something happens, because
>>apparently you can't get it from Cisco anymore.
>
>Clayton,
>
>Although these images have been retired from the CCO web site, they
>are still available along with a whole pile more from the Cisco FTP site:
>
>ftp://ftp.cisco.com/cisco/ios/
>
>You will need to log in using your web username and password. The
>ftp archive is great. There are still images there going back to
>11.3, if you have really old equipment lying around (e.g. memory
>limited 2500s and that sort of thing).
>
>Unfortunately, the cisco ftp site does not contain 3des images, so
>if you depend on encryption, you will need to maintain a local archive.
>
>Nick

---
Clayton Zekelman
Managed Network Systems Inc. (MNSi)
344-300 Tecumseh Rd. E.
Windsor, Ontario
N8X 5E8
tel. 519-985-8410
fax. 519-985-8409

From mulitskiy at acedsl.com Tue Aug 4 10:48:30 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Tue, 4 Aug 2009 10:48:30 -0400
Subject: [c-nsp] IP unnumbered vlan subinterfaces question
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>
References: <200908031109.42285.mulitskiy@acedsl.com> <200908031222.40296.mulitskiy@acedsl.com> <6B43981C32F8464CB24CEE209DA32BD3023E3F7F@kenya.tronet.as>
Message-ID: <200908041048.30424.mulitskiy@acedsl.com>

It wouldn't let me do that. It would say "overlapping subnet".

Michael

On Monday 03 August 2009 05:13:20 pm Tomas Daniska wrote:
> Michail,
>
> you can use a different 10.10.10.x IP for f0/0.1 and have 10.10.10.1/32
> on the loopback if this helps you. Proxy-ARP might be needed as well.
>
> --
>
> deejay
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Ulitskiy
> > Sent: Monday, August 03, 2009 6:23 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] IP unnumbered vlan subinterfaces question
> >
> > It's not about saving a /32.
> > This is a CPE device and I was just trying to save myself the
> > administrative burden of maintaining another per-customer static ip
> > assignment.
> > I don't need a dynamic routing protocol to run on those interfaces, but
> > thanks for pointing it out anyway.
> > Ok, if I have to do it then I have to do it.
> > Thanks everybody,
> >
> > Michael
> >
> > On Monday 03 August 2009 11:42:09 am Rodney Dunn wrote:
> > > Don't do it. It's a hack and there are other forwarding plane things
> > > that don't like it. Read as.. it may or may not always work.
> > >
> > > Burn another /32 for your loopback.
> > >
> > > Rodney
> > >
> > > Aaron wrote:
> > > > Loopback interfaces do not go down, so I'm not sure what benefit you are
> > > > getting besides the ability to blackhole the 10.10.10.0/24 if the ethernet
> > > > goes down.
> > > >
> > > > On Mon, Aug 3, 2009 at 11:09, Michael Ulitskiy wrote:
> > > >
> > > >> Hello,
> > > >>
> > > >> Guys, are there any drawbacks of doing the following:
> > > >>
> > > >> interface Lo0
> > > >>  ip address 10.10.10.1 255.255.255.0
> > > >> !
> > > >> interface FastEthernet0/0.1
> > > >>  encapsulation dot1q 1 native
> > > >>  ip unnumbered Lo0
> > > >> !
> > > >> ip route 10.10.10.0 255.255.255.0 FastEthernet0/0.1
> > > >> !
> > > >>
> > > >> as opposed to having the ip address configured directly on the interface as
> > > >> usual?
> > > >> I need that ip address to stay always up regardless of Fa0/0 state, 'cause
> > > >> it's used for other services that should stay up
> > > >> and I'd prefer to avoid assigning another ip address exclusively for
> > > >> loopback use.
> > > >> It seems to work in my lab, but I thought I'd better ask...
> > > >>
> > > >> Thanks,
> > > >> Michael
> > > >> _______________________________________________
> > > >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >>

From kilobit at gmail.com Tue Aug 4 11:04:21 2009
From: kilobit at gmail.com (bas)
Date: Tue, 4 Aug 2009 17:04:21 +0200
Subject: [c-nsp] multipath BGP not balancing equally.
Message-ID:

Hi,

I have an issue with unequal multipath BGP load balancing.
It is a 6500 / SUP720-3BXL running 12.2.18SXF16.
There are four eBGP sessions to a transit carrier's ASN, all with full table.
However one out of four interfaces sends about 2Gbps less than the other three.
RTR-HV7#sh int ten 2/2 | i output rate
  1 minute output rate 6357052000 bits/sec, 546295 packets/sec
RTR-HV7#sh int ten 3/1 | i output rate
  1 minute output rate 8509719000 bits/sec, 729490 packets/sec
RTR-HV7#sh int ten 3/3 | i output rate
  1 minute output rate 8721235000 bits/sec, 746980 packets/sec
RTR-HV7#sh int ten 4/4 | i output rate
  1 minute output rate 8592400000 bits/sec, 734864 packets/sec

All four sessions have the same settings (in the same peer-group).
Through netflow I've tried to deduce whether there are specific ASNs not chosen through the nexthop that has less traffic, but that does not seem to be the case.
I've looked at "ip cef load-sharing algorithm universal", however that seems to already be the default algorithm in current IOS versions.
With any prefix I test through "sh ip cef x.x.x.x detail" it seems all four paths are used.

Thanks in advance,

Bas

From nsp at myzionetworks.com Tue Aug 4 11:22:24 2009
From: nsp at myzionetworks.com (Todd Shipway)
Date: Tue, 4 Aug 2009 11:22:24 -0400
Subject: [c-nsp] 7513 multilink interface issue
Message-ID: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>

We have several customers set up with T1s multilinked. We are running into a problem with a single multilink member bouncing causing routing issues. When a single T1 member of a multilink group bounces, traffic to the overall multilink interface stops and we have to manually shut and no shut the multilink interface to get traffic flowing again.

Has anyone seen this before and if so, know what the issue may be?

From b.turnbow at twt.it Tue Aug 4 11:55:58 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 4 Aug 2009 17:55:58 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A78048B.60803@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net>
Message-ID:

It's been a while since I've had one, but
the MD error is a memory parity error.
2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04 -Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54

Means that it was received on cybus1 (slots 5-7).
This comes from the VIP, so I don't think your standby processor is causing it.
You need to check on your vip.
I've never been brave enough to try a 7500 for dsl aggregation :)
I'd pick up a 7200 instead.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Tuesday, 4 August 2009 11.51
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?

I've got a 7507 with dual RSP8's attempting to use rsp-jsv-mz.124-8.bin configured for rpr-plus, but keep getting this around every 10 minutes or so. It results in a loss of connectivity for end-users of course, until the system recovers.

My initial guess is something is wrong with the standby processor (slot 3) or perhaps the memory in it. I've had the tech pull it out to see if the system stabilizes and will bring it back to the lab if it does.

Has anyone else run into this in the past?
2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Error Interrupt register 0xB 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Other Interrupt register 0x100 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE RX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYBUS Error Cmd/Addr 0x8001A80, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address Low 0xC 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SVIP_RELOAD: SVIP Reload is called. 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8 2w5d: %RSP-3-ERROR: End of MEMD error interrupt processing -Traceback= 0x40589298 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-CXBUSERR: Slot 5, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 5, Internal Error due to VIP crash 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from FULL to DOWN, Neighbor Down: Interface down or detached 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command read 8bytes (0x1) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 8 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 
0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Error Interrupt register 0xF 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error in data from CyBus 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Other Interrupt register 0x80 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Unknown CYA oisr bit 0x00000080 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE TX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYBUS Error Cmd/Addr 0x1000198, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Interrupt Status register 0x0 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus. 
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command write 1byte (0xB) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 12 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 5 after HARD_RESET, elapsed 15048, status 0x0 -Traceback= 0x40388848 0x405BA000 0x405BD2C0 0x405C3720 2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518 2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode 2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5 2w5d: %DBUS-3-WCSLDERR: Slot 5, error loading WCS, status 0x14 cmd/data 0x2E pos 5749518 2w5d: %UCODE-3-LDFAIL: Unable to download ucode from system image in slot 5, trying rom ucode 2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down 2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5 2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C 2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: 
Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SVIP_RELOAD: SVIP Reload is called. 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8 2w5d: %DBUS-3-CXBUSERR: Slot 4, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 4, Internal Error due to VIP crash 2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to down 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to down 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant 2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave 2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down 2w5d: %CBUS-3-CCBPTIMEOUT: CCB handover timed out, CCB 0xF800FF50, slot 4 -Traceback= 0x40388848 0x405D6054 0x405D2830 0x405D2EE0 0x405C393C 2w5d: %LINK-3-UPDOWN: Interface FastEthernet5/1/0, changed state to down 2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to down 2w5d: %LINK-3-UPDOWN: Interface FastEthernet5/1/0, changed state to up 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from LOADING to FULL, Loading Done 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found sea-agg-1# 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware 
queue for card at slot 0 not found 2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found -------------------- sea-agg-1# 2w5d: %RSP-3-ERROR: MD error 0080000000010000 -Traceback= 0x40588B14 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: Cybus1 parity error (bytes 0:7) 04 -Traceback= 0x40588CDC 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command write 8bytes (0x7) -Traceback= 0x40588930 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: physical address (bits 20:12) 0F8000 -Traceback= 0x40588A50 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 6E0000 -Traceback= 0x40588A74 0x40588CF8 0x405891CC 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Error Interrupt register 0xB 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYASIC Other Interrupt register 0x100 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 QE RX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot5 CYBUS Error Cmd/Addr 0x76F8548, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 MPUIntfc/PacketBus Error register 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot5 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot5 IOBUS Error Address Low 0xC 2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SVIP_RELOAD: SVIP Reload is called. 
2w5d: %VIP4-80 RM7000-3-MSG: slot5 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199B028 2w5d: %RSP-3-ERROR: End of MEMD error interrupt processing -Traceback= 0x40589298 0x405892F0 0x4058A978 0x404CFA54 2w5d: %DBUS-3-CXBUSERR: Slot 5, CBus Error 2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 5, Internal Error due to VIP crash 2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from FULL to DOWN, Neighbor Down: Interface down or detached 2w5d: %RSP-3-ERROR: CyBus1 error 10 -Traceback= 0x40588DA8 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: command/address mismatch -Traceback= 0x40588E64 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: bus command read 8bytes (0x1) -Traceback= 0x40588930 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: address offset (bits 3:1) 0 -Traceback= 0x40588A18 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %RSP-3-ERROR: virtual address (bits 23:17) 000000 -Traceback= 0x40588A74 0x40588F68 0x405891F0 0x405892F0 0x4058A978 0x404CFA54 2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-MVIP_CYBUSERROR_INTERRUPT: A Cybus Error occured. 
2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Error Interrupt register 0x4000F 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CBus read during CBus stall 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error internal to CYA 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Parity Error in data from CyBus 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Missing ACK on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 NACK present on CyBus access 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYASIC Other Interrupt register 0x80 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Unknown CYA oisr bit 0x00000080 2w5d: %VIP4-80 RM7000-1-MSG: slot4 QE TX HIGH Priority Interrupt 2w5d: %VIP4-80 RM7000-1-MSG: slot4 CYBUS Error Cmd/Addr 0x10001A0, CYBUS Error Data 0x0 2w5d: %VIP4-80 RM7000-1-MSG: slot4 MPUIntfc/PacketBus Error register 0x110000A1 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Interrupt Status register 0x4 2w5d: %VIP4-80 RM7000-1-MSG: slot4 Address/Command Strobe Timeout 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Address High 0x1C01 2w5d: %VIP4-80 RM7000-1-MSG: slot4 IOBUS Error Address Low 0xC 2w5d: %RSP-2-QAERROR: reused or zero link error, write at addr 0138 (QA) log 22013800, data A0F00000 00000000 2w5d: %QA-3-DIAG: Failed to enqueue buffer header 0xA0F0 2w5d: %QA-3-DIAG: Approximate stack backtrace prior to interrupt: 2w5d: %QA-3-DIAG: -Traceback= 0x404CD814 0x406B3684 0x406BA5F0 0x406C3770 0x406B6518 0x406AE188 0x406A5EE0 0x406B1FC4 0x4051C730 0x40642F1C 0x40643104 0x406432F8 2w5d: %QA-3-DIAG: Buffer 0xA0F0 is element 1 on queue 0x20 2w5d: %QA-3-DIAG: Queue 0x20 (E8000100) has 1 elements 2w5d: %QA-3-DIAG: Buffer 0xA0F0 is element 1154 on queue 0x27 2w5d: %QA-3-DIAG: Queue 0x27 (E8000138) has 1154 elements 2w5d: %QA-3-DIAG: No NULL terminator for queue 0x28 2w5d: %QA-3-DIAG: Queue 0x28 (E8000140) has 90 elements 2w5d: %QA-3-DIAG: No NULL terminator for queue 0x2C 2w5d: %QA-3-DIAG: Queue 0x2C (E8000160) has 5 elements 2w5d: %QA-3-DIAG: At least one QA queue is broken 
2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down
2w5d: %RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 5
2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C
2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %TIGER-3-BADADDR_MBE: Invalid MBE dram address: 0xFFFFFFFF latched by Tiger
2w5d: %RSP-3-ERROR: dbus read at 3E8410C0 -Traceback= 0x405BBE30 0x405BCDA0 0x405C3720 -Traceback= 0x405887C4 0x4058AFA8 0x404E6EA8 0x404CDC04
2w5d: %DBUS-3-SLOTCOMP: Slot 3, dbus error, slot (0xF) and complement (0x0) do not match
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SVIP_RELOAD: SVIP Reload is called.
2w5d: %VIP4-80 RM7000-3-MSG: slot4 VIP-3-SYSTEM_EXCEPTION: VIP System Exception occurred sig=22, code=0x0, context=0x6199A8A8
2w5d: %DBUS-3-CXBUSERR: Slot 4, CBus Error
2w5d: %DBUS-3-DBUSINTERRSWSET: Slot 4, Internal Error due to VIP crash
2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to down
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to down
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %OIR-6-INSCARD: Card inserted in slot 5, interfaces administratively shut down
2w5d: %CBUS-3-CCBPTIMEOUT: CCB handover timed out, CCB 0xF800FF50, slot 4 -Traceback= 0x40388848 0x405D6054 0x405D2830 0x405D2EE0 0x405C393C
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to down
2w5d: %OSPF-5-ADJCHG: Process 10, Nbr 74.50.207.83 on FastEthernet5/1/0 from LOADING to FULL, Loading Done
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.208.10:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.208.10:1645,1646 has returned.
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1#
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
sea-agg-1# sea-agg-1# sea-agg-1# sea-agg-1#
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found
2w5d: %DBUS-3-SW_NOTRDY: DBUS software not ready for slot 3 after dbus_slot_enable(), elapsed 15040, status 0x29 -Traceback= 0x40388848 0x405BA000 0x405BB054 0x405D2DF4 0x405C393C
2w5d: %DBUS-3-WCSPARERR: Slot 3, WCS Controller Parity Error
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %LINK-3-UPDOWN: Interface ATM4/1/0, changed state to up
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM4/1/0, changed state to up
2w5d: %LINK-3-UPDOWN: Interface BVI3, changed state to up
2w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI3, changed state to up
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Slave to Non-participant
2w5d: %RSP-3-SLAVECHANGE: Slave changed state from Non-participant to Slave
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %HA-5-NOTICE: Standby (slave) configured to run HA image "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %HA-5-NOTICE: Loading standby (slave) image: "disk0:rsp-jsv-mz.124-8.bin"
2w5d: %TBRIDGE-4-NOVCFLOOD: No VC's configured for bridging on ATM4/1/0.669
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %RADIUS-4-RADIUS_DEAD: RADIUS server 69.10.201.13:1645,1646 is not responding.
2w5d: %RADIUS-4-RADIUS_ALIVE: RADIUS server 69.10.201.13:1645,1646 has returned.
2w5d: %HA-5-MODE: Operating mode is hsa, configured mode is rpr-plus.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync started.
2w5d: %HA-5-SYNC_NOTICE: Bulk sync completed.
2w5d: %HA-5-SYNC_NOTICE: Config sync started.
sea-agg-1#

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gtb at slac.stanford.edu Tue Aug 4 12:07:48 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Tue, 4 Aug 2009 09:07:48 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To:
References: <4A78048B.60803@rainierconnect.net>
Message-ID:

> I've never been brave enough to try a 7500 for dsl aggregation:)

And while a memory parity error is probably hardware, I have this vague recollection that someone from Cisco (Rodney Dunn?) has on a couple of occasions recommended against using a 7500 for broadband aggregation, since the platform was simply not targeted or tested to that role. One *would* encounter things that do not work, and they would end up being "won't fix" on that platform.
From rodunn at cisco.com Tue Aug 4 13:24:24 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:24:24 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com>
Message-ID: <4A786EC8.2070606@cisco.com>

That should never happen and is possibly a bug.

Can you ping directly over the bundle to the ip address on the other side when it's broke? If not, go to the latest code and see if it's fixed...or do some debugging: 'sh ip cef for other side of bundle, debug ip packet, etc...

Rodney

Todd Shipway wrote:
> We have several customers setup with T1's multilinked. We are running into
> a problem with a single multilink member bouncing causing routing issues.
> When a single T1 member of a multilink group bounces, traffic to the overall
> multilink interface stops and we have to manually shut and no shut the
> multilink interface to get traffic flowing again.
>
> Has anyone seen this before and if so, know what the issue may be?

From rodunn at cisco.com Tue Aug 4 13:25:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:25:54 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To:
References: <4A78048B.60803@rainierconnect.net>
Message-ID: <4A786F22.3060309@cisco.com>

Probably me. ;)

There were some issues around DSL termination in to a VRF that would not work.

The platform was never targeted for that market space so I wouldn't use it.

72xx, 10k, or ASR would be the pick.

The ISR's on really really low end side.
Rodney

Buhrmaster, Gary wrote:
>> I've never been brave enough to try a 7500 for dsl aggregation:)
>
> And while a memory parity error is probably hardware,
> I have this vague recollection that someone from
> Cisco (Rodney Dunn?) has on a couple of occasions
> recommended against using a 7500 for broadband
> aggregation, since the platform was simply not
> targeted or tested to that role. One *would*
> encounter things that do not work, and they would
> end up being "won't fix" on that platform.

From rodunn at cisco.com Tue Aug 4 13:29:58 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:29:58 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References:
Message-ID: <4A787016.7040006@cisco.com>

That's usually caused by routes not being the same on the paths.

This is a hard problem to solve. Is there any way we could prove the prefix distribution is the exact same over the paths?

I don't know of a way other than dumping the output for every route in the RIB looking for the next hop.

Rodney

bas wrote:
> Hi,
>
> I have an issue with unequal multipath BGP loadbalancing
> It is a 6500 / SUP720-3BXL running 12.2.18SXF16
>
> There are four eBGP sessions to a transit carriers ASN, all with full table
>
> However one out of four interfaces sends about 2Gbps less than the other three.
>
> RTR-HV7#sh int ten 2/2 | i output rate
> 1 minute output rate 6357052000 bits/sec, 546295 packets/sec
> RTR-HV7#sh int ten 3/1 | i output rate
> 1 minute output rate 8509719000 bits/sec, 729490 packets/sec
> RTR-HV7#sh int ten 3/3 | i output rate
> 1 minute output rate 8721235000 bits/sec, 746980 packets/sec
> RTR-HV7#sh int ten 4/4 | i output rate
> 1 minute output rate 8592400000 bits/sec, 734864 packets/sec
>
> All four sessions have the same settings (in the same peer-group)
> Through netflow I've tried to deduct if there are specific ASN's not
> chosen through the nexthop that has less traffic, but that does not
> seem to be the case.
>
> I've looked at "ip cef load-sharing algorithm universal" however that
> seems to already be the default algorithm in current IOS versions.
>
> With any prefix I test through "sh ip cef x.x.x.x detail" it seems all
> four paths are used.
>
> Thanks in advance,
>
> Bas

From nsp at myzionetworks.com Tue Aug 4 13:36:26 2009
From: nsp at myzionetworks.com (Todd)
Date: Tue, 4 Aug 2009 13:36:26 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A786EC8.2070606@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com>
Message-ID: <000001ca152a$18a8b600$49fa2200$@com>

When it happens, I can ping the remote end from the 7513, but nothing outside of the 7513.

For Example....

SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER

1 multilink T1 bounces.

After the T1 comes up, the multilink interface and both T1's show as up/up and 7513 can ping END USER, but END USER can't ping 7513 and no connection to/from SERVER to END USER.

Hope that makes sense.
-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Tuesday, August 04, 2009 1:24 PM
To: Todd Shipway
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7513 multilink interface issue

That should never happen and is possibly a bug.

Can you ping directly over the bundle to the ip address on the other side when it's broke? If not, go to the latest code and see if it's fixed...or do some debugging: 'sh ip cef for other side of bundle, debug ip packet, etc...

Rodney

Todd Shipway wrote:
> We have several customers setup with T1's multilinked. We are running into
> a problem with a single multilink member bouncing causing routing issues.
> When a single T1 member of a multilink group bounces, traffic to the overall
> multilink interface stops and we have to manually shut and no shut the
> multilink interface to get traffic flowing again.
>
> Has anyone seen this before and if so, know what the issue may be?

From rodunn at cisco.com Tue Aug 4 13:42:52 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 04 Aug 2009 13:42:52 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <000001ca152a$18a8b600$49fa2200$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com>
Message-ID: <4A78731C.7070004@cisco.com>

It does. I've seen it before years ago.

get 'sh ppp multilink' from the RSP and VIP console (if-con slot) and sh contr cbus.

Make sure you are in dCEF mode, all links are on the same PA, and on later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.

We had bugs in how we manage the member links of the bundle.
Rodney

Todd wrote:
> When it happens, I can ping the remote end from the 7513, but nothing
> outside of the 7513.
>
> For Example....
>
> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>
> 1 multilink T1 bounces.
>
> After the T1 comes up, the multilink interface and both T1's show as up/up
> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
> to/from SERVER to END USER.
>
> Hope that makes sense.
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:24 PM
> To: Todd Shipway
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> That should never happen and is possibly a bug.
>
> Can you ping directly over the bundle to the ip address on the other
> side when it's broke? If not, go to the latest code and see if it's
> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
> ip packet, etc...
>
> Rodney
>
>
>
> Todd Shipway wrote:
>> We have several customers setup with T1's multilinked. We are running into
>> a problem with a single multilink member bouncing causing routing issues.
>> When a single T1 member of a multilink group bounces, traffic to the overall
>> multilink interface stops and we have to manually shut and no shut the
>> multilink interface to get traffic flowing again.
>>
>> Has anyone seen this before and if so, know what the issue may be?
From jlewis at lewis.org Tue Aug 4 13:45:02 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 4 Aug 2009 13:45:02 -0400 (EDT)
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A786EC8.2070606@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com>
Message-ID:

On Tue, 4 Aug 2009, Rodney Dunn wrote:

> That should never happen and is possibly a bug.

On the 7500 platform, lots of things that should never happen do.

Another thing that may be worth trying is to flip dCEF off and back on (I'm assuming Todd normally has it on)...or depending on traffic levels and RSP, just leave it off if it fixes some of your problems.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From walter.keen at RainierConnect.net Tue Aug 4 13:56:56 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 10:56:56 -0700
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A786F22.3060309@cisco.com>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com>
Message-ID: <4A787668.8050909@rainierconnect.net>

Yes, I believe it was you. We are trying to migrate from a 7200 to a 7500 to gain route processor redundancy. Our traffic is typically 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa, and some dsl subs are behind NAT, but we're slowly weeding them out into having a typical dsl connection with a public ip. Probably about 1k subscribers, and in the next year or two we'll probably be moving them to an ethernet-based handoff from the carriers to us.
Rodney Dunn wrote:
> Probably me. ;)
>
> There were some issues around DSL termination in to a VRF that would
> not work.
>
> The platform was never targeted for that market space so I wouldn't
> use it.
>
> 72xx, 10k, or ASR would be the pick.
>
> The ISR's on really really low end side.
>
> Rodney
>
>
>
> Buhrmaster, Gary wrote:
>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>
>> And while a memory parity error is probably hardware,
>> I have this vague recollection that someone from
>> Cisco (Rodney Dunn?) has on a couple of occasions
>> recommended against using a 7500 for broadband
>> aggregation, since the platform was simply not
>> targeted or tested to that role. One *would*
>> encounter things that do not work, and they would
>> end up being "won't fix" on that platform.

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From jim.brunetti at usa.net Tue Aug 4 13:57:57 2009
From: jim.brunetti at usa.net (Jim Brunetti)
Date: Tue, 04 Aug 2009 13:57:57 -0400
Subject: [c-nsp] NBAR and Netflow integration code version question
Message-ID: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>

http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html#wp1059924 describes Application-aware Netflow.

Being able to correlate NBAR and Netflow information is something I am very interested in. The article implies that this feature is only available on the Catalyst 6500 with a PISA module and only using IOS version 12.2(18)ZYA2.

Is this still the case? Has this feature been ported to other platforms that can run Netflow and NBAR?
jim.brunetti at usa.net

From swmike at swm.pp.se Tue Aug 4 13:58:56 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 4 Aug 2009 19:58:56 +0200 (CEST)
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A787016.7040006@cisco.com>
References: <4A787016.7040006@cisco.com>
Message-ID:

On Tue, 4 Aug 2009, Rodney Dunn wrote:

> That's usually caused by routes not being the same on the paths.

It was my understanding that this usually was caused by not having enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and 4 paths, then it's not enough flows to get good load share on, but if you instead have 10k flows and all of them are low-speed, then the odds of them being equally load shared is much better?

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From andy-lists at bourges.de Tue Aug 4 14:20:56 2009
From: andy-lists at bourges.de (Andreas Bourges)
Date: Tue, 4 Aug 2009 20:20:56 +0200
Subject: [c-nsp] NBAR and Netflow integration code version question
In-Reply-To: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>
References: <135NHDR569542S13.1249408677@cmsweb13.cms.usa.net>
Message-ID: <200908042020.56570.andy-lists@bourges.de>

Hi,

On Tuesday 04 August 2009 19:57:57 Jim Brunetti wrote:
> http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/nf_lay2_sec_mon_exp.html#wp1059924 describes Application-aware Netflow.
>
> Being able to correlate NBAR and Netflow information is something I am
> very interested in. The article implies that this feature is only
> available on the Catalyst 6500 with a PISA module and only using IOS
> version 12.2(18)ZYA2.
>
> Is this still the case? Has this feature been ported to other
> platforms that can run Netflow and NBAR?

In a Networkers slide I found target release 12.4(Pi11)T for this feature. I know there are already BETA images for Netflow application developers available and IIRC it was targeted for the end of this year...
regards,

Andy

From nsp at myzionetworks.com Tue Aug 4 14:47:02 2009
From: nsp at myzionetworks.com (Todd)
Date: Tue, 4 Aug 2009 14:47:02 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A78731C.7070004@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com>
Message-ID: <012a01ca1533$f5b55ea0$e1201be0$@com>

Currently running Version 12.4(23). I may upgrade to (25) to see if that helps at all.

VIP Console:

VIP-Slot5>sh ppp multilink
dmlp_ipc_config_count 210
dmlp_bundle_count 4
Bundle Multilink75, 2 members
bundle 0x61B1C3A0, frag_mode 0
tag vectors 0x6053A4A0 0x60514CBC
Bundle hwidb vector 0x605AA624
idb Multilink75, vc 14, RSP vc 15
QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
max_particles 400, mrru 1500, seq_window_size 0x8000
working_pak 0x0, working_pak_cache 0x0
una_frag_list 0x0, una_frag_end 0x0, null_link 0
rcved_end_bit 1, is_lost_frag 0, resync_count 0
timeout 0, timer_start 0, timer_running 0, timer_count 0
next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
dmlp_orig_pak_to_host 0x60425D00
dmlp_orig_fastsend 0x60397B18
bundle_idb->lc_ip_turbo_fs 0x60503E70
bundle_idb->lc_ip_mdfs 0x604251B4
0 lost fragments, 0 reordered, 0 unassigned
0 discarded, 0 lost received
0x2AE received sequence, 0x319 sent sequence
Member Link: 2 active
Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH 0x605A8FF4, OOF 0
Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8

RSP:

Multilink75, bundle name is group75
Endpoint discriminator is group75
Bundle up for 00:19:29, total bandwidth 3080, load 1/255
Receive buffer limit 24000 bytes, frag timeout 1000 ms
Bundle is Distributed
0/0 fragments/bytes in reassembly list
0 lost fragments, 0 reordered
0/0 discarded fragments/bytes, 0 lost received
0x2B3 received sequence, 0x319 sent sequence
Member links: 2 active, 0 inactive (max not set, min not set)
Se5/1/0/15:0, since 00:12:53
Se5/1/0/16:0, since 00:02:15

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Tuesday, August 04, 2009 1:43 PM
To: Todd
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7513 multilink interface issue

It does. I've seen it before years ago.

get 'sh ppp multilink' from the RSP and VIP console (if-con slot) and sh contr cbus.

Make sure you are in dCEF mode, all links are on the same PA, and on later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.

We had bugs in how we manage the member links of the bundle.

Rodney

Todd wrote:
> When it happens, I can ping the remote end from the 7513, but nothing
> outside of the 7513.
>
> For Example....
>
> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>
> 1 multilink T1 bounces.
>
> After the T1 comes up, the multilink interface and both T1's show as up/up
> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
> to/from SERVER to END USER.
>
> Hope that makes sense.
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:24 PM
> To: Todd Shipway
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> That should never happen and is possibly a bug.
>
> Can you ping directly over the bundle to the ip address on the other
> side when it's broke? If not, go to the latest code and see if it's
> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
> ip packet, etc...
>
> Rodney
>
>
>
> Todd Shipway wrote:
>> We have several customers setup with T1's multilinked. We are running into
>> a problem with a single multilink member bouncing causing routing issues.
>> When a single T1 member of a multilink group bounces, traffic to the overall
>> multilink interface stops and we have to manually shut and no shut the
>> multilink interface to get traffic flowing again.
>>
>> Has anyone seen this before and if so, know what the issue may be?

From mvanton at gmail.com Tue Aug 4 14:59:23 2009
From: mvanton at gmail.com (vince anton)
Date: Tue, 4 Aug 2009 20:59:23 +0200
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
In-Reply-To:
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com>
Message-ID: <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>

thanks - glad to know that this model is in use

what keeps on buzzing at the back of my mind is that I have a layer2 connection (actually a number of them) from my switch to many switches (of customers) that i have no control over. so not only is this a large L2 network (and best practise says to reduce the size of your L2 domain) but most of it is not within my control !

so do you typically use bpdufilter, only allow tagged vlans, not use vtp - and this keeps things under control ?
thanks for your feedback

anton

2009/8/3 Mikael Abrahamsson

> On Mon, 3 Aug 2009, vince anton wrote:
>
>> My concern here is whether this is best practise for delivering such
>> services, or if other ways of doing this are out there and proven better.
>
> No, that's a common model.
>
>> Last but not least, security. what if a customer plugs the fibre link
>> into his switch with a bunch of other vlans running. the only form of
>> 'protection' that I currently have is restriction of vlans on the trunk from
>> the customer, but some traffic (like spanning tree) travels on vlan1 as far
>> as i recall and this cannot be blocked. another item would be vlan hopping.
>
> Well, you probably want to enable stp filters if you don't expect stp
> packets to come in on the link. Disabling the use of vlan 1 onto the
> customer link might be good as well (ie only use tagged vlans, do not run
> native vlan 1 onto customer link).
>
>> I'm just after some pointers from what you all do out there to offer similar
>> services, what the best practises for this are, lessons learnt, etc... so I
>> can then delve into the details given the pointers, to ensure I'm running
>> inline with tried and tested ways of doing things.
>
> Vlan hopping shouldn't be a problem with modern equipment, but it might be
> good to verify that the one you're using doesn't have this problem.
>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

--
Thanks,
anton

From swmike at swm.pp.se Tue Aug 4 15:56:16 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 4 Aug 2009 21:56:16 +0200 (CEST)
Subject: [c-nsp] vlans to customer - good practise / myth to bust !
In-Reply-To: <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>
References: <87e0d3ae0908031051q59cb627dy5a6e5951654a265c@mail.gmail.com> <87e0d3ae0908041159i1dcd00b7h2bdb3e812151c406@mail.gmail.com>
Message-ID:

On Tue, 4 Aug 2009, vince anton wrote:

> what keeps on buzzing at the back of my mind is that I have a layer2
> connection (actually a number of them) from my switch to many switches (of
> customers) that i have no control over.

If each vlan only goes -> and not -> then I'd say you have control.

> so do you typically use bpdufilter, only allow tagged vlans, not use vtp
> - and this keeps things under control ?

Yes, I'd say so.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From jmaimon at ttec.com Tue Aug 4 15:59:37 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Tue, 04 Aug 2009 15:59:37 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A787668.8050909@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net>
Message-ID: <4A789329.8090804@ttec.com>

I view the rpr feature as completely useless in the real world. Cold spares are way more effective. The last time I had a rp failure, it was fixed by yanking one and leaving the other.

In other words, odds are it causes more issues than it resolves. Just added complexity for a box where it's already a support problem.

Terminate your atm into an atm switch and run a bank of agg routers, 7200 or 7500. Then you can bridge group them into both, or just manual throw pvc's from one router to the other.

The 7500 are not worth the watts they consume.

Walter Keen wrote:
> Yes, I believe it was you. We are trying to migrate from a 7200 to a
> 7500 to gain route processor redundancy. Our traffic is typically
> 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa,
> and some dsl subs are behind NAT, but we're slowly weeding them out into
> having a typical dsl connection with a public ip.
> Probably about 1k
> subscribers, and in the next year or two we'll probably be moving them
> to an ethernet-based handoff from the carriers to us.
>
> Rodney Dunn wrote:
>> Probably me. ;)
>>
>> There were some issues around DSL termination in to a VRF that would
>> not work.
>>
>> The platform was never targeted for that market space so I wouldn't
>> use it.
>>
>> 72xx, 10k, or ASR would be the pick.
>>
>> The ISR's on really really low end side.
>>
>> Rodney
>>
>>
>>
>> Buhrmaster, Gary wrote:
>>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>>
>>> And while a memory parity error is probably hardware,
>>> I have this vague recollection that someone from
>>> Cisco (Rodney Dunn?) has on a couple of occasions
>>> recommended against using a 7500 for broadband
>>> aggregation, since the platform was simply not
>>> targeted or tested to that role. One *would*
>>> encounter things that do not work, and they would
>>> end up being "won't fix" on that platform.
>

From justin at justinshore.com Tue Aug 4 16:30:21 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 04 Aug 2009 15:30:21 -0500
Subject: [c-nsp] Policing on a 3560
Message-ID: <4A789A5D.4040705@justinshore.com>

I'm having a little trouble doing something that should be simple. I'm using a 3560 as a CPE to break up multiple services and bind them to unique switchports. I don't normally use 3560s for this. The port in question is for a 10Mbps PtP with no SLA across our backbone.

What I currently have is apparently not doing anything and I fail to see the flaw in my logic:

class-map match-all ALL
!
!
policy-map Re-color-BE
 description Police to 10Mbps CIR - Re-color ALL to BE
 class ALL
  police 10000000 8000 exceed-action drop
  set ip dscp default

This is my QoS trust boundary so I'm re-coloring to 0 and setting my CIR to 10Mbps. The switch wouldn't let me define 'match any' in the class-map. I suspect that I'm not matching anything because of that. I want to match anything coming in that interface and police it to the CIR and drop everything else. I must be missing something but I'm not sure what it is. Is there something unique about this platform? The IOS is 12.2(50)SE1.

Thanks
Justin

From walter.keen at RainierConnect.net Tue Aug 4 16:36:11 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Tue, 04 Aug 2009 13:36:11 -0700
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789A5D.4040705@justinshore.com>
References: <4A789A5D.4040705@justinshore.com>
Message-ID: <4A789BBB.30607@rainierconnect.net>

While it may not be ideal, I've run into some cases where match any was not available and matching an access list (that matched anything) was my only viable option.

Justin Shore wrote:
> I'm having a little trouble doing something that should be simple.
> I'm using a 3560 as a CPE to break up multiple services and bind them
> to unique switchports. I don't normally use 3560s for this. The port
> in question is for a 10Mbps PtP with no SLA across our backbone.
>
> What I currently have is apparently not doing anything and I fail to
> see the flaw in my logic:
>
>
> class-map match-all ALL
> !
> !
> policy-map Re-color-BE
>  description Police to 10Mbps CIR - Re-color ALL to BE
>  class ALL
>   police 10000000 8000 exceed-action drop
>   set ip dscp default
>
>
> This is my QoS trust boundary so I'm re-coloring to 0 and setting my
> CIR to 10Mbps. The switch wouldn't let me define 'match any' in the
> class-map. I suspect that I'm not matching anything because of that.
> I want to match anything coming in that interface and police it to the
> CIR and drop everything else. I must be missing something but I'm not
> sure what it is. Is there something unique about this platform? The
> IOS is 12.2(50)SE1.
>
> Thanks
> Justin
>

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From peter at rathlev.dk Tue Aug 4 16:59:00 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 22:59:00 +0200
Subject: [c-nsp] Can't pick up ip address--cisco 1200 ap
In-Reply-To: <666686.33750.qm@web38105.mail.mud.yahoo.com>
References: <666686.33750.qm@web38105.mail.mud.yahoo.com>
Message-ID: <1249419540.4165.4.camel@abehat.net.rm.dk>

On Mon, 2009-08-03 at 21:06 -0700, snort bsd wrote:
> But I did almost exactly you suggested and still not working. BTW, the
> command "bridge 10 route ip" doesn't work since only command "bridge 1
> route ip" works.

That "almost" might be critical. ;-) What does it say if you type "bridge ?" when configuring? How many bridge groups does it support? What error do you get?

I'm not familiar with the 1200 AP (vaguely remember working with a 350 AP but haven't touched it since) but unless you absolutely need to bridge the VLAN you might also be able to just configure the Dot11Radio0 subinterface with an IP address.

Regards,
Peter

From SPfister at dps.k12.oh.us Tue Aug 4 16:32:52 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 04 Aug 2009 16:32:52 -0400
Subject: [c-nsp] Question on 6500 series switches
Message-ID: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>

We're looking at replacing a 4507R at the core of our network with a 6500 series. Currently, the 4507R has a supervisor engine IV, 3 48-port copper blades, and 2 6-port fiber blades.
We're hoping to include in the 6500 series replacement the firewall module (to replace a PIX 525), vpn (to replace a 3005 concentrator), and IDS/IPS.

I'm a little confused as to what I need from looking at the Cisco product pages. Is there a guide somewhere as to what to get? The firewall that we would be replacing is actually a pair of PIX 525s in an active/standby pair. We'd like to have some redundancy in the 6500 as well. We'd also like some sort of failover for the IDS/IPS if possible.

A couple of questions:
- if I have two FWSMs installed, they would load balance, and if one failed, the other would take over all traffic, correct?
- I see a "VPN services port adapter" and a "VPN shared port adapter"... I'm not sure how they differ
- The supervisor engine 720 and the supervisor engine 32... we'd need one or the other, correct?
- Would we need the Policy Feature Card and the Distributed Forwarding Card?

Thanks!

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From peter at rathlev.dk Tue Aug 4 17:39:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 23:39:41 +0200
Subject: [c-nsp] Question on 6500 series switches
In-Reply-To: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
References: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <1249421981.4165.16.camel@abehat.net.rm.dk>

On Tue, 2009-08-04 at 16:32 -0400, Steven Pfister wrote:
> A couple of questions:
> - if I have two FWSMs installed, they would load balance, and if one
> failed, the other would take over all traffic, correct?

AFAIK they can only load balance in active/active mode if you create two contexts and place them each in their own primary FWSM. Put another way: Load balancing won't be there by default and it's a little tricky to implement if you're running a single context.
It doesn't matter whether they're in the same chassis or not.

> - The supervisor engine 720 and the supervisor engine 32... we'd need
> one or the other, correct?

You very probably need one of them, unless you want to go the Sup2 or Sup1A way, which you don't. :-)

The "Sup720 vs. Sup32" subject is a lengthy one (search the archives) but the main differences (IMHO) are:

- The 256k TCAM entry limitation in the non XL-versions of the PFCs, and Sup32 can only use a PFC3B, non-XL. This means no full BGP table.
- Performance: 32 Gb/s bus (Sup32) vs. 2x20 Gb/s full mesh fabric (Sup720).
- Sup32 can't use 6700-series interface modules (e.g. WS-X6748-GE-TX).

> - Would we need the Policy Feature Card and the Distributed Forwarding
> Card?

Both are included in Sup32 and Sup720. For Sup720 you have to decide between a "regular" PFC or an XL-version. (There's also both a PFC3B and a PFC3C version of the Sup720, the latter having 10GE uplinks as the most visible difference.)

Regards,
Peter

From sigurbjornl at vodafone.is Tue Aug 4 17:45:16 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 04 Aug 2009 21:45:16 +0000
Subject: [c-nsp] Question on 6500 series switches
In-Reply-To: <4A7862F8.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

Never used the VPN services so I can't answer for that.

The FWSMs behave just like an ASA/PIX. There is no load-balancing, it's active/standby failover. You can achieve active/active by having multiple contexts and spreading the active/standby pairs, for example

Context   FWSM 1    FWSM 2
A         Active    Standby
B         Standby   Active
C         Active    Standby
D         Standby   Active

Therefore having 2 contexts active on each FWSM and failover for the other 2.

The SUP32 does not support distributed forwarding at all. The maximum throughput through the SUP32 is 32Gbps on the shared bus. The SUP32 also does not support the 6700 or 6800 series linecards, and features a maximum throughput of 15 Mpps for IPV4 traffic.
The SUP720 does support distributed forwarding and can, with suitable line-cards and DFCs, push 720Gbps.

Different beasts for different tasks, it mostly depends on how much traffic you are looking into pushing through the box.

Kind regards,
Sibbi

On 4.8.2009 20:32, "Steven Pfister" wrote:

> We're looking at replacing a 4507R at the core of our network with a 6500
> series. Currently, the 4507R has a supervisor engine IV, 3 48-port copper
> blades, and 2 6-port fiber blades. We're hoping to include in the 6500 series
> replacement the firewall module (to replace a PIX 525), vpn (to replace a 3005
> concentrator), and IDS/IPS.
>
> I'm a little confused as to what I need from looking at the Cisco product
> pages. Is there a guide somewhere as to what to get? The firewall that we
> would be replacing is actually a pair of PIX 525s in an active/standby pair.
> We'd like to have some redundancy in the 6500 as well. We'd also like some
> sort of failover for the IDS/IPS if possible.
>
> A couple of questions:
> - if I have two FWSMs installed, they would load balance, and if one failed,
> the other would take over all traffic, correct?
> - I see a "VPN services port adapter" and a "VPN shared port adapter"... I'm
> not sure how they differ
> - The supervisor engine 720 and the supervisor engine 32... we'd need one or
> the other, correct?
> - Would we need the Policy Feature Card and the Distributed Forwarding Card?
>
> Thanks!
>
> --Steve
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>

From peter at rathlev.dk Tue Aug 4 17:56:00 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 04 Aug 2009 23:56:00 +0200
Subject: [c-nsp] OT: Sniffing TCP connection quality
Message-ID: <1249422960.4165.33.camel@abehat.net.rm.dk>

Hi,

Since TCP works the way it does a passive observer is able to see packet loss by looking for e.g. duplicate ACKs. For some time I've had a dumpcap process picking out traffic to/from specific destinations and running it through tshark to get the wireshark "Expert Info" output. This turns out to be very interesting data.

The problem is that I'd like to do some further data mining to see if certain sources/destinations are more troubled than others. For this I'd have to isolate each flow and analyse them one by one. Even though this would be possible (and not too hard) with a few scripts, I'd like to know if there might exist some tool/appliance that does this: Looks at traffic (e.g. from a SPAN port) and collects statistics about the flows including analysis of packet loss et cetera. The important part is that it looks at the separate flows.

I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and this looks very promising, but it doesn't seem to be able to analyze the different flows separately.

Anybody know of such tool/appliance? Preferably either appliance or something that runs on Linux, but commercial solutions as well as open source.
Regards,
Peter

From sigurbjornl at vodafone.is Tue Aug 4 17:00:19 2009
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Tue, 4 Aug 2009 21:00:19 -0000
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789BBB.30607@rainierconnect.net>
Message-ID:

Why not use class-default?

Kind regards,
Sibbi

On 4.8.2009 20:36, "Walter Keen" wrote:

> While it may not be ideal, I've run into some cases where match any was
> not available and matching an access list (that matched anything) was my
> only viable option.
>
> Justin Shore wrote:
>> I'm having a little trouble doing something that should be simple.
>> I'm using a 3560 as a CPE to break up multiple services and bind them
>> to unique switchports. I don't normally use 3560s for this. The port
>> in question is for a 10Mbps PtP with no SLA across our backbone.
>>
>> What I currently have is apparently not doing anything and I fail to
>> see the flaw in my logic:
>>
>>
>> class-map match-all ALL
>> !
>> !
>> policy-map Re-color-BE
>>  description Police to 10Mbps CIR - Re-color ALL to BE
>>  class ALL
>>   police 10000000 8000 exceed-action drop
>>   set ip dscp default
>>
>>
>> This is my QoS trust boundary so I'm re-coloring to 0 and setting my
>> CIR to 10Mbps. The switch wouldn't let me define 'match any' in the
>> class-map. I suspect that I'm not matching anything because of that.
>> I want to match anything coming in that interface and police it to the
>> CIR and drop everything else. I must be missing something but I'm not
>> sure what it is. Is there something unique about this platform? The
>> IOS is 12.2(50)SE1.
>>
>> Thanks
>> Justin
>>

From guru6111 at gmail.com Tue Aug 4 18:58:32 2009
From: guru6111 at gmail.com (Atif Sid)
Date: Tue, 4 Aug 2009 18:58:32 -0400
Subject: [c-nsp] Cisco 7600 - ES card VLAN Shaping
Message-ID: <766b203d0908041558g5c83e9bdj11aacb8d3b21b581@mail.gmail.com>

I am trying to apply a hierarchical policy-map under an interface vlan and it gives an error. It is a 7606 with RSP 720 and ES 40 cards.

PE4(config)#int vlan 299
PE4(config-if)#service-policy output testce
Hierarchical policymap is not supported for this interface.
Configuration failed!

Here is the policy-map:

policy-map testce
 class class-default
  police 450000000
  service-policy pe-ce-450m

Nested policy map:

policy-map pe-ce-450m
 class pe-ce-450m-s
  bandwidth percent 4
  random-detect
  random-detect precedence 0 300 1000 1
  random-detect precedence 1 300 1000 1
 class pe-ce-450m-p
  bandwidth percent 30
  random-detect
  random-detect precedence 2 100 150 1
  random-detect precedence 3 750 1000 1
  random-detect precedence 6 750 1000 1
  random-detect precedence 7 750 1000 1
 class pe-ce-450m-nrt
  police cir 292496000 bc 146248 be 4470 conform-action transmit exceed-action drop violate-action drop

*********************

If I use shaping then it says it is not supported.

policy-map testce
 class class-default
  shape average 450000000
  service-policy pe-ce-450m -> same as above...

PE4(config)#int vlan 299
PE4(config-if)#service-policy output testce
shape average command is not supported in output direction for this interface
Configuration failed!

How can we apply shaping on a VLAN interface? In subinterface configuration it works but not on a VLAN interface.
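Peter Rathlev's "Sniffing TCP connection quality" question above (passively spotting loss per flow from duplicate ACKs) can be prototyped in a few dozen lines. The script below is an added example and is not code from any message in that thread: it groups segments by connection and counts duplicate ACKs and retransmissions per flow, using a simplified form of the Wireshark rules Peter mentions over a constructed capture; all function names and sample addresses are my own.

```python
"""Per-flow TCP loss indicators from passively observed segments.

Added example, not code from the thread. A real run would feed it segments
decoded from a pcap (e.g. with tshark); here the capture is a constructed
list so it runs offline. Rules are a simplified version of Wireshark's
"Expert Info" heuristics:
  * duplicate ACK: a pure ACK (no data, no SYN/FIN/RST) repeating the last
    ack number seen in the same direction;
  * retransmission: a data segment whose sequence number is below what that
    direction has already sent.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: int           # bytes of data carried
    syn: bool = False
    fin: bool = False
    rst: bool = False


@dataclass
class FlowStats:
    segments: int = 0
    dup_acks: int = 0
    retransmissions: int = 0
    last_ack: Dict[Endpoint, int] = field(default_factory=dict)   # per sender
    next_seq: Dict[Endpoint, int] = field(default_factory=dict)   # per sender


def flow_key(s: Segment) -> FlowKey:
    """Direction-independent key so both halves of a connection share stats."""
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a <= b else (b, a)


def analyse(segments: List[Segment]) -> Dict[FlowKey, FlowStats]:
    flows: Dict[FlowKey, FlowStats] = defaultdict(FlowStats)
    for s in segments:
        st = flows[flow_key(s)]
        sender = (s.src, s.sport)
        st.segments += 1
        pure_ack = s.payload == 0 and not (s.syn or s.fin or s.rst)
        if pure_ack and st.last_ack.get(sender) == s.ack:
            st.dup_acks += 1
        st.last_ack[sender] = s.ack
        expected = st.next_seq.get(sender, s.seq)
        if s.payload > 0 and s.seq < expected:
            st.retransmissions += 1      # re-sending bytes already on the wire
        else:
            end = s.seq + s.payload + int(s.syn or s.fin)  # SYN/FIN use one seq
            st.next_seq[sender] = max(expected, end)
    return dict(flows)


def worst_flows(flows: Dict[FlowKey, FlowStats]) -> List[Tuple[FlowKey, int, int]]:
    """Flows ranked by trouble: (key, dup_acks, retransmissions), worst first."""
    ranked = [(k, st.dup_acks, st.retransmissions) for k, st in flows.items()]
    return sorted(ranked, key=lambda r: (r[1] + r[2], r[1]), reverse=True)


C1, C2, SRV = ("10.0.0.1", 40000), ("10.0.0.2", 40001), ("192.0.2.10", 80)


def _seg(a: Endpoint, b: Endpoint, seq: int, ack: int, payload: int = 0, **flags) -> Segment:
    return Segment(a[0], a[1], b[0], b[1], seq, ack, payload, **flags)


# Constructed capture. Flow 1: the server's segment at seq 1001 is lost
# downstream of the observer, so the client emits three duplicate ACKs and
# the server retransmits. Flow 2 is a clean short transfer.
SAMPLE_SEGMENTS: List[Segment] = [
    _seg(C1, SRV, 0, 0, syn=True),
    _seg(SRV, C1, 0, 1, syn=True),
    _seg(C1, SRV, 1, 1),
    _seg(SRV, C1, 1, 1, 1000),
    _seg(C1, SRV, 1, 1001),
    _seg(SRV, C1, 1001, 1, 1000),
    _seg(SRV, C1, 2001, 1, 1000),
    _seg(C1, SRV, 1, 1001),           # dup ACK 1
    _seg(SRV, C1, 3001, 1, 1000),
    _seg(C1, SRV, 1, 1001),           # dup ACK 2
    _seg(C1, SRV, 1, 1001),           # dup ACK 3
    _seg(SRV, C1, 1001, 1, 1000),     # retransmission
    _seg(C1, SRV, 1, 4001),
    _seg(C2, SRV, 0, 0, syn=True),
    _seg(SRV, C2, 0, 1, syn=True),
    _seg(C2, SRV, 1, 1),
    _seg(SRV, C2, 1, 1, 500),
    _seg(C2, SRV, 1, 501),
    _seg(SRV, C2, 501, 1, fin=True),
    _seg(C2, SRV, 1, 502),
]

if __name__ == "__main__":
    for key, dups, rexmits in worst_flows(analyse(SAMPLE_SEGMENTS)):
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  "
              f"dup-acks={dups} retransmissions={rexmits}")
```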
From scott at labyrinth.org Tue Aug 4 19:02:35 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Tue, 4 Aug 2009 19:02:35 -0400
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249422960.4165.33.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID:

Both Netscout and Fluke make products that do this. Plus, you can buy probes to insert into your links directly (as opposed to span-port) if you want to do some sniffing on something other than an Ethernet switch. Be ready to fork out some money though.

On Aug 4, 2009, at 5:56 PM, Peter Rathlev wrote:

> Hi,
>
> Since TCP works the way it does a passive observer is able to see packet
> loss by looking for e.g. duplicate ACKs. For some time I've had a
> dumpcap process picking out traffic to/from specific destinations and
> running it through tshark to get the wireshark "Expert Info" output.
> This turns out to be very interesting data.
>
> The problem is that I'd like to do some further data mining to see if
> certain sources/destinations are more troubled than others. For this I'd
> have to isolate each flow and analyse them one by one. Even though this
> would be possible (and not too hard) with a few scripts, I'd like to
> know if there might exist some tool/appliance that does this: Looks at
> traffic (e.g. from a SPAN port) and collects statistics about the flows
> including analysis of packet loss et cetera. The important part is that
> it looks at the separate flows.
>
> I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> this looks very promising, but it doesn't seem to be able to analyze the
> different flows separately.
>
> Anybody know of such tool/appliance? Preferably either appliance or
> something that runs on Linux, but commercial solutions as well as open
> source.
>
> Regards,
> Peter
>

--
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

From mtinka at globaltransit.net Tue Aug 4 05:44:52 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 4 Aug 2009 17:44:52 +0800
Subject: [c-nsp] What router to choose instead of 7206VXR-G1/G2 (Ruzhanskaya Olga)
In-Reply-To:
References:
Message-ID: <200908041744.58177.mtinka@globaltransit.net>

On Monday 03 August 2009 05:05:03 pm Ruzhanskaya Olga wrote:

> We are using 7206VXR-G1/G2 platform as edge router (PE)
> in our MPLS network. When traffic volume grows, we
> replace NPE-G1 processor with NPE-G2. But in future we'll
> need something more powerful. General requirements:
> - OSPF, BGP (full table for our own needs and for
> customers);
> - MPLS VPN (L3 and L2);
> - CBWFQ (better LLQ) QoS, uRPF, GRE..

What Gert mentions in his response is essentially what you're getting from Cisco re: the natural migration from the NPE-G2 or 7201 platforms, i.e., the ASR1000 series routers.

However, if you're willing to "check out the neighbor's garage", have a look at Juniper's J6350. It's a software-based platform too, their top-end model, but you might want to test it out for performance and feature parity, to see if you're really gaining much by switching platforms, if you so choose.
I'd say that by the time you're pushing a software-based platform like the NPE-G2 or J6350 to its limits, you're pretty much justified breaking into the hardware-based router realm, particularly when it's "relatively" affordable platforms like the Cisco ASR1002 or Juniper M7i (at those traffic levels, of course).

Cheers,

Mark.

From gert at greenie.muc.de Wed Aug 5 03:11:09 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 09:11:09 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A787668.8050909@rainierconnect.net>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net>
Message-ID: <20090805071109.GG290@greenie.muc.de>

Hi,

On Tue, Aug 04, 2009 at 10:56:56AM -0700, Walter Keen wrote:
> Yes, I believe it was you. We are trying to migrate from a 7200 to a
> 7500 to gain route processor redundancy.

"Don't". The 7200 is a much better maintained platform, and the 7500 will give you headaches just *because* you have redundant processors, distributed things and too-complex packet paths in it.

> Our traffic is typically
> 20mbit peak from this site between 2 atm ds3's. Using radius, pppoa,
> and some dsl subs are behind NAT, but we're slowly weeding them out into
> having a typical dsl connection with a public ip. Probably about 1k
> subscribers, and in the next year or two we'll probably be moving them
> to an ethernet-based handoff from the carriers to us.

All this stuff is something that happens to be in the 7500 code base, but Cisco didn't really test it on that platform, and won't fix any bugs that you find - and there are lots :-(

I'd really really go for a 7200 - and for redundancy, put a second 7200 on top of it.
Yes, in theory this is much less fail-safe, but in practice, 7200s just don't die... - in the last 10 years, we had a single NPE die on us (from a pool of about 12 7200s, NPE-150 to NPE-G1), but *much* more fun with CyBUS stall/resets and such on our single 7500.

If you *insist* on having route-processor redundancy (what about interface and physical path redundancy?), I think you can do that with ASR1k, but I admit to not having any hands-on experience with that platform yet.

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From erik at infopact.nl Wed Aug 5 04:02:24 2009
From: erik at infopact.nl (E. Versaevel)
Date: Wed, 05 Aug 2009 10:02:24 +0200
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <20090805071109.GG290@greenie.muc.de>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <20090805071109.GG290@greenie.muc.de>
Message-ID: <4A793C90.9070004@infopact.nl>

Only drawback on the ASR1k platform is the lack of PPPoA support, otherwise we would have happily migrated away from our 7200/1G's. We got 2 ASR1004's for ethernet aggregation and they're doing just fine for that :)

>
> If you *insist* on having route-processor redundancy (what about interface
> and physical path redundancy?), I think you can do that with ASR1k, but
> I admit to not having any hands-on experience with that platform yet.
>

Erik Versaevel

From carl at outerloop.net Wed Aug 5 04:08:44 2009
From: carl at outerloop.net (Carl Jones)
Date: Wed, 5 Aug 2009 20:08:44 +1200
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
Message-ID:

Hi all,

I'm running 3x 3750G-24 in a stack.
I'm seeing high CPU usage e.g.:

CPU utilization for five seconds: 69%/24%; one minute: 63%; five minutes: 74%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 201    50885085   5144152       9891 17.41% 17.60% 16.68%   0 Spanning Tree
  73     9841381   3782242       2601  9.26%  7.11%  6.23%   0 HLFM address lea
 134     6355962    267005      23804  1.75%  0.93%  0.95%   0 HL3U bkgrd proce
 301     3115451    273365      11396  1.43%  1.13%  0.96%   0 CEF: IPv4 proces
  60     5452829     80160      68024  1.27%  1.78%  1.81%   0 Adjust Regions
 192     2715297   3543754        766  1.27%  0.95%  1.15%   0 IP Input
 133     3143317   3476055        904  0.95%  0.84%  1.08%   0 Hulc LED Process
   9     2401841   2057237       1167  0.95%  0.71%  0.74%   0 ARP Input
 153     1479640    198328       7460  0.63%  0.58%  0.55%   0 PI MATM Aging Pr
  96      785363    313609       2504  0.63%  0.32%  0.31%   0 hpm counter proc
 197     2776025   4243834        654  0.47%  0.63%  0.75%   0 ADJ resolve proc
 142      378847    243608       1555  0.15%  0.13%  0.13%   0 HRPC qos request
  92      348283   1281519        271  0.15%  0.12%  0.14%   0 hpm main process
 141      353779     41162       8594  0.15%  0.10%  0.14%   0 HQM Stack Proces

23 ports are configured as trunks (to 2950/3550/2960s). They show normal CPU utilization. Enabling spanning tree debugging shows nothing out of the ordinary (just regular BPDUs). They are all attached to the first switch (nothing in use on the other two).

There are ~80 VLANs that terminate on the stack and two routed interfaces.

Currently I see:

core-dal#sh platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       400/3200        373/2911
 IPv4 IGMP groups + multicast routes:         144/1152          6/26
 IPv4 unicast directly-connected routes:      400/3200        373/2911
 IPv4 unicast indirectly-connected routes:   1040/8320        114/848
 IPv4 policy based routing aces:              384/512           1/2
 IPv4 qos aces:                               768/768         324/324
 IPv4 security aces:                         1024/1024         31/31

core-dal#sh ip arp sum
7222 IP ARP entries, with 1011 of them incomplete

Currently using the routing template. Unfortunately that did not seem to help with the CPU usage (nor did 'no ip unreachables' on our VLANs).
core-dal#sh sdm prefer
The current template is "desktop routing" template.

Using a fairly recent IOS on them:
*    1 28    WS-C3750G-24TS     12.2(50)SE2           C3750-IPSERVICESK9-M

I suspect I may be seeing TCAM exhaustion. Any suggestions on how I can confirm or avoid that?

Regards,
Carl

From mschedrin at gmail.com Wed Aug 5 04:24:12 2009
From: mschedrin at gmail.com (Michael Schedrin)
Date: Wed, 5 Aug 2009 12:24:12 +0400
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
In-Reply-To:
References:
Message-ID: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>

2009/8/5 Carl Jones

> Hi all,
>
> I'm running 3x 3750G-24 in a stack. I'm seeing high CPU usage e.g.:
>
> CPU utilization for five seconds: 69%/24%; one minute: 63%; five minutes: 74%
> PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
> 201 50885085 5144152 9891 17.41% 17.60% 16.68% 0 Spanning Tree
> 73 9841381 3782242 2601 9.26% 7.11% 6.23% 0 HLFM address lea
> 134 6355962 267005 23804 1.75% 0.93% 0.95% 0 HL3U bkgrd proce
> 301 3115451 273365 11396 1.43% 1.13% 0.96% 0 CEF: IPv4 proces
> 60 5452829 80160 68024 1.27% 1.78% 1.81% 0 Adjust Regions
> 192 2715297 3543754 766 1.27% 0.95% 1.15% 0 IP Input
> 133 3143317 3476055 904 0.95% 0.84% 1.08% 0 Hulc LED Process
> 9 2401841 2057237 1167 0.95% 0.71% 0.74% 0 ARP Input
> 153 1479640 198328 7460 0.63% 0.58% 0.55% 0 PI MATM Aging Pr
> 96 785363 313609 2504 0.63% 0.32% 0.31% 0 hpm counter proc
> 197 2776025 4243834 654 0.47% 0.63% 0.75% 0 ADJ resolve proc
> 142 378847 243608 1555 0.15% 0.13% 0.13% 0 HRPC qos request
> 92 348283 1281519 271 0.15% 0.12% 0.14% 0 hpm main process
> 141 353779 41162 8594 0.15% 0.10% 0.14% 0 HQM Stack Proces
>
> 23 ports are configured as trunks (to 2950/3550/2960s). They show
> normal CPU utilization. Enabling spanning tree debugging shows nothing
> out of the ordinary (just regular BPDUs). They are all attached to the
> first switch (nothing in use on the other two).
>
> There are ~80 VLANs that terminate on the stack and two routed interfaces.
>
> Currently I see:
>
> core-dal#sh platform tcam utilization
>
> CAM Utilization for ASIC# 0 Max Used
> Masks/Values Masks/values
>
> Unicast mac addresses: 400/3200 373/2911

Look at "sh mac address-table count"
Check "Total Mac Address Space Available:"
3750 has a table for 6000 MAC addresses. If you stack 3*3750, this bundle will also have a table of 6000.

> IPv4 IGMP groups + multicast routes: 144/1152 6/26
> IPv4 unicast directly-connected routes: 400/3200 373/2911
> IPv4 unicast indirectly-connected routes: 1040/8320 114/848
> IPv4 policy based routing aces: 384/512 1/2
> IPv4 qos aces: 768/768 324/324
> IPv4 security aces: 1024/1024 31/31
>
> core-dal#sh ip arp sum
> 7222 IP ARP entries, with 1011 of them incomplete

Yes, this confirms the lack of mac-address-table space.

>
> Currently using the routing template. Unfortunately that did not seem
> to help with the CPU usage (nor did 'no ip unreachables' on our
> VLANs).
>
> core-dal#sh sdm prefer
> The current template is "desktop routing" template.
>
> Using a fairly recent IOS on them:
> * 1 28 WS-C3750G-24TS 12.2(50)SE2 C3750-IPSERVICESK9-M
>
> I suspect I may be seeing TCAM exhaustion. Any suggestions on how I
> can confirm or avoid that?

You have two ways to avoid the problem. First - change sdm to "vlan". Second - disassemble the stack and make every switch use its own mac-address-table and tcam. In total you will have a 6000*3 MAC address table.
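Michael's diagnosis above can be automated. The script below is an added example, not code from either message: it parses the "sh platform tcam utilization" and "sh ip arp sum" output Carl posted, flags TCAM regions close to exhaustion, and checks whether the ARP table is larger than the host-route region; the 90% threshold and the function names are my own choices.

```python
"""Flag Catalyst 3750 TCAM regions that are close to exhaustion.

Added example, not code from the thread. It parses the two command outputs
Carl posted (copied below as constructed sample input) and applies the
reasoning in Michael's reply: a host/MAC region that is nearly full, plus an
ARP table larger than that region, means entries spill to software switching.
The 90% threshold is an assumption chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

# Sample input: the 'sh platform tcam utilization' output quoted in the thread.
TCAM_OUTPUT = """\
CAM Utilization for ASIC# 0                      Max            Used
                                             Masks/Values    Masks/values
 Unicast mac addresses:                       400/3200        373/2911
 IPv4 IGMP groups + multicast routes:         144/1152          6/26
 IPv4 unicast directly-connected routes:      400/3200        373/2911
 IPv4 unicast indirectly-connected routes:   1040/8320        114/848
 IPv4 policy based routing aces:              384/512           1/2
 IPv4 qos aces:                               768/768         324/324
 IPv4 security aces:                         1024/1024         31/31
"""

# Sample input: the 'sh ip arp sum' line quoted in the thread.
ARP_SUMMARY = "7222 IP ARP entries, with 1011 of them incomplete"

# One region row: "<name>:  <max masks>/<max values>  <used masks>/<used values>"
REGION_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9 +\-]+?):\s+"
    r"(?P<mmax>\d+)/(?P<vmax>\d+)\s+(?P<mused>\d+)/(?P<vused>\d+)\s*$"
)
ARP_RE = re.compile(r"^(?P<total>\d+) IP ARP entries, with (?P<incomplete>\d+) of them incomplete")

Region = Tuple[int, int, int, int]  # (max_masks, max_values, used_masks, used_values)


def parse_tcam(text: str) -> Dict[str, Region]:
    """Return {region name: (max_masks, max_values, used_masks, used_values)}."""
    regions: Dict[str, Region] = {}
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if m:  # header lines carry no "a/b  c/d" pair and are skipped
            regions[m["name"].strip()] = (
                int(m["mmax"]), int(m["vmax"]), int(m["mused"]), int(m["vused"])
            )
    return regions


def utilisation(region: Region) -> float:
    """Worst-case fill level of a region: whichever of masks or values is fuller."""
    max_masks, max_values, used_masks, used_values = region
    return max(used_masks / max_masks, used_values / max_values)


def near_exhaustion(regions: Dict[str, Region], threshold: float = 0.90) -> List[str]:
    """Names of regions whose mask or value usage is at or above the threshold."""
    return [name for name, r in regions.items() if utilisation(r) >= threshold]


def arp_exceeds_host_tcam(arp_summary: str, regions: Dict[str, Region]) -> bool:
    """True when the ARP table holds more hosts than the directly-connected
    (host route) region has value slots, i.e. some hosts cannot be programmed
    in hardware and their traffic ends up on the CPU."""
    m = ARP_RE.match(arp_summary)
    if not m:
        raise ValueError("unrecognised 'sh ip arp sum' output")
    host_region = regions["IPv4 unicast directly-connected routes"]
    return int(m["total"]) > host_region[1]


if __name__ == "__main__":
    regions = parse_tcam(TCAM_OUTPUT)
    for name in near_exhaustion(regions):
        print(f"{name}: {utilisation(regions[name]):.0%} used")
    print("ARP table exceeds host TCAM:", arp_exceeds_host_tcam(ARP_SUMMARY, regions))
```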
From ayourtch at cisco.com Wed Aug 5 04:48:55 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 5 Aug 2009 10:48:55 +0200 (CEST)
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249422960.4165.33.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID:

Hi Peter,

On Tue, 4 Aug 2009, Peter Rathlev wrote:

> I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> this looks very promising, but it doesn't seem to be able to analyze the
> different flows separately.

Have you taken a look at http://jarok.cs.ohiou.edu/software/tcptrace/ ? It can handle multiple flows and outputs quite a lot of interesting aggregate data. Though, AFAIK it needs the pcap file (as opposed to reporting about the traffic realtime).

cheers,
andrew

From dale.shaw+cisco-nsp at gmail.com Wed Aug 5 05:57:52 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 5 Aug 2009 19:57:52 +1000
Subject: [c-nsp] OT: Using wireshark to decode IPSec/ESP
Message-ID: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com>

Hi all,

Has anyone used wireshark successfully to decode ESP traffic? The only material I can find online is people having the same problem as me, or people using null encryption. I need to peek inside esp-3des/esp-sha-hmac SAs

The wireshark wiki entry is: http://wiki.wireshark.org/ESP_Preferences

It's been years since I was armpit deep in IPSec but I am assuming the encryption key it wants is NOT the ISAKMP pre-shared key. If that's right, is there a way I can get the key(s)? I have access to the peers. If that's wrong, well, why isn't it working for me? :-) (no errors, just no meaningful decode.)
In case you're wondering, I just want to see with my own eyes what DMVPN looks like on the wire (eth:ip:esp:gre:ip:payload)

There are some screen caps here that show it's possible: http://www.carbonwind.net/VyattaOFR/AdvVPN/AdvVPN2.htm#toJj

cheers,
Dale

From asturluismi at gmail.com Wed Aug 5 06:33:28 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 12:33:28 +0200
Subject: [c-nsp] Counters for null0?
Message-ID: <1249468408.11065.7.camel@dsba-ipso>

Hi, is there any way to see how much traffic is going to null0 interface? I configured several routes to be forwarded to null0 and I would like to have some info about how much traffic is going there. If the IOS doesn't provide any information about it... is it possible to obtain that information using netflow?

From avayner at cisco.com Wed Aug 5 06:47:34 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 5 Aug 2009 12:47:34 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249468408.11065.7.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso>
Message-ID: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>

Did you try looking at "show interface null0"?
I am not sure it works, but give it a try as I do not have quick access to a lab where I can test this.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Wednesday, August 05, 2009 13:33
To: cisco-nsp
Subject: [c-nsp] Counters for null0?

Hi, is there any way to see how much traffic is going to null0 interface? I configured several routes to be forwarded to null0 and I would like to have some info about how much traffic is going there. If the IOS doesn't provide any information about it... is it possible to obtain that information using netflow?
From masood at nexlinx.net.pk Wed Aug 5 08:19:00 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Wed, 5 Aug 2009 17:19:00 +0500 (PKT)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
Message-ID: <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>

show interface null0 always works on Cisco boxes. You can see in/out packets as well.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

> Did you try looking at "show interface null0"?
> I am not sure it works, but give it a try as I do not have quick access
> to a lab where I can test this.
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Wednesday, August 05, 2009 13:33
> To: cisco-nsp
> Subject: [c-nsp] Counters for null0?
>
> Hi, is there any way to see how much traffic is going to null0
> interface?
> I configured several routes to be forwarded to null0 and I would like to
> have some info about how much traffic is going there.
> If the IOS doesn't provide any information about it... is it possible to
> obtain that information using netflow?
From hank at efes.iucc.ac.il Wed Aug 5 07:38:58 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Wed, 5 Aug 2009 14:38:58 +0300 (IDT)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID:

On Wed, 5 Aug 2009, masood at nexlinx.net.pk wrote:

Not always. Just do:

sho ip cache flow | incl Null

to see pkts that are null routed and that are not counted via the null0 interface.

-Hank

> show interface null0 always works on Cisco boxes. You can see in/out
> packets as well.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
From asturluismi at gmail.com Wed Aug 5 08:04:03 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 14:04:03 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com>
Message-ID: <1249473843.11065.16.camel@dsba-ipso>

Yes, but I can only see the "output" counters growing. Quite strange, since null0 is not generating traffic and it has "no ip unreachables" configured.

On Wed, 05-08-2009 at 12:47 +0200, Arie Vayner (avayner) wrote:
> Did you try looking at "show interface null0"?
> I am not sure it works, but give it a try as I do not have quick access
> to a lab where I can test this.
>
> Arie

From domintefamily at yahoo.co.uk Wed Aug 5 07:29:36 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Wed, 5 Aug 2009 11:29:36 +0000 (GMT)
Subject: [c-nsp] VSS 1440 issues
Message-ID: <745803.32277.qm@web27904.mail.ukl.yahoo.com>

Hi,

I recently clustered 2 Catalyst 6509s into a VSS 1440 Virtual switch.

Details about the cluster:

- Software version: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
- Supervisor: VS-S720-10G with one 10G port used as VSL link
- Linecards Active chassis:
    1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
    4 x WS-X6748-GE-TX
- Linecards Standby chassis:
    1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
    2 x WS-X6748-GE-TX

The 6748 line cards are used and configured for MEC EtherChannels.

At the other end of the MEC channels there are non-Cisco edge switches. The multi-chassis EtherChannels are configured as 2 x 1G links, and single switchport trunks are configured as 1 x 1G links. All VLANs are allowed on the single switchport trunks and port channels from the VSS Cluster to the edge switches.

The issue is that unicast traffic is flooded by the VSS Cluster across all trunks. The flooded traffic generated by the VSS cluster is between 600mbps and 1gbps, and almost all of the flooded traffic is unicast and has the source MAC address of the VSS Cluster. However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport. All of the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in switch 1 are the ones that have a single trunk instead of MEC.

We tried to investigate this on a low importance link. The VSS cluster learned only 10 MAC addresses on one edge trunk configured as 1 x 1G link. This edge trunk received the flood of unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually on the VSS Cluster to allow only 4 VLANs instead of all. Allowing only 4 VLANs on this trunk stopped the flood on the edge trunk and stopped the flood on all other trunks as well.

Does anyone have any idea about what can cause this?

Thanks

Catalin

From asturluismi at gmail.com Wed Aug 5 08:30:23 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 14:30:23 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To:
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <1249475423.11065.31.camel@dsba-ipso>

I just configured a router here to use it, but it is quite strange because I can see correct traffic routed to "null", and I didn't expect to see that; I don't think it is correct.

#sho ip cache flow | incl Null
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5

208.67.222.222 is the OpenDNS server, but the destination interface is "null".

Any idea why I see that? Is that correct (I don't think so)?

From jarruda-cnsp at jarruda.com Wed Aug 5 08:49:50 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 08:49:50 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <4A797FEE.5090102@jarruda.com>

Isn't all process switched/punted traffic reported as ifout == Null in Netflow?

Is this traffic going via NAT? (likely from what I see).
From p.caci at seabone.net Wed Aug 5 08:46:33 2009
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 05 Aug 2009 14:46:33 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso> (asturluismi@gmail.com's message of "Wed, 05 Aug 2009 14:30:23 +0200")
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <874osmo2c6.fsf@clarabella.noc.seabone.net>

:-> "luismi" == luismi writes:

> I just configure a router here to use it but it is quite strange because
> I can see correct traffic routed to "null", and I didn't expect to see
> that, I don't think it is correct.

> #sho ip cache flow | incl Null
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A2A 0035     1
> Fa0/1.1       10.55.0.32      Null          208.67.222.222  11 0A26 0035     5

Null0 appears as "Nu0" in that output; "Null" means something else which I don't remember. Looking at my router, probably traffic for which you'd get 'Network not in table'. Can someone confirm?

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From rodunn at cisco.com Wed Aug 5 09:19:51 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 09:19:51 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References: <4A787016.7040006@cisco.com>
Message-ID: <4A7986F7.4070905@cisco.com>

For small flow combinations you are right. BTW, it would be just L3 src/dst flows by default unless the L4 port option is enabled.

I thought about there being a single flow causing the difference that would be hashing down one of the paths. But 2G, while not impossible, typically isn't used between two IP addresses.
It's something to check though, for sure.

Rodney

Mikael Abrahamsson wrote:
> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>
>> That's usually caused by routes not being the same on the paths.
>
> It was my understanding that this usually was caused by not having
> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and 4
> paths, then it's not enough flows to get good load share on, but if you
> instead have 10k flows and all of them are low-speed, then the odds of
> them being equally load shared is much better?

From rodunn at cisco.com Wed Aug 5 09:23:20 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 09:23:20 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249475423.11065.31.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso>
Message-ID: <4A7987C8.3070407@cisco.com>

There are scenarios (NAT, ACL drops, etc.) where the dst in the netflow will show null.

A transit packet that is forwarded out will not (should not) show Null.

Rodney
From p.caci at seabone.net Wed Aug 5 08:32:36 2009
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 05 Aug 2009 14:32:36 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249473843.11065.16.camel@dsba-ipso> (asturluismi@gmail.com's message of "Wed, 05 Aug 2009 14:04:03 +0200")
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <1249473843.11065.16.camel@dsba-ipso>
Message-ID: <878whyo2zf.fsf@clarabella.noc.seabone.net>

:-> "luismi" == luismi writes:

> Yes, but I just can see the "output" counters growing up. Quite strange
> since null0 is not generating traffic and it has configured "no ip
> unreachables".

Yes, output counters are those that have a meaning. It's traffic that's actually dropped. I have a vague memory of some platform using inbound counters for something else, but I may be wrong. I just looked at a GSR and inbound is all 0.

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/

From mhuff at ox.com Wed Aug 5 09:32:05 2009
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 5 Aug 2009 09:32:05 -0400
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <745803.32277.qm@web27904.mail.ukl.yahoo.com>
References: <745803.32277.qm@web27904.mail.ukl.yahoo.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>

I would suspect it's a timeout issue caused by it aging out of the ARP cache and not the TCAM table. Try adding "mac-address-table aging-time 14400" to the config.
This usually happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the return path may be asymmetrical.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From r.tahina at moov.mg Wed Aug 5 09:44:53 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Wed, 05 Aug 2009 16:44:53 +0300
Subject: [c-nsp] 7206 NPE-G2 - Cat 3750 sfp issue
In-Reply-To:
References: <7.0.1.0.2.20090730185902.04b8d458@moov.mg>
Message-ID: <7.0.1.0.2.20090805164429.02147ac8@moov.mg>

I tried every combination but same result.

Regards.

At 13:24 31/07/2009, Marko Milivojevic wrote:
> > I use 1000BASE-LX/LH (GLC-LH-SM), on both Catalyst and 7206 NPE-G2, interface and
> > protocol are up but I cannot do anything, what am I missing?
>
> How are your speed negotiation settings on both ends?
From benny+usenet at amorsen.dk Wed Aug 5 09:48:25 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 05 Aug 2009 15:48:25 +0200
Subject: [c-nsp] OT: Using wireshark to decode IPSec/ESP
In-Reply-To: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com> (Dale Shaw's message of "Wed, 5 Aug 2009 19:57:52 +1000")
References: <3329cbb40908050257y120624a4wefe6075be535585d@mail.gmail.com>
Message-ID:

Dale Shaw writes:

> It's been years since I was armpit deep in IPSec but I am assuming the
> encryption key it wants is NOT the ISAKMP pre-shared key.

Nope, it wants the session key used for that particular session. This can be hard to get, depending on which platforms the IPSEC end points are. For Linux you can get the keys with ip xfrm state.

/Benny

From koug at intracom.gr Wed Aug 5 09:51:34 2009
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 5 Aug 2009 16:51:34 +0300 (GTB Daylight Time)
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A7987C8.3070407@cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com>
Message-ID:

I think it will also show Null when it is forwarded but goes through a permit ACL with the log keyword.

John

On Wed, 5 Aug 2009, Rodney Dunn wrote:

> There are scenarios (nat, acl drops, etc.) where the dst in the netflow will
> show null.
>
> For a transit packet that is forwarded out will not (should not) show Null.
> Rodney

From dean at eatworms.org.uk Wed Aug 5 09:53:05 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 5 Aug 2009 14:53:05 +0100
Subject: [c-nsp] multipath BGP not balancing equally.
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com>
Message-ID: <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>

Would agree that volume is rare between 2 x IP addresses, but we have something similar, although not quite on that scale.

We NAT a very large organisation to the Internet. They have a large number of disparate sites that all do their own AV updates. All the PCs download at the same time in the evening and we generate about .75 Gb/s of traffic between our external PAT address and the AV download site for a good couple of hours. If we had a bigger internet pipe it would be a higher figure (for less time, of course).

Dean

From asturluismi at gmail.com Wed Aug 5 10:01:41 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 16:01:41 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A7987C8.3070407@cisco.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com>
Message-ID: <1249480901.11065.35.camel@dsba-ipso>

Yes, this is a NAT scenario; maybe that is the reason. So far the router is working OK, and the service is OK too. So the "null" value must be related to NAT or something similar.
From rdobbins at arbor.net Wed Aug 5 10:32:25 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 5 Aug 2009 21:32:25 +0700
Subject: [c-nsp] Counters for null0?
In-Reply-To: <1249480901.11065.35.camel@dsba-ipso>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com> <1249480901.11065.35.camel@dsba-ipso>
Message-ID: <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>

On Aug 5, 2009, at 9:01 PM, luismi wrote:

> So "null" value must be related with NAT or something similar.

Most Cisco routers (the main exceptions being 6500/7600/4500 switches, with their well-known NetFlow caveats regarding dropped traffic) show the destination ifindex as 0 when the traffic's being dropped (ACL, uRPF, PBR, QoS, et al.) or when the traffic is being intercepted by a software feature such as NAT or WCCP - in other words, when the RP doesn't know where the packet is going to end up.

In most scenarios, this is because traffic is being dropped. But if you're running NAT on this box, it's a good bet that a lot of what you're seeing is traffic being NATted, and you can sh ip nat trans to verify that.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From jp at saucer.midcoast.com Wed Aug 5 10:34:23 2009
From: jp at saucer.midcoast.com (jp)
Date: Wed, 5 Aug 2009 10:34:23 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A789329.8090804@ttec.com>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <4A789329.8090804@ttec.com>
Message-ID: <20090805143423.GA17144@saucer.midcoast.com>

We use a 7507 for about 800 DSL customers.
We've found it works more reliably and uses quite a bit less electricity using DC power. We'd had some random crashes on AC power from little power issues that weren't enough to activate UPSs. Then I got some DC power supplies on eBay for less than the cost of shipping, and a big old Lorain DC power supply from a Tadiran phone switch.

We use cold spares for parts. I've played with the redundant RSPs, but it's not a very clean cutover, and it takes a couple of minutes before everything is happy. I've seen issues too where something breaks, but things don't switch over.

I'm looking for even more power savings and wouldn't mind something non-Cisco for the ATM DSL aggregation. It'll probably eventually go ethernet based instead of ATM, so I wouldn't be inclined to invest big in a short term solution. Basically, it's in a rural area with bad power reliability, and more power use == shorter battery runtime and more frequent generator refueling.

On Tue, Aug 04, 2009 at 03:59:37PM -0400, Joe Maimon wrote:
> I view the rpr feature as completely useless in the real world.
>
> Cold spares are way more effective.
>
> The last time I had a rp failure, it was fixed by yanking one and leaving
> the other.
>
> In other words, odds are it causes more issues than it resolves.
>
> Just added complexity for a box where it's already a support problem.
>
> Terminate your atm into an atm switch and run a bank of agg routers, 7200
> or 7500.
>
> Then you can bridge group them into both, or just manually throw pvc's from
> one router to the other.
>
> The 7500 are not worth the watts they consume.
>
>
> Walter Keen wrote:
>> Yes, I believe it was you. We are trying to migrate from a 7200 to a 7500
>> to gain route processor redundancy. Our traffic is typically 20mbit peak
>> from this site between 2 atm ds3's. Using radius, pppoa, and some dsl
>> subs are behind NAT, but we're slowly weeding them out into having a
>> typical dsl connection with a public ip. Probably about 1k subscribers,
>> and in the next year or two we'll probably be moving them to an
>> ethernet-based handoff from the carriers to us.
>>
>> Rodney Dunn wrote:
>>> Probably me. ;)
>>>
>>> There were some issues around DSL termination in to a VRF that would not
>>> work.
>>>
>>> The platform was never targeted for that market space so I wouldn't use
>>> it.
>>>
>>> 72xx, 10k, or ASR would be the pick.
>>>
>>> The ISR's on the really really low end side.
>>>
>>> Rodney
>>>
>>> Buhrmaster, Gary wrote:
>>>>> I've never been brave enough to try a 7500 for dsl aggregation:)
>>>>
>>>> And while a memory parity error is probably hardware,
>>>> I have this vague recollection that someone from
>>>> Cisco (Rodney Dunn?) has on a couple of occasions
>>>> recommended against using a 7500 for broadband
>>>> aggregation, since the platform was simply not
>>>> targeted or tested to that role. One *would*
>>>> encounter things that do not work, and they would
>>>> end up being "won't fix" on that platform.

--
/* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
   KB1IOJ          | Broadband Internet Access, Dialup, and Hosting
   http://f64.nu/  | for Midcoast Maine http://www.midcoast.com/ */

From asturluismi at gmail.com Wed Aug 5 10:49:02 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 05 Aug 2009 16:49:02 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A7987C8.3070407@cisco.com> <1249480901.11065.35.camel@dsba-ipso> <6521E82E-BBE0-4CF6-B8D3-EB8FFD899A5D@arbor.net>
Message-ID: <1249483742.11065.37.camel@dsba-ipso>

Yes, it is being translated by NAT for sure; I am 110% sure about that.

From gert at greenie.muc.de Wed Aug 5 10:58:41 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 16:58:41 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A797FEE.5090102@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com>
Message-ID: <20090805145841.GH290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
> Isn't all process switched/punted traffic reported as ifout == Null in
> Netflow ?

If a given IOS version does that, it's a bug.

ifout = NULL usually means "traffic dropped due to ACL or no route".

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From frnkblk at iname.com Wed Aug 5 11:06:33 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Wed, 5 Aug 2009 10:06:33 -0500
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <4A793C90.9070004@infopact.nl>
References: <4A78048B.60803@rainierconnect.net> <4A786F22.3060309@cisco.com> <4A787668.8050909@rainierconnect.net> <20090805071109.GG290@greenie.muc.de> <4A793C90.9070004@infopact.nl>
Message-ID:

Our DSLAM vendor supports PPPoA to PPPoE encapsulation/conversion (I'm not sure how), so that's our migration plan if we need to move to a new BRAS that doesn't have OC-3 interfaces.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of E. Versaevel
Sent: Wednesday, August 05, 2009 3:02 AM
To: Gert Doering
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7500 for DSL aggregation - RSP memory error?

The only drawback on the ASR1k platform is the lack of PPPoA support; otherwise we would have happily migrated away from our 7200/1G's.

We got 2 ASR1004's for ethernet aggregation and they're doing just fine for that :)

> If you *insist* on having route-processor redundancy (what about interface
> and physical path redundancy?), I think you can do that with ASR1k, but
> I admit to not having any hands-on experience with that platform yet.

Erik Versaevel

From jarruda-cnsp at jarruda.com Wed Aug 5 11:07:09 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 11:07:09 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805145841.GH290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de>
Message-ID: <4A79A01D.3030007@jarruda.com>

Gert Doering wrote:
> Hi,
>
> On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
>> Isn't all process switched/punted traffic reported as ifout == Null in
>> Netflow ?
>
> If a given IOS version does that, it's a bug.
>
> ifout = NULL usually means "traffic dropped due to ACL or no route".
>
> gert

Gert,

Traffic consumed by the router :-), that should be more specific. Example: OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel interface as outbound).

From jarruda-cnsp at jarruda.com Wed Aug 5 11:13:28 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 11:13:28 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805145841.GH290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de>
Message-ID: <4A79A198.2000202@jarruda.com>

Being more specific, since clearly I used the wrong term :-)..

If traffic is processed by the CPU, be it NAT or OSPF/BGP/ICMP to the box itself, I saw in most cases that the netflow would show ifout == 0.
I saw in one specific case a couple of years ago some VPN traffic also being shown as IfOut=0, but this was in a 6500 running hybrid, not Native, and most likely was not the expected behaviour.

From gert at greenie.muc.de Wed Aug 5 11:57:59 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 17:57:59 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A79A01D.3030007@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com>
Message-ID: <20090805155759.GI290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 11:07:09AM -0400, Julio Arruda wrote:
> >On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
> >>Isn't all process switched/punted traffic reported as ifout == Null in
> >>Netflow ?
> >
> >If a given IOS version does that, it's a bug.
> >
> >ifout = NULL usually means "traffic dropped due to ACL or no route".
>
> Traffic consumed by the router :-), that should be more specific.
> Example, OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel
> interface as outbound).

I'm wondering a bit about VPN and NAT (I think this might depend very much on platform, but at least the software platforms should know the output interface).
BGP shows up on our 7200s as "Local" (addresses changed):

Cisco-7200>sh ip cache flow | inc 00B3
Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1

EIGRP is "Null", though:

Cisco-7200>sh ip cache flow | inc 224.0
Gi0/1.11      100.100.10.111  Null          224.0.0.10      58 0000 0000    47
Gi0/1.11      100.100.10.118  Null          224.0.0.10      58 0000 0000    51
Gi0/1.11      100.100.10.117  Null          224.0.0.10      58 0000 0000    56
Gi0/1.11      100.100.10.114  Null          224.0.0.10      58 0000 0000    65

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From jarruda-cnsp at jarruda.com Wed Aug 5 12:05:32 2009
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 05 Aug 2009 12:05:32 -0400
Subject: [c-nsp] Counters for null0?
In-Reply-To: <20090805155759.GI290@greenie.muc.de>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com> <20090805155759.GI290@greenie.muc.de>
Message-ID: <4A79ADCC.2080909@jarruda.com>

Gert Doering wrote:
> Hi,
>
> On Wed, Aug 05, 2009 at 11:07:09AM -0400, Julio Arruda wrote:
>>> On Wed, Aug 05, 2009 at 08:49:50AM -0400, Julio Arruda wrote:
>>>> Isn't all process switched/punted traffic reported as ifout == Null in
>>>> Netflow ?
>>> If a given IOS version does that, it's a bug.
>>>
>>> ifout = NULL usually means "traffic dropped due to ACL or no route".
>> Traffic consumed by the router :-), that should be more specific.
>> Example, OSPF/BGP traffic, NAT traffic, some VPN traffic (tunnel
>> interface as outbound).
>
> I'm wondering a bit about VPN and NAT (I think this might depend very
> much on platform, but at least the software platforms should know the
> output interface).
>

On IPSEC, there is a great doc on www.cisco.com on the expected behaviour..
http://www.cisco.com/en/US/products/ps6601/products_white_paper09186a008022bde8.shtml

What I saw in old CatOS+IOS was NOT something expected... but the customer changed topology, so I'm not sure if they ever opened a case with their support.

> BGP shows up on our 7200s as "Local" (addresses changed):
>
> Cisco-7200>sh ip cache flow | inc 00B3
> Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
> Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
> Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
> Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
> Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
> Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1
>

Interesting, how is this exported? I seem to recall it would show as ifout=0, but was looking at the 'out of the box experience' :-)
And as you said, it may quite well be platform dependent...

> EIGRP is "Null", though:
>
> Cisco-7200>sh ip cache flow | inc 224.0
> Gi0/1.11      100.100.10.111  Null          224.0.0.10      58 0000 0000    47
> Gi0/1.11      100.100.10.118  Null          224.0.0.10      58 0000 0000    51
> Gi0/1.11      100.100.10.117  Null          224.0.0.10      58 0000 0000    56
> Gi0/1.11      100.100.10.114  Null          224.0.0.10      58 0000 0000    65
>
> gert

From gert at greenie.muc.de Wed Aug 5 12:25:56 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Aug 2009 18:25:56 +0200
Subject: [c-nsp] Counters for null0?
In-Reply-To: <4A79ADCC.2080909@jarruda.com>
References: <1249468408.11065.7.camel@dsba-ipso> <78C984F8939D424697B15E4B1C1BB3D7011A0F7E@xmb-ams-331.emea.cisco.com> <4434.196.46.241.57.1249474740.squirrel@nexmail1.nexlinx.net.pk> <1249475423.11065.31.camel@dsba-ipso> <4A797FEE.5090102@jarruda.com> <20090805145841.GH290@greenie.muc.de> <4A79A01D.3030007@jarruda.com> <20090805155759.GI290@greenie.muc.de> <4A79ADCC.2080909@jarruda.com>
Message-ID: <20090805162556.GJ290@greenie.muc.de>

Hi,

On Wed, Aug 05, 2009 at 12:05:32PM -0400, Julio Arruda wrote:
> >BGP shows up on our 7200s as "Local" (addresses changed):
> >
> >Cisco-7200>sh ip cache flow | inc 00B3
> >Gi0/3.123     100.100.10.219  Local         100.100.10.200  06 8355 00B3    65
> >Gi0/1.11      100.100.10.46   Local         100.100.10.200  06 00B3 8BA5     2
> >Gi0/3.123     101.10.101.79   Local         101.10.101.65   06 E514 00B3     1
> >Gi0/1.11      100.100.10.209  Local         100.100.10.200  06 E473 00B3     1
> >Gi0/3.123     100.100.10.213  Local         100.100.10.200  06 EAD7 00B3    52
> >Gi0/3.123     101.10.101.80   Local         101.10.101.65   06 37D3 00B3     1
>
> Interesting, how is this exported? I seem to recall it would show as
> ifout=0, but was looking at the 'out of the box experience' :-)

I was checking the caches on the box only. Let me go to the netflow data...

Indeed, you're right. These show up on the router as definitely distinct from "Null", but in the export, they have "out if = 0".

OTOH, our 7600s (SXF/SXH) don't seem to export flows to "local" at all...

Amazing :)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
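The export problem the thread arrives at (router-terminated "Local" flows and dropped "Null" flows both leave the box with output ifIndex 0) is easy to see with a small NetFlow v5 parser. This is an added example, not code from the thread or from Cisco: it constructs a v5 datagram inline that mirrors the quoted BGP and EIGRP flows (same example addresses), parses it, and applies the collector-side heuristic a defender has left, i.e. treating output 0 as "local" only when the destination is one of the router's own addresses or link-local multicast. The router address set and all records are constructed for the example; NAT and VPN cases mentioned in the thread are platform dependent and deliberately not handled.

```python
"""Classify NetFlow v5 export records whose output ifIndex is 0.

Added example for the "Counters for null0?" thread, not part of the original
posts. Sample records and the router's address set are constructed here.
"""
import struct
from ipaddress import ip_address, ip_network

# NetFlow v5 wire format (network byte order, RFC-less but documented by Cisco).
HEADER_FMT = "!HHIIIIBBH"             # version, count, sysuptime, unix_secs,
                                      # unix_nsecs, flow_sequence, engine_type,
                                      # engine_id, sampling_interval
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                      # dPkts, dOctets, first, last, srcport,
                                      # dstport, pad1, tcp_flags, prot, tos,
                                      # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes

# Constructed: addresses the exporting router itself owns (the "Local"
# destinations quoted in the thread) and the link-local multicast block that
# EIGRP (224.0.0.10) and OSPF use. A real collector would load these from
# the router's interface inventory.
ROUTER_ADDRESSES = {ip_address("100.100.10.200"), ip_address("101.10.101.65")}
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")


def build_record(src, dst, in_if, out_if, proto, sport, dport, pkts):
    """Pack one v5 record; fields this example does not use are zero."""
    return struct.pack(RECORD_FMT, int(ip_address(src)), int(ip_address(dst)), 0,
                       in_if, out_if, pkts, pkts * 64, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)


def build_export(records):
    """Prepend a v5 header (version 5, record count) to packed records."""
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)


def parse_export(datagram):
    """Return a list of flow dicts; reject anything that is not well-formed v5."""
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) != expected:
        raise ValueError(f"datagram length {len(datagram)}, expected {expected}")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": ip_address(f[0]), "dst": ip_address(f[1]),
                      "in_if": f[3], "out_if": f[4], "pkts": f[5],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows


def classify(flow):
    """'forwarded' if output ifIndex is set; otherwise guess local vs dropped.

    The export alone cannot distinguish the two: both carry output 0.
    """
    if flow["out_if"] != 0:
        return "forwarded"
    if flow["dst"] in ROUTER_ADDRESSES or flow["dst"] in LINK_LOCAL_MCAST:
        return "local"      # terminated on the router (BGP, EIGRP hello, ...)
    return "null"           # dropped: no route, ACL, or Null0 route


def summarize(datagram):
    """Count flows per class, e.g. {'forwarded': 1, 'local': 2, 'null': 1}."""
    counts = {"forwarded": 0, "local": 0, "null": 0}
    for flow in parse_export(datagram):
        counts[classify(flow)] += 1
    return counts


def sample_datagram():
    """Constructed export mirroring the thread's show output plus two extras."""
    return build_export([
        # BGP session to the router itself: "Local" in the cache, out if 0 in export
        build_record("100.100.10.219", "100.100.10.200", 3, 0, 6, 0x8355, 0xB3, 65),
        # EIGRP hello to 224.0.0.10 (protocol 0x58 = 88): "Null" in the cache
        build_record("100.100.10.111", "224.0.0.10", 1, 0, 88, 0, 0, 47),
        # Constructed: traffic dropped by ACL or a Null0 route, also out if 0
        build_record("100.100.10.50", "203.0.113.5", 1, 0, 17, 40000, 53, 12),
        # Constructed: an ordinary transit flow with a real output ifIndex
        build_record("100.100.10.46", "101.10.101.79", 1, 3, 6, 50000, 443, 9),
    ])


if __name__ == "__main__":
    for flow in parse_export(sample_datagram()):
        print(f"{flow['src']!s:>16} -> {flow['dst']!s:<16} out_if={flow['out_if']} {classify(flow)}")
    print(summarize(sample_datagram()))
```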
From ecables at gmail.com Wed Aug 5 14:06:39 2009
From: ecables at gmail.com (Eric Cables)
Date: Wed, 5 Aug 2009 11:06:39 -0700
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>
References: <745803.32277.qm@web27904.mail.ukl.yahoo.com> <483E6B0272B0284BA86D7596C40D29F9D1221281DB@PUR-EXCH07.ox.com>
Message-ID:

Take a look at this..
http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml#oob_mac

Cisco also recommends that once you enable OOB Synchronization, the MAC aging timer be set to at least 3x the synchronization timer of 160:

"Configure the MAC aging timer to three times the MAC synchronization timer value. The default MAC synchronization and MAC aging timers can cause unknown unicast flooding. VSS can cause traffic to flow asymmetrically such that the source MAC address is only learned on one chassis. The MAC aging timer of 300 seconds and MAC synchronization timer of 160 seconds allows for up to 20 seconds of unknown unicast flooding for any given MAC address in a 320 second interval. In order to resolve this, change the timers such that the aging timer is three times as long as synchronization timer, for example, mac-address-table aging-time 480."

--
Eric Cables

On Wed, Aug 5, 2009 at 6:32 AM, Matthew Huff wrote:
> I would suspect it's a timeout issue caused by it aging out of the arp
> cache and not the tcam table.
>
> Try adding "mac-address-table aging-time 14400" to the config. This usually
> happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the
> return path may be asymmetrical.
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte
> > Sent: Wednesday, August 05, 2009 7:30 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] VSS 1440 issues
> >
> > Hi,
> >
> > I recently clustered 2 Catalysts 6509's into a VSS 1440 Virtual switch.
> >
> > Details about the cluster:
> >
> > - Software version: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
> >
> > - Supervisor: VS-S720-10G with one 10G port used as VSL link
> >
> > - Linecards Active chassis:
> >   1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
> >   4 x WS-X6748-GE-TX
> >
> > - Linecards Standby chassis:
> >   1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
> >   2 x WS-X6748-GE-TX
> >
> > The 6748 line cards are used and configured for MEC Etherchannels.
> >
> > At the other end of the MEC channels there are non-Cisco edge switches. The multi chassis Ether Channels are configured as 2 x 1G links, and single switchport trunks are configured as 1 x 1G links. All vlans are allowed on the single switchport trunks and port channels from VSS Cluster to the edge switches.
> >
> > The issue is that unicast traffic is flooded by the VSS Cluster across all trunks. The flooded traffic generated by the VSS cluster is between 600mbps and 1gbps, and almost all of the flooded traffic is unicast and has the source MAC address of the VSS Cluster. However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport.
> > All of the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in switch 1 are the ones that have a single trunk instead of MEC.
> >
> > We tried to investigate this on a low importance link. The VSS cluster learned only 10 MAC addresses on one edge trunk configured as 1 x 1G link. This edge trunk received the flood of unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually on the VSS Cluster, to allow only 4 VLANS instead of all. Allowing only 4 vlans on this trunk stopped the flood on the edge trunk and stopped the flood on all other trunks as well.
> >
> > Does anyone have any idea about what can cause this?
> >
> > Thanks
> >
> > Catalin
> >
>

From jared.a.gillis at gmail.com Wed Aug 5 15:57:10 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 05 Aug 2009 12:57:10 -0700
Subject: [c-nsp] IS-IS route separation/filtering
Message-ID: <4A79E416.7040909@gmail.com>

Hello all,

I'm trying to accomplish something with an IS-IS network, and I'm starting to think it may not be possible, but I'm hoping someone here might have a suggestion to help.

Basically, what I'm trying to accomplish is to have two routers subtended off an aggregation router. So, say Router A has a link to Router B and Router C.
I want Router A to advertise a default route to B and C (this I have done), and B and C should announce their routes to A (also done), but I do *not* want B to learn C's routes, nor C to learn B's. This is my sticking point.

Currently my config is that A is L1/L2 and B and C are L1 only, but since they are all in the same area, they learn all of each other's routes. I could put B and C into different areas, and put A into both of those areas as well, but I need to have up to 15-20 L1 routers hung off of Router A, and all the docs say that you can only configure 3 NET addresses on a Cisco router, so this won't scale to what I need.

Basically I'm trying to replicate the concept of an OSPF totally-stubby-not-so-stubby-area in IS-IS, and I'm starting to question whether it can be done. My network design is fairly flexible at this point (the only requirements are that it run IS-IS and L1 routers don't learn each other's routes), so I'm open to any ideas or suggestions.

Thanks for your time
-Jared

From rodunn at cisco.com Wed Aug 5 16:23:27 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 05 Aug 2009 16:23:27 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776>
Message-ID: <4A79EA3F.6060002@cisco.com>

Ah...good one. If the sources were not random enough and it's NAT'ed to one external ip you could really be multiplexing flows with NAT. ;)

Dean Smith wrote:
> Would agree that volume is rare between 2xIP addresses but we have
> something similar although on not quite the scale.
>
> We NAT a very large organisation to the Internet. They have a large
> number of disparate sites that all do their own AV updates.
> All the PCs
> download at the same time in the evening and we generate about .75 Gb/s
> of traffic between our external PAT address and the AV download site for
> a good couple of hours. If we had a bigger internet pipe it would be a
> higher figure. (for less time of course).
>
> Dean
> ----- Original Message ----- From: "Rodney Dunn"
> To: "Mikael Abrahamsson"
> Cc: "Cisco"
> Sent: Wednesday, August 05, 2009 2:19 PM
> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>
>
>> For small flow combinations you are right. btw, it would be just L3
>> src/dst flows by default unless the L4 port option is enabled.
>>
>> I thought about there being a single flow causing the difference that
>> would be hashing down one of the paths. But 2G, while not impossible,
>> typically isn't used between two ip addresses. It's something to check
>> though for sure.
>>
>> Rodney
>>
>>
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>
>>>> That's usually caused by routes not being the same on the paths.
>>>
>>> It was my understanding that this usually was caused by not having
>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and
>>> 4 paths, then it's not enough flows to get good load share on, but if
>>> you instead have 10k flows and all of them are low-speed, then the
>>> odds of them being equally load shared is much better?
>>>
>>

From carl at outerloop.net Wed Aug 5 17:19:59 2009
From: carl at outerloop.net (Carl Jones)
Date: Thu, 6 Aug 2009 09:19:59 +1200
Subject: [c-nsp] 3750 CPU Usage; TCAM Exhaustion?
In-Reply-To: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>
References: <73ec141e0908050124r25f75ee7jd784011866a59827@mail.gmail.com>
Message-ID:

On Wed, Aug 5, 2009 at 8:24 PM, Michael Schedrin wrote:
>> core-dal#sh platform tcam utilization
>>
>> CAM Utilization for ASIC# 0                    Max            Used
>>                                            Masks/Values   Masks/values
>>
>>  Unicast mac addresses:                       400/3200       373/2911
>
> Look at "sh mac address-table count". Check "Total Mac Address Space
> Available:"
> 3750 has a table for 6000 mac addresses. If you stack 3*3750, this bundle
> will also have a table of 6000.

Yep, that seems to be it:

core-dal#sh mac address-table count | in Space
Total Mac Address Space Available: 0

>> I suspect I may be seeing TCAM exhaustion. Any suggestions on how I
>> can confirm or avoid that?
>
> You have two ways to avoid the problem. First - change sdm to "vlan". Second
> - disassemble stack and make every switch use its own mac-address-table and
> tcam. In total you will have a 6000*3 mac address table.

Thanks for your suggestions Michael. Makes sense.

Regards,
Carl

From daniel at bit.nl Wed Aug 5 17:21:46 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Wed, 5 Aug 2009 23:21:46 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A79E416.7040909@gmail.com>
References: <4A79E416.7040909@gmail.com>
Message-ID:

On Aug 5, 2009, at 9:57 PM, Jared Gillis wrote:
> Basically I'm trying to replicate the concept of an OSPF
> totally-stubby-not-so-stubby-area in IS-IS, and I'm starting to
> question whether it can be done. My network design is fairly flexible
> at this point (the only requirements are that it run IS-IS and L1
> routers don't learn each other's routes), so I'm open to any ideas
> or suggestions.

have a look at IS-IS mesh-groups. Although designed for a different purpose, it might work.
Stick router A and all of its stub routers into the same L1 area. On router A, put all interfaces towards the stub routers in the same mesh-group.

PS. My preference would be to use BGP for the external routes and use IS-IS only to distribute the loopback IPs. Also makes filtering towards the stub routers a lot easier using route-maps etc. Depending on your gear/software/etc that might not be an option here though.

--Daniel.

From lowen at pari.edu Wed Aug 5 16:38:02 2009
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 5 Aug 2009 16:38:02 -0400
Subject: [c-nsp] 7500 for DSL aggregation - RSP memory error?
In-Reply-To: <20090805143423.GA17144@saucer.midcoast.com>
References: <4A78048B.60803@rainierconnect.net>
Message-ID: <200908051638.02436.lowen@pari.edu>

On Wednesday 05 August 2009 10:34:23 am jp wrote:
> We use cold spares for parts. I've played with the redundant RSPs, but
> it's not a very clean cutover, and it takes a couple minutes before
> everything is happy. I've seen issues too where something breaks, but
> things don't switch over.

I've got a couple of 7507's as well, but not doing DSL agg with them. RPR+ is the slow option for redundant RSP's, and is the best you can do with 12.4 IOS. 12.0(32)S supports SSO/NSF (at least on the RSP8's that I have), and that switchover isn't bad; not as smooth as 12000 GRP SSO/NSF, but not bad.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From jared.a.gillis at gmail.com Wed Aug 5 18:02:47 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 05 Aug 2009 15:02:47 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To:
References: <4A79E416.7040909@gmail.com>
Message-ID: <4A7A0187.8070807@gmail.com>

Daniel Verlouw wrote:
> have a look at IS-IS mesh-groups. Although designed for a different
> purpose, it might work. Stick router A and all of its stub routers into
> the same L1 area.
> On router A, put all interfaces towards the stub
> routers in the same mesh-group.

Hm, interesting thought. Unfortunately, it doesn't seem to pan out in the lab. The LSPs don't seem to get flooded, but the routes do get passed through Router A to all the stub routers, regardless of how I set up the mesh-groups.

> PS. My preference would be to use BGP for the external routes and use
> IS-IS only to distribute the loopback IPs. Also makes filtering towards
> the stub routers a lot easier using route-maps etc. Depending on your
> gear/software/etc that might not be an option here though.

This is almost what I'm trying to do, there will be very few routes in IS-IS, but the decree from on high is that each stub router should be totally stubby =(

> --Daniel.

From dean at eatworms.org.uk Wed Aug 5 17:34:53 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 5 Aug 2009 22:34:53 +0100
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A79EA3F.6060002@cisco.com>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID: <00ba01ca1614$9235d940$b6a18bc0$@org.uk>

Exactly what's happening. On a couple of occasions when only 1 IP address at the far end is active for downloads we see the traffic on just one of our links because it's all 1 IP to 1 IP (which was the point I was going to make... and then forgot!) instead of all 3 links.

In this case it's 1 BGP peering (eBGP multihop) that has 3 equal cost paths between but the principle is the same. (we can't go per packet CEF load balancing because the far end doesn't support it - and the major traffic flow is inbound to us)

Dean

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: 05 August 2009 21:23
To: Dean Smith
Cc: Mikael Abrahamsson; Cisco
Subject: Re: [c-nsp] multipath BGP not balancing equally.

Ah...good one.
If the sources were not random enough and it's NAT'ed to one external ip you could really be multiplexing flows with NAT. ;)

Dean Smith wrote:
> Would agree that volume is rare between 2xIP addresses but we have
> something similar although on not quite the scale.
>
> We NAT a very large organisation to the Internet. They have a large
> number of disparate sites that all do their own AV updates. All the PCs
> download at the same time in the evening and we generate about .75 Gb/s
> of traffic between our external PAT address and the AV download site for
> a good couple of hours. If we had a bigger internet pipe it would be a
> higher figure. (for less time of course).
>
> Dean
> ----- Original Message ----- From: "Rodney Dunn"
> To: "Mikael Abrahamsson"
> Cc: "Cisco"
> Sent: Wednesday, August 05, 2009 2:19 PM
> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>
>
>> For small flow combinations you are right. btw, it would be just L3
>> src/dst flows by default unless the L4 port option is enabled.
>>
>> I thought about there being a single flow causing the difference that
>> would be hashing down one of the paths. But 2G, while not impossible,
>> typically isn't used between two ip addresses. It's something to check
>> though for sure.
>>
>> Rodney
>>
>>
>>
>> Mikael Abrahamsson wrote:
>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>
>>>> That's usually caused by routes not being the same on the paths.
>>>
>>> It was my understanding that this usually was caused by not having
>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows and
>>> 4 paths, then it's not enough flows to get good load share on, but if
>>> you instead have 10k flows and all of them are low-speed, then the
>>> odds of them being equally load shared is much better?
>>>
>>

From David at hughes.com.au Wed Aug 5 17:47:59 2009
From: David at hughes.com.au (David Hughes)
Date: Thu, 6 Aug 2009 07:47:59 +1000
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To: <4A79EA3F.6060002@cisco.com>
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID:

Hi

But seeing as the OP indicated that one of the circuits was 2GB *underutilised* you'd be looking for 3 src/dst pairs that were all doing 2GB to get this situation. It's looking pretty unlikely that this is a hashing issue.

David
...

On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:
> Ah...good one. If the sources were not random enough and it's NAT'ed
> to one external ip you could really be multiplexing flows with NAT. ;)
>
>
>
> Dean Smith wrote:
>> Would agree that volume is rare between 2xIP addresses but we have
>> something similar although on not quite the scale.
>> We NAT a very large organisation to the Internet. They have a large
>> number of disparate sites that all do their own AV updates. All the
>> PCs download at the same time in the evening and we generate about
>> .75 Gb/s of traffic between our external PAT address and the AV
>> download site for a good couple of hours. If we had a bigger
>> internet pipe it would be a higher figure. (for less time of course).
>> Dean
>> ----- Original Message ----- From: "Rodney Dunn"
>> To: "Mikael Abrahamsson"
>> Cc: "Cisco"
>> Sent: Wednesday, August 05, 2009 2:19 PM
>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>> For small flow combinations you are right. btw, it would be just
>>> L3 src/dst flows by default unless the L4 port option is enabled.
>>>
>>> I thought about there being a single flow causing the difference
>>> that would be hashing down one of the paths. But 2G, while not
>>> impossible, typically isn't used between two ip addresses. It's
>>> something to check though for sure.
>>>
>>> Rodney
>>>
>>>
>>>
>>> Mikael Abrahamsson wrote:
>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>
>>>>> That's usually caused by routes not being the same on the paths.
>>>>
>>>> It was my understanding that this usually was caused by not
>>>> having enough L4 flows to loadshare on...? Ie if you have 100 TCP
>>>> flows and 4 paths, then it's not enough flows to get good load
>>>> share on, but if you instead have 10k flows and all of them are
>>>> low-speed, then the odds of them being equally load shared is
>>>> much better?
>>>>
>>>
>

From cisco-nsp at itpro.co.nz Wed Aug 5 19:50:11 2009
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Thu, 6 Aug 2009 11:50:11 +1200 (NZST)
Subject: [c-nsp] VSS Best Practices
Message-ID: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>

Cisco VSS best practice document states

Recommendations
* Always run L2 or L3 MEC.
* Do not use on and off options with PAgP or LACP or Trunk protocol negotiation.
  o PAgP - Run Desirable-Desirable with MEC links.
  o LACP - Run Active-Active with MEC links.
  o Trunk - Run Desirable-Desirable with MEC links.

http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml

There is not really any explanation of the reasoning behind these recommendations. If anyone can explain the rationale that would be great.

I would also be interested to hear what settings people are using in production, why and how that is going. Generally in non VSS setups I have found setting links explicitly to trunk mode and as etherchannel members has been reliable and would like to understand why they are not recommended above.

Thanks
Ivan

From carl at outerloop.net Wed Aug 5 21:21:14 2009
From: carl at outerloop.net (Carl Jones)
Date: Thu, 6 Aug 2009 13:21:14 +1200
Subject: [c-nsp] 3750 Suggestions?
Message-ID:

Hi all,

I'm looking for something suitable to take the load from our 3750G stack. But I'm not quite sure what the best solution would be.

Some details of the issues I'm seeing:
https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html

I anticipate the new setup will eventually need to handle roughly double the number of IPs and VLANs the stack is currently (not) handling, with 4 routed interfaces (2x GigE, 2x FE).

A couple of suggestions I've had so far are a router to handle everything L3, and use the VLAN template on the 3750s. Or replace them with a 6500 series switch. Or use a 4948 for L3 and/or replacing the 3750s.

Any suggestions appreciated.

Regards,
Carl

From justin at justinshore.com Thu Aug 6 01:27:24 2009
From: justin at justinshore.com (Justin Shore)
Date: Thu, 06 Aug 2009 00:27:24 -0500
Subject: [c-nsp] Policing on a 3560
In-Reply-To:
References:
Message-ID: <4A7A69BC.3000009@justinshore.com>

I'm getting pushback from TAC on this.
They're telling me that using class-default is unsupported and they pointed me to the config guide for the platform as proof:
http://www.cisco.com/en/US/partner/docs/switches/metro/catalyst3750m/software/release/12.2_50_se/configuration/guide/swuncli.html

I haven't gotten an actual answer from my engineer yet on what I'm doing wrong. I thought policing was simple and that this would be a simple fix.

Justin

Sigurbjörn Birkir Lárusson wrote:
> Why not use class-default?
>
> Kind regards,
> Sibbi

From davidwarner1975 at yahoo.com.au Thu Aug 6 03:11:54 2009
From: davidwarner1975 at yahoo.com.au (David Warner)
Date: Thu, 6 Aug 2009 00:11:54 -0700 (PDT)
Subject: [c-nsp] 3800 - HSRP/ARP issue
Message-ID: <996865.95399.qm@web111620.mail.gq1.yahoo.com>

Hi All,

Just came up against a bit of a weird issue and would appreciate some advice/input.

Basic environment of two 3800s operating HSRP and plugging into a layer 2 switch network where servers connect (there are only 2-3 servers attached to two switches at the moment). On the face of it it looks like an ARP issue but unable to confirm and we can't even clear tables until a maintenance window is arranged but obviously need to do some research.

Base config on each 3800 is as follows:

 interface GigabitEthernet0/0/0.100
  encapsulation dot1Q 100
  ip vrf forwarding TEST
  ip address 192.168.23.13x 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  standby 3 ip 192.168.23.129
  standby 3 priority xxx
  standby 3 preempt
  standby 3 track GigabitEthernet0/0.200

The issue we're seeing is that dead IP addresses in the range are resolving to the same MAC of the HSRP active (the physical interface). Only three of these IP addresses are live on this VLAN (141-143 - servers are unable to see the network). Any ideas why:

a) the interface is holding ARP entries (age is zero) for a large part of this subnet when no devices with these IP are on the network?
b) CEF tables shows a (?) against the only "real" server IP addresses on the network. I'm assuming a dodgy ARP table will upset the CEF tables.

This issue is causing connectivity problems to the servers on this subnet. Looks buggy to me :)

SydPrimary01#sh ip arp vrf TEST
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.23.250          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  10.220.80.33          125   0000.5e00.0165  ARPA   GigabitEthernet0/0.231
Internet  10.220.80.46            -   0000.0c07.ac17  ARPA   GigabitEthernet0/0.231
Internet  10.220.80.45            -   0023.0470.85c0  ARPA   GigabitEthernet0/0.231
Internet  192.168.23.164          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.163          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.162          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.161          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.160          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.154          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.153          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.152          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.151          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.150          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.144          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.143          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.142          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.141          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.140          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.139          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.138          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.137          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.136          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.135          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.134          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.133          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.132          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.131          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.130          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.129          -   0000.0c07.ac17  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.128          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100

SydPrimary01#sh int gi0/0/0 | i 0023.0470.85c3
  Hardware is PM-3387, address is 0023.0470.85c3 (bia 0023.0470.85c3)

NPMDS5DAWMDAR01#sh ip cef vrf TEST
Prefix              Next Hop             Interface
0.0.0.0/0           10.220.80.33         GigabitEthernet0/0.231
0.0.0.0/8           drop
0.0.0.0/32          receive
10.136.191.0/24     192.168.23.150       GigabitEthernet0/0/0.100
10.220.80.32/28     attached             GigabitEthernet0/0.231
10.220.80.32/32     receive
10.220.80.33/32     10.220.80.33         GigabitEthernet0/0.231
10.220.80.45/32     receive
10.220.80.46/32     receive
10.220.80.47/32     receive
10.220.194.141/32   192.168.23.141 (?)   GigabitEthernet0/0/0.100
10.220.194.142/32   192.168.23.142 (?)   GigabitEthernet0/0/0.100
10.220.194.143/32   192.168.23.143 (?)   GigabitEthernet0/0/0.100
127.0.0.0/8         drop
192.168.23.128/25   attached             GigabitEthernet0/0/0.100
192.168.23.128/32   receive
192.168.23.129/32   receive
192.168.23.130/32   receive
192.168.23.131/32   receive
192.168.23.132/32   receive
192.168.23.133/32   receive
192.168.23.134/32   receive
192.168.23.135/32   receive
192.168.23.136/32   receive
192.168.23.137/32   receive
192.168.23.138/32   receive
192.168.23.139/32   receive
192.168.23.140/32   receive
192.168.23.141/32   receive
192.168.23.142/32   receive
192.168.23.143/32   receive
192.168.23.144/32   receive
192.168.23.150/32   receive
192.168.23.151/32   receive
192.168.23.152/32   receive
192.168.23.153/32   receive
192.168.23.154/32   receive
192.168.23.160/32   receive
192.168.23.161/32   receive
192.168.23.162/32   receive
192.168.23.163/32   receive
192.168.23.164/32   receive
192.168.23.250/32   receive
192.168.23.255/32   receive
224.0.0.0/4         drop
224.0.0.0/24        receive
240.0.0.0/4         drop
255.255.255.255/32  receive

SydPrimary01#sh ip cef vrf TEST 192.168.23.141 detail
192.168.23.141/32, version 50, epoch 0, receive

Cheers,
David

From zivl at gilat.net Thu Aug 6 03:27:19 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 6 Aug 2009 10:27:19 +0300
Subject: [c-nsp] Policing on a 3560
In-Reply-To: <4A789A5D.4040705@justinshore.com>
References: <4A789A5D.4040705@justinshore.com>
Message-ID:

I had the same problem when trying to police L2 traffic and I've been told to use the dscp default to match all traffic.
You don't need to qualify it, it is already default, so why set it again?
This is what you should try based on what I use and it works fine:

! Don't forget to set this globally
mls qos
class-map match-all ALL
 match ip dscp 0
!
policy-map Re-color-BE
 description Police to 10Mbps CIR - Re-color ALL to BE
 class ALL
  police 10000000 8000 exceed-action drop
! not sure the following line is required
!
set ip dscp default Hope this helps Ziv -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Tuesday, August 04, 2009 11:30 PM To: 'Cisco-nsp' Subject: [c-nsp] Policing on a 3560 I'm having a little trouble doing something that should be simple. I'm using a 3560 as a CPE to break up multiple services and bind them to unique switchports. I don't normally use 3560s for this. The port in question is for a 10Mbp PtP with no SLA across our backbone. What I currently have is apparently not doing anything and I fail to see the flaw in my logic: class-map match-all ALL ! ! policy-map Re-color-BE description Police to 10Mbps CIR - Re-color ALL to BE class ALL police 10000000 8000 exceed-action drop set ip dscp default This is my QoS trust boundary so I'm re-coloring to 0 and setting muy CIR to 10Mbps. The switch wouldn't let me define 'match any' in the class-map. I suspect that I'm not matching anything because of that. I want to match anything coming in that interface and police it to the CIR and drop everything else. I must be missing something but I'm not sure what it is. Is there something unique about this platform? The IOS is 12.2(50)SE1. Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ __________ Information from ESET NOD32 Antivirus, version of virus signature database 4310 (20090805) __________ The message was checked by ESET NOD32 Antivirus. 
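Returning to David Warner's 3800 HSRP/ARP question above: the following is an added example, written for this archive and not code from any of the posters, that parses IOS `show ip arp` output into records and groups them by MAC per interface, so that a table like the one posted can be checked mechanically instead of by eye. In IOS an age of "-" marks an address the router itself owns (a local entry) rather than one it learned from the wire, so the script reports local and learned entries separately; the same grouping applied to learned entries is the usual way to notice one host answering ARP for many addresses it does not own. The sample rows are constructed: a few are copied from the posted table, and the 192.168.23.200 / 0011.2233.4455 row is invented so that a learned entry appears alongside the local ones.

```python
import re
from collections import defaultdict

# Constructed sample input: a few rows copied from the "sh ip arp vrf TEST"
# table posted in the HSRP/ARP thread, plus one invented learned entry
# (192.168.23.200 / 0011.2233.4455) so that both kinds of entry appear.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.23.250          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  10.220.80.33          125   0000.5e00.0165  ARPA   GigabitEthernet0/0.231
Internet  10.220.80.46            -   0000.0c07.ac17  ARPA   GigabitEthernet0/0.231
Internet  192.168.23.142          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.141          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.129          -   0000.0c07.ac17  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.130          -   0023.0470.85c3  ARPA   GigabitEthernet0/0/0.100
Internet  192.168.23.200         12   0011.2233.4455  ARPA   GigabitEthernet0/0/0.100
"""

# One data row of IOS "show ip arp": protocol, address, age ("-" = local),
# MAC in dotted-quad-of-hex form, encapsulation type, interface.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)


def ip_key(ip):
    """Numeric sort key so 192.168.23.130 sorts before 192.168.23.141."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp(text):
    """Parse show ip arp output into dicts; age is None for local ("-") entries."""
    entries = []
    for raw in text.splitlines():
        m = ARP_ROW.match(raw.strip())
        if not m:  # header, blank line or anything else we do not understand
            continue
        age = None if m.group("age") == "-" else int(m.group("age"))
        entries.append({"ip": m.group("ip"), "age": age,
                        "mac": m.group("mac").lower(), "intf": m.group("intf")})
    return entries


def split_local_learned(entries):
    """Return (local, learned): addresses the router owns vs. ones it resolved."""
    local = sorted((e["ip"] for e in entries if e["age"] is None), key=ip_key)
    learned = sorted((e["ip"] for e in entries if e["age"] is not None), key=ip_key)
    return local, learned


def find_shared_macs(entries, threshold=3):
    """Map (mac, interface) -> sorted IPs for every MAC that answers for at least
    `threshold` addresses on one interface.  Many addresses on the router's own
    MAC is what NAT or HSRP produce; the same shape among *learned* entries is
    the classic sign of one host answering ARP for addresses it does not own."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[(e["mac"], e["intf"])].add(e["ip"])
    return {key: sorted(ips, key=ip_key)
            for key, ips in by_mac.items() if len(ips) >= threshold}


if __name__ == "__main__":
    rows = parse_arp(SAMPLE_ARP)
    local, learned = split_local_learned(rows)
    print(f"{len(rows)} entries: {len(local)} local, {len(learned)} learned")
    for (mac, intf), ips in find_shared_macs(rows).items():
        print(f"{mac} on {intf} answers for {len(ips)} addresses: {', '.join(ips)}")
```

Run as a script it prints the summary for the sample; for a real box, feed the captured `show ip arp` text to `parse_arp` instead. The threshold is a parameter on purpose: on a router doing NAT or HSRP a pile of local entries on its own MAC is expected, so the signal worth alerting on is a learned MAC crossing it, which the `age` field lets you separate.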


From peter at rathlev.dk Thu Aug 6 04:53:14 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Aug 2009 10:53:14 +0200
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To:
References: <1249422960.4165.33.camel@abehat.net.rm.dk>
Message-ID: <1249548794.4662.10.camel@abehat.net.rm.dk>

Thank you all for the pointers. Tcptrace does seem quite interesting, even though it doesn't seem to be actively maintained since 2004.

I had of course overlooked Arbor Peakflow SP, which seems very interesting. Would there happen to be anybody on this list using Peakflow for quality analysis? Any comments on how it does?

Regards,
Peter

On Wed, 2009-08-05 at 10:48 +0200, Andrew Yourtchenko wrote:
> Hi Peter,
>
> On Tue, 4 Aug 2009, Peter Rathlev wrote:
>
> > I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
> > this looks very promising, but it doesn't seem to be able to analyze the
> > different flows separately.
>
> Have you taken a look at http://jarok.cs.ohiou.edu/software/tcptrace/ ?
>
> It can handle multiple flows and outputs quite a lot of interesting
> aggregate data. Though, AFAIK it needs the pcap file (as opposed to
> reporting about the traffic realtime).
>
> cheers,
> andrew


From daniel at bit.nl Thu Aug 6 04:58:51 2009
From: daniel at bit.nl (Daniel Verlouw)
Date: Thu, 06 Aug 2009 10:58:51 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A7A0187.8070807@gmail.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com>
Message-ID: <1249549131.28552.14.camel@daniel.office.bit.nl>

On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
> The LSPs don't seem to get flooded, but the routes do get passed through Router
> A to all the stub routers, regardless of how I set up the mesh-groups.

Right. Mesh-groups block only LSPs; CSNPs would still be flooded.

> This is almost what I'm trying to do, there will be very few routes in IS-IS,
> but the decree from on high is that each stub router should be totally stubby =(

-why- !?

--Daniel.


From edlazerus20 at gmail.com Thu Aug 6 07:50:28 2009
From: edlazerus20 at gmail.com (Ed Lazerus)
Date: Thu, 6 Aug 2009 21:50:28 +1000
Subject: [c-nsp] Single LNS, two providers
Message-ID:

Hi,

We have an LNS (7200) configured for DSL from one provider. We wish to keep this provider; however, they only offer us DSL1, but we are negotiating with another wholesaler to supply us with ADSL2+ (only).

My question is how easy is it to have this single LNS server service all customers using two wholesalers?

Is it a matter of duplicating the following?

vpdn-group cca1
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip 10.255.255.2
 lcp renegotiation on-mismatch
 l2tp tunnel password XXXXXXX
 ip mtu adjust
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip tcp adjust-mss 1360
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication pap chap

/Ed/


From manafo at hotmail.com Thu Aug 6 08:13:33 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:13:33 +0300
Subject: [c-nsp] Deny Default Route Propagation
Message-ID:

hello,

In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area don't accept the default route from that router.

Thank you,
Manaf


From manafo at hotmail.com Thu Aug 6 08:28:35 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:28:35 +0300
Subject: [c-nsp] 3750 Suggestions?
In-Reply-To:
References:
Message-ID:

use the "desktop vlan" template

--------------------------------------------------
From: "Carl Jones"
Sent: Thursday, August 06, 2009 4:21 AM
To: "cisco-nsp"
Subject: [c-nsp] 3750 Suggestions?

> Hi all,
>
> I'm looking for something suitable to take the load from our 3750G
> stack. But I'm not quite sure what the best solution would be.
>
> Some details of the issues I'm seeing:
> https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html
>
> I anticipate the new setup will eventually need to handle roughly
> double the number of IPs and VLANs the stack is currently (not)
> handling, with 4 routed interfaces (2x GigE, 2x FE).
>
> A couple of suggestions I've had so far is a router to handle
> everything L3, and use the VLAN template on the 3750s. Or replace them
> with a 6500 series switch. Or use a 4948 for L3 and/or replacing the
> 3750s.
>
> Any suggestions appreciated.
>
> Regards,
> Carl


From manafo at hotmail.com Thu Aug 6 08:33:16 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 6 Aug 2009 15:33:16 +0300
Subject: [c-nsp] Single LNS, two providers
In-Reply-To:
References:
Message-ID:

why don't you configure another vpdn-group with another virtual-template interface? it should be working very well!

--------------------------------------------------
From: "Ed Lazerus"
Sent: Thursday, August 06, 2009 2:50 PM
To:
Subject: [c-nsp] Single LNS, two providers

> Hi,
>
> We have an LNS (7200) configured for DSL from one provider, we wish to keep
> this provider, however they only offer us DSL1, but we are negotiating with
> another wholesaler to supply us with ADSL2+ (only).
>
> My question is how easy is it to have this single LNS server to service all
> customers using two wholesalers
>
> Is it a matter of duplicating the following?
>
> vpdn-group cca1
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  source-ip 10.255.255.2
>  lcp renegotiation on-mismatch
>  l2tp tunnel password XXXXXXX
>  ip mtu adjust
> !
> interface Virtual-Template1
>  ip unnumbered Loopback0
>  ip tcp adjust-mss 1360
>  peer default ip address pool default
>  ppp mtu adaptive
>  ppp authentication pap chap
>
>
>
> /Ed/


From Bagosi.Romeo at iqsys.hu Thu Aug 6 08:01:02 2009
From: Bagosi.Romeo at iqsys.hu (Bagosi Rómeó)
Date: Thu, 6 Aug 2009 14:01:02 +0200
Subject: [c-nsp] Monitoring VPN User on ASA
In-Reply-To: <008901ca0fef$d599fe80$80cdfb80$@com>
References: <008901ca0fef$d599fe80$80cdfb80$@com>
Message-ID: <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.392.1.3.21.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true

Permission: not-accessible

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Narma Wahyuadi
Sent: Wednesday, July 29, 2009 3:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Monitoring VPN User on ASA

I want to monitor vpn users on my ASA by snmp. It can trap the vpn group but it cannot trap the username (no such object available). I use oid 1.3.6.1.4.1.9.9.392.1.3.21.1.1; can you help me solve this problem?

_____________________________________________________________________

Note: The information contained in this e-mail is intended only for the use of the individual or entity named above and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended party to receive the message and its attachment(s), you are hereby notified that any dissemination, distribution or copy of the message is strictly prohibited. Please immediately notify the sender and delete the message as soon as possible.
Thank you for kind attention.

Note: The information contained in this e-mail is intended only for the use of the individual or group named above and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the party intended to receive this message and its attachments, you are hereby notified that dissemination, distribution or copying of this message is strictly prohibited. Please notify the sender immediately and delete this message as soon as possible. Thank you for your attention.


From b.turnbow at twt.it Thu Aug 6 09:03:56 2009
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 6 Aug 2009 15:03:56 +0200
Subject: [c-nsp] 3750 Suggestions?
In-Reply-To:
References:
Message-ID:

It'll give far more mac space, but you'll have the same problem with routes. Vlan is basically a layer 2 only template, so all your ip routes will not be hardware forwarded. For this you'd need an external router. You could try and take a 3750 out of the stack and use it as the router; the default template gives 6k mac and 8k IP routes, but in your original post it shows over 6k arp entries, so it may make it better but is not a complete solution.

You mentioned also a 4948 or a 6500. I think the right choice depends on your current traffic requirements and expected growth in both traffic, ports and hosts, with the 6500 giving the maximum room for expansion.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah
Sent: Thursday, 6 August 2009 14.29
To: Carl Jones; cisco-nsp
Subject: Re: [c-nsp] 3750 Suggestions?

use the "desktop vlan" template

--------------------------------------------------
From: "Carl Jones"
Sent: Thursday, August 06, 2009 4:21 AM
To: "cisco-nsp"
Subject: [c-nsp] 3750 Suggestions?

> Hi all,
>
> I'm looking for something suitable to take the load from our 3750G
> stack. But I'm not quite sure what the best solution would be.
>
> Some details of the issues I'm seeing:
> https://puck.nether.net/pipermail/cisco-nsp/2009-August/062932.html
>
> I anticipate the new setup will eventually need to handle roughly
> double the number of IPs and VLANs the stack is currently (not)
> handling, with 4 routed interfaces (2x GigE, 2x FE).
>
> A couple of suggestions I've had so far is a router to handle
> everything L3, and use the VLAN template on the 3750s. Or replace them
> with a 6500 series switch. Or use a 4948 for L3 and/or replacing the
> 3750s.
>
> Any suggestions appreciated.
>
> Regards,
> Carl


From skoal at skoal.name Thu Aug 6 08:23:38 2009
From: skoal at skoal.name (Gergely Antal)
Date: Thu, 06 Aug 2009 14:23:38 +0200
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To:
References:
Message-ID: <4A7ACB4A.90805@skoal.name>

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

Manaf Al Oqlah wrote:
> hello,
>
> In OSPF, how can I filter the default route from being propagated out in the same area? I want to deny the external default route in outbound routes so other routers in the same area don't accept the default route from that router.
>
> Thank you,
> Manaf


From ariemer at wesenergy.com.au Thu Aug 6 09:27:03 2009
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 6 Aug 2009 21:27:03 +0800
Subject: [c-nsp] Monitoring VPN User on ASA
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>
References: <008901ca0fef$d599fe80$80cdfb80$@com> <085C022C25FF9C4EBCF76712A2588DCB035CB188@X-SPIRIT.integris.hu>
Message-ID:

I use a script that logs on to the ASA, runs a cmd and exports the result as a data source within cacti. It works quite well for overall avg statistics.

Sent from my iPod Touch.

On 06/08/2009, at 8:56 PM, Bagosi Rómeó wrote:

> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.392.1.3.21.1.1&translate=Translate&submitValue=SUBMIT&submitClicked=true
>
> Permission: not-accessible
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Narma Wahyuadi
> Sent: Wednesday, July 29, 2009 3:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Monitoring VPN User on ASA
>
> I want to monitor vpn users on my ASA by snmp. It can trap the vpn
> group but it cannot trap the username (no such object available). I use oid
> 1.3.6.1.4.1.9.9.392.1.3.21.1.1; can you help me solve this problem?

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


From moua0100 at umn.edu Thu Aug 6 09:39:39 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 06 Aug 2009 08:39:39 -0500
Subject: [c-nsp] tcam exhaustion for netflow & vacl capture for cat6500
In-Reply-To: <4A5BB029.7070702@umn.edu>
References: <98E30C61-3FE0-4FF6-8B1D-C11023E0F4C8@gmail.com> <4A5BB029.7070702@umn.edu>
Message-ID: <4A7ADD1B.5020509@umn.edu>

on 6500 with 3bxl sup720: will concurrent use of (> 10K) netflow exports & (> 10Gb/s) vacl capture exhaust tcam more quickly than each by itself?

how do I monitor this? how do I check status?

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services


From rodunn at cisco.com Thu Aug 6 09:43:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 09:43:54 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID: <4A7ADE1A.8060103@cisco.com>

I don't disagree. It was a good theory though.

Rodney

David Hughes wrote:
>
> Hi
>
> But seeing as the OP indicated that one of the circuits was 2GB
> *underutilised* you'd be looking for 3 src/dst pairs that were all doing
> 2GB to get this situation. It's looking pretty unlikely that this is a
> hashing issue.
>
>
> David
> ...
>
> On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:
>
>> Ah...good one. If the sources were not random enough and it's NAT'ed
>> to one external ip you could really be multiplexing flows with NAT. ;)
>>
>>
>>
>> Dean Smith wrote:
>>> Would agree that volume is rare between 2xIP addresses but we have
>>> something similar although on not quite the scale.
>>> We NAT a very large organisation to the Internet. They have a large
>>> number of disparate sites that all do their own AV updates. All the
>>> PCs download at the same time in the evening and we generate about
>>> .75 Gb/s of traffic between our external PAT address and the AV
>>> download site for a good couple of hours. If we had a bigger internet
>>> pipe it would be a higher figure. (for less time of course).
>>> Dean
>>> ----- Original Message ----- From: "Rodney Dunn"
>>> To: "Mikael Abrahamsson"
>>> Cc: "Cisco"
>>> Sent: Wednesday, August 05, 2009 2:19 PM
>>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>>> For small flow combinations you are right. btw, it would be just L3
>>>> src/dst flows by default unless the L4 port option is enabled.
>>>>
>>>> I thought about there being a single flow causing the difference
>>>> that would be hashing down one of the paths. But 2G, while not
>>>> impossible, typically isn't used between two ip addresses. It's
>>>> something to check though for sure.
>>>>
>>>> Rodney
>>>>
>>>>
>>>>
>>>> Mikael Abrahamsson wrote:
>>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>>
>>>>>> That's usually caused by routes not being the same on the paths.
>>>>>
>>>>> It was my understanding that this usually was caused by not having
>>>>> enough L4 flows to loadshare on...? Ie if you have 100 TCP flows
>>>>> and 4 paths, then it's not enough flows to get good load share on,
>>>>> but if you instead have 10k flows and all of them are low-speed,
>>>>> then the odds of them being equally load shared is much better?
>>>>>
>>>>
>>>> __________ NOD32 4306 (20090804) Information __________
>>>>
>>>> This message was checked by NOD32 antivirus system.
>>>> http://www.eset.com
>>>>
>>>>
>>


From rodunn at cisco.com Thu Aug 6 09:46:53 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 09:46:53 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <012a01ca1533$f5b55ea0$e1201be0$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com>
Message-ID: <4A7ADECD.3010704@cisco.com>

sh contr cbus | incl 1/0:14|1/0:15

Todd wrote:
> Currently running Version 12.4(23). I may upgrade to (25) to see if that
> helps at all.
>
> VIP Console:
> VIP-Slot5>sh ppp multilink
> dmlp_ipc_config_count 210
> dmlp_bundle_count 4
>
> Bundle Multilink75, 2 members
> bundle 0x61B1C3A0, frag_mode 0
> tag vectors 0x6053A4A0 0x60514CBC
> Bundle hwidb vector 0x605AA624
> idb Multilink75, vc 14, RSP vc 15
> QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
> board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
> max_particles 400, mrru 1500, seq_window_size 0x8000
> working_pak 0x0, working_pak_cache 0x0
> una_frag_list 0x0, una_frag_end 0x0, null_link 0
> rcved_end_bit 1, is_lost_frag 0, resync_count 0
> timeout 0, timer_start 0, timer_running 0, timer_count 0
> next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
> dmlp_orig_pak_to_host 0x60425D00
> dmlp_orig_fastsend 0x60397B18
> bundle_idb->lc_ip_turbo_fs 0x60503E70
> bundle_idb->lc_ip_mdfs 0x604251B4
> 0 lost fragments, 0 reordered, 0 unassigned
> 0 discarded, 0 lost received
> 0x2AE received sequence, 0x319 sent sequence
> Member Link: 2 active
> Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
> Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
> Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8
>
>
> RSP:
> Multilink75, bundle name is group75
> Endpoint discriminator is group75
> Bundle up for 00:19:29, total bandwidth 3080, load 1/255
> Receive buffer limit 24000 bytes, frag timeout 1000 ms
> Bundle is Distributed
> 0/0 fragments/bytes in reassembly list
> 0 lost fragments, 0 reordered
> 0/0 discarded fragments/bytes, 0 lost received
> 0x2B3 received sequence, 0x319 sent sequence
> Member links: 2 active, 0 inactive (max not set, min not set)
> Se5/1/0/15:0, since 00:12:53
> Se5/1/0/16:0, since 00:02:15
>
>
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:43 PM
> To: Todd
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> It does. I've seen it before years ago.
>
> get 'sh ppp multilink' from the RSP and VIP console (if-con slot)
> and sh contr cbus.
>
> Make sure you are in dCEF mode, all links are on the same PA, and on
> later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.
>
> We had bugs in how we manage the member links of the bundle.
>
> Rodney
>
>
>
> Todd wrote:
>> When it happens, I can ping the remote end from the 7513, but nothing
>> outside of the 7513.
>>
>> For Example....
>>
>> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>>
>> 1 multilink T1 bounces.
>>
>> After the T1 comes up, the multilink interface and both T1's show as up/up
>> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
>> to/from SERVER to END USER.
>>
>> Hope that makes sense.
>>
>> -----Original Message-----
>> From: Rodney Dunn [mailto:rodunn at cisco.com]
>> Sent: Tuesday, August 04, 2009 1:24 PM
>> To: Todd Shipway
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] 7513 multilink interface issue
>>
>> That should never happen and is possibly a bug.
>>
>> Can you ping directly over the bundle to the ip address on the other
>> side when it's broke? If not, go to the latest code and see if it's
>> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
>> ip packet, etc...
>>
>> Rodney
>>
>>
>>
>> Todd Shipway wrote:
>>> We have several customers set up with T1's multilinked. We are running into
>>> a problem with a single multilink member bouncing causing routing issues.
>>> When a single T1 member of a multilink group bounces, traffic to the overall
>>> multilink interface stops and we have to manually shut and no shut the
>>> multilink interface to get traffic flowing again.
>>>
>>> Has anyone seen this before and if so, know what the issue may be?


From ayourtch at cisco.com Thu Aug 6 10:01:02 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Thu, 6 Aug 2009 16:01:02 +0200 (CEST)
Subject: [c-nsp] OT: Sniffing TCP connection quality
In-Reply-To: <1249548794.4662.10.camel@abehat.net.rm.dk>
References: <1249422960.4165.33.camel@abehat.net.rm.dk> <1249548794.4662.10.camel@abehat.net.rm.dk>
Message-ID:

Peter,

(not to hijack the thread, just to comment on tcptrace)

On Thu, 6 Aug 2009, Peter Rathlev wrote:

> Thank you all for the pointers. Tcptrace does seem quite interesting,
> even though it doesn't seem to be actively maintained since 2004.

At the IETF in Stockholm I had a chat with one of the maintainers - basically they haven't seen any bug reports, hence no new releases. Might be understandable since TCP has not majorly changed lately. Of course, there could still be bugs, so if you notice something, let them know.

cheers,
andrew


From Grzegorz at Janoszka.pl Thu Aug 6 10:03:40 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Thu, 06 Aug 2009 16:03:40 +0200
Subject: [c-nsp] Freezing counters at 6500
In-Reply-To: <4A7067C3.7090200@kl.net>
References: <4A6F6A2D.40101@Janoszka.pl> <4A7067C3.7090200@kl.net>
Message-ID: <4A7AE2BC.80506@Janoszka.pl>

Kevin Loch wrote:
> Try adjusting 'service counters max age' to zero if you haven't already.
> As others have pointed out a delay of 3-4 minutes is not normal
> What does your SP (not RP) cpu usage look like? Try disabling netflow
> if your SP cpu usage is maxing out.

Are there any snmp oids we can use to have access to the real counters, not the 'soft' ones?

-- 
Grzegorz Janoszka


From nsp at myzionetworks.com Thu Aug 6 11:09:59 2009
From: nsp at myzionetworks.com (Todd)
Date: Thu, 6 Aug 2009 11:09:59 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <4A7ADECD.3010704@cisco.com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com> <4A7ADECD.3010704@cisco.com>
Message-ID: <000001ca16a7$fa106b50$ee3141f0$@com>

No output from the command.

summit#sh contr cbus | incl 1/0:14|1/0:15
summit#

I also upgraded to 12.4(25) last night and no change in the issue. The same issue still remains.

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Thursday, August 06, 2009 9:47 AM
To: Todd
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7513 multilink interface issue

sh contr cbus | incl 1/0:14|1/0:15

Todd wrote:
> Currently running Version 12.4(23). I may upgrade to (25) to see if that
> helps at all.
>
> VIP Console:
> VIP-Slot5>sh ppp multilink
> dmlp_ipc_config_count 210
> dmlp_bundle_count 4
>
> Bundle Multilink75, 2 members
> bundle 0x61B1C3A0, frag_mode 0
> tag vectors 0x6053A4A0 0x60514CBC
> Bundle hwidb vector 0x605AA624
> idb Multilink75, vc 14, RSP vc 15
> QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
> board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
> max_particles 400, mrru 1500, seq_window_size 0x8000
> working_pak 0x0, working_pak_cache 0x0
> una_frag_list 0x0, una_frag_end 0x0, null_link 0
> rcved_end_bit 1, is_lost_frag 0, resync_count 0
> timeout 0, timer_start 0, timer_running 0, timer_count 0
> next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
> dmlp_orig_pak_to_host 0x60425D00
> dmlp_orig_fastsend 0x60397B18
> bundle_idb->lc_ip_turbo_fs 0x60503E70
> bundle_idb->lc_ip_mdfs 0x604251B4
> 0 lost fragments, 0 reordered, 0 unassigned
> 0 discarded, 0 lost received
> 0x2AE received sequence, 0x319 sent sequence
> Member Link: 2 active
> Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high 143
> Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CD20, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
> Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
> 0x605A8FF4, OOF 0
> Pascb 0x61A8CE60, tx_polling_high_default 0, tx_polling_high
> 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8
>
>
> RSP:
> Multilink75, bundle name is group75
> Endpoint discriminator is group75
> Bundle up for 00:19:29, total bandwidth 3080, load 1/255
> Receive buffer limit 24000 bytes, frag timeout 1000 ms
> Bundle is Distributed
> 0/0 fragments/bytes in reassembly list
> 0 lost fragments, 0 reordered
> 0/0 discarded fragments/bytes, 0 lost received
> 0x2B3 received sequence, 0x319 sent sequence
> Member links: 2 active, 0 inactive (max not set, min not set)
> Se5/1/0/15:0, since 00:12:53
> Se5/1/0/16:0, since 00:02:15
>
>
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Tuesday, August 04, 2009 1:43 PM
> To: Todd
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> It does. I've seen it before years ago.
>
> get 'sh ppp multilink' from the RSP and VIP console (if-con slot)
> and sh contr cbus.
>
> Make sure you are in dCEF mode, all links are on the same PA, and on
> later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.
>
> We had bugs in how we manage the member links of the bundle.
>
> Rodney
>
>
>
> Todd wrote:
>> When it happens, I can ping the remote end from the 7513, but nothing
>> outside of the 7513.
>>
>> For Example....
>>
>> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>>
>> 1 multilink T1 bounces.
>>
>> After the T1 comes up, the multilink interface and both T1's show as up/up
>> and 7513 can ping END USER, but END USER can't ping 7513 and no connection
>> to/from SERVER to END USER.
>>
>> Hope that makes sense.
>>
>> -----Original Message-----
>> From: Rodney Dunn [mailto:rodunn at cisco.com]
>> Sent: Tuesday, August 04, 2009 1:24 PM
>> To: Todd Shipway
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] 7513 multilink interface issue
>>
>> That should never happen and is possibly a bug.
>>
>> Can you ping directly over the bundle to the ip address on the other
>> side when it's broke? If not, go to the latest code and see if it's
>> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
>> ip packet, etc...
>>
>> Rodney
>>
>>
>>
>> Todd Shipway wrote:
>>> We have several customers setup with T1's multilinked. We are running
>> into
>>> a problem with a single multilink member bouncing causing routing issues.
>>> When a single T1 member of a multilink group bounces, traffic to the
>> overall
>>> multilink interface stops and we have to manually shut and no shut the
>>> multilink interface to get traffic flowing again.
>>>
>>> Has anyone seen this before and if so, know what the issue may be?

From bgoulet at harris.com Thu Aug 6 11:37:05 2009
From: bgoulet at harris.com (Goulet, Brian)
Date: Thu, 6 Aug 2009 10:37:05 -0500
Subject: [c-nsp] Counters for null0?
In-Reply-To:
References:
Message-ID: <86E53CC251ECC1469D0ED710E68DC278017F809C@mspe2k1.cs.myharris.net>

>BGP shows up on our 7200s as "Local" (addresses changed):
>
>Cisco-7200>sh ip cache flow | inc 00B3
>Gi0/3.123 100.100.10.219 Local 100.100.10.200 06 8355 00B3 65
>
>EIGRP is "Null", though:
>
>Cisco-7200>sh ip cache flow | inc 224.0
>Gi0/1.11 100.100.10.111 Null 224.0.0.10 58 0000 0000 47
>
>gert

Due to the difference between unicast and multicast I presume?

Brian

From ip at ioshints.info Thu Aug 6 12:00:54 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 6 Aug 2009 18:00:54 +0200
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <4A7ACB4A.90805@skoal.name>
References: <4A7ACB4A.90805@skoal.name>
Message-ID: <005d01ca16af$14f26c00$0a00000a@nil.si>

Just make sure you configure the "distribute-list in" on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Gergely Antal [mailto:skoal at skoal.name]
> Sent: Thursday, August 06, 2009 2:24 PM
> To: Manaf Al Oqlah
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Deny Default Route Propagation
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
>
> Manaf Al Oqlah wrote:
> > hello,
> >
> > In OSPF, how can I filter the default route from being
> propagated out in the same area? I want to deny the external
> default route in outbound routes so other routers in the same
> area don't accept the default route from that router.
> >
> > Thank you,
> > Manaf
> >
>

From jbest at zyedge.com Thu Aug 6 12:12:57 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Thu, 6 Aug 2009 12:12:57 -0400
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <005d01ca16af$14f26c00$0a00000a@nil.si>
References: <4A7ACB4A.90805@skoal.name> <005d01ca16af$14f26c00$0a00000a@nil.si>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>

Can't you do a "distribute-list out" on the ABR/ASBR whichever the router is?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Thursday, August 06, 2009 12:01 PM
To: skoal at skoal.name; 'Manaf Al Oqlah'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Deny Default Route Propagation

Just make sure you configure the "distribute-list in" on ALL OTHER routers in the area, otherwise you'll get some hard-to-troubleshoot loops or blackholes.
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Gergely Antal [mailto:skoal at skoal.name]
> Sent: Thursday, August 06, 2009 2:24 PM
> To: Manaf Al Oqlah
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Deny Default Route Propagation
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
>
> Manaf Al Oqlah wrote:
> > hello,
> >
> > In OSPF, how can I filter the default route from being
> propagated out in the same area? I want to deny the external
> default route in outbound routes so other routers in the same
> area don't accept the default route from that router.
> >
> > Thank you,
> > Manaf
> >
>

From lists at nexus6.co.za Thu Aug 6 12:20:46 2009
From: lists at nexus6.co.za (Andy Ashley)
Date: Thu, 06 Aug 2009 18:20:46 +0200
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
Message-ID: <4A7B02DE.6040601@nexus6.co.za>

Hi,

We are trying to upgrade IOS on a Cisco 7206VXR (NPE-G1) processor (revision B) with 983040K/65536K bytes of memory.

Currently running Version 12.3(13a), RELEASE SOFTWARE (fc2) but we need L2TPv3 functionality to configure xconnects using a pw-class statement.
We tried running Version 12.2(33)SRC4, RELEASE SOFTWARE (fc2) but the router was unstable.
Our peering sessions would come up and die after about a minute, the logs had lots of these entries:

%BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.X IPv4 Unicast topology base removed from session  BGP Notification sent

I noticed that the BGP sessions had high InQ and OutQ values of 300+ where they usually sit at 0 and router was generally not very responsive on the command line.
Also our RADIUS authentication was not working for some reason.

Is this just incompatibility or unstable code?
Can anyone recommend an image version for this hardware platform that has this feature set and is known to be stable in your environment?

Thanks.

Andy.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rodunn at cisco.com Thu Aug 6 12:23:58 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 06 Aug 2009 12:23:58 -0400
Subject: [c-nsp] 7513 multilink interface issue
In-Reply-To: <000001ca16a7$fa106b50$ee3141f0$@com>
References: <6dde6e570908040822h739561e0s6baba249c67b3028@mail.gmail.com> <4A786EC8.2070606@cisco.com> <000001ca152a$18a8b600$49fa2200$@com> <4A78731C.7070004@cisco.com> <012a01ca1533$f5b55ea0$e1201be0$@com> <4A7ADECD.3010704@cisco.com> <000001ca16a7$fa106b50$ee3141f0$@com>
Message-ID: <4A7B039E.5060504@cisco.com>

Can you get me remote access to it to look?

You can use the ip of: 64.100.21.4 if you want to punch a hole for me.

Just get "sh contr cbus". The | probably didn't match the exact interface number correctly.

Todd wrote:
> No output from the command.
>
> summit#sh contr cbus | incl 1/0:14|1/0:15
> summit#
>
> I also upgraded to 12.4(25) last night and no change in the issue. The same
> issue still remains.
>
> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Thursday, August 06, 2009 9:47 AM
> To: Todd
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7513 multilink interface issue
>
> sh contr cbus | incl 1/0:14|1/0:15
>
> Todd wrote:
>> Currently running Version 12.4(23). I may upgrade to (25) to see if that
>> helps at all.
>>
>> VIP Console:
>> VIP-Slot5>sh ppp multilink
>> dmlp_ipc_config_count 210
>> dmlp_bundle_count 4
>>
>> Bundle Multilink75, 2 members
>> bundle 0x61B1C3A0, frag_mode 0
>> tag vectors 0x6053A4A0 0x60514CBC
>> Bundle hwidb vector 0x605AA624
>> idb Multilink75, vc 14, RSP vc 15
>> QoS disabled, fastsend (qos_fastsend 0x605AA624), visible_bandwidth 1540
>> board_encap 0x605A61A4, hw_if_index 0, pak_to_host 0x0
>> max_particles 400, mrru 1500, seq_window_size 0x8000
>> working_pak 0x0, working_pak_cache 0x0
>> una_frag_list 0x0, una_frag_end 0x0, null_link 0
>> rcved_end_bit 1, is_lost_frag 0, resync_count 0
>> timeout 0, timer_start 0, timer_running 0, timer_count 0
>> next_xmit_link Serial1/0:15, member 0x3, congestion 0x3
>> dmlp_orig_pak_to_host 0x60425D00
>> dmlp_orig_fastsend 0x60397B18
>> bundle_idb->lc_ip_turbo_fs 0x60503E70
>> bundle_idb->lc_ip_mdfs 0x604251B4
>> 0 lost fragments, 0 reordered, 0 unassigned
>> 0 discarded, 0 lost received
>> 0x2AE received sequence, 0x319 sent sequence
>> Member Link: 2 active
>> Pascb for Bundle 0x61A8CD20, tx_polling_high_default 0, tx_polling_high
> 143
>> Serial1/0:14, id 0x2, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
>> 0x605A8FF4, OOF 0
>> Pascb 0x61A8CD20, tx_polling_high_default 0,
> tx_polling_high
>> 143, poll_default_addr 0x61A8CD7C, poll_addr 0x61A8CD68
>> Serial1/0:15, id 0x1, fastsend 0x605A88B4, lc_turbo 0x605A97BC, PTH
>> 0x605A8FF4, OOF 0
>> Pascb 0x61A8CE60, tx_polling_high_default 0,
> tx_polling_high
>> 143, poll_default_addr 0x61A8CEBC, poll_addr 0x61A8CEA8
>>
>>
>> RSP:
>> Multilink75, bundle name is group75
>> Endpoint discriminator is group75
>> Bundle up for 00:19:29, total bandwidth 3080, load 1/255
>> Receive buffer limit 24000 bytes, frag timeout 1000 ms
>> Bundle is Distributed
>> 0/0 fragments/bytes in reassembly list
>> 0 lost fragments, 0 reordered
>> 0/0 discarded fragments/bytes, 0 lost received
>> 0x2B3 received sequence, 0x319 sent sequence
>> Member links: 2 active, 0 inactive (max not set, min not set)
>> Se5/1/0/15:0, since 00:12:53
>> Se5/1/0/16:0, since 00:02:15
>>
>>
>>
>> -----Original Message-----
>> From: Rodney Dunn [mailto:rodunn at cisco.com]
>> Sent: Tuesday, August 04, 2009 1:43 PM
>> To: Todd
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] 7513 multilink interface issue
>>
>> It does. I've seen it before years ago.
>>
>> get 'sh ppp multilink' from the RSP and VIP console (if-con slot)
>> and sh contr cbus.
>>
>> Make sure you are in dCEF mode, all links are on the same PA, and on
>> later(est) 12.4 mainline (12.4(25) or 12.0(32)S(latest)) on Cisco.com.
>>
>> We had bugs in how we manage the member links of the bundle.
>>
>> Rodney
>>
>>
>>
>> Todd wrote:
>>> When it happens, I can ping the remote end from the 7513, but nothing
>>> outside of the 7513.
>>>
>>> For Example....
>>>
>>> SERVER --ethernet--- 7513 ---multilink (2 T1's)--- END USER
>>>
>>> 1 multilink T1 bounces.
>>>
>>> After the T1 comes up, the multilink interface and both T1's show as
> up/up
>>> and 7513 can ping END USER, but END USER can't ping 7513 and no
> connection
>>> to/from SERVER to END USER.
>>>
>>> Hope that makes sense.
>>>
>>> -----Original Message-----
>>> From: Rodney Dunn [mailto:rodunn at cisco.com]
>>> Sent: Tuesday, August 04, 2009 1:24 PM
>>> To: Todd Shipway
>>> Cc: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] 7513 multilink interface issue
>>>
>>> That should never happen and is possibly a bug.
>>>
>>> Can you ping directly over the bundle to the ip address on the other
>>> side when it's broke? If not, go to the latest code and see if it's
>>> fixed...or do some debugging: 'sh ip cef for other side of bundle, debug
>>> ip packet, etc...
>>>
>>> Rodney
>>>
>>>
>>>
>>> Todd Shipway wrote:
>>>> We have several customers setup with T1's multilinked. We are running
>>> into
>>>> a problem with a single multilink member bouncing causing routing
> issues.
>>>> When a single T1 member of a multilink group bounces, traffic to the
>>> overall
>>>> multilink interface stops and we have to manually shut and no shut the
>>>> multilink interface to get traffic flowing again.
>>>>
>>>> Has anyone seen this before and if so, know what the issue may be?

From walter.keen at RainierConnect.net Thu Aug 6 12:51:59 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 06 Aug 2009 09:51:59 -0700
Subject: [c-nsp] soft-disco/redirection
Message-ID: <4A7B0A2F.4060104@rainierconnect.net>

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing.

Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.

Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

-- 
Walter Keen
Network Technician
Rainier Connect

From domintefamily at yahoo.co.uk Thu Aug 6 11:59:47 2009
From: domintefamily at yahoo.co.uk (C and C Dominte)
Date: Thu, 6 Aug 2009 15:59:47 +0000 (GMT)
Subject: [c-nsp] VSS 1440 issues
In-Reply-To:
Message-ID: <569473.50338.qm@web27907.mail.ukl.yahoo.com>

Hi,
Thank you for your advice, however, increasing the timers did not work.

I powered down the active linecards from switch 2 yesterday to see if it stopped the unicast flood, which it did.

Today I increased the mac address synchronisation activity time to 640 and the mac address aging time to 1920 (3x640) as below:

-----------------------------------------------------------

    Module Status:
Statistics collected from Switch/Module             :  1/1
Number of L2 asics in this module                   :  1

    Global Status:
Status of feature enabled on the switch             :  on
Default activity time                               :  160
Configured current activity time                    :  640

------------------------------------------------------------

Module Status:
Statistics collected from Switch/Module             :  2/1
Number of L2 asics in this module                   :  1

    Global Status:
Status of feature enabled on the switch             :  on
Default activity time                               :  160
Configured current activity time                    :  640

------------------------------------------------------------

#sh mac-addr aging-time
Vlan    Aging Time
----    ----------
Global  1920
no vlan age other than global age configured

------------------------------------------------------------

Once this was done, I re-enabled one of the linecards on switch 2, and the same thing happens. The network is flooded with loads of unicast traffic, on all the trunk ports on switch 2.

Is there any other reason that this unicast flood is being caused?

Catalin

--- On Wed, 5/8/09, Eric Cables wrote:

From: Eric Cables
Subject: Re: [c-nsp] VSS 1440 issues
To: "Matthew Huff"
Cc: "C and C Dominte" , "cisco-nsp at puck.nether.net"
Date: Wednesday, 5 August, 2009, 9:06 PM

Take a look at this..
http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml#oob_mac

Cisco also recommends that once you enable OOB Synchronization, that the MAC aging timer be set to at least 3x the synchronization timer of 160:

"Configure the MAC aging timer to three times the MAC synchronization timer value. The default MAC synchronization and MAC aging timers can cause unknown unicast flooding. VSS can cause traffic to flow asymmetrically such that the source MAC address is only learned on one chassis. The MAC aging timer of 300 seconds and MAC synchronization timer of 160 seconds allows for up to 20 seconds of unknown unicast flooding for any given MAC address in a 320 second interval. In order to resolve this, change the timers such that the aging timer is three times as long as synchronization timer, for example, mac-address-table aging-time 480 ."

-- 
Eric Cables

On Wed, Aug 5, 2009 at 6:32 AM, Matthew Huff wrote:

I would suspect it's a timeout issue caused by it aging out of the arp cache and not the tcam table. Try adding "mac-address-table aging-time 14400" to the config. This usually happens when running HSRP/GLBP or other first-hop redundancy (VSS) where the return path may be asymmetrical.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of C and C Dominte
> Sent: Wednesday, August 05, 2009 7:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VSS 1440 issues
>
> Hi,
>
> I recently clustered 2 Catalysts 6509's into a VSS 1440 Virtual switch.
>
> Details about the cluster:
>
> - Software version:
> s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
>
> - Supervisor:
> VS-S720-10G with one 10G port used as VSL link
>
> - Linecards Active chassis:
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     4 x WS-X6748-GE-TX
>
> - Linecards Standby chassis
>     1 x WS-X6708-10GE with one 10G used for the VSL link for redundancy
>     2 x WS-X6748-GE-TX
>
> The 6748 line cards are used and configured for MEC Etherchannels.
>
> At the other end of the MEC channels there are non-Cisco edge switches. The multi chassis Ether Channels are configured as 2 x 1G links, and single switchport trunks are configured as 1 x 1G links. All vlans are allowed on the single switchport trunks and port channels from VSS Cluster to the edge switches.
>
> The issue is that unicast traffic is flooded by the VSS Cluster across all trunks. The flooded traffic generated by the VSS cluster is between 600mbps and 1gbps, and almost all of the flooded traffic is unicast and has the source MAC address of the VSS Cluster. However, if the trunk is a MEC, the unicast traffic is flooded only on one switchport. All of the flooded ports in MECs are on switch 2 in the VSS cluster. The only ports flooded in switch 1 are the ones that have a single trunk instead of MEC.
>
> We tried to investigate this on a low importance link. The VSS cluster learned only 10 MAC addresses on one edge trunk configured as 1 x 1G link. This edge trunk received the flood of unicast traffic from the VSS cluster as well. During testing, this trunk was modified manually on the VSS Cluster, to allow only 4 VLANS instead of all. Allowing only 4 vlans on this trunk stopped the flood on the edge trunk and stopped the flood on all other trunks as well.
>
> Does anyone have any idea about what can cause this?
>
> Thanks
>
> Catalin
>

From ip at ioshints.info Thu Aug 6 13:40:08 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 6 Aug 2009 19:40:08 +0200
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>
References: <4A7ACB4A.90805@skoal.name> <005d01ca16af$14f26c00$0a00000a@nil.si> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2D94@zy-ex1.zyedge.local>
Message-ID: <006801ca16bc$f1b45330$0a00000a@nil.si>

No, you cannot control the LSA flooding (apart from blocking the flooding over a particular interface). All LSAs still get to all the routers (this is what you've asked for: OSPF is a link-state protocol :), but you can control which of the best OSPF routes get inserted in the IP routing table with the "distribute-list in".

Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Jeremiah Best [mailto:jbest at zyedge.com]
> Sent: Thursday, August 06, 2009 6:13 PM
> To: Ivan Pepelnjak; skoal at skoal.name; 'Manaf Al Oqlah'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Deny Default Route Propagation
>
> Can't you do a "distribute-list out" on the ABR/ASBR
> whichever the router is?
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
> Sent: Thursday, August 06, 2009 12:01 PM
> To: skoal at skoal.name; 'Manaf Al Oqlah'
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Deny Default Route Propagation
>
> Just make sure you configure the "distribute-list in" on ALL
> OTHER routers in the area, otherwise you'll get some
> hard-to-troubleshoot loops or blackholes.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> > -----Original Message-----
> > From: Gergely Antal [mailto:skoal at skoal.name]
> > Sent: Thursday, August 06, 2009 2:24 PM
> > To: Manaf Al Oqlah
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Deny Default Route Propagation
> >
> > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
> >
> > Manaf Al Oqlah wrote:
> > > hello,
> > >
> > > In OSPF, how can I filter the default route from being
> > propagated out in the same area? I want to deny the
> external default
> > route in outbound routes so other routers in the same area don't
> > accept the default route from that router.
> > >
> > > Thank you,
> > > Manaf
> >
> >
>

From jared.a.gillis at gmail.com Thu Aug 6 14:47:39 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 06 Aug 2009 11:47:39 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <1249549131.28552.14.camel@daniel.office.bit.nl>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl>
Message-ID: <4A7B254B.8040607@gmail.com>

Daniel Verlouw wrote:
> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
>> The LSPs don't seem to get flooded, but the routes do get passed through Router
>> A to all the stub routers, regardless of how I set up the mesh-groups.
>
> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>
>> This is almost what I'm trying to do, there will be very few routes in IS-IS,
>> but the decree from on high is that each stub router should be totally stubby =(

Mostly due to longevity, planning for the worst case of high growth, IPv6 deployment, etc that will make each route in our routers very costly over time. Also, given our topology, there's no reason for the stub routers to learn anything but default.

It's looking like we might have to run OSPF on this, but we'd really rather stick with IS-IS. It seems that OSPF's ability to put individual interfaces into different areas might be the required feature that forces us that way.
That is, unless anyone knows a way to put an IS-IS router into different areas aside from assigning multiple NET addresses...

> -why- !?
>
> --Daniel.
>

From oliver.gorwits at oucs.ox.ac.uk Thu Aug 6 14:54:04 2009
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 06 Aug 2009 19:54:04 +0100
Subject: [c-nsp] Free NMS Tools
In-Reply-To: <20090717070140.GA22208@mx.ytti.net>
References: <4f890e580907030600y3f8e6c15qfa6c4b4db539fec@mail.gmail.com> <20090717070140.GA22208@mx.ytti.net>
Message-ID: <4A7B26CC.70800@oucs.ox.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Sorry for the late follow-up on this,

Saku Ytti wrote:
> Other thing that annoys me is how SNMP pollers are implemented,
> they're blocking, giving sucky performance on misbehaving or down
> nodes.

Oh I agree, most of the free NMS systems out there do a fairly poor job of efficiently polling devices. So we put some development time in, and what we came up with is not really cutting edge, but explores a few novel ideas:

http://search.cpan.org/perldoc?YATG
http://search.cpan.org/perldoc?YATG::Tutorial

Simply, it's an SNMP poller daemon which polls devices in parallel at some time interval, for OIDs specified in config. We then take that data and put it into a Memcached server, from where other services can read.

The nice thing there is that we only poll devices once (it being CPU intensive) but many client systems can check the retrieved data (e.g. tools for end users, tools for helpdesk, Nagios, etc).

We actually have a Nagios plugin which reads the Memcached store for the ports and errors state for each device. Well, it's Nagios within Opsview - a much better piece of software which I highly recommend: http://www.opsview.org/

The traffic counter data is also stored to flat file, from which we draw graphs in some tools such as Netdisco. I dislike RRD because of the (potential) loss of resolution in the long term, and the binary format.
We have tuned text file storage to be quite efficient and it works very well (better than RRD, and databases/SQL which we also tested).

http://netdisco.org/

Most of the above (YATG) is a 1st gen. effort, and we'd rewrite it given a chance, but it works very well and has proved the concepts.

HTH,

- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFKeybM2NPq7pwWBt4RAtTfAKC45gktQF9k9rlgX/4NqJbFaSaTwACgkraX
TwJ7/c3xgMxxpR9QLz3a34M=
=MAK7
-----END PGP SIGNATURE-----

From jared.a.gillis at gmail.com Thu Aug 6 15:09:54 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Thu, 06 Aug 2009 12:09:54 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <1249549131.28552.14.camel@daniel.office.bit.nl>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl>
Message-ID: <4A7B2A82.7020105@gmail.com>

Here's a thought:

If I change Router A to L2 and Routers B and C to L2/L1, I can put B and C in different areas, but because they are L2/L1, they learn all the routes to all the areas, just as L2 routes instead of L1 routes. This gets me each stub router and everything behind it into different areas, but doesn't solve the problem of needing local-only routes plus default on B and C...

Daniel Verlouw wrote:
> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>> Hm, interesting though. Unfortunately, it doesn't seem to pan out in the lab.
>> The LSPs don't seem to get flooded, but the routes do get passed through Router
>> A to all the stub routers, regardless of how I set up the mesh-groups.
>
> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>
>> This is almost what I'm trying to do, there will be very few routes in IS-IS,
>> but the decree from on high is that each stub router should be totally stubby =(
>
> -why- !?
>
> --Daniel.
>

From gert at greenie.muc.de Thu Aug 6 16:08:26 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 6 Aug 2009 22:08:26 +0200
Subject: [c-nsp] Single LNS, two providers
In-Reply-To:
References:
Message-ID: <20090806200826.GQ290@greenie.muc.de>

Hi,

On Thu, Aug 06, 2009 at 09:50:28PM +1000, Ed Lazerus wrote:
> Is it a matter of duplicating the following?

Basically, yes. Add a new vpdn-group, and (optionally) a new virtual-template.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From Jeff.Wojciechowski at midlandpaper.com Thu Aug 6 16:50:59 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Thu, 6 Aug 2009 15:50:59 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>

Hi All:

Anyone using IPSLAs with OpenNMS or any other favorite tool?

I just set up a small test network and am thinking about adding this to a couple of our WAN routers closest to our PBXs and setting up remote switches that VoIP phones are on to monitor jitter, etc of our VoIP traffic.

Any thoughts on:

1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

2) Any gotchas that I need to look out for?
(False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate monitor to the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

5) Suggested intervals, packet sizes, anything else of each test?

Thanks all,

Jeff

From td_miles at yahoo.com Thu Aug 6 17:55:17 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 6 Aug 2009 14:55:17 -0700 (PDT)
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
In-Reply-To: <4A7B02DE.6040601@nexus6.co.za>
Message-ID: <581927.18016.qm@web110103.mail.gq1.yahoo.com>

Hi Andy,

We're using 12.2(33)SRD1 and recently before that SRC3 on 7204 LNS routers without any issues. We don't have any eBGP on these devices, but iBGP works fine with about 9 peers on each router carrying internal MP-BGP routes. These routers also authenticate PPP sessions via RADIUS and that continues to function fine through the upgrade from SRC3 to SRD1 without problems.

Perhaps you need to turn on some BGP & RADIUS debug and work out what is going wrong because it probably should work for you. If the BGP queues are sitting at 300, it means that your BGP speakers aren't talking to each other and you need to look at why (eg. MTU mismatch, disagree on some other parameter). There might be some defaults for BGP parameters that have been changed and you need to explicitly set now. Not very responsive on the command line suggests that CPU was busy doing other stuff (like continually setting up BGP sessions). If you have the time to do some debugging then you probably should be able to get a 12.2(33)SR version working.

regards,
Tony.
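The queue symptom Tony points at (InQ/OutQ stuck well above 0 while sessions keep being torn down) is easy to watch for mechanically rather than by eye. The script below is an added example, not code from this thread or from Cisco: it parses the neighbour table of IOS "show ip bgp summary" output and flags sessions that are not Established or whose queues are above a threshold. The sample output it parses is constructed for illustration, and the column layout assumed is the standard IOS one (Neighbor, V, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down, State/PfxRcd).

```python
"""Flag BGP neighbours that never settle: not Established, or InQ/OutQ backing up.

Added example for the symptom described in the thread (queues at 300+ instead
of 0). It parses the neighbour table of IOS "show ip bgp summary" output; the
SAMPLE_SUMMARY text below is constructed for illustration, not real output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one healthy peer, one with queues backing up,
# one stuck in Active, one administratively shut down.
SAMPLE_SUMMARY = """\
BGP router identifier 10.255.0.1, local AS number 65000
BGP table version is 118, main routing table version 118

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4 65000    4521    4519      118    0    0 2d03h          12
10.0.0.3        4 65000     860     858      118  305  312 00:01:02        9
10.0.0.4        4 65001       0       0        1    0    0 never    Active
10.0.0.5        4 65001       0       0        1    0    0 00:05:11 Idle (Admin)
"""

# One neighbour row: address, version, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ,
# Up/Down, then either a prefix count (session is Established) or a state word.
_ROW = re.compile(
    r"^(\S+)\s+(\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+)$"
)


@dataclass
class Neighbor:
    address: str
    remote_as: int
    in_q: int
    out_q: int
    up_down: str
    state: str                 # "Established" when IOS prints a prefix count
    prefixes: Optional[int]    # None unless Established


def parse_bgp_summary(text: str) -> List[Neighbor]:
    """Return one Neighbor per row of the summary table; header lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        addr, _ver, remote_as, _rcvd, _sent, _tblver, in_q, out_q, up_down, last = m.groups()
        last = last.strip()
        if last.isdigit():
            state, prefixes = "Established", int(last)
        else:
            state, prefixes = last, None      # e.g. "Active", "Idle (Admin)"
        neighbors.append(Neighbor(addr, int(remote_as), int(in_q), int(out_q),
                                  up_down, state, prefixes))
    return neighbors


def find_unhealthy(neighbors: List[Neighbor], queue_threshold: int = 0) -> List[Tuple[str, str]]:
    """Return (address, reason) for sessions that are down or whose queues exceed the threshold.

    A steady-state session shows InQ/OutQ at 0; a queue that stays high means the
    speakers are not actually exchanging updates (MTU or parameter mismatch)."""
    findings = []
    for n in neighbors:
        if n.state != "Established":
            findings.append((n.address, f"state {n.state}"))
        elif n.in_q > queue_threshold or n.out_q > queue_threshold:
            findings.append((n.address, f"InQ={n.in_q} OutQ={n.out_q}"))
    return findings


if __name__ == "__main__":
    for address, reason in find_unhealthy(parse_bgp_summary(SAMPLE_SUMMARY)):
        print(f"{address}: {reason}")
```

Run against the constructed sample this reports 10.0.0.3 for its queues and 10.0.0.4 and 10.0.0.5 for their state; feed it the real command output from a poller and raise the threshold a little if your platform shows transient single-digit queue depths during bursts of updates.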
--- On Fri, 7/8/09, Andy Ashley wrote:

> From: Andy Ashley
> Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
> To: cisco-nsp at puck.nether.net
> Date: Friday, 7 August, 2009, 2:20 AM
> Hi,
>
> We are trying to upgrade IOS on a Cisco 7206VXR (NPE-G1)
> processor (revision B) with 983040K/65536K bytes of memory.
>
> Currently running Version 12.3(13a), RELEASE SOFTWARE (fc2)
> but we need L2TPv3 functionality to configure xconnects
> using a pw-class statement.
> We tried running Version 12.2(33)SRC4, RELEASE SOFTWARE
> (fc2) but the router was unstable.
>
> Our peering sessions would come up and die after about a
> minute, the logs had lots of these entries:
>
> %BGP_SESSION-5-ADJCHANGE: neighbor X.X.X.X IPv4 Unicast
> topology base removed from session  BGP Notification
> sent
>
> I noticed that the BGP sessions had high InQ and OutQ
> values of 300+ where they usually sit at 0 and router was
> generally not very responsive on the command line.
> Also our RADIUS authentication was not working for some
> reason.
>
> Is this just incompatibility or unstable code?
> Can anyone recommend an image version for this hardware
> platform that has this feature set and is known to be stable
> in your environment?
>
> Thanks.
>
> Andy.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From td_miles at yahoo.com Thu Aug 6 18:06:25 2009
From: td_miles at yahoo.com (Tony)
Date: Thu, 6 Aug 2009 15:06:25 -0700 (PDT)
Subject: [c-nsp] Deny Default Route Propagation
In-Reply-To: <006801ca16bc$f1b45330$0a00000a@nil.si>
Message-ID: <282601.36178.qm@web110105.mail.gq1.yahoo.com>

Ivan is correct, I know this first hand after wrestling with this very recently.
You can only filter inbound from OSPF to the route table and you will need to do it on each OSPF router in the area.

Cisco reference is here:
http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q12
http://tinyurl.com/m4kvgg

regards,
Tony.

--- On Fri, 7/8/09, Ivan Pepelnjak wrote:

> From: Ivan Pepelnjak
> Subject: Re: [c-nsp] Deny Default Route Propagation
> To: "'Jeremiah Best'" , skoal at skoal.name, "'Manaf Al Oqlah'"
> Cc: cisco-nsp at puck.nether.net
> Date: Friday, 7 August, 2009, 3:40 AM
> No, you cannot control the LSA flooding (apart from blocking the flooding
> over a particular interface). All LSAs still get to all the routers (this is
> what you've asked for: OSPF is a link-state protocol :), but you can control
> which of the best OSPF routes get inserted in the IP routing table with the
> "distribute-list in".
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
> > -----Original Message-----
> > From: Jeremiah Best [mailto:jbest at zyedge.com]
> > Sent: Thursday, August 06, 2009 6:13 PM
> > To: Ivan Pepelnjak; skoal at skoal.name; 'Manaf Al Oqlah'
> > Cc: cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Deny Default Route Propagation
> >
> > Can't you do a "distribute-list out" on the ABR/ASBR
> > whichever the router is?
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
> > Sent: Thursday, August 06, 2009 12:01 PM
> > To: skoal at skoal.name; 'Manaf Al Oqlah'
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Deny Default Route Propagation
> >
> > Just make sure you configure the "distribute-list in" on ALL
> > OTHER routers in the area, otherwise you'll get some
> > hard-to-troubleshoot loops or blackholes.
> >
> > Ivan
> >
> > http://www.ioshints.info/about
> > http://blog.ioshints.info/
> >
> > > -----Original Message-----
> > > From: Gergely Antal [mailto:skoal at skoal.name]
> > > Sent: Thursday, August 06, 2009 2:24 PM
> > > To: Manaf Al Oqlah
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] Deny Default Route Propagation
> > >
> > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
> > >
> > > Manaf Al Oqlah wrote:
> > > > hello,
> > > >
> > > > In OSPF, how can I filter the default route from being
> > > > propagated out in the same area? I want to deny the
> > > > external default route in outbound routes so other routers in the
> > > > same area don't accept the default route from that router.
> > > >
> > > > Thank you,
> > > > Manaf
> > > >

From chunt at reachone.com Thu Aug 6 17:57:11 2009
From: chunt at reachone.com (Christopher Hunt)
Date: Thu, 06 Aug 2009 14:57:11 -0700
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
Message-ID: <4A7B51B7.2080808@reachone.com>

I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a 2851. IOS 12.4(7) will allow it, but IOS 12.4(22)T won't. The Bug Toolkit doesn't show any relevant bugs. Has anyone else run into this? Is there a recommended release? I would really like a release that supports mpls traceroute.

router-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(7), RELEASE SOFTWARE (fc6)
...
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
...
router-1 uptime is 53 minutes
System returned to ROM by reload at 14:42:21 PDT Thu Aug 6 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-7.bin"
...
Cisco 2851 (revision 53.51) with 509952K/14336K bytes of memory.
Processor board ID FTX...
16 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

router-1#config term
Enter configuration commands, one per line.  End with CNTL/Z.
router-1(config)#int gi0/1.457
router-1(config-subif)#mpls mtu ?
  <64-65535>  MTU (bytes)
router-1(config-subif)#mpls mtu 1508
router-1(config-subif)#end
router-1#sh run int gi0/1.457
...
interface GigabitEthernet0/1.457
 encapsulation dot1Q 457
 ip address x.x.x.x 255.255.255.252
 ip ospf network point-to-point
 no snmp trap link-status
 mpls ip
 mpls mtu 1508
 no cdp enable
end

!!!!

router-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
...
router-1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
router-1(config)#int gi0/1.457
router-1(config-subif)#mpls mt
router-1(config-subif)#mpls mtu ?
  <64-1500>  MTU (bytes)
router-1(config-subif)#mpls mtu 1508
                                ^
% Invalid input detected at '^' marker.

router-1(config-subif)#end
shelton-1#sh run int gi0/1.457
...
interface GigabitEthernet0/1.457
 encapsulation dot1Q 457
 ip address x.x.x.x 255.255.255.252
 ip ospf network point-to-point
 mpls mtu 1508
 mpls ip
 no cdp enable
end

--
cheers
Christopher Hunt

From kloch at kl.net Fri Aug 7 00:35:40 2009
From: kloch at kl.net (Kevin Loch)
Date: Fri, 07 Aug 2009 00:35:40 -0400
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <569473.50338.qm@web27907.mail.ukl.yahoo.com>
References: <569473.50338.qm@web27907.mail.ukl.yahoo.com>
Message-ID: <4A7BAF1C.4070009@kl.net>

C and C Dominte wrote:
> Thank you for your advice, however, increasing the timers
> did not work.
>
> I powered down the active linecards from switch 2
> yesterday to see if it stopped the unicast flood, which it did.
>
> Today I increased the mac address synchronisation activity
> time to 640 and the mac address aging time to 1920 (3x640) as below:

While I have not run 6500's in VSS mode I have run into similar unicast flooding with certain non-VSS configurations of 6500's.
The most reliable fix I have found is "arp timeout 120" in the affected vlan interfaces.

- Kevin

From swmike at swm.pp.se Fri Aug 7 00:51:07 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 7 Aug 2009 06:51:07 +0200 (CEST)
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
In-Reply-To: <4A7B51B7.2080808@reachone.com>
References: <4A7B51B7.2080808@reachone.com>
Message-ID:

On Thu, 6 Aug 2009, Christopher Hunt wrote:

> I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a 2851.
> IOS 12.4(7) will allow it, but IOS 12.4(22)T won't. The Bug Toolkit doesn't
> show any relevant bugs. Has anyone else run into this? Is there a
> recommended release? I would really like a release that supports mpls
> traceroute.

Don't use "mpls mtu", instead use "mtu", "ip mtu" and "clns mtu" in combination.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From kloch at kl.net Fri Aug 7 00:59:06 2009
From: kloch at kl.net (Kevin Loch)
Date: Fri, 07 Aug 2009 00:59:06 -0400
Subject: [c-nsp] multipath BGP not balancing equally.
In-Reply-To:
References: <4A787016.7040006@cisco.com> <4A7986F7.4070905@cisco.com> <5F398FA44E094EB7BD7F6581E07943B5@experienbd1776> <4A79EA3F.6060002@cisco.com>
Message-ID: <4A7BB49A.2060902@kl.net>

This sounds like the unequal multipath is a quirk (feature?) of sup720 default load sharing behavior. It happens to any multipath routes (static, ospf, bgp) installed in the FIB:

http://cisco.cluepon.net/index.php/Sup720_load_balancing

shows different ratios than OP but that might be due to different behavior in different IOS versions or hardware revisions.

"mls ip cef load-sharing simple" works well for me but "mls ip cef load-sharing full simple" should also work if you also want layer4 hashes involved.

- Kevin

David Hughes wrote:
>
> Hi
>
> But seeing as the OP indicated that one of the circuits was 2GB
> *underutilised* you'd be looking for 3 src/dst pairs that were all doing
> 2GB to get this situation.
> It's looking pretty unlikely that this is a
> hashing issue.
>
>
> David
> ...
>
> On 06/08/2009, at 6:23 AM, Rodney Dunn wrote:
>
>> Ah...good one. If the sources were not random enough and it's NAT'ed
>> to one external ip you could really be multiplexing flows with NAT. ;)
>>
>> Dean Smith wrote:
>>> Would agree that volume is rare between 2xIP addresses but we have
>>> something similar although on not quite the scale.
>>> We NAT a very large organisation to the Internet. They have a large
>>> number of disparate sites that all do their own AV updates. All the
>>> PCs download at the same time in the evening and we generate about
>>> .75 Gb/s of traffic between our external PAT address and the AV
>>> download site for a good couple of hours. If we had a bigger internet
>>> pipe it would be a higher figure. (for less time of course).
>>> Dean
>>> ----- Original Message ----- From: "Rodney Dunn"
>>> To: "Mikael Abrahamsson"
>>> Cc: "Cisco"
>>> Sent: Wednesday, August 05, 2009 2:19 PM
>>> Subject: Re: [c-nsp] multipath BGP not balancing equally.
>>>> For small flow combinations you are right. btw, it would be just L3
>>>> src/dst flows by default unless the L4 port option is enabled.
>>>>
>>>> I thought about there being a single flow causing the difference
>>>> that would be hashing down one of the paths. But 2G, while not
>>>> impossible, typically isn't used between two ip addresses. It's
>>>> something to check though for sure.
>>>>
>>>> Rodney
>>>>
>>>> Mikael Abrahamsson wrote:
>>>>> On Tue, 4 Aug 2009, Rodney Dunn wrote:
>>>>>
>>>>>> That's usually caused by routes not being the same on the paths.
>>>>>
>>>>> It was my understanding that this usually was caused by not having
>>>>> enough L4 flows to loadshare on...?
>>>>> Ie if you have 100 TCP flows
>>>>> and 4 paths, then it's not enough flows to get good load share on,
>>>>> but if you instead have 10k flows and all of them are low-speed,
>>>>> then the odds of them being equally load shared is much better?
>>>>>
>

From ecables at gmail.com Fri Aug 7 01:43:23 2009
From: ecables at gmail.com (Eric Cables)
Date: Thu, 6 Aug 2009 22:43:23 -0700
Subject: [c-nsp] VSS 1440 issues
In-Reply-To: <4A7BAF1C.4070009@kl.net>
References: <569473.50338.qm@web27907.mail.ukl.yahoo.com> <4A7BAF1C.4070009@kl.net>
Message-ID:

Agreed, your mileage may vary on the exact timers to use (I ended up at 900 seconds), but synchronizing MAC and ARP aging timers should solve your unicast flooding issues, assuming the traffic is to legitimate destinations. Have you captured any traffic to identify the destination of flooded traffic?

--
Eric Cables

On Thu, Aug 6, 2009 at 9:35 PM, Kevin Loch wrote:

> C and C Dominte wrote:
>
>> Thank you for your advice, however, increasing the timers
>> did not work.
>>
>> I powered down the active linecards from switch 2
>> yesterday to see if it stopped the unicast flood, which it did.
>>
>> Today I increased the mac address synchronisation activity
>> time to 640 and the mac address aging time to 1920 (3x640) as below:
>>
>
> While I have not run 6500's in VSS mode I have run into similar unicast
> flooding with certain non-VSS configurations of 6500's. The most
> reliable fix I have found is "arp timeout 120" in the affected vlan
> interfaces.
>
> - Kevin
>

From oboehmer at cisco.com Fri Aug 7 02:34:15 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 7 Aug 2009 08:34:15 +0200
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <4A7B254B.8040607@gmail.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl> <4A7B254B.8040607@gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com>

Jared Gillis <> wrote on Thursday, August 06, 2009 20:48:

> Daniel Verlouw wrote:
>> On Wed, 2009-08-05 at 15:02 -0700, Jared Gillis wrote:
>>> Hm, interesting though. Unfortunately, it doesn't seem to pan out
>>> in the lab. The LSPs don't seem to get flooded, but the routes do
>>> get passed through Router A to all the stub routers, regardless of
>>> how I set up the mesh-groups.
>>
>> right. Mesh-groups block only LSPs, CSNPs would still be flooded.
>>
>>> This is almost what I'm trying to do, there will be very few routes
>>> in IS-IS, but the decree from on high is that each stub router
>>> should be totally stubby =(
>
> Mostly due to longevity, planning for the worst case of high growth,
> IPv6 deployment, etc that will make each route in our routers very
> costly over time. Also, given our topology, there's no reason for the
> stub routers to learn anything but default.

Well..
not sure how large you want to grow your L1 area, but you could investigate "advertise-passive-only" to only advertise the loopbacks (all customer routes should be in BGP if you need to plan for growth), and you'll be fine, even with a 1000 nodes in the area. And if you reach this number, address summarization (and the implications of it) will become an issue (even with OSPF)..

> It's looking like we might have to run OSPF on this, but we'd really
> rather stick with IS-IS. It seems that OSPF's ability to put
> individual interfaces into different areas might be the required
> feature that forces us that way. That is, unless anyone knows a way
> to put an IS-IS router into different areas aside from assigning
> multiple NET addresses...

No, doesn't work with Integrated ISIS (only CLNS allows you to use different ISIS areas on a single node)..

oli

From asturluismi at gmail.com Fri Aug 7 07:01:55 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 13:01:55 +0200
Subject: [c-nsp] TACACs access filtered by device
Message-ID: <1249642915.11716.6.camel@dsba-ipso>

Hi,

We have here several Cisco devices and I would like to know if it is possible to filter who gets access to some specific devices using the tacacs.conf file or the AAA configuration inside the devices.

Is that possible?

From jbest at zyedge.com Fri Aug 7 08:08:01 2009
From: jbest at zyedge.com (Jeremiah Best)
Date: Fri, 7 Aug 2009 08:08:01 -0400
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>

You can do it using ACS if you have an ACS server. The way we've done it is create groups of devices and then just assign the user whatever rights and then only allow said user to access that group of users. Works well. Outside of ACS I'm not sure if there's a way. If you want more details let me know.
-Jeremiah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Friday, August 07, 2009 7:02 AM
To: cisco_nsp
Subject: [c-nsp] TACACs access filtered by device

Hi,

We have here several Cisco devices and I would like to know if it is possible to filter who gets access to some specific devices using the tacacs.conf file or the AAA configuration inside the devices.

Is that possible?

From asturluismi at gmail.com Fri Aug 7 08:35:45 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 14:35:45 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>
References: <1249642915.11716.6.camel@dsba-ipso> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2DEF@zy-ex1.zyedge.local>
Message-ID: <1249648545.11716.8.camel@dsba-ipso>

Hi,

We don't use here ACS, just tacacs-server over linux.

From chunt at reachone.com Fri Aug 7 09:27:50 2009
From: chunt at reachone.com (Christopher Hunt)
Date: Fri, 07 Aug 2009 06:27:50 -0700
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <4A7C2BD6.3000801@reachone.com>

We don't use it this way, but it looks like the linux tac_plus daemon supports authorization ACLs. See the line "acl = dial_only" at
http://www.linuxcertif.com/man/5/tac_plus.conf/#EXAMPLE_TAC_PLUS_CONFIGURATION_311843h

Christopher Hunt

luismi wrote:
> Hi,
>
> We have here several Cisco devices and I would like to know if it is
> possible to filter who gets access to some specific devices using the
> tacacs.conf file or the AAA configuration inside the devices.
>
> Is that possible?
>

From peter at rathlev.dk Fri Aug 7 10:21:32 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Aug 2009 16:21:32 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249642915.11716.6.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso>
Message-ID: <1249654892.3168.2.camel@abehat.net.rm.dk>

On Fri, 2009-08-07 at 13:01 +0200, luismi wrote:
> We have here several Cisco devices and I would like to know if it is
> possible to filter who gets access to some specific devices using the
> tacacs.conf file or the AAA configuration inside the devices.
>
> Is that possible?

It is, and it works like a charm. The link Christopher Hunt posted has a good example. We use it e.g. like this:

acl = pop1-access {
    permit = ^10\.0\.0\.
}

user = example-pop1-operator {
    member = admin
    acl = pop1-access
}

group = other-example-acl {
    acl = pop1-access
}

Regards,
Peter

From asturluismi at gmail.com Fri Aug 7 10:25:47 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 07 Aug 2009 16:25:47 +0200
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249654892.3168.2.camel@abehat.net.rm.dk>
References: <1249642915.11716.6.camel@dsba-ipso> <1249654892.3168.2.camel@abehat.net.rm.dk>
Message-ID: <1249655147.11716.22.camel@dsba-ipso>

Yes!
seems to be pretty simple I will try it today :-D

From walter.keen at RainierConnect.net Fri Aug 7 11:28:06 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Fri, 07 Aug 2009 08:28:06 -0700
Subject: [c-nsp] TACACs access filtered by device
In-Reply-To: <1249655147.11716.22.camel@dsba-ipso>
References: <1249642915.11716.6.camel@dsba-ipso> <1249654892.3168.2.camel@abehat.net.rm.dk> <1249655147.11716.22.camel@dsba-ipso>
Message-ID: <4A7C4806.9040605@rainierconnect.net>

We take it another step, using the linux tac-plus, specifying an acl for each user, and commands they can or cannot run....

The only problem we've run into is one user who needs higher access on one router but still limited access on another, we've gotten around that a little bit by setting privilege levels in the routers, and making tacacs send the privilege level data to router, but we still had one or two cases where one user had to have 2 usernames for different routers (and acl's to make sure they didn't use the wrong one on the wrong router)

If anyone's interested, I can send an example offline.

luismi wrote:
> Yes! seems to be pretty simple I will try it today :-D
>

--
Walter Keen
Network Technician
Rainier Connect
(o) 360-832-4024
(c) 253-302-0194

From ecables at gmail.com Fri Aug 7 13:21:12 2009
From: ecables at gmail.com (Eric Cables)
Date: Fri, 7 Aug 2009 10:21:12 -0700
Subject: [c-nsp] RedSeal users?
Message-ID:

Slightly OT, but with all the NMS e-mails going around lately it might have some relevance. I'm in the middle of a RedSeal (http://www.redseal.net/) deployment, and I was wondering if anyone else on the list was using this product. I'd just like to get an idea of whether it has been useful, and what applications you've used it for.
Thanks,

--
Eric Cables

From Jeff.Wojciechowski at midlandpaper.com Fri Aug 7 13:47:26 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Fri, 7 Aug 2009 12:47:26 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>

Not one hit on this one, perhaps broadening the question as follows might help:

Anyone using IPSLAs standalone to monitor voice have any pointers (what tests to run, packet sizes, frequency of tests)?

Thanks,

-Jeff

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wojciechowski
Sent: Thursday, August 06, 2009 3:51 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSLAs with OpenNMS or Other?

Hi All:

Anyone using IPSLAs with OpenNMS or any other favorite tool?

I just set up a small test network and am thinking about adding this to a couple of our WAN routers closest to our PBXs and setting up remote switches that VoIP phones are on to monitor jitter, etc of our VoIP traffic.

Any thoughts on:

1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

2) Any gotchas that I need to look out for?
(False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate monitor to the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

5) Suggested intervals, packet sizes, anything else of each test?

Thanks all,

Jeff

From gsgranados at comcast.net Fri Aug 7 16:47:27 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 13:47:27 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
Message-ID: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>

Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.

BACKGROUND

I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
PROBLEM

When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.

split-tunnel ACL

access-list vpn-nets standard permit 10.1.0.0 255.255.0.0
access-list vpn-nets standard permit 10.11.0.0 255.255.0.0
access-list vpn-nets standard permit 10.18.0.0 255.255.0.0
access-list vpn-nets standard permit 10.64.0.0 255.255.0.0
access-list vpn-nets standard permit 10.66.0.0 255.255.0.0

local pool definition

ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0

STATIC ROUTES

route outside 0.0.0.0 0.0.0.0 206.x.x.225 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.0.0 255.255.0.0 10.18.14.1 1

GROUP POLICY DEFINITION

group-policy VPRN-team-policy internal
group-policy VPRN-team-policy attributes
 banner value This is a private network connection for XXX authorized users only. If you do not have explicit permission from the XXX Network Services department you must disconnect now.
 banner value Thank you,
 banner value Network Services
 banner value 415.xxx.xxxx
 wins-server value 10.18.1.14 10.18.1.15
 dns-server value 10.18.1.14 10.18.1.15
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-nets
 default-domain value MY-COMPANY.COM
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers 206.x.x.233
 client-firewall opt cisco-integrated acl-in FWBlockIn acl-out FWAllowAnyOut
 webvpn
  functions none

tunnel-group VPRN-team type ipsec-ra
tunnel-group VPRN-team general-attributes
 address-pool VPRN-team-vpn-pool1
 authentication-server-group my_authent_grp
 default-group-policy VPRN-team-policy
tunnel-group VPRN-team ipsec-attributes
 pre-shared-key *

CRYPTO MAP and ISAKMP

crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap1 10 set transform-set vpn-transform1
crypto dynamic-map dynmap1 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1
crypto map vpnmap interface outside

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 10000
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 10000
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
isakmp reload-wait

From mksmith at adhost.com Fri Aug 7 17:40:21 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 7 Aug 2009 14:40:21 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
In-Reply-To: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
Message-ID: <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between
> Cisco client andinside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the
> Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside
> address of 10.18.14.6. The outside interface is connected to the public
> internet directly, the inside interface is attached to a switch with layer 3
> capabilities and has an address of 10.18.14.1/24. The default route is
> pointed to the public Internet gateway and the 10.18.0.0/16 network is
> routed via the 10.18.14.1 inside address. The VPN device is running version
> 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface
> over an external network the session authenticates and reports connected,
> the client is assigned an address from the correct pool, but I'm not able to
> pass traffic.
Looking at the stats the routes learned appear > (10.18.0.0/16) > or what ever routes I added to the split-tunnel network list. I do > notice > that the tunnel stats do not show the encrypted packet count increasing > so I > assume I'm not tagging something correctly or the ASA is confused about > what > to encrypt. I've been using the Cisco ASA configuration examples as a > starting point but think I'm missing the point somewhere. Any pointers > would be appreciated, config tidbits follow. > > split-tunnel ACL I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps. Regards, Mike From gsgranados at comcast.net Fri Aug 7 17:51:49 2009 From: gsgranados at comcast.net (Scott Granados) Date: Fri, 7 Aug 2009 14:51:49 -0700 Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network? References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <200908071635.21214.rgilreath@hbs.net> Message-ID: <00b201ca17a9$49e6e120$2208120a@am.thmulti.com> I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect? ----- Original Message ----- From: "Rob Gilreath" To: Cc: "Scott Granados" Sent: Friday, August 07, 2009 2:35 PM Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network? > > Is your nat 0 exception setup? > > Send the config lines starting with nat as well. 
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> [...]
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

From gsgranados at comcast.net Fri Aug 7 18:03:58 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 15:03:58 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>
Message-ID: <00e401ca17aa$fb9e3890$2208120a@am.thmulti.com>

Hi Michael,

Wouldn't the more specific /24 come in to play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
>
> [...]
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From gsgranados at comcast.net Fri Aug 7 19:12:01 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 16:12:01 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
References: <870133.47242.qm@web80503.mail.mud.yahoo.com>
Message-ID: <015501ca17b4$7e9c11f0$2208120a@am.thmulti.com>

Hi, so the client is attached directly to a Sprint air card or directly to a cable internet connection with a real IP address. I have udp 10000 defined in the group policy and see that port being used in the client logs.

Thanks
Scott

----- Original Message -----
From: Randy
To: Rob Gilreath ; cisco-nsp at puck.nether.net ; Scott Granados
Sent: Friday, August 07, 2009 3:40 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

..NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup - sh run nat-control.

The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well?

Also, NAT-T (ipsec/UDP port 10,000) is enabled on the client?

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: "Rob Gilreath" , cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 2:51 PM

I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect?
----- Original Message -----
From: "Rob Gilreath"
To:
Cc: "Scott Granados"
Sent: Friday, August 07, 2009 2:35 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?

> Is your nat 0 exception setup?
>
> Send the config lines starting with nat as well.
>
> On Friday 07 August 2009 03:47:27 pm Scott Granados wrote:
>> [...]
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gsgranados at comcast.net Fri Aug 7 19:13:33 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 7 Aug 2009 16:13:33 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <752681.4220.qm@web80506.mail.mud.yahoo.com>
Message-ID: <016501ca17b4$b67fee70$2208120a@am.thmulti.com>

I'm thinking this might be it. I'm probably doing bad things with the connected pool. Thanks for the pointers.

----- Original Message -----
From: Randy
To: Michael K. Smith - Adhost ; Scott Granados
Cc: cisco-nsp at puck.nether.net
Sent: Friday, August 07, 2009 4:02 PM
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

x.x.x.x mask y.y.y.y mask (your vpn pool)
10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
To: "Michael K. Smith - Adhost"
Cc: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM

Hi Michael,

Wouldn't the more specific /24 come in to play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?

[...]

From randy_94108 at yahoo.com Fri Aug 7 18:15:12 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 15:15:12 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
In-Reply-To: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com>
Message-ID: <831090.36449.qm@web80505.mail.mud.yahoo.com>

Hi Scott,

...at first pass - have you *exempted* your vpn pool<->split-tunnel subnets from NAT on the appropriate interfaces?
Regards,
./Randy

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
To: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 1:47 PM

[...]

From randy_94108 at yahoo.com Fri Aug 7 18:40:56 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 15:40:56 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network?
In-Reply-To: <00b201ca17a9$49e6e120$2208120a@am.thmulti.com>
Message-ID: <870133.47242.qm@web80503.mail.mud.yahoo.com>

..NAT entries are not required as long as *nat-control* is not enabled. I can't recall the default but you can verify your setup - sh run nat-control.
The PC in question wouldn't happen to be behind a firewall and using an rfc1918 addr. on the 10.x space as well ? Also, NAT-T (ipsec/UDP port 10,000 is enabled on the client? --- On Fri, 8/7/09, Scott Granados wrote: From: Scott Granados Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network? To: "Rob Gilreath" , cisco-nsp at puck.nether.net Date: Friday, August 7, 2009, 2:51 PM I actually don't have any nat entries because I didn't think I needed any what with this not being used for anything but VPN, is this incorrect? ----- Original Message ----- From: "Rob Gilreath" To: Cc: "Scott Granados" Sent: Friday, August 07, 2009 2:35 PM Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client and inside network? > > Is your nat 0 exception setup? > > Send the config lines starting with nat as well. > > > > On Friday 07 August 2009 03:47:27 pm Scott Granados wrote: >> Hi, I'm having difficulties configuring VPN tunnels between a PC with the >> Cisco VPN client (windows XP) and an ASA5520. >> >> BACKGROUND >> >> I have an ASA5520 with a public interface of 206.x.x.232 and an inside >> address of 10.18.14.6.? The outside interface is connected to the public >> internet directly, the inside interface is attached to a switch with layer >> 3 capabilities and has an address of 10.18.14.1/24.? The default route is >> pointed to the public Internet gateway and the 10.18.0.0/16 network is >> routed via the 10.18.14.1 inside address.? The VPN device is running >> version 7 software (according to the VPN client log file). >> >> PROBLEM >> >> >>? ???When I initiate a connection from the PC to the public facing interface >> over an external network the session authenticates and reports connected, >> the client is assigned an address from the correct pool, but I'm not able >> to pass traffic.? 
Looking at the stats the routes learned appear >> (10.18.0.0/16) or what ever routes I added to the split-tunnel network >> list.? I do notice that the tunnel stats do not show the encrypted packet >> count increasing so I assume I'm not tagging something correctly or the ASA >> is confused about what to encrypt. I've been using the Cisco ASA >> configuration examples as a starting point but think I'm missing the point >> somewhere.? Any pointers would be appreciated, config tidbits follow. >> >> split-tunnel ACL >> >> access-list vpn-nets standard permit 10.1.0.0 255.255.0.0 >> access-list vpn-nets standard permit 10.11.0.0 255.255.0.0 >> access-list vpn-nets standard permit 10.18.0.0 255.255.0.0 >> access-list vpn-nets standard permit 10.64.0.0 255.255.0.0 >> access-list vpn-nets standard permit 10.66.0.0 255.255.0.0 >> >> local pool definition >> ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask >> 255.255.255.0 >> >> STATIC ROUTES >> route outside 0.0.0.0 0.0.0.0 206.x.x.225 1 >> route inside 10.66.0.0 255.255.0.0 10.18.14.1 1 >> route inside 10.11.0.0 255.255.0.0 10.18.14.1 1 >> route inside 10.64.0.0 255.255.0.0 10.18.14.1 1 >> route inside 10.1.0.0 255.255.0.0 10.18.14.1 1 >> route inside 10.18.0.0 255.255.0.0 10.18.14.1 1 >> >> GROUP POLICY DEFINITION >> >> group-policy VPRN-team-policy internal >> group-policy VPRN-team-policy attributes >>? banner value This is a private network connection for XXX authorized users >> only.? If you do not have explicit permission from the XXX Network Services >> department you must disconnect now. >>? banner value Thank you, >>? banner value Network Services >>? banner value 415.xxx.xxxx >>? wins-server value 10.18.1.14 10.18.1.15 >>? dns-server value 10.18.1.14 10.18.1.15 >>? dhcp-network-scope none >>? vpn-access-hours none >>? vpn-simultaneous-logins 1 >>? vpn-idle-timeout 30 >>? vpn-session-timeout none >>? vpn-filter none >>? vpn-tunnel-protocol IPSec >>? password-storage disable >>? ip-comp enable >>? 
re-xauth disable >>? group-lock none >>? pfs disable >>? ipsec-udp enable >>? ipsec-udp-port 10000 >>? split-tunnel-policy tunnelspecified >>? split-tunnel-network-list value vpn-nets >>? default-domain value MY-COMPANY.COM >>? split-dns none >>? secure-unit-authentication disable >>? user-authentication enable >>? user-authentication-idle-timeout 30 >>? ip-phone-bypass disable >>? leap-bypass disable >>? nem disable >>? backup-servers 206.x.x.233 >>? client-firewall opt cisco-integrated acl-in FWBlockIn acl-out >> FWAllowAnyOut webvpn >>???functions none >> >> tunnel-group VPRN-team type ipsec-ra >> tunnel-group VPRN-team general-attributes >>? address-pool VPRN-team-vpn-pool1 >>? authentication-server-group my_authent_grp >>? default-group-policy VPRN-team-policy >> tunnel-group VPRN-team ipsec-attributes >>? pre-shared-key * >> >> CRYPTO MAP and ISAKMP >> >> crypto ipsec transform-set vpn-transform1 esp-3des esp-sha-hmac >> crypto dynamic-map dynmap1 10 set transform-set vpn-transform1 >> crypto dynamic-map dynmap1 10 set reverse-route >> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap1 >> crypto map vpnmap interface outside >> isakmp enable outside >> isakmp policy 1 authentication pre-share >> isakmp policy 1 encryption aes >> isakmp policy 1 hash sha >> isakmp policy 1 group 2 >> isakmp policy 1 lifetime 28800 >> isakmp policy 10 authentication pre-share >> isakmp policy 10 encryption 3des >> isakmp policy 10 hash sha >> isakmp policy 10 group 2 >> isakmp policy 10 lifetime 1000 >> isakmp policy 20 authentication pre-share >> isakmp policy 20 encryption 3des >> isakmp policy 20 hash md5 >> isakmp policy 20 group 2 >> isakmp policy 20 lifetime 10000 >> isakmp policy 30 authentication pre-share >> isakmp policy 30 encryption 3des >> isakmp policy 30 hash sha >> isakmp policy 30 group 2 >> isakmp policy 30 lifetime 10000 >> isakmp policy 40 authentication pre-share >> isakmp policy 40 encryption 3des >> isakmp policy 40 hash sha >> isakmp policy 40 group 2 >> 
>> isakmp policy 40 lifetime 86400
>> isakmp nat-traversal 20
>> isakmp reload-wait
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
> --
> Rob Gilreath
> Systems Engineer - CCNP, CCDP
> Heartland Business Systems
> rgilreath at hbs.net
> (920) 850-3018

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From randy_94108 at yahoo.com Fri Aug 7 19:02:51 2009
From: randy_94108 at yahoo.com (Randy)
Date: Fri, 7 Aug 2009 16:02:51 -0700 (PDT)
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
In-Reply-To: <00e401ca17aa$fb9e3890$2208120a@am.thmulti.com>
Message-ID: <752681.4220.qm@web80506.mail.mud.yahoo.com>

..also keep in mind that your split-tunnel ACL can be extended if specified in the following format:

x.x.x.x mask y.y.y.y mask (your vpn pool)
10.18.0.0 255.255.0.0 10.18.14.0 255.255.255.0

--- On Fri, 8/7/09, Scott Granados wrote:

From: Scott Granados
Subject: Re: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
To: "Michael K. Smith - Adhost"
Cc: cisco-nsp at puck.nether.net
Date: Friday, August 7, 2009, 3:03 PM

Hi Michael,

Wouldn't the more specific /24 come in to play instead of the much larger /16? If I route the /16 via 10.18.14.1 but the /24 of 10.18.14.1 is directly connected I would have thought the /24 would win. I'll definitely give this a try however.

Thanks
Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt. I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN.
But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From peter at rathlev.dk Sat Aug 8 07:36:49 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 08 Aug 2009 13:36:49 +0200
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com> <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com>
Message-ID: <1249731409.3129.29.camel@abehat.net.rm.dk>

I'll give it a shot, even though we don't really have a planned professional setup. :-) We only use the data for internal purposes. We're an enterprise and our SLAs (OLAs) currently do not require us to present any data on latency/jitter/loss. We use Cacti to graph the results.

For voice circuits we typically measure "standard" 20 packets, 192 bytes payload, 20 ms interval with a jitter probe. We always use both an EF-marked and a DSCP0-marked. For data circuit quality we use N x 1000 packets, 384 bytes payload, 50 ms interval, also a jitter probe. This means they run for a longer time and thus will catch the extreme jitter. OTOH it gives a good picture of the base line.

Regarding the questions:

> 1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

I'd locate the measuring unit as close to the phone system as possible, unless of course your part of the responsibility only goes to the edge router.
> 2) Any gotchas that I need to look out for? (False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

We often use 3560 and 3750 switches as responders (they happen to be in the right place) and see very varying quality compared to a 2800 in the same place. I guess that's because of a slow processor or something.

> 3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate monitor to the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

I seem to remember that the 2800 requires an Enterprise Base license to run IP SLA probes. I don't know about 3560 since we only use those as responders. I think almost all currently available IOS versions support either "rtr" or "ip sla monitor" and a jitter probe.

> 4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

Cacti works very well for us.

> 5) Suggested intervals, packet sizes, anything else of each test?

We largely went for the defaults believing (possibly naively) that this would follow some "industry standard".

Regards,
Peter

From gert at greenie.muc.de Sat Aug 8 09:45:50 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 8 Aug 2009 15:45:50 +0200
Subject: [c-nsp] MPLS MTU [override] bug 12.4(22)T?
In-Reply-To: <4A7B51B7.2080808@reachone.com>
References: <4A7B51B7.2080808@reachone.com>
Message-ID: <20090808134550.GS290@greenie.muc.de>

Hi,

On Thu, Aug 06, 2009 at 02:57:11PM -0700, Christopher Hunt wrote:
> I'm trying to configure "mpls mtu 1508" on a dot1q subinterface on a 2851. IOS 12.4(7) will allow it, but IOS 12.4(22)T won't.
Quite possibly you need to configure "mtu 1508" and then "ip mtu 1500" to get the desired behaviour - "standard" IOS wants a maximum interface MTU, and all protocols (ip, mpls, ...) can go up to that maximum, but not further.

Being able to set "mpls mtu" to a value larger than the generic interface MTU was a workaround for some issues on single-port 7200 FEs, if I remember correctly, and should not be needed for 2800s anyway.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From frnkblk at iname.com Sat Aug 8 11:43:06 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 8 Aug 2009 10:43:06 -0500
Subject: [c-nsp] soft-disco/redirection
In-Reply-To: <4A7B0A2F.4060104@rainierconnect.net>
References: <4A7B0A2F.4060104@rainierconnect.net>
Message-ID:

What about giving them a different IP address (via RADIUS or DHCP), for which there is a route-map to webserver? Yes, it's not immediate, but with PPPoA/E users you could "clear int Vi#", CM users just wait for their next DHCP lease.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Thursday, August 06, 2009 11:52 AM
To: 'Cisco-nsp'
Subject: [c-nsp] soft-disco/redirection

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing.

Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.
Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

--
Walter Keen
Network Technician
Rainier Connect

From avayner at cisco.com Sat Aug 8 12:14:21 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 8 Aug 2009 18:14:21 +0200
Subject: [c-nsp] soft-disco/redirection
In-Reply-To: <4A7B0A2F.4060104@rainierconnect.net>
References: <4A7B0A2F.4060104@rainierconnect.net>
Message-ID:

You could do L2TP switching (VPDN) and terminate them on a remote LNS or just in another VRF, which would have a closed garden, redirecting any HTTP session to your own server (DNS...) and displaying whatever you like them to see.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Walter Keen
Sent: Thursday, August 06, 2009 19:52
To: 'Cisco-nsp'
Subject: [c-nsp] soft-disco/redirection

We're trying to formulate a plan to do a soft-disconnect or redirect users to a site where they can pay their bill online to get reconnected when they get disconnected for billing.

Mostly we're talking about either bridged or pppoa dsl customers, or cablemodem customers. Using 7204's and 7246vxr respectively.
Our initial thoughts included using some route-maps, but I was wondering if anyone had experience in doing this, and if there are any more graceful ways of doing this (including using snmp to trigger this instead of a scripted telnet session)

--
Walter Keen
Network Technician
Rainier Connect

From zivl at gilat.net Sun Aug 9 03:57:58 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 9 Aug 2009 10:57:58 +0300
Subject: [c-nsp] TACACS/RADUIS/AD
Message-ID:

Hi all,

I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)

I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.

At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.

I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups.

Is this possible to implement? If yes, do you have some ideas, tips, howtos?

Thanks in advance!

Regards,
Ziv

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From p.mayers at imperial.ac.uk Sun Aug 9 08:07:33 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 09 Aug 2009 13:07:33 +0100
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
References:
Message-ID: <4A7EBC05.60000@imperial.ac.uk>

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)
>
> I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
>
> Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.
>
> I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups.

Beware: Cisco does not support per-command authorisation via Radius - only TACACS.

>
>
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?

It's certainly possible to run a Radius server authenticating against Active Directory, and extract groups (subject to one minor caveat - see below). You'll have to write the config to map those groups to authz levels, but that's not usually hard. FreeRadius can do this trivially.

I don't know much about TACACS but I can't imagine it's that hard to make a TACACS server talk to LDAP.

N.B. Active Directory groups have one slightly funny aspect, which is that the "primary" group for a user object is *not* stored as a memberOf attribute - it's stored as the numerical RID of the group on the LDAP attribute, and can be difficult to match via LDAP. Also, nested groups are difficult to match via LDAP.

From zivl at gilat.net Sun Aug 9 08:46:20 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 9 Aug 2009 15:46:20 +0300
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To: <4A7EBC05.60000@imperial.ac.uk>
References: <4A7EBC05.60000@imperial.ac.uk>
Message-ID:

Ok, guys, thanks for the answers, I'm now more confused than before ;-)

Let's simplify it,
I have cisco devices we authenticate locally on each device.
We want to centralize the AAA on a server, so I thought to install a tac-plus or a freeradius on a linux box, so far not a problem, the problem is I don't want to make another user management because that won't be much different from managing local users on the devices, so I thought to make the tacacs or radius server interact with the AD/LDAP whatever Windows server that already exists and have by default a managed users list that is dynamically updated as new users come or old users leave.

This is the user and password used by everyone to log in to their workstations, so they all remember their password and it's a "secure" one (upper and lower case, numbers, special characters) which is also requested from users to change every once in a while.

All I need is to see that the user exists and that the password is correct, I was thinking also to retrieve some kind of attribute that will allow me to match it against the tacacs/radius group and then setting a sort of permission for the user, it could be per command based (better) or per general permission (have enable 15 or not)

Is this possible or too complicated?

Thanks,
Ziv

-----Original Message-----
From: David Barak [mailto:thegameiam at yahoo.com]
Sent: Sunday, August 09, 2009 3:07 PM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] TACACS/RADUIS/AD

A Cisco ACS can perform pass-through authentication against AD servers. There is a client which should be installed on the AD servers to do so. The only real gotcha with this is making sure your groups match. Other than that, it works like a champ. I have not tried to do this with any of the non-Cisco implementations of TACACS+.
-David Barak

-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk]
Sent: Sunday, August 09, 2009 3:08 PM
To: Ziv Leyes
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] TACACS/RADUIS/AD

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)
>
> I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
>
> Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.
>
> I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups.

Beware: Cisco does not support per-command authorisation via Radius - only TACACS.

>
>
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?

It's certainly possible to run a Radius server authenticating against Active Directory, and extract groups (subject to one minor caveat - see below). You'll have to write the config to map those groups to authz levels, but that's not usually hard. FreeRadius can do this trivially.

I don't know much about TACACS but I can't imagine it's that hard to make a TACACS server talk to LDAP.

N.B.
Active Directory groups have one slightly funny aspect, which is that the "primary" group for a user object is *not* stored as a memberOf attribute - it's stored as the numerical RID of the group on the LDAP attribute, and can be difficult to match via LDAP. Also, nested groups are difficult to match via LDAP.

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4319 (20090809) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

From thegameiam at yahoo.com Sun Aug 9 08:07:29 2009
From: thegameiam at yahoo.com (David Barak)
Date: Sun, 9 Aug 2009 05:07:29 -0700 (PDT)
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
Message-ID: <245035.47642.qm@web31808.mail.mud.yahoo.com>

A Cisco ACS can perform pass-through authentication against AD servers. There is a client which should be installed on the AD servers to do so. The only real gotcha with this is making sure your groups match. Other than that, it works like a champ. I have not tried to do this with any of the non-Cisco implementations of TACACS+.
-David Barak

Ziv Leyes wrote:
> Hi all,
> I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)
> I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
> Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.
> At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.
> I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization, (read-only, operator, and admins). All the rest of the commands authorization granularity will be performed by the radius/tacacs server, based on the user's groups.
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?
> Thanks in advance!
> Regards,
> Ziv
From rwest at zyedge.com Sun Aug 9 10:25:06 2009
From: rwest at zyedge.com (Ryan West)
Date: Sun, 9 Aug 2009 10:25:06 -0400
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
References: <4A7EBC05.60000@imperial.ac.uk>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local>

Ziv,

I think Phil pretty much covered everything already, it sounds like you're going to lean towards the tac-plus implementation. Here is a walkthrough for getting it going with backend LDAP authentication, there are some extra functions in his blog as well, like a TACACS log viewer:

http://www.sweetfixes.com/blogs/robert/archive/2008/11/20/configuring-a-tacacs-server-on-ubuntu-8-10-linux.aspx

I can't comment on the structure of your AD, but you can limit your query scope to a particular starting OU and avoid unwanted built-in accounts or sets of users. The rest of your command sets or privilege levels would be defined in the /etc/tacplus.conf file.

-ryan

From zivl at gilat.net Sun Aug 9 10:41:48 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 9 Aug 2009 17:41:48 +0300
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local>
References: <4A7EBC05.60000@imperial.ac.uk> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2E9D@zy-ex1.zyedge.local>
Message-ID:

Thank you very much!
That looks like something that will help me get started with

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com]
Sent: Sunday, August 09, 2009 5:25 PM
To: Ziv Leyes
Cc: 'Cisco-nsp'
Subject: RE: [c-nsp] TACACS/RADUIS/AD

Ziv,

I think Phil pretty much covered everything already, it sounds like you're going to lean towards the tac-plus implementation. Here is a walkthrough for getting it going with backend LDAP authentication, there are some extra functions in his blog as well, like a TACACS log viewer:

http://www.sweetfixes.com/blogs/robert/archive/2008/11/20/configuring-a-tacacs-server-on-ubuntu-8-10-linux.aspx

I can't comment on the structure of your AD, but you can limit your query scope to a particular starting OU and avoid unwanted built-in accounts or sets of users. The rest of your command sets or privilege levels would be defined in the /etc/tacplus.conf file.

-ryan
From andy.saykao at staff.netspace.net.au Sun Aug 9 18:42:33 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Mon, 10 Aug 2009 08:42:33 +1000
Subject: [c-nsp] soft-disco/redirection
References:
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB04@vic-cr-ex1.staff.netspace.net.au>

We use SSG which is what Arie's talking about in this previous email. You basically tunnel users who haven't paid their bill to a SSG LNS router and lock them down to the dns and url's they can access.

You can read more about what some people do from this older post:
http://puck.nether.net/pipermail/cisco-bba/2007-November/000985.html

SSG information here:
http://www.cisco.com/en/US/tech/tk888/tk890/tsd_technology_support_protocol_home.html

Cheers.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.

From gsgranados at comcast.net Sun Aug 9 18:58:15 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Sun, 9 Aug 2009 15:58:15 -0700
Subject: [c-nsp] ASA5520, can't pass traffic over ipsec tunnel between Cisco client andinside network?
References: <002b01ca17a0$4d104ac0$2208120a@am.thmulti.com> <17838240D9A5544AAA5FF95F8D5203160676BDAA@ad-exh01.adhost.lan>
Message-ID: <00df01ca1944$e1a52ed0$bf00a8c0@am.thmulti.com>

Hi, just to follow up on this. Thanks to everyone who responded this solution worked.
I adjusted the routes as Mike and Randy and others suggested and things seem to be working now.

Thanks to everyone for the help

Scott

----- Original Message -----
From: "Michael K. Smith - Adhost"
To: "Scott Granados" ;
Sent: Friday, August 07, 2009 2:40 PM
Subject: RE: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> Sent: Friday, August 07, 2009 1:47 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA5520,can't pass traffic over ipsec tunnel between Cisco client andinside network?
>
> Hi, I'm having difficulties configuring VPN tunnels between a PC with the Cisco VPN client (windows XP) and an ASA5520.
>
> BACKGROUND
>
> I have an ASA5520 with a public interface of 206.x.x.232 and an inside address of 10.18.14.6. The outside interface is connected to the public internet directly, the inside interface is attached to a switch with layer 3 capabilities and has an address of 10.18.14.1/24. The default route is pointed to the public Internet gateway and the 10.18.0.0/16 network is routed via the 10.18.14.1 inside address. The VPN device is running version 7 software (according to the VPN client log file).
>
> PROBLEM
>
> When I initiate a connection from the PC to the public facing interface over an external network the session authenticates and reports connected, the client is assigned an address from the correct pool, but I'm not able to pass traffic. Looking at the stats the routes learned appear (10.18.0.0/16) or whatever routes I added to the split-tunnel network list. I do notice that the tunnel stats do not show the encrypted packet count increasing so I assume I'm not tagging something correctly or the ASA is confused about what to encrypt.
> I've been using the Cisco ASA configuration examples as a starting point but think I'm missing the point somewhere. Any pointers would be appreciated, config tidbits follow.
>
> split-tunnel ACL

I would imagine having the /16 that encompasses the /24 of your inside interface and your VPN pool is a "bad thing." The /16 route is injected into the tunnel, which encompasses your default gateway for the VPN. But, you have forwarded all that traffic to the .1 address. As a start, I would get more specific on your subnets, since the 10.18.14.0/24 is physically tied to the ASA. Why not try more specifics like 10.18.1.0/24, 10.18.2.0/24, etc. and see if that helps.

Regards,

Mike

From tom at snnap.net Sun Aug 9 22:01:34 2009
From: tom at snnap.net (Tom Storey)
Date: Mon, 10 Aug 2009 11:01:34 +0900 (EIT)
Subject: [c-nsp] Packet drops on MPLS xconnect
Message-ID: <55338.172.25.144.4.1249869694.squirrel@imap.snnap.net>

Hi all,

I am experiencing packet drops in the tx direction of an MPLS based xconnect.

The xconnect is between a 7304 NPE-G100 and a 7206VXR NPE-G1, and only seems to be an issue with tx from the 7304. rx on the 7304 is fine, and tx and rx on the 7206 are also fine.

Moving the xconnect from the 7304 onto another 7206VXR NPE-G1 resolves the issue.

I've tried an IOS upgrade, reboot, rebuild of the xconnect, but to no avail.

I've also tried turning on various debug commands but wasn't able to obtain any useful hints as to what the problem is.

Here is part of the output of a "show mpls l2 vc detail" for the xconnect:

VC statistics:
  packet totals: receive 545, send 485
  byte totals: receive 72955, send 61850
  packet drops: receive 0, seq error 0, send 60

This was captured after the reboot so there isn't much happening, but you can see there are tx packet drops.
I've used various debug commands to try and get something to work on, including the following:

debug mpls l2 vc event
debug mpls l2 vc fsm
debug mpls l2transport signaling message
debug mpls l2 packet error

I was hoping the last one would reveal something interesting, but I only seemed to get output from the first 1-2 commands.

The xconnect establishes with no problems, and it will stay up, it just seems to be dropping packets for some reason.

Is anyone familiar with the causes of these types of issues and what else can be looked at/debugged and how to resolve it?

Thanks,
Tom

From tom at snnap.net Sun Aug 9 22:30:58 2009
From: tom at snnap.net (Tom Storey)
Date: Mon, 10 Aug 2009 11:30:58 +0900 (EIT)
Subject: [c-nsp] Packet drops on MPLS xconnect
Message-ID: <53380.172.25.144.4.1249871458.squirrel@imap.snnap.net>

Never mind, I reckon I've got it sorted. MTU strikes again. :-)

> Hi all,
>
> I am experiencing packet drops in the tx direction of an MPLS based xconnect.
>
> The xconnect is between a 7304 NPE-G100 and a 7206VXR NPE-G1, and only seems to be an issue with tx from the 7304. rx on the 7304 is fine, and tx and rx on the 7206 are also fine.
>
> Moving the xconnect from the 7304 onto another 7206VXR NPE-G1 resolves the issue.
>
> I've tried an IOS upgrade, reboot, rebuild of the xconnect, but to no avail.
>
> I've also tried turning on various debug commands but wasn't able to obtain any useful hints as to what the problem is.
>
> Here is part of the output of a "show mpls l2 vc detail" for the xconnect:
>
> VC statistics:
>   packet totals: receive 545, send 485
>   byte totals: receive 72955, send 61850
>   packet drops: receive 0, seq error 0, send 60
>
> This was captured after the reboot so there isn't much happening, but you can see there are tx packet drops.
>
> I've used various debug commands to try and get something to work on, including the following:
>
> debug mpls l2 vc event
> debug mpls l2 vc fsm
> debug mpls l2transport signaling message
> debug mpls l2 packet error
>
> I was hoping the last one would reveal something interesting, but I only seemed to get output from the first 1-2 commands.
>
> The xconnect establishes with no problems, and it will stay up, it just seems to be dropping packets for some reason.
>
> Is anyone familiar with the causes of these types of issues and what else can be looked at/debugged and how to resolve it?
>
> Thanks,
> Tom
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From brett at looney.id.au Sun Aug 9 19:27:47 2009
From: brett at looney.id.au (Brett Looney)
Date: Mon, 10 Aug 2009 07:27:47 +0800
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
References: <4A7EBC05.60000@imperial.ac.uk>
Message-ID: <04cc01ca1949$06672350$133569f0$@id.au>

> Let's simplify it,
> I have cisco devices we authenticate locally on each device.
> We want to centralize the AAA on a server, so I thought to
> install a tac-plus or a freeradius on a linux box,

You can do (almost) everything you want by using the IAS (Internet Authentication Service - the badly named RADIUS server) that is included with your Windows servers. You can create groups; set up those groups so that different authentication parameters are returned; set up command groups with different "enable" levels on the devices and have your different levels of authorisation. It isn't the simplest setup but I have done it before and it works fine. It avoids having to have another server in the mix; it is free (which is good for most people); and if you want redundancy you can simply set up IAS on multiple AD servers and point your devices to them as you see fit.
The only downside is you can't do per-command authorisation because RADIUS doesn't support that.

B.

From mtinka at globaltransit.net Sun Aug 9 23:26:49 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 10 Aug 2009 11:26:49 +0800
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
In-Reply-To: <4A7B02DE.6040601@nexus6.co.za>
References: <4A7B02DE.6040601@nexus6.co.za>
Message-ID: <200908101126.56928.mtinka@globaltransit.net>

On Friday 07 August 2009 12:20:46 am Andy Ashley wrote:

> I noticed that the BGP sessions had high InQ and OutQ values of 300+ where they usually sit at 0 and the router was generally not very responsive on the command line.

Sounds like an MTU issue between your BGP speakers. Can you verify the negotiated MSS over the BGP session and ensure all transit interfaces can actually support that value, at a minimum?:

#sh ip bgp neighbors 1.2.3.4 | i Datagram
Datagrams (max data segment is 1500 bytes):
#

Cheers,

Mark.

From jckdaniels12 at gmail.com Mon Aug 10 00:55:24 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 10:25:24 +0530
Subject: [c-nsp] ALARM CARD ERROR
Message-ID: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>

Hi All

I'm getting the below error on GSR 12416 ALARM CARD - IOS 12.0(32)SY6

WARNING: Unknown MBUS agent controller type, slot 24
Contact your technical support representative.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Hi All,

We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
------------

Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS, which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.

Please advise if this solution will work. Also advise if there is any better solution for this scenario.

Thanks and Regards
J.Daniels

From affanzbasalamah at gmail.com Mon Aug 10 01:46:46 2009
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Mon, 10 Aug 2009 12:46:46 +0700
Subject: [c-nsp] TestMacNotification test problem on 7600 SRC3, SUP720-3B, X6748-DFC3B
Message-ID:

Hi all,

I would like to know what problem usually happens to the router (7600 SRC3, SUP720-3B, X6748-DFC) which most of the time is failing the TestMacNotification diagnostic test.

Router# sh diagnostic result module 3 detail
 12) TestMacNotification -------------> .
         Error code ------------------> 1 (DIAG_FAILURE)
         Total run count -------------> 13
         Last test execution time ----> Aug 10 2009 11:39:09
         First test failure time -----> Aug 10 2009 11:20:28
         Last test failure time ------> Aug 10 2009 11:39:09
         Last test pass time ---------> Aug 10 2009 11:31:58
         Total failure count ---------> 7
         Consecutive failure count ---> 3

And sometimes the linecard fails the test consecutively and makes the linecard reset. Please help me to troubleshoot this problem.

Thanks!
-affan

From brett at looney.id.au Mon Aug 10 03:49:24 2009
From: brett at looney.id.au (Brett Looney)
Date: Mon, 10 Aug 2009 15:49:24 +0800
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
References: <4A7EBC05.60000@imperial.ac.uk> <04cc01ca1949$06672350$133569f0$@id.au> <052d01ca198b$4c49bd50$e4dd37f0$@id.au>
Message-ID: <053401ca198f$19175e20$4b461a60$@id.au>

Just to keep the list archives up-to-date with things so that other people can benefit:

Between us, Ziv came up with this link:
http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

And there is a much older guide on the Cisco website:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

B.

From david.freedman at uk.clara.net Mon Aug 10 06:32:21 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 11:32:21 +0100
Subject: [c-nsp] TACACS/RADUIS/AD
In-Reply-To:
References:
Message-ID:

You can also use the RADIATOR radius server (http://www.open.com.au/radiator/) which is as flexible (if not more IMHO) as freeradius and has the added benefit of a TACACS+ interface to routers. It is written in and configured with PERL.

Unfortunately, it costs money (but the sum is trivial for the functionality AFAIK)

Dave

Ziv Leyes wrote:
> Hi all,
>
> I'm in need to implement an AAA method other than local for our Cisco devices (routers/switches)
>
> I was thinking of using the already existing Active Directory, because all people have an account there and a strict secure password policy.
>
> Also when someone quits, their user is always removed from there but I don't always get notifications about personnel changes so to manage another independent user DB is not good for me.
>
> At the beginning I was thinking to directly connect the AD servers, but this doesn't give me too much flexibility, I don't manage those servers and I don't want to depend on others regarding the authorizations.
>
> I was thinking about a server like radius or tacacs that will check only the user authentication against the AD server and perhaps retrieve a value of which group the user belongs to, let's say I only need two or three degrees of authorization (read-only, operator, and admins). All the rest of the command authorization granularity will be performed by the radius/tacacs server, based on the user's groups.
>
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?
>
> Thanks in advance!
>
> Regards,
>
> Ziv

From david.freedman at uk.clara.net Mon Aug 10 06:33:32 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 11:33:32 +0100
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com>
Message-ID: <4A7FF77C.6000703@uk.clara.net>

If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?

Dave.

jack daniels wrote:
> Hi All,
>
> We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
> Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
> ------------
>
> Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS, which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>
> Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>
> Thanks and Regards
> J.Daniels

From jckdaniels12 at gmail.com Mon Aug 10 07:19:24 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 16:49:24 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <4A7FF77C.6000703@uk.clara.net>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net>
Message-ID: <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>

Hi,

Customer---ISP1---ISP2---Internet

using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".

The following conditions apply:
If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers. This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Please advise how to go for this.
Regards
J.Daniels

On 8/10/09, David Freedman wrote:
>
> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>
> Dave.
>
> jack daniels wrote:
> > Hi All,
> >
> > We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
> > Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
> > ------------
> >
> > Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS, which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
> >
> > Please advise if this solution will work. Also advise if there is any better solution for this scenario.
> >
> > Thanks and Regards
> > J.Daniels

From jckdaniels12 at gmail.com Mon Aug 10 07:59:23 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 17:29:23 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com>
Message-ID: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>

Hi,

Just to be more specific on the solution requirement -

Customer---ISP1---ISP2---Internet

The Internet should not see the ISP1 AS number. I'm looking for an L3 solution.

Thanks and Regards
J.daniels

On 8/10/09, jack daniels wrote:
> Hi,
>
> Customer---ISP1---ISP2---Internet
>
> using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".
>
> The following conditions apply:
> If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers. This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> Please advise how to go for this.
> Regards
> J.Daniels
>
> On 8/10/09, David Freedman wrote:
>>
>> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>>
>> Dave.
>>
>> jack daniels wrote:
>> > Hi All,
>> >
>> > We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
>> > Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
>> > ------------
>> >
>> > Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS, which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>> >
>> > Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>> >
>> > Thanks and Regards
>> > J.Daniels

From td_miles at yahoo.com Mon Aug 10 08:43:59 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 10 Aug 2009 05:43:59 -0700 (PDT)
Subject: [c-nsp] cross-vrf tunnels
Message-ID: <795601.43456.qm@web110114.mail.gq1.yahoo.com>

Hi all,

I want to route traffic from one VRF to another VRF on the same router.
I did some searching and came across a prior discussion of this very same topic:

http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html

So I decided to create a tunnel between two VRFs on the same box using loopback addresses for the tunnels.

I set it all up and I can ping from the IP of one end of the tunnel in one VRF to the other end of the tunnel in the second VRF.

The problem I have is that traffic from other sources isn't going over the tunnel properly.

The config looks something like this:

!
interface Loopback 501
 ip address 10.1.41.201 255.255.255.255
!
interface Loopback 502
 ip address 10.1.41.202 255.255.255.255
!
interface Tunnel 501
 ip vrf forwarding vrf1
 ip address 10.1.41.197 255.255.255.252
 tunnel source Loopback 501
 tunnel destination 10.1.41.202
!
interface Tunnel 502
 ip vrf forwarding vrf2
 ip address 10.1.41.198 255.255.255.252
 tunnel source Loopback 502
 tunnel destination 10.1.41.201
!

I set up a test lab with a 2611 router either side of a 7206 running 12.2(33)SRC (which is doing the VRF crossover). It's all ethernet, no BGP, just two local VRFs on the 7200, nothing fancy.

When I attempt to ping the 2611 router on the other side (via my loopback tunnel crossover connection) I get no response.

If I look at the stats on the tunnel interface it's as if the traffic isn't going into the tunnel. The input and output counters are all staying the same. This contrasts to when I ping directly from one end of the tunnel to the other as the counters do increase (and I get responses back).

If I enable some debug, I get the following:
* Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
* CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason

Which shows that my packet across the tunnel is being dropped, but I don't know why.
When I do the ping direct from one tunnel end IP to the other, I see the normal sequence of events I would expect (packet routed via RIB, packet goes into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).

Is this supposed to work? Does anyone else have it working? What might I be doing wrong?

Many thanks,
Tony.

From Jeff.Wojciechowski at midlandpaper.com Mon Aug 10 08:53:08 2009
From: Jeff.Wojciechowski at midlandpaper.com (Jeff Wojciechowski)
Date: Mon, 10 Aug 2009 07:53:08 -0500
Subject: [c-nsp] IPSLAs with OpenNMS or Other?
In-Reply-To: <1249731409.3129.29.camel@abehat.net.rm.dk>
References: <6B8401A83219DF499C34DEAEE9A599921256B58E2A@XBOX.midlandpaper.com> <6B8401A83219DF499C34DEAEE9A599921256B58E7E@XBOX.midlandpaper.com> <1249731409.3129.29.camel@abehat.net.rm.dk>
Message-ID: <6B8401A83219DF499C34DEAEE9A599921256B58EB5@XBOX.midlandpaper.com>

Thanks Peter. I appreciate the insight.

-Jeff

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk]
Sent: Saturday, August 08, 2009 6:37 AM
To: Jeff Wojciechowski
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSLAs with OpenNMS or Other?

I'll give it a shot, even though we don't really have a planned professional setup. :-)

We only use the data for internal purposes. We're an enterprise and our SLAs (OLAs) currently do not require us to present any data on latency/jitter/loss. We use Cacti to graph the results.

For voice circuits we typically measure "standard" 20 packets, 192 bytes payload, 20 ms interval with a jitter probe. We always use both an EF-marked and a DSCP0-marked one. For data circuit quality we use N x 1000 packets, 384 bytes payload, 50 ms interval, also a jitter probe. This means they run for a longer time and thus will catch the extreme jitter. OTOH it gives a good picture of the base line.
Regarding the questions:

> 1) Is it best to locate the IPSLA monitor on the switch near the phone system or on the WAN edge router (right now we even have anything resembling congestion is on our WAN links)?

I'd locate the measuring unit as close to the phone system as possible, unless of course your part of the responsibility only goes to the edge router.

> 2) Any gotchas that I need to look out for? (False positives on bad performance, etc - for a start I plan on marking the test traffic with the same ToS bit that our VoIP will be marked so it gets the same priority)

We often use 3560 and 3750 switches as responders (they happen to be in the right place) and see very varying quality compared to a 2800 in the same place. I guess that's because of a slow processor or something.

> 3) This should be simple but what's the minimum IOS flavor required to configure the IPSLA monitor (2811 router if I decide to make the WAN router the IPSLA monitor or 3560 switch if I decide to locate the monitor on the switch the PBX is on) (I can't figure out the IOS feature browser to save my life - sorry I am a N00b)

I seem to remember that the 2800 requires an Enterprise Base license to run IP SLA probes. I don't know about 3560 since we only use those as responders. I think almost all currently available IOS versions support either "rtr" or "ip sla monitor" and a jitter probe.

> 4) Suggestion on other tools other than OpenNMS to monitor IPSLA stats?

Cacti works very well for us.

> 5) Suggested intervals, packet sizes, anything else of each test?

We largely went for the defaults believing (possibly naively) that this would follow some "industry standard".
Regards,
Peter

From jfitz at Princeton.EDU Mon Aug 10 09:24:22 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Mon, 10 Aug 2009 09:24:22 -0400
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
References: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
Message-ID:

I believe your problem is that both ends of the tunnel have the same mac address causing arp to fail. You can change one end and it should work. I had a similar problem with a VRF path back to global on the same router, but I had to use the physical interfaces to get around the "single lookup in cef issue".

Jeff Fitzwater
OIT Network Systems
Princeton University

On Aug 10, 2009, at 8:43 AM, Tony wrote:

> Hi all,
>
> I want to route traffic from one VRF to another VRF on the same router. I did some searching and came across a prior discussion of this very same topic:
>
> http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
>
> So I decided to create a tunnel between two VRFs on the same box using loopback addresses for the tunnels.
>
> I set it all up and I can ping from the IP of one end of the tunnel in one VRF to the other end of the tunnel in the second VRF.
>
> The problem I have is that traffic from other sources isn't going over the tunnel properly.
>
> The config looks something like this:
>
> !
> interface Loopback 501
>  ip address 10.1.41.201 255.255.255.255
> !
> interface Loopback 502
>  ip address 10.1.41.202 255.255.255.255
> !
> interface Tunnel 501
>  ip vrf forwarding vrf1
>  ip address 10.1.41.197 255.255.255.252
>  tunnel source Loopback 501
>  tunnel destination 10.1.41.202
> !
> interface Tunnel 502
>  ip vrf forwarding vrf2
>  ip address 10.1.41.198 255.255.255.252
>  tunnel source Loopback 502
>  tunnel destination 10.1.41.201
> !
>
> I set up a test lab with a 2611 router either side of a 7206 running 12.2(33)SRC (which is doing the VRF crossover).
> It's all ethernet, no BGP, just two local VRFs on the 7200, nothing fancy.
>
> When I attempt to ping the 2611 router on the other side (via my loopback tunnel crossover connection) I get no response.
>
> If I look at the stats on the tunnel interface it's as if the traffic isn't going into the tunnel. The input and output counters are all staying the same. This contrasts to when I ping directly from one end of the tunnel to the other as the counters do increase (and I get responses back).
>
> If I enable some debug, I get the following:
> * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason
>
> Which shows that my packet across the tunnel is being dropped, but I don't know why.
>
> When I do the ping direct from one tunnel end IP to the other, I see the normal sequence of events I would expect (packet routed via RIB, packet goes into tunnel, GRE encap, packet from one loopback to other, GRE decap, etc).
>
> Is this supposed to work? Does anyone else have it working? What might I be doing wrong?
>
> Many thanks,
> Tony.
From david.freedman at uk.clara.net Mon Aug 10 09:24:20 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 10 Aug 2009 14:24:20 +0100
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
Message-ID: <4A801F84.9000104@uk.clara.net>

Well, not sure how your solution would work, the dual-as configuration will not achieve this unless it is between ISP2 and ISP1 which is unlikely to be the case. ISP2 will not accept the customer's in updates directly from ISP1 without disabling "bgp enforce-first-as" which it is unlikely to want to do.

jack daniels wrote:
> Hi,
>
> Just to be more specific on the solution requirement -
>
> Customer---ISP1---ISP2---Internet
>
> The Internet should not see the ISP1 AS number. I'm looking for an L3 solution.
>
> Thanks and Regards
> J.daniels
>
> On 8/10/09, jack daniels wrote:
>
>> Hi,
>>
>> Customer---ISP1---ISP2---Internet
>>
>> using "local-as no-prepend replace-as" (Cisco commands) configured for ISP1 BGP peering sessions with "Customer" and "ISP2" would do the trick of hiding ISP1's AS#. ISP1 will pretend to look like "Customer" to ISP2, and look like "ISP2" to "Customer". Furthermore, you may use tunneling in ISP1 (e.g. deploy MPLS) and make it look almost completely transparent to "Customer".
>>
>> The following conditions apply:
>> If the AS_PATH includes both private and public AS numbers, BGP doesn't remove the private AS numbers.
>> This situation is considered a configuration error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>
>> Please advise how to go for this.
>> Regards
>> J.Daniels
>>
>> On 8/10/09, David Freedman wrote:
>>> If the ISP is in the middle, who is the upstream and what does the L2VPN do? Can you provide a simple diagram?
>>>
>>> Dave.
>>>
>>> jack daniels wrote:
>>>> Hi All,
>>>>
>>>> We had a requirement in which the customer wants that the ISP AS should not be visible when routes are advertised to the internet via an upstream (L2 VPN solution).
>>>> Can we use the BGP command no-prepend with the Replace AS attribute to hide the ISP AS on the internet?
>>>> ------------
>>>>
>>>> Can we peer with the customer using a local AS which will be a private AS. We will use the no-prepend command along with Replace AS, which will replace the ISP AS with the private AS which is used for peering. While going out to any international peer we will remove the private AS. On the internet only the customer AS and peer AS will be visible.
>>>>
>>>> Please advise if this solution will work. Also advise if there is any better solution for this scenario.
>>>> >>>> >>>> Thanks and Regards >>>> J.Daniels >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From david.freedman at uk.clara.net Mon Aug 10 09:24:20 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 10 Aug 2009 14:24:20 +0100 Subject: [c-nsp] HIDE AS BGP In-Reply-To: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com> References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com> Message-ID: <4A801F84.9000104@uk.clara.net> Well, not sure how your solution would work, the dual-as configuration will not achieve this unless it is between ISP2 and ISP1 which is unlikely to be the case. ISP2 will not accept the customer's in updates directly from ISP1 without disabling "bgp enforce-first-as" which it is unlikely to want to do. jack daniels wrote: > Hi , > > Just to be more specific on the solution requirement - > > Customer---ISP1---ISP2---Internet > > > Internet should not see ISP1 AS number . I 'm looking for L3 solution. > > Thanks and Regards > J.daniels > > > On 8/10/09, jack daniels wrote: > > >> Hi, >> >> Customer---ISP1---ISP2---Internet >> >> using "local-as no-prepend replace-as" (Cisco commands) >> configured for ISP1 BGP peering sessions with "Customer" and "ISP2" >> would do the trick of hiding ISP1's AS#. ISP1 will pretend to look >> like "Customer" to ISP2, and look like "ISP2" to "Customer". >> Furthermore, you may use tunneling in ISP1 (e.g. 
deploy MPLS) and make >> it look almost completely transparent to "Customer". >> >> The following conditions apply: >> If the AS_PATH includes both private and public AS numbers, BGP doesn't >> remove the private AS numbers. This situation is considered a configuration >> error.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< >> >> Please advise how to go for this. >> Regards >> J.Daniels >> >> >> On 8/10/09, David Freedman wrote: >>> If the ISP is in the middle , who is the upstream and what does the >>> L2VPN do? can you provide a simple diagram? >>> >>> Dave. >>> >>> jack daniels wrote: >>>> Hi All, >>>> >>>> We had a requirement in which customer wants that the ISP- AS should not >>> be >>>> visible when route are advertised to internet via a upstream(L2 VPN >>>> solution). >>>> Can we use BGP command no-prepend with Replace AS attribute to hide ISP >>> AS >>>> in internet. ------------ >>>> >>>> Can we peer with customer using local AS which will be private AS.We >>> will >>>> use no prepend command along with Replace AS which will replace ISP AS >>> with >>>> the private AS which is used for Peering.While going out to any >>>> international Peer we will remove private AS . On internet only customer >>> AS >>>> and Peer AS will be visible. >>>> >>>> Please advise is this solution will work . Also advise if any better >>>> solution for this scenario. 
>>>>
>>>>
>>>> Thanks and Regards
>>>> J.Daniels
>>>>
>>>
>

From markom at markom.info  Mon Aug 10 09:36:38 2009
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 10 Aug 2009 13:36:38 +0000
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
Message-ID:

You can use CSC in ISP1 and run BGP directly between Customer and ISP2.

On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> Hi,
>
> Just to be more specific on the solution requirement -
>
> Customer---ISP1---ISP2---Internet
>
> Internet should not see ISP1 AS number. I'm looking for an L3 solution.

From frosya84 at mail.ru  Mon Aug 10 09:42:47 2009
From: frosya84 at mail.ru (Olga Ruzhanskaya)
Date: Mon, 10 Aug 2009 17:42:47 +0400
Subject: [c-nsp] Cisco 7206 - IOS version for L2TPV3
Message-ID:

Hi,

We are using 12.2(31)SB11 for 7206VXR (G1/G2). Maybe a little old, but BGP
sessions and EVC (xconnect) are stable enough on it.
Instead of RADIUS we're using TACACS.

Best regards,
Olga

From frosya84 at mail.ru  Mon Aug 10 10:10:57 2009
From: frosya84 at mail.ru (Olga Ruzhanskaya)
Date: Mon, 10 Aug 2009 18:10:57 +0400
Subject: [c-nsp] MPLS QoS at SPA-5X1GE-V2, SIP 400, 7604RSP720 (Ruzhanskaya Olga)
Message-ID:

Hello List!

In our MPLS network we use 7604RSP720 with SPA-5X1GE-V2 installed in SIP 400
as the PE router, where client services terminate. As the MPLS edge, we
perform "typical" traffic classification and marking. A standard policy-map
looks like this (matching based on DSCP, marking with MPLS EXP):

  Policy Map Network-VoIP-In
    Class qos-realtime
      set mpls experimental imposition 5
    ...
    Class class-default
      set mpls experimental imposition 0

  Class Map match-any qos-realtime (id 21)
    Match ip dscp ef (46)

For example, we have two subinterfaces, gi3/0/0.210 and gi3/0/0.211. Both of
them have a policy-map like the one described. If a packet enters
gi3/0/0.210 with DSCP=EF and goes to gi3/0/0.211, it appears with DSCP=CS5.

Is this normal? For 76x, it is. Because of the 76x platform QoS
implementation, for traffic local to the router (IP-IP) the router overwrites
the DSCP value of the packet when such a policy-map is in use:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/mplsqos.html#wp1475897

I've even opened a case, but the best proposed approach was to distinguish
IP-IP traffic from IP-MPLS traffic with an ACL. This is a bad solution for
us: increased load on the router, lots of hand-work, and we have hundreds of
such circuits. We have been trying to resolve this problem since April, and
there is no sufficient solution. Maybe someone has resolved this?

P.S. "no mls qos rewrite ip dscp" doesn't work properly on PFC MPLS, already
tried.
Best regards,
Olga

From linux.yahoo at gmail.com  Mon Aug 10 10:51:39 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 10 Aug 2009 16:51:39 +0200
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz>
Message-ID: <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>

Cisco best practice is to use PAgP if you want to avoid the VSS dual-active
scenario (better than BFD).

On Thu, Aug 6, 2009 at 1:50 AM, Ivan wrote:
> The Cisco VSS best practice document states
>
> Recommendations
> * Always run L2 or L3 MEC.
> * Do not use on and off options with PAgP or LACP or Trunk
>   protocol negotiation.
>   o PAgP - Run Desirable-Desirable with MEC links.
>   o LACP - Run Active-Active with MEC links.
>   o Trunk - Run Desirable-Desirable with MEC links.
>
> http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml
>
> There is not really any explanation of the reasoning behind these
> recommendations. If anyone can explain the rationale that would be great.
> I would also be interested to hear what settings people are using in
> production, why, and how that is going.
>
> Generally in non-VSS setups I have found setting links explicitly to trunk
> mode and as etherchannel members has been reliable and would like to
> understand why they are not recommended above.
>
> Thanks
>
> Ivan
>

From jckdaniels12 at gmail.com  Mon Aug 10 11:00:41 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 10 Aug 2009 20:30:41 +0530
Subject: [c-nsp] HIDE AS BGP
In-Reply-To:
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com>
Message-ID: <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>

Hi Mark,

can you please put more light on the example you proposed.

Thanks and Regards
J.Daniels

On 8/10/09, Marko Milivojevic wrote:
>
> You can use CSC in ISP1 and run BGP directly between Customer and ISP2.
>
> On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> > Hi,
> >
> > Just to be more specific on the solution requirement -
> >
> > Customer---ISP1---ISP2---Internet
> >
> > Internet should not see ISP1 AS number. I'm looking for an L3 solution.
>

From linux.yahoo at gmail.com  Mon Aug 10 11:51:22 2009
From: linux.yahoo at gmail.com (Manu Chao)
Date: Mon, 10 Aug 2009 17:51:22 +0200
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
References: <795601.43456.qm@web110114.mail.gq1.yahoo.com>
Message-ID: <7100ed370908100851w734a1907s66f6bfd0e5694a01@mail.gmail.com>

You can do it just by using Route Target import/export communities.

On Mon, Aug 10, 2009 at 2:43 PM, Tony wrote:
> Hi all,
>
> I want to route traffic from one VRF to another VRF on the same router.
> I did some searching and came across a prior discussion of this very same
> topic:
>
> http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
>
> So I decided to create a tunnel between two VRFs on the same box using
> loopback addresses for the tunnels.
>
> I set it all up and I can ping from the IP of one end of the tunnel in one
> VRF to the other end of the tunnel in the second VRF.
>
> The problem I have is that traffic from other sources isn't going over the
> tunnel properly.
>
> The config looks something like this:
>
> !
> interface Loopback 501
>  ip address 10.1.41.201 255.255.255.255
> !
> interface Loopback 502
>  ip address 10.1.41.202 255.255.255.255
> !
> interface Tunnel 501
>  ip vrf forwarding vrf1
>  ip address 10.1.41.197 255.255.255.252
>  tunnel source Loopback 501
>  tunnel destination 10.1.41.202
> !
> interface Tunnel 502
>  ip vrf forwarding vrf2
>  ip address 10.1.41.198 255.255.255.252
>  tunnel source Loopback 502
>  tunnel destination 10.1.41.201
> !
>
> I set up a test lab with a 2611 router either side of a 7206 running
> 12.2(33)SRC (which is doing the VRF crossover). It's all ethernet, no BGP,
> just two local VRFs on the 7200, nothing fancy.
>
> When I attempt to ping the 2611 router on the other side (via my loopback
> tunnel crossover connection) I get no response.
>
> If I look at the stats on the tunnel interface it's as if the traffic isn't
> going into the tunnel. The input and output counters are all staying the
> same. This contrasts to when I ping directly from one end of the tunnel to
> the other, as the counters do increase (and I get responses back).
>
> If I enable some debug, I get the following:
> * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified
>   reason
>
> Which shows that my packet across the tunnel is being dropped, but I don't
> know why.
>
> When I do the ping direct from one tunnel end IP to the other, I see the
> normal sequence of events I would expect (packet routed via RIB, packet goes
> into tunnel, GRE encap, packet from one loopback to the other, GRE decap, etc).
>
> Is this supposed to work? Does anyone else have it working? What might I
> be doing wrong?
>
> Many thanks,
> Tony.
>

From jon at defenderhosting.com  Mon Aug 10 11:52:30 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 11:52:30 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
Message-ID: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com>

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
From jon at defenderhosting.com  Mon Aug 10 12:19:37 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 12:19:37 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <002001ca19d6$16a5a290$43f0e7b0$@org>
Message-ID: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>

Hi Paul-

The funny thing is this is the only switch causing problems. We changed the
hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg", cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail.
Nothing shows up on Google and I can find no errata related to SSH access
on the version of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From rwest at zyedge.com  Mon Aug 10 12:23:58 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 10 Aug 2009 12:23:58 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
References: <002001ca19d6$16a5a290$43f0e7b0$@org> <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2EDF@zy-ex1.zyedge.local>

I hate to mention this as an option, but have you rebooted it yet?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed the
hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg", cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....
Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
From jon at defenderhosting.com  Mon Aug 10 11:34:26 2009
From: jon at defenderhosting.com (jon at defenderhosting.com)
Date: Mon, 10 Aug 2009 11:34:26 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions
In-Reply-To: <446521240.2143611249918367658.JavaMail.root@mail.dtgmail.com>
Message-ID: <1704111585.2143691249918466670.JavaMail.root@mail.dtgmail.com>

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
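Returning to the HIDE AS BGP thread above: the following is an added example, not code from the thread, from Cisco, or from any poster. It models the three IOS BGP knobs the thread turns on as pure functions over AS_PATH lists: `neighbor ... local-as N no-prepend replace-as`, the classic `remove-private-as` behaviour quoted in the thread (a path that mixes private and public ASNs is left untouched), and `bgp enforce-first-as`. The ASNs 100/200/300/65000 and the function names are made up for illustration; only 16-bit private ASNs are considered, and the IOS `remove-private-as all` variant that appeared later is deliberately not modelled.

```python
"""AS_PATH bookkeeping for the Customer---ISP1---ISP2---Internet case.

Added example, not from the original thread. ASNs are invented:
Customer = 100, ISP1 real AS = 200, ISP2 = 300, ISP1's private local-as = 65000.
"""

# RFC 6996 16-bit private range (64512..65534); 4-byte private ASNs ignored here.
PRIVATE_16BIT = range(64512, 65535)


def is_private(asn):
    return asn in PRIVATE_16BIT


def send_ebgp(path, real_as, local_as=None, replace_as=False):
    """AS_PATH as advertised to an eBGP neighbour.

    No local-as:                 prepend the real AS.
    local-as without replace-as: IOS prepends both, local-as leftmost.
    local-as replace-as:         only the local-as appears; real AS is hidden.
    """
    if local_as is None:
        return [real_as] + path
    if replace_as:
        return [local_as] + path
    return [local_as, real_as] + path


def receive_ebgp(path, local_as=None, no_prepend=False):
    """AS_PATH as seen inside the receiving AS.

    With local-as and without no-prepend, IOS also prepends the local-as to
    routes received from that neighbour; no-prepend suppresses it.
    """
    if local_as is not None and not no_prepend:
        return [local_as] + path
    return list(path)


def remove_private_as(path):
    """Classic IOS `remove-private-as` (before the `all` keyword existed).

    Private ASNs are stripped only when the whole path is private. A path
    mixing private and public ASNs is returned unchanged, which is exactly
    the "configuration error" condition quoted in the thread.
    """
    if path and all(is_private(a) for a in path):
        return []
    return list(path)


def enforce_first_as(path, neighbor_remote_as):
    """`bgp enforce-first-as`: the leftmost ASN must equal the neighbour's
    configured remote-as, otherwise the update is rejected."""
    return bool(path) and path[0] == neighbor_remote_as


def trace_customer_prefix(customer_as=100, isp1_as=200, isp2_as=300,
                          isp1_local_as=65000):
    """Walk one customer prefix from Customer to the Internet with ISP1 using
    `local-as <private> no-prepend replace-as` toward both neighbours and
    ISP2 applying `remove-private-as` toward the Internet."""
    # Customer -> ISP1: nothing special on the customer side.
    on_wire = send_ebgp([], customer_as)                                # [100]
    # Inside ISP1: no-prepend, so the local-as is not added on receipt.
    in_isp1 = receive_ebgp(on_wire, isp1_local_as, no_prepend=True)     # [100]
    # ISP1 -> ISP2: replace-as hides ISP1's real AS 200 behind 65000.
    to_isp2 = send_ebgp(in_isp1, isp1_as, isp1_local_as, replace_as=True)  # [65000, 100]
    # ISP2 only accepts this if its neighbour statement says remote-as 65000.
    accepted = enforce_first_as(to_isp2, isp1_local_as)
    # ISP2 -> Internet: remove-private-as, then ISP2 prepends itself.
    to_internet = send_ebgp(remove_private_as(to_isp2), isp2_as)
    return {
        "to_isp2": to_isp2,
        "accepted_by_isp2": accepted,
        "internet_sees": to_internet,
        "isp1_private_as_leaked": isp1_local_as in to_internet,
    }


if __name__ == "__main__":
    for key, value in trace_customer_prefix().items():
        print(f"{key}: {value}")
```

The trace shows the trap in the quoted Cisco condition: because the customer's public AS 100 sits behind ISP1's private 65000, ISP2's `remove-private-as` leaves the path alone and the Internet sees `300 65000 100`. The private AS only disappears when the whole path is private, and ISP2 must also configure its ISP1 session with `remote-as 65000` or `enforce-first-as` rejects the update, which is the point David Freedman raises.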
From ip at ioshints.info  Mon Aug 10 12:30:30 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Mon, 10 Aug 2009 18:30:30 +0200
Subject: [c-nsp] HIDE AS BGP
In-Reply-To: <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>
References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com> <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com>
Message-ID: <004b01ca19d7$e139e010$0a00000a@nil.si>

Much easier: run a multihop EBGP session between Customer and ISP2 (plus the
regular EBGP session Customer-ISP1). Just make sure something reachable
within ISP1 is announced as the next-hop.

> -----Original Message-----
> From: jack daniels [mailto:jckdaniels12 at gmail.com]
> Sent: Monday, August 10, 2009 5:01 PM
> To: Marko Milivojevic
> Cc: Cisco-NSP
> Subject: Re: [c-nsp] HIDE AS BGP
>
> Hi Mark,
>
> can you please put more light on the example you proposed.
>
> Thanks and Regards
> J.Daniels
>
> On 8/10/09, Marko Milivojevic wrote:
> >
> > You can use CSC in ISP1 and run BGP directly between
> > Customer and ISP2.
> >
> > On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> > > Hi,
> > >
> > > Just to be more specific on the solution requirement -
> > >
> > > Customer---ISP1---ISP2---Internet
> > >
> > > Internet should not see ISP1 AS number. I'm looking for
> > > an L3 solution.
> >

From jon at defenderhosting.com  Mon Aug 10 12:41:38 2009
From: jon at defenderhosting.com (jon at defenderhosting.com)
Date: Mon, 10 Aug 2009 12:41:38 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <233097658.2149811249922487269.JavaMail.root@mail.dtgmail.com>
Message-ID: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>

Hi Ryan/Paul-

Not without scheduling a maintenance window, which I was hoping to avoid.
I am sure a reload would fix the problem, as I'd also use it as an
opportunity to upgrade the code since I am a half dozen revs behind and have
switches running newer versions without any stability issues.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg"
Cc: cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

That is very strange.... are you able to kick the switch (power cycle) to
see if it resolves or not? I know you shouldn't have to but I'm out of
answers too ;)

-----Original Message-----
From: Jon Wolberg [mailto:jon at defenderhosting.com]
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed the
hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg", cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.
I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail. Nothing shows
up on Google and I can find no errata related to SSH access on the version
of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From dudepron at gmail.com  Mon Aug 10 12:45:05 2009
From: dudepron at gmail.com (Aaron)
Date: Mon, 10 Aug 2009 12:45:05 -0400
Subject: [c-nsp] ALARM CARD ERROR
In-Reply-To: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>
References: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com>
Message-ID: <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com>

Open a TAC case.
On Mon, Aug 10, 2009 at 00:55, jack daniels wrote:
> Hi All
>
> I'm getting the below error on a GSR 12416 ALARM CARD -
>
> IOS 12.0(32)SY6
>
> WARNING: Unknown MBUS agent controller type, slot 24
> Contact your technical support
> representative. <<<<<<<<<<<<<<<<<<<<
>
> sh diag 24
>
> SLOT 24 (ALM 0 ): Alarm Module(16)
>   MAIN: type 64, 800-5570-05 rev C0
>   Deviation: 0
>   HW config: 0x00 SW key: 00-00-00
>   PCA: 73-4266-04 rev B0 ver 3
>   Design Release 1.0 S/N SAL1250CZJ9
>   MBUS: Unknown (0) 00-0000-00 rev 70 dev 0
>   HW version 1.2 S/N SAL1248BSQ5
>   Test hist: 0x00 RMA#: 00-00-00 RMA hist: 0x00
>   DIAG: Test count: 0x00000000 Test results: 0x00000000
>   FRU: Linecard/Module: GSR16-ALRM=
>   MBUS Agent Software version 2.68 (RAM) (ROM version is 3.66)
>
> sh gsr
>
> Slot 0 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>   subslot 0/1: Empty
>   subslot 0/2: Empty
>   subslot 0/3: Empty
> Slot 5 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 5/0: SPA-2XOC48POS/RPR (0x46F), status is ok
>   subslot 5/1: SPA-5X1GE-V2 (0x50A), status is ok
>   subslot 5/2: Empty
>   subslot 5/3: Empty
> Slot 6 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 6/0: SPA-4XT3/E3 (0x40B), status is ok
>   subslot 6/1: SPA-4XT3/E3 (0x40B), status is ok
>   subslot 6/2: SPA-8XOC3-POS (0x505), status is ok
>   subslot 6/3: SPA-8XOC3-POS (0x505), status is ok
> Slot 7 type = Performance Route Processor
>   state = ACTV RP IOS Running ACTIVE
> Slot 8 type = Performance Route Processor
>   state = STBY RP IOS Running STANDBY
> Slot 9 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 9/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>   subslot 9/1: Empty
>   subslot 9/2: Empty
>   subslot 9/3: Empty
> Slot 14 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 14/0: SPA-2XOC48POS/RPR (0x46F), status is ok
>   subslot 14/1:
>   SPA-5X1GE-V2 (0x50A), status is ok
>   subslot 14/2: Empty
>   subslot 14/3: Empty
> Slot 15 type = Modular SPA Interface Card
>   state = IOS RUN Line Card Enabled
>   subslot 15/0: SPA-4XOC12-POS (0x507), status is ok
>   subslot 15/1: SPA-8XOC3-POS (0x505), status is ok
>   subslot 15/2: SPA-4XT3/E3 (0x40B), status is ok
>   subslot 15/3: Empty
> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>   state = Card Powered
> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>   state = Card Powered PRIMARY CLOCK
> Slot 18 type = Switch Fabric Card 16XOC192
>   state = Card Powered
> Slot 19 type = Switch Fabric Card 16XOC192
>   state = Card Powered
> Slot 20 type = Switch Fabric Card 16XOC192
>   state = Card Powered
> Slot 24 type = Alarm Module(16)
>   state = Card Powered
> Slot 25 type = Alarm Module(16)
>   state = Card Powered
> Slot 27 type = Bus Board(16)
>   state = Card Powered
> Slot 28 type = Blower Module(16)
>   state = Card Powered
> Slot 29 type = Blower Module(16)
>   state = Card Powered
>
> Thanks and Regards
> J.Daniels
>

From paul at paulstewart.org  Mon Aug 10 12:35:14 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 10 Aug 2009 12:35:14 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
References: <002001ca19d6$16a5a290$43f0e7b0$@org> <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
Message-ID: <002101ca19d8$9924b330$cb6e1990$@org>

That is very strange.... are you able to kick the switch (power cycle) to
see if it resolves or not?
I know you shouldn't have to but I'm out of answers too ;)

-----Original Message-----
From: Jon Wolberg [mailto:jon at defenderhosting.com]
Sent: Monday, August 10, 2009 12:20 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hi Paul-

The funny thing is this is the only switch causing problems. We changed the
hostnames on over a dozen others without any issues.

I tried re-generating the keys to no avail.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Paul Stewart"
To: "Jon Wolberg", cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
Subject: RE: [c-nsp] SSH no longer functions after hostname change

Normally all we do is a "crypto key gen rsa" if a hostname changes and we
continue on... this regens the keys and stops/starts the SSH process....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SSH no longer functions after hostname change

Hello-

We recently changed some of our hostnames on various legacy switches to
follow our naming convention, and after one change I can no longer SSH to
the switch.

I get the below errors on the console with debug ip ssh client running:

Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00

I zeroized the old keys and re-generated, as well as set the hostname back
to the original and zeroized and re-generated, to no avail.
Nothing shows up on Google and I can find no errata related to SSH access
on the version of code we are running.

Has anyone encountered this before? This is a 3750 running 12.2(44)SE2

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

From jared at puck.nether.net  Mon Aug 10 12:55:02 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 10 Aug 2009 12:55:02 -0400
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>
References: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com>
Message-ID:

You should call TAC and your SE/AM as well to ensure they capture what
happened to avoid this defect in the future.

You may also be able to entirely disable/restart the SSH subsystem, or at
least make sure they have the ability to restart it.

If Cisco doesn't make progress on this front, I'm not sure how they will
continue to survive. The internet of 2000 and later really needs protected
memory and restartable processes instead of the old tech support "have you
turned it off and back on again" policy of dealing with defects. While that
has a place, certainly this is not one of them.

- Jared

On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote:
> Hi Ryan/Paul-
>
> Not without scheduling a maintenance window, which I was hoping to
> avoid. I am sure a reload would fix the problem, as I'd also use it
> as an opportunity to upgrade the code since I am a half dozen revs
> behind and have switches running newer versions without any
> stability issues.
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
>
> ----- Original Message -----
> From: "Paul Stewart"
> To: "Jon Wolberg"
> Cc: cisco-nsp at puck.nether.net
> Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>
> That is very strange.... are you able to kick the switch (power
> cycle) to see if it resolves or not? I know you shouldn't have to
> but I'm out of answers too ;)
>
> -----Original Message-----
> From: Jon Wolberg [mailto:jon at defenderhosting.com]
> Sent: Monday, August 10, 2009 12:20 PM
> To: Paul Stewart
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SSH no longer functions after hostname change
>
> Hi Paul-
>
> The funny thing is this is the only switch causing problems. We
> changed the hostnames on over a dozen others without any issues.
>
> I tried re-generating the keys to no avail.
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
>
> ----- Original Message -----
> From: "Paul Stewart"
> To: "Jon Wolberg", cisco-nsp at puck.nether.net
> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>
> Normally all we do is a "crypto key gen rsa" if a hostname changes
> and we continue on... this regens the keys and stops/starts the SSH
> process....
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
> Sent: Monday, August 10, 2009 11:53 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SSH no longer functions after hostname change
>
> Hello-
>
> We recently changed some of our hostnames on various legacy switches
> to follow our naming convention, and after one change I can no longer
> SSH to the switch.
> > I get the below errors on the console with debug ip ssh client > running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0- > OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the > hostname back > to the original and zero'ized and re-generated to no avail. Nothing > shows > up on Google and I can find no errata related to SSH access on the > version > of code we are running. > > Has anyone encountered this before? This is a 3750 running > 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Mon Aug 10 12:17:14 2009 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 10 Aug 2009 12:17:14 -0400 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com> References: <1651088143.2146011249919550531.JavaMail.root@mail.dtgmail.com> Message-ID: <002001ca19d6$16a5a290$43f0e7b0$@org> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process.... 
Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg Sent: Monday, August 10, 2009 11:53 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] SSH no longer functions after hostname change Hello- We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch. I get the below errors on the console with debug ip ssh client running: Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running. Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 Jon Wolberg Systems Engineer Virtacore Systems Inc. "We Virtualize IT!" _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From moua0100 at umn.edu Mon Aug 10 13:41:48 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 10 Aug 2009 12:41:48 -0500 Subject: [c-nsp] SSH no longer functions after hostname change In-Reply-To: References: <908369987.2149831249922498535.JavaMail.root@mail.dtgmail.com> Message-ID: <4A805BDC.7020401@umn.edu> We saw similar symptoms on cat6k; even a reboot & regen rssa key did not fix the ssh issue; turned out to be some sort of conflict with IP SLA, removed that then all was working. 
Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Jared Mauch wrote:
> You should call TAC and your SE/AM as well to ensure they capture what happened to avoid this defect in the future. You may also be able to entirely disable/restart the SSH subsystem, or at least make sure they have the ability to restart it. If Cisco doesn't make progress on this front, I'm not sure how they will continue to survive. The internet of 2000 and later really needs protected memory and restartable processes instead of the old tech support "have you turned it off and back on again" policy of dealing with defects. While that has a place, certainly this is not one of them.
>
> - Jared
>
> On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote:
>
>> Hi Ryan/Paul-
>>
>> Not without scheduling a maintenance window which I was hoping to avoid. I am sure a reload would fix the problem as I'd also use it as an opportunity to upgrade the code since I am a half dozen revs behind and have switches running newer versions without any stability issues.
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"
>>
>>
>> ----- Original Message -----
>> From: "Paul Stewart"
>> To: "Jon Wolberg"
>> Cc: cisco-nsp at puck.nether.net
>> Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern
>> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>>
>> That is very strange.... are you able to kick the switch (power cycle) to see if it resolves or not? I know you shouldn't have to but I'm out of answers too ;)
>>
>> -----Original Message-----
>> From: Jon Wolberg [mailto:jon at defenderhosting.com]
>> Sent: Monday, August 10, 2009 12:20 PM
>> To: Paul Stewart
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] SSH no longer functions after hostname change
>>
>> Hi Paul-
>>
>> The funny thing is this is the only switch causing problems. We changed the hostnames on over a dozen others without any issues.
>>
>> I tried re-generating the keys to no avail.
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"
>>
>>
>> ----- Original Message -----
>> From: "Paul Stewart"
>> To: "Jon Wolberg" , cisco-nsp at puck.nether.net
>> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
>> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>>
>> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process....
>>
>> Paul
>>
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
>> Sent: Monday, August 10, 2009 11:53 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] SSH no longer functions after hostname change
>>
>> Hello-
>>
>> We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch.
>>
>> I get the below errors on the console with debug ip ssh client running:
>>
>> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
>> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
>> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
>> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
>> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
>>
>> I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running.
>>
>> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"

From jon at defenderhosting.com  Mon Aug 10 14:09:41 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 14:09:41 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <4A805BDC.7020401@umn.edu>
Message-ID: <1839562794.2157121249927781445.JavaMail.root@mail.dtgmail.com>

Jared-

Unfortunately we do not have SmartNET for this specific device, although we do have coverage for our higher up infrastructure.
I do not know Cisco's policy on supporting devices without a contract but I highly doubt they would work with me to a resolution without an existing SmartNET contract for this device.

I will try JF's solution (I did this already but did not do it in the specific order he mentioned) and then schedule a reload if that fails.

Thanks.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Ge Moua"
To: "Jared Mauch"
Cc: "Jon Wolberg" , cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 1:41:48 PM GMT -05:00 US/Canada Eastern
Subject: Re: [c-nsp] SSH no longer functions after hostname change

We saw similar symptoms on cat6k; even a reboot & regen rsa key did not fix the ssh issue; turned out to be some sort of conflict with IP SLA, removed that then all was working.

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Jared Mauch wrote:
> You should call TAC and your SE/AM as well to ensure they capture what happened to avoid this defect in the future. You may also be able to entirely disable/restart the SSH subsystem, or at least make sure they have the ability to restart it. If Cisco doesn't make progress on this front, I'm not sure how they will continue to survive. The internet of 2000 and later really needs protected memory and restartable processes instead of the old tech support "have you turned it off and back on again" policy of dealing with defects. While that has a place, certainly this is not one of them.
>
> - Jared
>
> On Aug 10, 2009, at 12:41 PM, jon at defenderhosting.com wrote:
>
>> Hi Ryan/Paul-
>>
>> Not without scheduling a maintenance window which I was hoping to avoid. I am sure a reload would fix the problem as I'd also use it as an opportunity to upgrade the code since I am a half dozen revs behind and have switches running newer versions without any stability issues.
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"
>>
>>
>> ----- Original Message -----
>> From: "Paul Stewart"
>> To: "Jon Wolberg"
>> Cc: cisco-nsp at puck.nether.net
>> Sent: Monday, August 10, 2009 12:35:14 PM GMT -05:00 US/Canada Eastern
>> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>>
>> That is very strange.... are you able to kick the switch (power cycle) to see if it resolves or not? I know you shouldn't have to but I'm out of answers too ;)
>>
>> -----Original Message-----
>> From: Jon Wolberg [mailto:jon at defenderhosting.com]
>> Sent: Monday, August 10, 2009 12:20 PM
>> To: Paul Stewart
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] SSH no longer functions after hostname change
>>
>> Hi Paul-
>>
>> The funny thing is this is the only switch causing problems. We changed the hostnames on over a dozen others without any issues.
>>
>> I tried re-generating the keys to no avail.
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"
>>
>>
>> ----- Original Message -----
>> From: "Paul Stewart"
>> To: "Jon Wolberg" , cisco-nsp at puck.nether.net
>> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
>> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>>
>> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process....
>>
>> Paul
>>
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
>> Sent: Monday, August 10, 2009 11:53 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] SSH no longer functions after hostname change
>>
>> Hello-
>>
>> We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch.
>>
>> I get the below errors on the console with debug ip ssh client running:
>>
>> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
>> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
>> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
>> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
>> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
>>
>> I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running.
>>
>> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2
>>
>>
>> Jon Wolberg
>> Systems Engineer
>> Virtacore Systems Inc.
>> "We Virtualize IT!"

From jon at defenderhosting.com  Mon Aug 10 14:15:24 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 14:15:24 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <4A804DD8.5020907@emich.edu>
Message-ID: <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com>

All-

Using the exact order that JF listed below it worked perfectly and resolved my issue. I can now SSH to this device again.

Thanks.
Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "jf"
To: "Jon Wolberg"
Cc: cisco-nsp at puck.nether.net
Sent: Monday, August 10, 2009 12:42:00 PM GMT -05:00 US/Canada Eastern
Subject: Re: [c-nsp] SSH no longer functions after hostname change

We experienced this problem on a 3550 12g several years ago. We solved it by temporarily changing the configured hostname back, zeroing the key, changing the hostname again, and regenerating.

Jon Wolberg wrote:
> Hello-
>
> We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch.
>
> I get the below errors on the console with debug ip ssh client running:
>
> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
>
> I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running.
>
> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
>

From tdurack at gmail.com  Mon Aug 10 14:16:50 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 10 Aug 2009 14:16:50 -0400
Subject: [c-nsp] mvrf leaking
Message-ID: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com>

Anyone know if an mvrf can be "leaked" across several vrfs?

ip vrf mvpn-cus1
 rd 10.0.0.1:201
 route-target export 65000:201
 route-target import 65000:201
 route-target import 65000:202
 mdt default 239.1.1.1
!
ip vrf mvpn-cus2
 rd 10.0.0.1:202
 route-target export 65000:202
 route-target import 65000:202
 route-target import 65000:201
 mdt default 239.1.1.1
!

Cisco doc says:

"When configuring the default MDT, note the following information:

- The group_address is the multicast IPv4 address of the default MDT group. This address serves as an identifier for the MVRF community, because all provider-edge (PE) routers configured with this same group address become members of the group, which allows them to receive the PIM control messages and multicast traffic that are sent by other members of the group.

- This same default MDT must be configured on each PE router to enable the PE routers to receive multicast traffic for this particular MVRF."

Which makes me think it might work...

Tim:>

From gsgranados at comcast.net  Mon Aug 10 14:20:01 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 10 Aug 2009 11:20:01 -0700
Subject: [c-nsp] ASA5520 different crypt options and general tuning question?
Message-ID: <002101ca19e7$30fb3630$2208120a@am.thmulti.com>

Hi, thanks to many on this list and the great pointers I now have a working pair of ASA5520 devices with Cisco VPN client remote access working correctly.

My question is a two-parter.
First, I see several encryption options including 3DES, DES and various AES entries with different bit counts. I understand generally what these different options do and what the associated hash options are used for, but is there a better crypt type and hash type for differing jobs? When would you want to use 3DES instead of, say, aes-256? Is there ever a reason you'd use MD5 instead of sha???

Secondly, are there any good general documents for performance tuning? (maybe something that helps detail which knobs to twiddle and why?)

As always, any pointers would be greatly appreciated.

Thanks
Scott

From jared.a.gillis at gmail.com  Mon Aug 10 15:05:05 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Mon, 10 Aug 2009 12:05:05 -0700
Subject: [c-nsp] IS-IS route separation/filtering
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com>
References: <4A79E416.7040909@gmail.com> <4A7A0187.8070807@gmail.com> <1249549131.28552.14.camel@daniel.office.bit.nl> <4A7B254B.8040607@gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78407C2FE1C@xmb-ams-333.emea.cisco.com>
Message-ID: <4A806F61.1000600@gmail.com>

Oliver Boehmer (oboehmer) wrote:
> Well.. not sure how large you want to grow your L1 area, but you could investigate "advertise-passive-only" to only advertise the loopbacks (all customer routes should be in BGP if you need to plan for growth), and you'll be fine, even with a 1000 nodes in the area. And if you reach this number, address summarization (and the implications of it) will become an issue (even with OSPF)..
>
>> It's looking like we might have to run OSPF on this, but we'd really rather stick with IS-IS. It seems that OSPF's ability to put individual interfaces into different areas might be the required feature that forces us that way. That is, unless anyone knows a way to put an IS-IS router into different areas aside from assigning multiple NET addresses...
>
> No, doesn't work with Integrated ISIS (only CLNS allows you to use different ISIS areas on a single node)..

Hm, I think I may have found my answer in IS-IS Multiarea:
http://www.cisco.com/en/US/products/ps6599/products_data_sheet09186a00800e9780.html

I've configured it up in our lab, and running IP IS-IS it seems to do exactly what I need. I've got my Router A set up running multi-area with one L2 instance for backbone and multiple L1 instances for each L1 stub area. The L1 areas only see their own internal routes, plus default towards Router A, and I have full connectivity from stub to stub.

>
> oli

From eng_mssk at hotmail.com  Mon Aug 10 15:20:57 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Mon, 10 Aug 2009 22:20:57 +0300
Subject: [c-nsp] IPSEC VPN
Message-ID:

Hi,
I configured the below on the GNS3 simulator:

Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key VPNKEY address x.x.x.x
Router(config)#access-list extended LIST
Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)#crypto ipsec transform-set SET
Router(config)#crypto map MAP 10 ipsec-isakmp
Router(config-crypto-map)#set peer x.x.x.x
Router(config-crypto-map)#set transform-set SET
Router(config-crypto-map)#match address LIST
Router(config)#interface f0/0
Router(config-if)#crypto map MAP

and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but I'm not able to, and the show crypto isakmp sa produces empty o/p.

Am I missing something here??

From mksmith at adhost.com  Mon Aug 10 15:30:54 2009
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 10 Aug 2009 12:30:54 -0700
Subject: [c-nsp] IPSEC VPN
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D5203160676BE9C@ad-exh01.adhost.lan>

Hi Mohammad:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Monday, August 10, 2009 12:21 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC VPN
>
>
> Hi,
> I configured the below on the GNS3 simulator:
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but I'm not able to, and the show crypto isakmp sa produces empty o/p.
>
> Am I missing something here??
>

nat (inside) 0 access-list LIST

If the .1 address in both subnets are the firewall IP addresses you won't be able to ping them. Instead, try pinging through them to a host on either side.
Finally, "debug crypto isakmp" and "debug crypto ipsec" are your friends, along with a "term mon" :-)

Regards,

Mike

From eninja at gmail.com  Mon Aug 10 15:49:35 2009
From: eninja at gmail.com (Eninja)
Date: Mon, 10 Aug 2009 21:49:35 +0200
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
References: <305794761.2147971249921175732.JavaMail.root@mail.dtgmail.com>
Message-ID: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com>

Jon,

What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't?

-Eninja

On Aug 10, 2009, at 6:19 PM, Jon Wolberg wrote:

> Hi Paul-
>
> The funny thing is this is the only switch causing problems. We changed the hostnames on over a dozen others without any issues.
>
> I tried re-generating the keys to no avail.
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
>
>
> ----- Original Message -----
> From: "Paul Stewart"
> To: "Jon Wolberg" , cisco-nsp at puck.nether.net
> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>
> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process....
>
> Paul
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
> Sent: Monday, August 10, 2009 11:53 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SSH no longer functions after hostname change
>
> Hello-
>
> We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch.
>
> I get the below errors on the console with debug ip ssh client running:
>
> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
>
> I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running.
>
> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"

From daryl at introspect.net  Mon Aug 10 15:52:53 2009
From: daryl at introspect.net (Daryl G. Jurbala)
Date: Mon, 10 Aug 2009 15:52:53 -0400
Subject: [c-nsp] Best bang for the buck in L2TP devices
Message-ID:

So I'm running unencrypted L2TP back to my colo and currently have about 300 clients terminated to a 3825. Anyone have a good feeling for what the best bang for the buck would be to scale that up to 5000?

I am looking at the ASA 5540s, but even Cisco pre-sales doesn't seem to be able to tell me how many L2TP connections they support, whether the AnyConnect essentials licensing is what is needed for L2TP, etc, etc.

Thanks,

Daryl

From peter at rathlev.dk  Mon Aug 10 15:54:32 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Aug 2009 21:54:32 +0200
Subject: [c-nsp] ASA5520 different crypt options and general tuning question?
In-Reply-To: <002101ca19e7$30fb3630$2208120a@am.thmulti.com>
References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com>
Message-ID: <1249934072.2853.4.camel@abehat.net.rm.dk>

On Mon, 2009-08-10 at 11:20 -0700, Scott Granados wrote:
> When would you want to use 3DES instead of say aes-256? Is there ever a reason you'd use MD5 instead of sha???

Legacy. You might need to establish a tunnel to some device that doesn't know AES and/or SHA1.

> Secondly, are there any good general documents for performance tuning?

Generally AES is better suited to 32-bit processors than 3DES, the latter being a 168-bit cipher (3 x 56-bit) more suited for 7-bit processors. So in theory you'd get better performance from a 128-bit AES cipher than a 168-bit 3DES cipher and you would have better security.

Regards,
Peter

From jon at defenderhosting.com  Mon Aug 10 15:56:27 2009
From: jon at defenderhosting.com (Jon Wolberg)
Date: Mon, 10 Aug 2009 15:56:27 -0400 (EDT)
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com>
Message-ID: <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com>

Hello-

Nothing, they are all identical switches running the same IOS.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Eninja"
To: "Jon Wolberg"
Cc: "Paul Stewart" , cisco-nsp at puck.nether.net, "Eninja"
Sent: Monday, August 10, 2009 3:49:35 PM GMT -05:00 US/Canada Eastern
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Jon,

What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't?
-Eninja

On Aug 10, 2009, at 6:19 PM, Jon Wolberg wrote:

> Hi Paul-
>
> The funny thing is this is the only switch causing problems. We changed the hostnames on over a dozen others without any issues.
>
> I tried re-generating the keys to no avail.
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"
>
>
> ----- Original Message -----
> From: "Paul Stewart"
> To: "Jon Wolberg" , cisco-nsp at puck.nether.net
> Sent: Monday, August 10, 2009 12:17:14 PM GMT -05:00 US/Canada Eastern
> Subject: RE: [c-nsp] SSH no longer functions after hostname change
>
> Normally all we do is a "crypto key gen rsa" if a hostname changes and we continue on... this regens the keys and stops/starts the SSH process....
>
> Paul
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
> Sent: Monday, August 10, 2009 11:53 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SSH no longer functions after hostname change
>
> Hello-
>
> We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch.
>
> I get the below errors on the console with debug ip ssh client running:
>
> Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25
> Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3
> Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found
> Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1
> Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00
>
> I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running.
>
> Has anyone encountered this before? This is a 3750 running 12.2(44)SE2
>
>
> Jon Wolberg
> Systems Engineer
> Virtacore Systems Inc.
> "We Virtualize IT!"

From nigel at theroys.me.uk  Mon Aug 10 15:14:06 2009
From: nigel at theroys.me.uk (Nigel Roy)
Date: Mon, 10 Aug 2009 20:14:06 +0100
Subject: [c-nsp] MPLS QoS at SPA-5X1GE-V2, SIP 400, 7604RSP720 (Ruzhanskaya Olga)
In-Reply-To:
Message-ID: <200981020146.055612@SystemLink>

Hi Olga,

Came across the same problem as you recently on some of our 7600 PE routers. Like you I raised it as a TAC case as I thought it was a bug, but after a couple of weeks the TAC engineer discovered exactly what you say. For locally routed packets (IP-IP) the set mpls exp overwrites the DSCP value. Works fine when going from IP-MPLS though! Because you can never be certain whether packets are going to be locally or MPLS switched, the command becomes useless. They did say they would try and find an alternative but they never came up with anything.

The alternative I have tested is what we are thinking of using. This uses the global dscp-exp mutation map. This is enabled by default but obviously is overridden by the policy-map set mpls exp command. This worked in the tests I have done but the documentation states "This command is supported in PFC3BXL or PFC3B mode only." This is not a problem for us as the hardware we are using matches the requirement.
The following is used in global config to modify the default setting for the dscp-exp map:

mls qos map dscp-exp 46 to 5
mls qos map dscp-exp 10 18 26 40 45 to 2
mls qos map dscp-exp 1 2 3 4 5 6 7 8 to 1

The only other possibility I started to look at was "table-maps", however they were not supported in the IOS we use and I am not even sure if there is an IOS for the 7600s that supports them.

Regards
Nigel

> Hello List!
>
> In our MPLS network we use 7604RSP720 with SPA-5X1GE-V2 installed
> in SIP 400 as PE router, where client services terminate. As in
> MPLS edge, we perform "typical" traffic classification and marking.
> Standard policy-map looks like this (matching based on DSCP,
> marking with MPLS EXP):
>
> Policy Map Network-VoIP-In
>   Class qos-realtime
>     set mpls experimental imposition 5
>   ...
>   Class class-default
>     set mpls experimental imposition 0
>
> Class Map match-any qos-realtime (id 21)
>   Match ip dscp ef (46)
>
> For example, we have two subinterfaces, gi3/0/0.210 and
> gi3/0/0.211. Both of them have a policy-map that looks like the described one.
> If a packet enters gi3/0/0.210 with DSCP=EF and goes to gi3/0/0.211, it
> appears with DSCP=CS5. Is this normal?
> For 76x, it is.
> Because of the 76x platform QoS realization, for traffic local to the router
> (IP-IP) the router overwrites the DSCP value of the packet when such a
> policy-map is in use:
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/mplsqos.html#wp1475897
>
> I've even opened a case, but the best proposed approach was to
> distinguish IP-IP traffic and IP-MPLS traffic with an ACL. This is a
> bad solution for us: increased load on the router, much hand-work, and
> we have hundreds of such circuits..
>
> We have been trying to resolve this problem since April - and no
> sufficient solution.. Maybe someone has resolved this?
>
> P.S. "no mls qos rewrite ip dscp" doesn't work properly on PFC MPLS,
> already tried.
>
> Best regards,
> Olga
>

From A.L.M.Buxey at lboro.ac.uk Mon Aug 10 16:08:11 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 10 Aug 2009 21:08:11 +0100
Subject: [c-nsp] Best bang for the buck in L2TP devices
In-Reply-To:
References:
Message-ID: <20090810200811.GA15910@lboro.ac.uk>

Hi,

> I am looking at the ASA 5540s, but even Cisco pre-sales doesn't seem to
> be able to tell me how many L2TP connections they support, whether the
> AnyConnect essentials licensing is what is needed for L2TP, etc, etc.

If you can go with standard IPSec to handle transit then it's unlimited. If you have to go AnyConnect/SSL then you pay for clients. I can't say how much bang you'll get with a 5540 off-hand.... That's also related to how much data is in transit rather than the number of connections.

alan

From peter at rathlev.dk Mon Aug 10 16:12:25 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Aug 2009 22:12:25 +0200
Subject: [c-nsp] IPSEC VPN
In-Reply-To:
References:
Message-ID: <1249935146.2853.21.camel@abehat.net.rm.dk>

On Mon, 2009-08-10 at 22:20 +0300, Mohammad Khalil wrote:
> I configured the below on GNS3 simulator
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks)
> but I'm not able to, and the show crypto isakmp sa produces empty o/p
>
> am I missing something here ??

That's hard to say without knowing what's in the other end. :-) Or are both ends configured the same?

You haven't defined any explicit encryption or hashing in your ISAKMP policy. AFAICT a 7200 running 12.4 defaults to single DES encryption and SHA hashing with a lifetime of 86400 seconds.

I don't understand the "crypto ipsec transform-set SET"; wasn't there supposed to be an IPSec transform set after this? Like "esp-aes 128 esp-sha-hmac"?

Otherwise, as Michael mentions, debug is a good thing. A "debug crypto isakmp" probably tells relevant things. (Though this seems to be IOS and not PIX.)

We have something like this in a working configuration:

ip access-list extended SomeCryptoACL
 permit gre host 10.0.0.2 host 10.0.0.1
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
!
crypto keyring SomeKeyRing
 pre-shared-key address 10.0.0.1 key SomeKey
!
crypto isakmp profile SomeISAKMPProfile
 keyring SomeKeyRing
 match identity address 10.0.0.1 255.255.255.255
 initiate mode aggressive
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto map SomeCryptoMap 5 ipsec-isakmp
 description Some description
 set peer 10.0.0.1
 set transform-set MD5_3DES
 set isakmp-profile SomeISAKMPProfile
 match address SomeCryptoACL
!
interface GigabitEthernet0/1
 ip address 10.0.0.2 255.255.255.0
 crypto map SomeCryptoMap
!

This isn't best practice, but it does work.

Regards,
Peter

From rodunn at cisco.com Mon Aug 10 16:14:32 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 10 Aug 2009 16:14:32 -0400
Subject: [c-nsp] mvrf leaking
In-Reply-To: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com>
References: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com>
Message-ID: <4A807FA8.4010901@cisco.com>

I don't *think* so.
I think to get traffic from the VRFs you need MVPN Extranet support:

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/extvpnsb.html

Rodney

Tim Durack wrote:
> Anyone know if an mvrf can be "leaked" across several vrfs?
>
> ip vrf mvpn-cus1
>  rd 10.0.0.1:201
>  route-target export 65000:201
>  route-target import 65000:201
>  route-target import 65000:202
>  mdt default 239.1.1.1
> !
> ip vrf mvpn-cus2
>  rd 10.0.0.1:202
>  route-target export 65000:202
>  route-target import 65000:202
>  route-target import 65000:201
>  mdt default 239.1.1.1
> !
>
> Cisco doc says:
>
> "When configuring the default MDT, note the following information:
> - The group_address is the multicast IPv4 address of the default MDT
> group. This address serves as an identifier for the MVRF community,
> because all provider-edge (PE) routers configured with this same group
> address become members of the group, which allows them to receive the
> PIM control messages and multicast traffic that are sent by other
> members of the group.
> - This same default MDT must be configured on each PE router to enable
> the PE routers to receive multicast traffic for this particular MVRF."
>
> Which makes me think it might work...
>
> Tim:>

From cisco-nsp at itpro.co.nz Mon Aug 10 16:15:36 2009
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Tue, 11 Aug 2009 08:15:36 +1200
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz> <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com>
Message-ID: <4A807FE8.40808@itpro.co.nz>

Thanks for the reply.
I am aware of three options for dual active detection:

* Enhanced PAgP - requires selected switches with specific IOS versions on the other end to work
* BFD
* Fast Hello

I understand that if using ePAgP as the dual active detection method then running PAgP on channels is required. Not everyone will select this method (I have selected Fast Hello).

I don't believe the section of the best practice guide below relates directly to dual-active detection as LACP is presented as a recommended option. Any other ideas for why explicit trunks are not recommended are welcome.

Ivan

> Cisco best practice would be to use PAgP if you want to avoid the VSS
> dual active scenario (better than BFD)
>
> On Thu, Aug 6, 2009 at 1:50 AM, Ivan wrote:
>
> Cisco VSS best practice document states
>
> Recommendations
> * Always run L2 or L3 MEC.
> * Do not use on and off options with PAgP or LACP or Trunk
>   protocol negotiation.
>   o PAgP - Run Desirable-Desirable with MEC links.
>   o LACP - Run Active-Active with MEC links.
>   o Trunk - Run Desirable-Desirable with MEC links.
>
> http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c837.shtml
>
> There is not really any explanation of the reasoning behind these
> recommendations. If anyone can explain the rationale that would be
> great.
> I would also be interested to hear what settings people are using in
> production, why and how that is going.
>
> Generally in non VSS setups I have found setting links explicitly
> to trunk mode and as etherchannel members has been reliable and would like to
> understand why they are not recommended above.
>
> Thanks
>
> Ivan
>

From vanormer at gmail.com Mon Aug 10 16:34:57 2009
From: vanormer at gmail.com (Robert VanOrmer)
Date: Mon, 10 Aug 2009 15:34:57 -0500
Subject: [c-nsp] Disabling ssh v1 on IOS
Message-ID: <020f01ca19fa$07d70190$178504b0$@com>

Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be able to connect to the device, but with SSHv2 only. I haven't found any option for this.

From gsgranados at comcast.net Mon Aug 10 16:35:01 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Mon, 10 Aug 2009 13:35:01 -0700
Subject: [c-nsp] ASA5520 different crypt options and general tuning question?
References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com> <1249934072.2853.4.camel@abehat.net.rm.dk>
Message-ID: <005201ca19fa$0e7e7f50$2208120a@am.thmulti.com>

Peter, thank you, this makes a lot of sense.

Thanks
Scott

----- Original Message -----
From: "Peter Rathlev"
To: "Scott Granados"
Cc:
Sent: Monday, August 10, 2009 12:54 PM
Subject: Re: [c-nsp] ASA5520 different crypt options and general tuning question?

> On Mon, 2009-08-10 at 11:20 -0700, Scott Granados wrote:
>> When would you want to use 3DES instead of say aes-256? Is
>> there ever a reason you'd use MD5 instead of sha???
>
> Legacy. You might need to establish a tunnel to some device that doesn't
> know AES and/or SHA1.
>
>> Secondly, are there any good general documents for performance tuning?
>
> Generally AES is better suited to 32-bit processors than 3DES, the
> latter being a 168-bit cipher (3 x 56-bit) more suited for 7-bit
> processors. So in theory you'd get better performance from a 128-bit AES
> cipher than a 168-bit 3DES cipher and you would have better security.
>
> Regards,
> Peter
>

From erey at ernw.de Mon Aug 10 15:51:33 2009
From: erey at ernw.de (Enno Rey)
Date: Mon, 10 Aug 2009 21:51:33 +0200
Subject: [c-nsp] IPSEC VPN
In-Reply-To:
References:
Message-ID: <20090810195133.GO20887@ws25.ernw.de>

No idea if you need this on the simulator, but on older platforms it was mandatory to "crypto isakmp enable".

thanks,

Enno

On Mon, Aug 10, 2009 at 10:20:57PM +0300, Mohammad Khalil wrote:
>
> hi
> I configured the below on GNS3 simulator
>
> Router(config)#crypto isakmp policy 1
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> Router(config)#access-list extended LIST
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> Router(config)#crypto ipsec transform-set SET
> Router(config)#crypto map MAP 10 ipsec-isakmp
> Router(config-crypto-map)#set peer x.x.x.x
> Router(config-crypto-map)#set transform-set SET
> Router(config-crypto-map)#match address LIST
> Router(config)#interface f0/0
> Router(config-if)#crypto map MAP
>
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but I'm not able to, and the show crypto isakmp sa produces empty o/p
>
> am I missing something here ??

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Commercial Register Mannheim: HRB 337135
Managing Director: Enno Rey

From A.L.M.Buxey at lboro.ac.uk Mon Aug 10 16:47:40 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 10 Aug 2009 21:47:40 +0100
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID: <20090810204740.GB16014@lboro.ac.uk>

Hi,

> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
> able to connect to the device, but with SSHv2 only. I haven't found any
> option for this.

ip ssh version 2 ?

alan

From jared at puck.nether.net Mon Aug 10 16:51:41 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Mon, 10 Aug 2009 16:51:41 -0400
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID:

conf t
ip ssh version 2

?

- Jared

On Aug 10, 2009, at 4:34 PM, Robert VanOrmer wrote:

> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
> able to connect to the device, but with SSHv2 only. I haven't found any
> option for this.
>

From tdurack at gmail.com Mon Aug 10 17:02:42 2009
From: tdurack at gmail.com (Tim Durack)
Date: Mon, 10 Aug 2009 17:02:42 -0400
Subject: [c-nsp] mvrf leaking
In-Reply-To: <4A807FA8.4010901@cisco.com>
References: <9e246b4d0908101116v766f4bedjfb4e7c13d3555b6e@mail.gmail.com> <4A807FA8.4010901@cisco.com>
Message-ID: <9e246b4d0908101402i1cad1612r70f29f68b0292fe9@mail.gmail.com>

On Mon, Aug 10, 2009 at 4:14 PM, Rodney Dunn wrote:
> I don't *think* so. I think to get traffic from the VRFs you need MVPN
> Extranet support:
>
> http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/extvpnsb.html
>
> Rodney

Thanks for the link - this looks useful. Will see what I can make work.

Tim:>

From ross at kallisti.us Mon Aug 10 17:37:19 2009
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 10 Aug 2009 17:37:19 -0400
Subject: [c-nsp] VSS Best Practices
In-Reply-To: <4A807FE8.40808@itpro.co.nz>
References: <23603.203.163.71.197.1249516211.squirrel@mail.orcon.net.nz> <7100ed370908100751v11df5501u3c348997109e7019@mail.gmail.com> <4A807FE8.40808@itpro.co.nz>
Message-ID: <20090810213719.GA31785@kallisti.us>

On Tue, Aug 11, 2009 at 08:15:36AM +1200, Ivan wrote:
> I don't believe the section of the best practice guide below relates
> directly to dual-active detection as LACP is presented as a recommended
> option. Any other ideas for why explicit trunks are not recommended are
> welcome.

LACP does a good job of detecting when links have mis-matched speed or duplex parameters. My guess for Cisco's rationale would be that it prevents accidental misconfiguration from splitting your stack.

I've seen accidentally broken LACP port-channel members, and IOS splits off the incompatible members into another sub-group (that gets named like "Po4A").
This can happen while leaving the currently-active member of the bundle undisturbed.

On the other hand, I've also seen statically configured port-channels have members with speed and duplex broken. This way lies madness - some platforms handle this gracefully (2960 forcibly disables the just-changed member), others don't (6500 stops switching on the port channel and any members, causing loss of connectivity).

Ross

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From jmenendez at mecon.gov.ar Mon Aug 10 16:51:21 2009
From: jmenendez at mecon.gov.ar (Juan Angel Menendez)
Date: Mon, 10 Aug 2009 17:51:21 -0300
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID: <200908102051.n7AKp4WG031205@racing2.mecon.ar>

ip ssh version 2

At 17:34 10/08/2009, Robert VanOrmer wrote:
>Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
>accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
>able to connect to the device, but with SSHv2 only. I haven't found any
>option for this.

From td_miles at yahoo.com Mon Aug 10 17:54:51 2009
From: td_miles at yahoo.com (Tony)
Date: Mon, 10 Aug 2009 14:54:51 -0700 (PDT)
Subject: [c-nsp] cross-vrf tunnels
In-Reply-To:
Message-ID: <525717.65310.qm@web110113.mail.gq1.yahoo.com>

Hi Jeff,

Thanks for the suggestion. The tunnel interfaces don't have a MAC address (under "show int tun501"), but I added a different one to each tunnel anyway (and now it. The outcome was no different, still no traffic and packets still being dropped by CEF.
I tried to add a MAC to the loopback interfaces, but it wouldn't let me.

So your tunnel from VRF to global routing table works ok? I have been looking at stuff on packet recirculation, but it all seems to apply to 6500/7600 with no references for anything smaller than this?

I am aware that I could leak routes between VRFs, but I'd prefer to do it this way if it's at all possible.

Thanks,
Tony.

--- On Mon, 10/8/09, Jeff Fitzwater wrote:

> From: Jeff Fitzwater
> Subject: Re: [c-nsp] cross-vrf tunnels
> To: "Tony"
> Cc: cisco-nsp at puck.nether.net
> Date: Monday, 10 August, 2009, 11:24 PM
>
> I believe your problem is that both ends of the tunnel have the same
> mac address causing arp to fail. You can change one end and it should work.
>
> I had a similar problem with VRF path back to global on the same router,
> but I had to use the physical interfaces to get around the "single lookup
> in cef issue".
>
>
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> On Aug 10, 2009, at 8:43 AM, Tony wrote:
>
> > Hi all,
> >
> > I want to route traffic from one VRF to another VRF on the same router.
> > I did some searching and came across a prior discussion of this very
> > same topic:
> >
> > http://puck.nether.net/pipermail/cisco-nsp/2009-February/058594.html
> >
> > So I decided to create a tunnel between two VRFs on the same box using
> > loopback addresses for the tunnels.
> >
> > I set it all up and I can ping from the IP of one end of the tunnel in
> > one VRF to the other end of the tunnel in the second VRF.
> >
> > The problem I have is that traffic from other sources isn't going over
> > the tunnel properly.
> >
> > The config looks something like this:
> >
> > !
> > interface Loopback 501
> >  ip address 10.1.41.201 255.255.255.255
> > !
> > interface Loopback 502
> >  ip address 10.1.41.202 255.255.255.255
> > !
> > interface Tunnel 501
> >  ip vrf forwarding vrf1
> >  ip address 10.1.41.197 255.255.255.252
> >  tunnel source Loopback 501
> >  tunnel destination 10.1.41.202
> > !
> > interface Tunnel 502
> >  ip vrf forward vrf2
> >  ip address 10.1.41.198 255.255.255.252
> >  tunnel source Loopback 502
> >  tunnel destination 10.1.41.201
> > !
> >
> > I set up a test lab with a 2611 router either side of a 7206 running
> > 12.2(33)SRC (which is doing the VRF crossover). It's all ethernet, no
> > BGP, just two local VRFs on the 7200, nothing fancy.
> >
> > When I attempt to ping the 2611 router on the other side (via my
> > loopback tunnel crossover connection) I get no response.
> >
> > If I look at the stats on the tunnel interface it's as if the traffic
> > isn't going into the tunnel. The input and output counters are all
> > staying the same. This contrasts to when I ping directly from one end
> > of the tunnel to the other as the counters do increase (and I get
> > responses back).
> >
> > If I enable some debug, I get the following:
> > * Tunnel502: adjacency fixup, 10.1.41.202->10.1.41.201, tos set to 0x0
> > * CEF-Drop: Packet from 10.1.41.202 (Nu0) to 10.1.41.201, Unclassified reason
> >
> > Which shows that my packet across the tunnel is being dropped, but I
> > don't know why.
> >
> > When I do the ping direct from one tunnel end IP to the other, I see
> > the normal sequence of events I would expect (packet routed via RIB,
> > packet goes into tunnel, GRE encap, packet from one loopback to other,
> > GRE decap, etc).
> >
> > Is this supposed to work? Does anyone else have it working? What might
> > I be doing wrong?
> >
> > Many thanks,
> > Tony.
> >

From damin at nacs.net Mon Aug 10 17:24:37 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Mon, 10 Aug 2009 17:24:37 -0400
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
Message-ID: <06cb01ca1a00$f9f4c290$edde47b0$@net>

Hello,

Received a request from a client that needs to access a modem on a Cisco router from standard serial applications on a Linux box. These are for standard applications that do modem control (i.e. ATDT1XXXXXXXXX etc..) and not PPP.

There used to be a few pieces of software out there that did it, but I can't seem to find any of them. Anyone have any solutions for this?

From vanormer at gmail.com Mon Aug 10 18:16:38 2009
From: vanormer at gmail.com (Robert VanOrmer)
Date: Mon, 10 Aug 2009 17:16:38 -0500
Subject: [c-nsp] Disabling ssh v1 on IOS
Message-ID: <021a01ca1a08$3b8bf910$b2a3eb30$@com>

>Date: Mon, 10 Aug 2009 21:47:40 +0100
>From: Alan Buxey
>To: Robert VanOrmer
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Disabling ssh v1 on IOS
>Message-ID: <20090810204740.GB16014 at lboro.ac.uk>
>Content-Type: text/plain; charset=us-ascii
>
>Hi,
>> Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from
>> accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be
>> able to connect to the device, but with SSHv2 only. I haven't found any
>> option for this.
>
>ip ssh version 2 ?

Yes, that will do it.. and I feel like an idiot for missing that. Thanks for the post.
>alan
>

From stephane.tsacas at gmail.com Mon Aug 10 18:29:22 2009
From: stephane.tsacas at gmail.com (Stephane Tsacas)
Date: Tue, 11 Aug 2009 00:29:22 +0200
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID:

On Mon, Aug 10, 2009 at 23:24, Gregory Boehnlein wrote:
> Hello,
> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (i.e. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?
>

Something like "tip" but for Linux?

http://www.freebsd.org/cgi/man.cgi?query=tip&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

This is what you're looking for?

--
Stephane
http://3w.posterous.com

From NMaio at guesswho.com Mon Aug 10 17:02:28 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Mon, 10 Aug 2009 17:02:28 -0400
Subject: [c-nsp] Disabling ssh v1 on IOS
In-Reply-To: <020f01ca19fa$07d70190$178504b0$@com>
References: <020f01ca19fa$07d70190$178504b0$@com>
Message-ID:

Robert,

By specifying the command "ip ssh version 2" you should be disabling SSHv1. The default is to specify neither, which means you will accept both v1 and v2.

Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert VanOrmer
Sent: Monday, August 10, 2009 4:35 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Disabling ssh v1 on IOS

Anyone know of a way to disable an IOS device (12.2(18)SXF15a in test) from accepting SSH v1 connections and maintaining SSH v2 sessions? I want to be able to connect to the device, but with SSHv2 only. I haven't found any option for this.
From streiner at cluebyfour.org Mon Aug 10 18:14:53 2009
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Mon, 10 Aug 2009 18:14:53 -0400 (EDT)
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID:

On Mon, 10 Aug 2009, Gregory Boehnlein wrote:

> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (i.e. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?

Depending on how low-level you want to get, you could probably do what you need with Minicom, Kermit, Seyon (X11), and a few others. Some of these can also work with scripts to automate tasks.

More info on how serial com devices are created and used in Linux may be found at http://tldp.org/HOWTO/Modem-HOWTO.html

jms

From tony at cambiumdata.com Mon Aug 10 19:25:48 2009
From: tony at cambiumdata.com (Tony Underwood)
Date: Mon, 10 Aug 2009 16:25:48 -0700
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com>
References: <2670183C-4DD5-4777-892E-5E3D7F4E66D5@gmail.com> <1879072909.2164421249934187667.JavaMail.root@mail.dtgmail.com>
Message-ID: <0F205F18DCB4724DB15EAF8FF93E0A21129EE5014C@P3PW5EX1MB04.EX1.SECURESERVER.NET>

I know you have to have a hostname configured to generate a key on the box, so it's obviously using the hostname at some level in the key.
Whenever I change a hostname I've experienced the same result, but regenerating the key always fixes the problem. "crypto key gen rsa" as someone mentioned earlier.

Tony Underwood
Cambium Data Inc.
5050 So. 111th St.
Omaha, NE 68137
(402) 514-3201
(402) 960-3107 - C
http://www.CambiumData.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 2:56 PM
To: Eninja
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Hello-

Nothing, they are all identical switches running the same IOS.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"

----- Original Message -----
From: "Eninja"
To: "Jon Wolberg"
Cc: "Paul Stewart" , cisco-nsp at puck.nether.net, "Eninja"
Sent: Monday, August 10, 2009 3:49:35 PM GMT -05:00 US/Canada Eastern
Subject: Re: [c-nsp] SSH no longer functions after hostname change

Jon,

What is different with respect to software version, SSH config & platform between this switch and the dozen others that (could be seeing a similar problem but) aren't?

-Eninja

From ayourtch at gmail.com Mon Aug 10 19:32:20 2009
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Tue, 11 Aug 2009 01:32:20 +0200
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID: <530c5af60908101632y24d4e653kbe4361aa3ed76cb@mail.gmail.com>

Hi Gregory,

http://www.net-track.ch/opensource/remtty/ - does that fit the bill?

thanks,
andrew

NB: to get it working on an x86_64 system you need to carefully weed out all the compilation warnings before it runs correctly.

On Mon, Aug 10, 2009 at 11:24 PM, Gregory Boehnlein wrote:
> Hello,
> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (i.e. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few pieces of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From moua0100 at umn.edu Mon Aug 10 20:53:26 2009 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 10 Aug 2009 19:53:26 -0500 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: <06cb01ca1a00$f9f4c290$edde47b0$@net> References: <06cb01ca1a00$f9f4c290$edde47b0$@net> Message-ID: <4A80C106.2050703@umn.edu> I like "minicom". Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services Gregory Boehnlein wrote: > Hello, > Received a request from a client that needs to access a modem on a > Cisco router from standard serial applications on a Linux box. These are for > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > not PPP. > > There used to be a few piece of software out there that did it, but > I can't seem to find any of them. Anyone have any solutions for this? > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From meenoo at gmail.com Mon Aug 10 22:11:30 2009 From: meenoo at gmail.com (Meenoo Shivdasani) Date: Mon, 10 Aug 2009 22:11:30 -0400 Subject: [c-nsp] ASA 5505 stops servicing inbound connections Message-ID: I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating. System image file is "disk0:/asa724-k8.bin" Anyone run into this one? 
Thanks in advance,

M

From rwest at zyedge.com Mon Aug 10 22:17:50 2009
From: rwest at zyedge.com (Ryan West)
Date: Mon, 10 Aug 2009 22:17:50 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local>

Post a show ver, you might be hitting a 10 user license count issue. What is your trap logging set to?

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Monday, August 10, 2009 10:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA 5505 stops servicing inbound connections

I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled. I have it logging to a log server, but nothing in the logs seems to be illuminating.

System image file is "disk0:/asa724-k8.bin"

Anyone run into this one?

Thanks in advance,

M
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jckdaniels12 at gmail.com Mon Aug 10 22:45:46 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Tue, 11 Aug 2009 08:15:46 +0530
Subject: [c-nsp] ALARM CARD ERROR
In-Reply-To: <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com>
References: <8bb137f40908092155t24d11bc7g6a0776aa07b4f545@mail.gmail.com> <480dad640908100945u3574e534p957306c49d5d3ab@mail.gmail.com>
Message-ID: <8bb137f40908101945r72b8a8fes8c581ad05395b4bc@mail.gmail.com>

Hi,

Just opened a TAC case and as per them it's a hardware issue.

Thanks and Regards
J.Daniels

On 8/10/09, Aaron wrote:
>
> Open a tac case.
> > On Mon, Aug 10, 2009 at 00:55, jack daniels wrote: > >> Hi All >> >> I'm getting below error on GSR 12416 ALARM CARD - >> >> IOS 12.0(32)SY6 >> >> >> >> WARNING: Unknown MBUS agent controller type, slot 24 >> Contact your technical support >> representative.<<<<<<<<<<<<<<<<<<<<<<<<<<<<<> >> >> >> sh diag 24 >> >> SLOT 24 (ALM 0 ): Alarm Module(16) >> MAIN: type 64, 800-5570-05 rev C0 >> Deviation: 0 >> HW config: 0x00 SW key: 00-00-00 >> PCA: 73-4266-04 rev B0 ver 3 >> Design Release 1.0 S/N SAL1250CZJ9 >> MBUS: Unknown (0) 00-0000-00 rev 70 dev 0 >> HW version 1.2 S/N SAL1248BSQ5 >> Test hist: 0x00 RMA#: 00-00-00 RMA hist: 0x00 >> DIAG: Test count: 0x00000000 Test results: 0x00000000 >> FRU: Linecard/Module: GSR16-ALRM= >> MBUS Agent Software version 2.68 (RAM) (ROM version is 3.66) >> >> >> >> >> sh gsr >> Slot 0 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok >> subslot 0/1: Empty >> subslot 0/2: Empty >> subslot 0/3: Empty >> Slot 5 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 5/0: SPA-2XOC48POS/RPR (0x46F), status is ok >> subslot 5/1: SPA-5X1GE-V2 (0x50A), status is ok >> subslot 5/2: Empty >> subslot 5/3: Empty >> Slot 6 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 6/0: SPA-4XT3/E3 (0x40B), status is ok >> subslot 6/1: SPA-4XT3/E3 (0x40B), status is ok >> subslot 6/2: SPA-8XOC3-POS (0x505), status is ok >> subslot 6/3: SPA-8XOC3-POS (0x505), status is ok >> Slot 7 type = Performance Route Processor >> state = ACTV RP IOS Running ACTIVE >> Slot 8 type = Performance Route Processor >> state = STBY RP IOS Running STANDBY >> Slot 9 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 9/0: SPA-1X10GE-L-V2 (0x50C), status is ok >> subslot 9/1: Empty >> subslot 9/2: Empty >> subslot 9/3: Empty >> Slot 14 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 
14/0: SPA-2XOC48POS/RPR (0x46F), status is ok >> subslot 14/1: SPA-5X1GE-V2 (0x50A), status is ok >> subslot 14/2: Empty >> subslot 14/3: Empty >> Slot 15 type = Modular SPA Interface Card >> state = IOS RUN Line Card Enabled >> subslot 15/0: SPA-4XOC12-POS (0x507), status is ok >> subslot 15/1: SPA-8XOC3-POS (0x505), status is ok >> subslot 15/2: SPA-4XT3/E3 (0x40B), status is ok >> subslot 15/3: Empty >> Slot 16 type = Clock Scheduler Card OC192 Dual Priority >> state = Card Powered >> Slot 17 type = Clock Scheduler Card OC192 Dual Priority >> state = Card Powered PRIMARY CLOCK >> Slot 18 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 19 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 20 type = Switch Fabric Card 16XOC192 >> state = Card Powered >> Slot 24 type = Alarm Module(16) >> state = Card Powered >> Slot 25 type = Alarm Module(16) >> state = Card Powered >> Slot 27 type = Bus Board(16) >> state = Card Powered >> Slot 28 type = Blower Module(16) >> state = Card Powered >> Slot 29 type = Blower Module(16) >> state = Card Powered >> >> >> Thanks and Regards >> J.Daniels >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From jckdaniels12 at gmail.com Mon Aug 10 22:43:49 2009 From: jckdaniels12 at gmail.com (jack daniels) Date: Tue, 11 Aug 2009 08:13:49 +0530 Subject: [c-nsp] HIDE AS BGP In-Reply-To: <004b01ca19d7$e139e010$0a00000a@nil.si> References: <8bb137f40908092151vf8ea9fbr7eebc2b4afb82b25@mail.gmail.com> <4A7FF77C.6000703@uk.clara.net> <8bb137f40908100419x5566c88cv2a15cc53dc02b1c9@mail.gmail.com> <8bb137f40908100459s1f74f6e6t676ceeb02e24411c@mail.gmail.com> <8bb137f40908100800w46d67c33w9006ee35bc7c51c4@mail.gmail.com> <004b01ca19d7$e139e010$0a00000a@nil.si> Message-ID: <8bb137f40908101943p480c3308lda92404c528dde90@mail.gmail.com> Hi, Thanks All 
got it now :)

Regards
J.Daniels

On 8/10/09, Ivan Pepelnjak wrote:
>
> Much easier: run multihop EBGP session between Customer and ISP2 (plus the
> regular EBGP session Customer-ISP1). Just make sure something reachable
> within ISP1 is announced as the next-hop.
>
> > -----Original Message-----
> > From: jack daniels [mailto:jckdaniels12 at gmail.com]
> > Sent: Monday, August 10, 2009 5:01 PM
> > To: Marko Milivojevic
> > Cc: Cisco-NSP
> > Subject: Re: [c-nsp] HIDE AS BGP
> >
> > Hi Mark,
> >
> > can you please put more light on the example you proposed .
> >
> > Thanks and Regards
> > J.Daniels
> >
> >
> > On 8/10/09, Marko Milivojevic wrote:
> > >
> > > You can use CSC in ISP1 and run BGP directly between
> > > Customer and ISP2.
> > >
> > > On Mon, Aug 10, 2009 at 11:59, jack daniels wrote:
> > > > Hi ,
> > > >
> > > > Just to be more specific on the solution requirement -
> > > >
> > > > Customer---ISP1---ISP2---Internet
> > > >
> > > >
> > > > Internet should not see ISP1 AS number . I'm looking for
> > > > L3 solution.
> > > >
> > > >
>

From zivl at gilat.net Tue Aug 11 02:52:05 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 11 Aug 2009 09:52:05 +0300
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <4A80C106.2050703@umn.edu>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <4A80C106.2050703@umn.edu>
Message-ID:

First of all, to access a modem connected to an async or aux port of a router it's possible by telnetting the router on port 2000 + the line number the modem is connected, if you perform a "show line" command on the router you'll get something like this, for example:

    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX      0/0     -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -    -     22       0     0/0       -

In this case, if the modem was connected to the AUX port you would telnet the router on port 2001 and you can get direct access to modem control and be able to perform any AT commands.
I also like minicom for direct serial access, but now for normal console I use a nice graphical tool named gtk term which is more simple and friendly if you're in a GUI environment, for the command line and specific modem protocols and commands support, minicom is still the one you want.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
Sent: Tuesday, August 11, 2009 3:53 AM
To: Gregory Boehnlein
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server

I like "minicom".

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Gregory Boehnlein wrote:
> Hello,
> Received a request from a client that needs to access a modem on a
> Cisco router from standard serial applications on a Linux box. These are for
> standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and
> not PPP.
>
> There used to be a few piece of software out there that did it, but
> I can't seem to find any of them. Anyone have any solutions for this?
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From zivl at gilat.net Tue Aug 11 02:56:10 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 11 Aug 2009 09:56:10 +0300
Subject: [c-nsp] SSH no longer functions after hostname change
In-Reply-To: <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com>
References: <4A804DD8.5020907@emich.edu> <2007826425.2157421249928124288.JavaMail.root@mail.dtgmail.com>
Message-ID:

That should be the exact procedure to follow when changing hostnames, even if on most devices there are no problems, the best is to follow this sequence

1. Zeroize the key
2. Change hostname
3. Generate a new key

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Wolberg
Sent: Monday, August 10, 2009 9:15 PM
To: jf
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SSH no longer functions after hostname change

All-

Using the exact order that JF listed below it worked perfect and resolved my issue. I can now SSH to this device again. Thanks.

Jon Wolberg
Systems Engineer
Virtacore Systems Inc.
"We Virtualize IT!"
----- Original Message ----- From: "jf" To: "Jon Wolberg" Cc: cisco-nsp at puck.nether.net Sent: Monday, August 10, 2009 12:42:00 PM GMT -05:00 US/Canada Eastern Subject: Re: [c-nsp] SSH no longer functions after hostname change We experienced this problem on a 3550 12g several years ago. We solved it by temporarily changing the configured hostname back, zeroing the key, changing the hostname again, and regenerating. Jon Wolberg wrote: > Hello- > > We recently changed some of our hostnames on various legacy switches to follow our naming convention, and after one change I can no longer SSH to the switch. > > I get the below errors on the console with debug ip ssh client running: > > Aug 10 11:23:44 EST: SSH5: sent protocol version id SSH-2.0-Cisco-1.25 > Aug 10 11:23:44 EST: SSH5: protocol version id is - SSH-2.0-OpenSSH_4.3 > Aug 10 11:23:44 EST: SSH2 5: RSA_sign: private key not found > Aug 10 11:23:44 EST: SSH2 5: signature creation failed, status -1 > Aug 10 11:23:44 EST: SSH5: Session disconnected - error 0x00 > > I zero'ized the old keys and re-generated as well as set the hostname back to the original and zero'ized and re-generated to no avail. Nothing shows up on Google and I can find no errata related to SSH access on the version of code we are running. > > Has anyone encountered this before? This is a 3750 running 12.2(44)SE2 > > > Jon Wolberg > Systems Engineer > Virtacore Systems Inc. > "We Virtualize IT!" 
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gert at greenie.muc.de Tue Aug 11 03:10:25 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 11 Aug 2009 09:10:25 +0200
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To:
References: <06cb01ca1a00$f9f4c290$edde47b0$@net>
Message-ID: <20090811071025.GZ290@greenie.muc.de>

Hi,

On Mon, Aug 10, 2009 at 06:14:53PM -0400, Justin M.
Streiner wrote:
> On Mon, 10 Aug 2009, Gregory Boehnlein wrote:
>
> > Received a request from a client that needs to access a modem on a
> > Cisco router from standard serial applications on a Linux box. These are
> > for
> > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and
> > not PPP.
> >
> > There used to be a few piece of software out there that did it, but
> > I can't seem to find any of them. Anyone have any solutions for this?
>
> Depending on how low-level you want to get, you could probably do what you
> need with Minicom, Kermit, Seyon (X11), and a few others. Some of these
> can also work with scripts to automate tasks.

I think the issue here is "the modem is not connected to the linux box" (but built-in to the Cisco router), so you need some glue logic to connect /dev/ttySOMETHING on the Linux side to the Cisco modem ("telnet cisco 20xx").

Unfortunately, I do not have an *answer* for that question either.

I did some googling, and found one page mention "ser2net" (which is not exactly what Gregory needs, but could be tweaked) and another page mentioned that "socat" has a "pty" option that will connect a pseudo tty on one side to "whatever you want on the other side" - this could be a port on the Cisco side.

Further hits mentioned:

- Tibbo VSPDL - http://soi.tibbo.com/vspdl.html, a kernel level "virtual serial port" driver
- TTY redirector - http://www.ttyredirector.com/ (commercial, but targets *exactly* this problem - "an application on the Linux side, talking to a Cisco ASxxx server" [among others])
- Remserial - http://lpccomp.bc.ca/remserial/

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
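Ziv's reverse-telnet port (2000 + the line number from `show line`) and Gert's list of pty bridges are two halves of the same thing: whatever opens that TCP port on the Linux side has to cope with the telnet option negotiation the line sends before it can push AT commands through. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It derives the port from `show line` output, refuses every telnet option the line offers so the channel stays 8-bit clean, and runs a short AT dialog. The `show line` text and the in-process `FakeModem` are constructed stand-ins so it runs offline; with a real router, point `at_dialog` at its address and `reverse_telnet_port(<pasted show line>, "AUX")`. One caveat before doing that: a reverse-telnet line is cleartext and only as authenticated as the `login` and `access-class` configuration on that line, so restrict who can reach port 2001 rather than leaving it open to the whole management network.

```python
import re
import socket
import socketserver
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
RESULT_CODES = (b"OK", b"ERROR", b"NO CARRIER", b"BUSY", b"NO DIALTONE")

# Constructed 'show line' output in the layout quoted in the thread.
SHOW_LINE = """\
    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -    -     22       0     0/0       -
"""


def reverse_telnet_port(show_line: str, line_type: str = "AUX") -> int:
    """IOS exposes async line N on TCP port 2000+N; find N for a line type."""
    for row in show_line.splitlines():
        m = re.match(r"\s*\*?\s*(\d+)\s+(CTY|AUX|TTY|VTY)\b", row)
        if m and m.group(2) == line_type:
            return 2000 + int(m.group(1))
    raise ValueError(f"no {line_type} line in show line output")


def strip_telnet(sock, data: bytes) -> bytes:
    """Remove telnet IAC sequences, refusing every option the peer proposes
    (WILL -> DONT, DO -> WONT) so nothing rewrites the byte stream.
    Simplification: assumes each IAC sequence arrives whole in one recv."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:      # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == WILL:
                sock.sendall(bytes([IAC, DONT, opt]))
            elif cmd == DO:
                sock.sendall(bytes([IAC, WONT, opt]))
            i += 3                                          # DONT/WONT need no answer
        else:
            i += 2                                          # other two-byte command
    return bytes(out)


def at_dialog(host: str, port: int, commands, timeout: float = 5.0):
    """Send AT commands over the reverse-telnet port and return the final
    result code for each (OK, ERROR, CONNECT ..., ...). Echoed text is ignored."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in commands:
            sock.sendall(cmd.encode("ascii") + b"\r")
            buf, code = b"", None
            while code is None:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("async line closed the session")
                buf += strip_telnet(sock, chunk)
                for line in buf.replace(b"\r", b"").split(b"\n"):
                    line = line.strip()
                    if line in RESULT_CODES or line.startswith(b"CONNECT"):
                        code = line.decode("ascii")
            results.append(code)
    return results


class FakeModem(socketserver.BaseRequestHandler):
    """Constructed stand-in for 'telnet router 2001': offers ECHO the way a
    line would, then answers a handful of AT commands."""
    def handle(self):
        self.request.sendall(bytes([IAC, WILL, 1]))          # IAC WILL ECHO
        buf = b""
        while True:
            chunk = self.request.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\r" in buf:
                raw, buf = buf.split(b"\r", 1)
                cmd = strip_telnet(self.request, raw).decode("ascii", "replace").strip().upper()
                if cmd in ("AT", "ATZ", "ATH", "ATE1"):
                    reply = b"OK"
                elif cmd.startswith("ATDT"):
                    reply = b"CONNECT 33600"
                else:
                    reply = b"ERROR"
                self.request.sendall(cmd.encode() + b"\r\n" + reply + b"\r\n")


def start_fake_modem():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeModem)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Dial through the fake line: reset, dial, hang up."""
    srv, port = start_fake_modem()
    try:
        return at_dialog("127.0.0.1", port, ["ATZ", "ATDT15551234567", "ATH"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(reverse_telnet_port(SHOW_LINE, "AUX"), demo())
```

To hand HylaFAX or other tty-bound software a device node instead of a socket, the same port can be fronted with `socat PTY,link=/dev/ttyV0,raw,echo=0 TCP:router:2001`; socat passes any negotiation bytes the line sends straight through, so the IAC handling above is the part a dedicated tty redirector does for you.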
From gert at greenie.muc.de Tue Aug 11 04:03:18 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 11 Aug 2009 10:03:18 +0200
Subject: [c-nsp] ASA5520 different crypt options and general tuning question?
In-Reply-To: <002101ca19e7$30fb3630$2208120a@am.thmulti.com>
References: <002101ca19e7$30fb3630$2208120a@am.thmulti.com>
Message-ID: <20090811080318.GA290@greenie.muc.de>

Hi,

On Mon, Aug 10, 2009 at 11:20:01AM -0700, Scott Granados wrote:
> hash type for differing jobs? When would you want to use 3DES instead of
> say aes-256? Is there ever a reason you'd use MD5 instead of sha???

Sometimes you need to VPN to remote devices that have problems with AES or with SHA - buggy implementations, old implementations, slow CPUs (which might make you choose AES128 vs. AES256), ...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Tue Aug 11 05:39:35 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 11 Aug 2009 10:39:35 +0100
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local>
References: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local>
Message-ID: <20090811093935.GC17453@lboro.ac.uk>

Hi,

> Post a show ver, you might be hitting a 10 user license count issue.

we hit a weird bug a while back in which the connection counts were being lowered by an extra 1 for each session finished by another user..... which then led to a situation where users lost ability to connect to any new session (active sessions fine). nasty. fixed.
why 7.x - join the 8.x train?

alan

From gkg at gmx.de Tue Aug 11 05:44:38 2009
From: gkg at gmx.de (Garry)
Date: Tue, 11 Aug 2009 11:44:38 +0200
Subject: [c-nsp] Anybody noticed yet? CSC 6.3 phones home :(
Message-ID: <4A813D86.80805@gmx.de>

Hi ::/0,

I just received a call from one of our customers, who was having some problems with duplicate records being created in a remote system ... the system is used through a web interface, and data is stored via a GET operation ... (no, I did not implement that system, as I would have opted to use both SSL as well as decent authentication & POST instead)

Anyway, it turns out the duplicate requests were created from IP 150.70.84.25, which according to some research turns out to be used by Trend Micro, Japan (APNIC records are pretty unusable, though, as usual)

According to the customer, the behavior started around July 30th, which is a couple days after I upgraded the customer ASA / CSC, with 6.3.1172 installed on the CSC ...

So it turns out that the new release uses a subset of URLs requested, transfers those to TM, which in turn probably uses them to find potential malware ... as such, this might be OK, but I could not locate ANYWHERE in the CSC where there is an option to disable this function, or at least information about that feature having been introduced ... (previous releases to my knowledge didn't do that ...)

Anybody else notice this yet? I just opened a ticket with TAC and complained about it ... for me, it's a pretty bad case of security and confidentiality breach ... but maybe that's just me ...

-garry

From asturluismi at gmail.com Tue Aug 11 07:14:25 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 11 Aug 2009 13:14:25 +0200
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
Message-ID: <1249989265.10538.2.camel@dsba-ipso>

Hi all,

I would like to know if it is possible to create an etherchannel between just 1 router 7600 and 2 switches 2960 connected between them by a trunk.
The schema would be....

2960-------\
  |         \
Trunk       FEC----7600
  |         /
2960-------/

Is it possible?

From peter at rathlev.dk Tue Aug 11 07:32:07 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 11 Aug 2009 13:32:07 +0200
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
In-Reply-To: <1249989265.10538.2.camel@dsba-ipso>
References: <1249989265.10538.2.camel@dsba-ipso>
Message-ID: <1249990327.4222.3.camel@abehat.net.rm.dk>

On Tue, 2009-08-11 at 13:14 +0200, luismi wrote:
> I would like to know if it is possible to create an etherchannel
> between just 1 router 7600 and 2 switches 2960 connected between them
> by a trunk.
>
> The schema would be....
>
> 2960-------\
>   |         \
> Trunk       FEC----7600
>   |         /
> 2960-------/
>
> Is it possible?

No. Bundling interfaces in port-channels is only possible between exactly two distinct STP nodes since port-channels break the split-horizon rule (sort of, on a physical interface level).

What would you achieve by this? There might be another solution to your needs.

Regards,
Peter

From braaen at zcorum.com Tue Aug 11 07:50:56 2009
From: braaen at zcorum.com (Brian Raaen)
Date: Tue, 11 Aug 2009 07:50:56 -0400
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
In-Reply-To: <1249989265.10538.2.camel@dsba-ipso>
References: <1249989265.10538.2.camel@dsba-ipso>
Message-ID: <4A815B20.9040702@zcorum.com>

Are the 2960's in a stack, and you are trying to terminate an etherchannel for the stack? I'd have to double check but, I believe that I have this set up on a 7200 that is termination PPPoE.

luismi wrote:
> Hi all,
>
> I would like to know if it is possible to create an etherchannel between
> just 1 router 7600 and 2 switches 2960 connected between them by a
> trunk.
>
> The schema would be....
>
> 2960-------\
>   |         \
> Trunk       FEC----7600
>   |         /
> 2960-------/
>
> Is it possible?
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From asturluismi at gmail.com Tue Aug 11 08:00:46 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:00:46 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249990327.4222.3.camel@abehat.net.rm.dk> References: <1249989265.10538.2.camel@dsba-ipso> <1249990327.4222.3.camel@abehat.net.rm.dk> Message-ID: <1249992046.10538.4.camel@dsba-ipso> Well, I would like to see if it could be possible to improve the HA, I didn't expect that 2960 had support for this idea. So far, the schema we have here is working ok without FEC. Just want to know if we could do it better. From asturluismi at gmail.com Tue Aug 11 08:01:08 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:01:08 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <4A815B20.9040702@zcorum.com> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> Message-ID: <1249992068.10538.6.camel@dsba-ipso> 2960 doesn't support stack as far as I know. it could support cluster, I think. From rwest at zyedge.com Tue Aug 11 08:19:35 2009 From: rwest at zyedge.com (Ryan West) Date: Tue, 11 Aug 2009 08:19:35 -0400 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249992068.10538.6.camel@dsba-ipso> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> <1249992068.10538.6.camel@dsba-ipso> Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> 2960's will not support stacking and yes, they do support clustering, but pretty much every low end switch supports that. To achieve this type of channeling, you would need 2970's or 3750's with stackwise and then I think you're limited to LACP and regular etherchannel only. 
-ryan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: Tuesday, August 11, 2009 8:01 AM To: Brian Raaen Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Etherchannel between 2x2960 and 1x7600 2960 doesn't support stack as far as I know. it could support cluster, I think. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Tue Aug 11 08:21:42 2009 From: asturluismi at gmail.com (luismi) Date: Tue, 11 Aug 2009 14:21:42 +0200 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> References: <1249989265.10538.2.camel@dsba-ipso> <4A815B20.9040702@zcorum.com> <1249992068.10538.6.camel@dsba-ipso> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F5C@zy-ex1.zyedge.local> Message-ID: <1249993302.10538.8.camel@dsba-ipso> Ok, thanks for the info, I think we will continue with our actual topology for a while :-D From vijay.ramcharan at verizonbusiness.com Tue Aug 11 09:17:20 2009 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 11 Aug 2009 13:17:20 +0000 Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600 In-Reply-To: <1249993302.10538.8.camel@dsba-ipso> Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com> There is perhaps another possibility if you are looking for simple physical layer redundancy. Since you have one router and two switches I assume that you're looking to do just that. You could use IRB and create a bridge group on the router and do your layer 3 config on the bvi. I'm only throwing this out as a possibility as I've never actually used this in a production environment. Don't see why it won't work though. 
Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Tuesday, August 11, 2009 8:22 AM
To: Ryan West
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Etherchannel between 2x2960 and 1x7600

Ok, thanks for the info, I think we will continue with our actual topology for a while :-D

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

______________________________________________________________________
This e-mail has been scanned by Verizon Managed Email Content Service, using Skeptic(tm) technology powered by MessageLabs. For more information on Verizon Managed Email Content Service, visit http://www.verizonbusiness.com.
______________________________________________________________________

From damin at nacs.net Tue Aug 11 09:22:03 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Tue, 11 Aug 2009 09:22:03 -0400
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <20090811071025.GZ290@greenie.muc.de>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <20090811071025.GZ290@greenie.muc.de>
Message-ID: <087101ca1a86$b9eb35e0$2dc1a1a0$@net>

Thank you everyone for your responses.. I got great feedback and information. The two options that look the most promising:

Commercial: TTYredirector
OpenSource: remtty

Excellent! This is why I love c-nsp!

From nbernadeau at gallantsys.com Tue Aug 11 10:47:55 2009
From: nbernadeau at gallantsys.com (Nathaniel Bernadeau)
Date: Tue, 11 Aug 2009 10:47:55 -0400
Subject: [c-nsp] Tech question about 15216-EDFA-2
Message-ID: <4A81849B.8080808@gallantsys.com>

Our Customer is having problems getting them to work in what is called ASH mode. The units have 2 methods of provisioning, ASH and TL1 mode.
They do not want to use TL1 mode as they are familiar with ASH mode better. Cisco told them that the unit internal software cannot be converted from TL1 to ASH mode since they are too old. Even though the manual states that it should work. Is there some sort of command that is not listed in the manual that can convert the shell from TL1 to ASH?

---
regards,
Nathaniel Bernadeau
Gallant Systems, LLC
11064 Livingston RD Suite 106-C
Fort Washington, MD 20744
Toll Free: 888-836-3751
Ph: 301-627-6358
Fax: 240-823-6897
Cell: 202-246-2229
nbernadeau at gallantsys.com
www.gallantsys.com

From asturluismi at gmail.com Tue Aug 11 11:11:34 2009
From: asturluismi at gmail.com (luismi)
Date: Tue, 11 Aug 2009 17:11:34 +0200
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
In-Reply-To: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com>
References: <8171C8272CE8FE4A8F5BFF8A97CE6AB3013A8429@ASHEVS006.mcilink.com>
Message-ID: <1250003494.10538.10.camel@dsba-ipso>

I take note about your idea but I never worked with bvi interfaces and I should check that before in the lab.

Thanks anyway :D

From Jason.Mishka at UToledo.Edu Tue Aug 11 11:44:03 2009
From: Jason.Mishka at UToledo.Edu (Mishka, Jason)
Date: Tue, 11 Aug 2009 11:44:03 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To: <20090811093935.GC17453@lboro.ac.uk>
References: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2F59@zy-ex1.zyedge.local> <20090811093935.GC17453@lboro.ac.uk>
Message-ID:

You could also have exhausted your translation of number of connections. Try 'show xlate' and 'show conn' to see what this is like. Rebooting would clear all xlates and connections so you should do this before you reboot if it happens again.
Jason > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Alan Buxey > Sent: Tuesday, August 11, 2009 5:40 AM > To: Ryan West > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections > > Hi, > > Post a show ver, you might be hitting a 10 user license count issue. > > we hit a wierd bug a while back in which the connection counts > were being lowered by an extra 1 for each session > finished by another user..... which then led to a situation where > users lost ability to connect to any new session (active sessions fine). > nasty. fixed. > > why 7.x - join the 8.x train? > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tsuther at i3businesssolutions.com Tue Aug 11 12:29:30 2009 From: tsuther at i3businesssolutions.com (Tom Sutherland) Date: Tue, 11 Aug 2009 12:29:30 -0400 Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server In-Reply-To: References: <06cb01ca1a00$f9f4c290$edde47b0$@net> Message-ID: <1250008170.4502.11.camel@angry-butler09> I use "cu" - looks to be a lot like "tip" http://www.computerhope.com/unix/ucu.htm On Mon, 2009-08-10 at 18:29 -0400, Stephane Tsacas wrote: > On Mon, Aug 10, 2009 at 23:24, Gregory Boehnlein wrote: > > > Hello, > > Received a request from a client that needs to access a modem on a > > Cisco router from standard serial applications on a Linux box. These are > > for > > standard applications that do modem control (I.E. ATDT1XXXXXXXXX etc..) and > > not PPP. > > > > There used to be a few piece of software out there that did it, but > > I can't seem to find any of them. Anyone have any solutions for this? > > > > Something like "tip" but for Linux ? 
> http://www.freebsd.org/cgi/man.cgi?query=tip&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html
> This is what you're looking for ?
>

From damin at nacs.net Tue Aug 11 12:51:28 2009
From: damin at nacs.net (Gregory Boehnlein)
Date: Tue, 11 Aug 2009 12:51:28 -0400
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <1250008170.4502.11.camel@angry-butler09>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <1250008170.4502.11.camel@angry-butler09>
Message-ID: <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net>

> I use "cu" - looks to be a lot like "tip"
>
> http://www.computerhope.com/unix/ucu.htm

Per the e-mail, the issue is that I need things like HylaFax and other commercial software that relies on direct access to the /dev/tty device to access a modem on a remote Cisco box..

Minicom, CU, all of that is great, but I can't have HylaFax use Minicom to communicate w/ a remote modem.

I need a driver that appears to be a serial port on the Linux box, that is connected to a remote modem on the Cisco so that proprietary software can communicate w/ the modem as if it were locally attached.

From khunt at huntbrothers.com Tue Aug 11 09:51:26 2009
From: khunt at huntbrothers.com (Kevin Hunt)
Date: Tue, 11 Aug 2009 08:51:26 -0500
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
Message-ID:

Are you logging via TCP or UDP? If you are logging via TCP to a logging server and the logging server is down, the PIX will only permit a limited number of logs to be "unconfirmed" and then it will stop all traffic as a security measure. At least this was the rule in PIX 6.3.5; I've not researched it on the ASA platform...

W. Kevin Hunt

On 8/10/09 9:11 PM, "Meenoo Shivdasani" wrote:
> I have an ASA 5505 that randomly stops handling incoming connections to the servers that are behind it. When it fails, the only solution that I have (since it's remote) is to have it power-cycled.
> I have it logging to a log server, but nothing in the logs seems to be illuminating.
>
> System image file is "disk0:/asa724-k8.bin"
>
> Anyone run into this one?
>
> Thanks in advance,
>
> M

--
W. Kevin Hunt
CCIE #11841
Linux+ SME

From mike-cisconsplist at tiedyenetworks.com Tue Aug 11 12:39:55 2009
From: mike-cisconsplist at tiedyenetworks.com (Mike)
Date: Tue, 11 Aug 2009 09:39:55 -0700
Subject: [c-nsp] pseudowire over ip/mpls
Message-ID: <4A819EDB.7070602@tiedyenetworks.com>

Hello,

This may not be a strictly Cisco question, but does anyone here have good operational experience with pseudowire (T1 and DS3) carried over IP/MPLS? I'm just interested in real-world experiences and deployment scenarios that have gone live. I previously posted to the NANOG list without success.

Thank you.

From meenoo at gmail.com Tue Aug 11 14:11:53 2009
From: meenoo at gmail.com (Meenoo Shivdasani)
Date: Tue, 11 Aug 2009 14:11:53 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID:

The license is a 10-user license, but that's 10 internal hosts, not external hosts.

trap logging was set to informational -- now set to debug.

7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with.

It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied: "Deny tcp src outside" for example.
Shortly before it died, it logged "%ASA-6-302010: 190 in use, 837 most used" and right after it stopped handling connections it logged "%ASA-6-302010: 2 in use, 837 most used", so I don't think that it's a connection limitation.

M

From moua0100 at umn.edu Tue Aug 11 14:19:08 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 11 Aug 2009 13:19:08 -0500
Subject: [c-nsp] pseudowire over ip/mpls
In-Reply-To: <4A819EDB.7070602@tiedyenetworks.com>
References: <4A819EDB.7070602@tiedyenetworks.com>
Message-ID: <4A81B61C.60709@umn.edu>

Been doing that for a few years over here; works fairly well (although ds-z ckts are pricey).

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Mike wrote:
> Hello,
>
> This may not be a strictly Cisco question, but does anyone here have good operational experience with pseudowire (T1 and DS3) carried over IP/MPLS? I'm just interested in real-world experiences and deployment scenarios that have gone live. I previously posted to the NANOG list without success.
>
> Thank you.
>

From deric.kwok2000 at gmail.com Tue Aug 11 14:29:13 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Tue, 11 Aug 2009 14:29:13 -0400
Subject: [c-nsp] help: can someone know about linksys?
Message-ID: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com>

Hi all

Does anyone know about Linksys?
e.g. a forum like Cisco's

I have an RV082 but don't have any manual.

I don't know how to connect to and configure it either, as it doesn't have any console port.

Thank you for your help

From gsgranados at comcast.net Tue Aug 11 14:39:20 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 11 Aug 2009 11:39:20 -0700
Subject: [c-nsp] VPN-3000 and PIX VPN peer change question?
Message-ID: <009e01ca1ab3$0e0383e0$2208120a@am.thmulti.com>

Hi, I have a question about upgrading a connection for a remote site and changing the VPN peer on a VPN-3000.

BACKGROUND

In the field I have a branch office with a Pix that provides their office connectivity and VPN tunnel back to HQ. The branch office is having its bandwidth increased by swapping to a new provider that offers a metro E package. The IP addressing of the firewall will change but all the other services and internal addressing remain the same. At HQ I have a VPN-3000 with that wonderful point / click thingy instead of a real usable command interface. On the VPN-3000 I have a profile that sets up a lan to lan VPN (their wording) back to the Pix at the branch.

QUESTION

My question is, assuming the Pix in the field is updated and all other things work, will I simply need to change the peer address on the VPN-3000 to reconnect the VPN? Also, am I correct in my thinking that you change the peer address under configuration / policies / ipsec / L2L / (profile)? There's a peer address that matches my far end; are there any other instances or things I should adjust? Pointers would be appreciated.
To me it looks like I make this one change and it should work, but I want to make sure before I have a guy sitting in the field holding his shmeckle while I try to figure things out. :)

Thanks
Scott

From brandon at burn.net Tue Aug 11 14:40:16 2009
From: brandon at burn.net (Brandon Applegate)
Date: Tue, 11 Aug 2009 14:40:16 -0400 (EDT)
Subject: [c-nsp] Linux Com Driver to Modem on Cisco Terminal Server
In-Reply-To: <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net>
References: <06cb01ca1a00$f9f4c290$edde47b0$@net> <1250008170.4502.11.camel@angry-butler09> <0a0c01ca1aa3$fb93f690$f2bbe3b0$@net>
Message-ID:

On Tue, 11 Aug 2009, Gregory Boehnlein wrote:

>> I use "cu" - looks to be a lot like "tip"
>>
>> http://www.computerhope.com/unix/ucu.htm
>
> Per the e-mail, the issue is that I need things like HylaFax and other commercial software that relies on direct access to the /dev/tty device to access a modem on a remote Cisco box..
>
> Minicom, CU, all of that is great, but I can't have HylaFax use Minicom to communicate w/ a remote modem.
>
> I need a driver that appears to be a serial port on the Linux box, that is connected to a remote modem on the Cisco so that proprietary software can communicate w/ the modem as if it were locally attached.
>

What about socat ?

http://www.dest-unreach.org/socat/

Surely your distro has packages in $repo. You could have this start from an rc script.

socat PTY,link=$HOME/dev/vmodem0,raw,echo=0,waitslave EXEC:'"ssh modemserver.us.org socat - /dev/ttyS0,nonblock,raw,echo=0"'

Yours would be even simpler, as the right hand side would be (probably) just a tcp-connect:

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."
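Returning to the ASA 5505 thread above: Jason suggested 'show xlate' / 'show conn', and Meenoo reported "%ASA-6-302010: 190 in use, 837 most used" shortly before the failure and "2 in use" right after it. The following is an added example, not code from any poster or from Cisco. It parses 302010 readings out of syslog text and flags two things a defender would watch for: a reading close to a configured connection limit (exhaustion), and a sudden collapse of the in-use count between consecutive readings (existing flows torn down, the pattern Meenoo saw). The sample log lines, the host name fw1 and the timestamps are constructed; the connection limit passed to near_limit is an assumed illustration value, not a license figure from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample syslog lines (not quoted from the thread). The "190 in use"
# and "2 in use" readings are the ones reported on the list; the host name,
# timestamps and the 188/3 readings are made up.
SAMPLE_LOG = """\
Aug 11 2009 13:58:01 fw1 %ASA-6-302010: 190 in use, 837 most used
Aug 11 2009 13:58:31 fw1 %ASA-6-302010: 188 in use, 837 most used
Aug 11 2009 13:59:01 fw1 %ASA-6-302010: 2 in use, 837 most used
Aug 11 2009 13:59:31 fw1 %ASA-6-302010: 3 in use, 837 most used
"""

# %ASA-6-302010 is the periodic connection-count message: "N in use, M most used".
CONN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-302010: (?P<in_use>\d+) in use, (?P<most_used>\d+) most used"
)


@dataclass(frozen=True)
class ConnSample:
    timestamp: str
    in_use: int
    most_used: int


def parse_conn_samples(text: str) -> List[ConnSample]:
    """Extract every 302010 reading from a block of syslog text, in order."""
    samples = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            samples.append(ConnSample(m["ts"], int(m["in_use"]), int(m["most_used"])))
    return samples


def find_collapses(samples: List[ConnSample], min_before: int = 50,
                   drop_ratio: float = 0.9) -> List[Tuple[ConnSample, ConnSample]]:
    """Return consecutive pairs where the in-use count fell by at least drop_ratio.

    A healthy table drifts; an almost-empty table right after a busy one means
    established flows were dropped, which is a different failure from hitting
    the limit and deserves its own alert.
    """
    hits = []
    for prev, cur in zip(samples, samples[1:]):
        if prev.in_use >= min_before and cur.in_use <= prev.in_use * (1 - drop_ratio):
            hits.append((prev, cur))
    return hits


def near_limit(samples: List[ConnSample], conn_limit: int,
               threshold: float = 0.9) -> List[ConnSample]:
    """Return readings at or above threshold * conn_limit (limit-exhaustion check)."""
    return [s for s in samples if s.in_use >= conn_limit * threshold]


if __name__ == "__main__":
    readings = parse_conn_samples(SAMPLE_LOG)
    for before, after in find_collapses(readings):
        print(f"connection table collapsed: {before.in_use} -> {after.in_use} "
              f"between {before.timestamp} and {after.timestamp}")
    # 10000 is an assumed limit used for illustration only, not a value from the thread.
    for s in near_limit(readings, conn_limit=10000):
        print(f"{s.timestamp}: {s.in_use} connections, close to the limit")
```

The two checks are deliberately separate: near_limit catches the case Jason and Steve were asking about (running out of connections or translations), while find_collapses catches the opposite signature that Meenoo actually observed, where the count drops to almost nothing because the box stopped servicing flows rather than because it ran out of room.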
From steve.tillinger at sourcemedia.com Tue Aug 11 14:44:56 2009
From: steve.tillinger at sourcemedia.com (Tillinger, Steve)
Date: Tue, 11 Aug 2009 14:44:56 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
Message-ID:

Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

# sh loc
Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 4, towards licensed host limit of: 10

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, August 11, 2009 2:12 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

The license is a 10-user license, but that's 10 internal hosts, not external hosts.

trap logging was set to informational -- now set to debug.

7.x rather than 8.x because there was a deadline for installing the system and that's what it shipped with.

It's not dying because of the logging -- this is the 3rd time it's done this and logging wasn't set up the first time. It also continues to log other messages -- it logs that it's sending syslog data to an internal server and it logs that certain traffic is denied: "Deny tcp src outside" for example.

Shortly before it died, it logged "%ASA-6-302010: 190 in use, 837 most used" and right after it stopped handling connections it logged "%ASA-6-302010: 2 in use, 837 most used", so I don't think that it's a connection limitation.
M

"This communication is intended solely for the addressee and is confidential and not for third party unauthorized distribution"

From meenoo at gmail.com Tue Aug 11 16:06:39 2009
From: meenoo at gmail.com (Meenoo Shivdasani)
Date: Tue, 11 Aug 2009 16:06:39 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID:

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

From steve.tillinger at sourcemedia.com Tue Aug 11 16:17:44 2009
From: steve.tillinger at sourcemedia.com (Tillinger, Steve)
Date: Tue, 11 Aug 2009 16:17:44 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
Message-ID:

OK so it's not the host count. Maybe the number of connections? I'm out of ideas.

# sh res usa
Resource  Current  Peak  Limit   Denied  Context
SSH       1        1     5       0       System
Conns     15       129   280000  0       System
Hosts     63       95    N/A     0       System

-----Original Message-----
From: Meenoo Shivdasani [mailto:meenoo at gmail.com]
Sent: Tuesday, August 11, 2009 4:07 PM
To: Tillinger, Steve
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

From wim.holemans at ua.ac.be Tue Aug 11 16:35:44 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Tue, 11 Aug 2009 22:35:44 +0200
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID:

Look in the log files for the following error:

<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month); a reload is the only way to resolve this. We have a case open for this, but without any good response from Cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, 11 August 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.
M

From rwest at zyedge.com Tue Aug 11 16:44:12 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 11 Aug 2009 16:44:12 -0400
Subject: [c-nsp] ASA 5505 stops servicing inbound connections
In-Reply-To:
References:
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FCD@zy-ex1.zyedge.local>

Is this on 8.2.x or 8.0? I'm making an assumption that it's not a 5580-SMP. If it is 8.2.x, you may not have enough memory; our test FW is having similar issues with 8.2.1(3). I just ordered some "Cisco compatible" RAM (Kingston Value Select) to help out with it.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Tuesday, August 11, 2009 4:36 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

Look in the log files for the following error:

<160>Aug 01 2009 15:29:49: %ASA-0-716528: Unexpected fiber scheduler error; possible out-of-memory condition

This kills our ASAs (running version 8) on a regular basis (once a month); a reload is the only way to resolve this. We have a case open for this, but without any good response from Cisco yet.

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Meenoo Shivdasani
Sent: Tuesday, 11 August 2009 22:07
To: Tillinger, Steve
CC: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5505 stops servicing inbound connections

On Tue, Aug 11, 2009 at 2:44 PM, Tillinger, Steve wrote:
> Have you tried "sh local"? That should tell you if you're hitting the 10 user limit.

"Detected interface 'outside' as the Internet interface.
Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 10
Interface dmz: 2 active, 2 maximum active, 0 denied"

The connections that get dropped are hitting the outside interface. Also, the firewall is non-responsive to remote login via SSH or ASDM when this happens.

M

From lmeade at signal.ca Tue Aug 11 17:30:17 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Tue, 11 Aug 2009 14:30:17 -0700
Subject: [c-nsp] ASDM not working after upgrades
Message-ID:

I am getting the error of
Unable to launch device manager from 10.1.254.254

I have uploaded the correct files and changed the config to match

ASA5540-01# sh run asdm
asdm image disk0:/asdm-621.bin
asdm location 10.1.6.25 255.255.255.255 inside
asdm history enable

ASA5540-01# sh run http
http server enable
http 10.1.6.0 255.255.255.0 inside

ASA5540-01# sh flash
--#-- --length-- -----date/time------ path
131 11348300 Aug 11 2009 10:09:00 asdm-621.bin
132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin

If I roll back to the older code and asdm it works fine.

Any ideas

Leslie

From A.L.M.Buxey at lboro.ac.uk Tue Aug 11 17:36:59 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 11 Aug 2009 22:36:59 +0100
Subject: [c-nsp] help: can someone know about linksys?
In-Reply-To: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com>
References: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com>
Message-ID: <20090811213659.GA22615@lboro.ac.uk>

Hi,

> Hi all
>
> Does anyone know about Linksys?
>
> e.g. a forum like Cisco's
>
> I have an RV082 but don't have any manual

and your place of work blocks Google or Bing?

http://www.retrevo.com/support/Linksys-RV082-Routers-manual/id/420bh939/t/2/

alan

From gsgranados at comcast.net Tue Aug 11 17:43:46 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 11 Aug 2009 14:43:46 -0700
Subject: [c-nsp] ASDM not working after upgrades
References:
Message-ID: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com>

Count your blessings? :) That ASDM deal sucks big hairy ones, not to mention it is utterly inaccessible with a screen reader.

----- Original Message -----
From: "Leslie Meade"
To:
Sent: Tuesday, August 11, 2009 2:30 PM
Subject: [c-nsp] ASDM not working after upgrades

> I am getting the error of
> Unable to launch device manager from 10.1.254.254
>
> I have uploaded the correct files and changed the config to match
>
> ASA5540-01# sh run asdm
> asdm image disk0:/asdm-621.bin
> asdm location 10.1.6.25 255.255.255.255 inside
> asdm history enable
>
> ASA5540-01# sh run http
> http server enable
> http 10.1.6.0 255.255.255.0 inside
>
> ASA5540-01# sh flash
> --#-- --length-- -----date/time------ path
> 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin
> 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin
>
> If I roll back to the older code and asdm it works fine.
> Any ideas
>
>
> Leslie
>

From lmeade at signal.ca Tue Aug 11 17:47:22 2009
From: lmeade at signal.ca (Leslie Meade)
Date: Tue, 11 Aug 2009 14:47:22 -0700
Subject: [c-nsp] ASDM not working after upgrades
In-Reply-To: <607f1e0a0908111437rb955ffeka65037d7b8ca83cf@mail.gmail.com>
References: <607f1e0a0908111437rb955ffeka65037d7b8ca83cf@mail.gmail.com>
Message-ID:

I thought that, but I cannot find where it says in the doco what version of Java to use.

-----Original Message-----
From: Charles Mills [mailto:w3yni1 at gmail.com]
Sent: Tuesday, August 11, 2009 2:38 PM
To: Leslie Meade
Subject: Re: [c-nsp] ASDM not working after upgrades

Shooting from the hip...java version?

On Tue, Aug 11, 2009 at 5:30 PM, Leslie Meade wrote:
> I am getting the error of
> Unable to launch device manager from 10.1.254.254
>
> I have uploaded the correct files and changed the config to match
>
> ASA5540-01# sh run asdm
> asdm image disk0:/asdm-621.bin
> asdm location 10.1.6.25 255.255.255.255 inside
> asdm history enable
>
> ASA5540-01# sh run http
> http server enable
> http 10.1.6.0 255.255.255.0 inside
>
> ASA5540-01# sh flash
> --#-- --length-- -----date/time------ path
> 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin
> 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin
>
> If I roll back to the older code and asdm it works fine.
> Any ideas
>
>
> Leslie
>

From erey at ernw.de Tue Aug 11 18:16:07 2009
From: erey at ernw.de (Enno Rey)
Date: Wed, 12 Aug 2009 00:16:07 +0200
Subject: [c-nsp] ASDM not working after upgrades
In-Reply-To:
References:
Message-ID: <20090811221607.GT98052@ws25.ernw.de>

Hi,

haven't touched the stuff for a while... but imho your config only allows http(s) connections for 10.1.6.0/24, whereas the denied connection comes from 10.1.254.254 ...

thanks,

Enno

On Tue, Aug 11, 2009 at 02:30:17PM -0700, Leslie Meade wrote:
> I am getting the error of
> Unable to launch device manager from 10.1.254.254
>
> I have uploaded the correct files and changed the config to match
>
> ASA5540-01# sh run asdm
> asdm image disk0:/asdm-621.bin
> asdm location 10.1.6.25 255.255.255.255 inside
> asdm history enable
>
> ASA5540-01# sh run http
> http server enable
> http 10.1.6.0 255.255.255.0 inside
>
> ASA5540-01# sh flash
> --#-- --length-- -----date/time------ path
> 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin
> 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin
>
> If I roll back to the older code and asdm it works fine.
> Any ideas
>
>
> Leslie
>

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel.
+49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

From justin at justinshore.com Tue Aug 11 18:16:11 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 11 Aug 2009 17:16:11 -0500
Subject: [c-nsp] EEM applets and conditional statements
Message-ID: <4A81EDAB.2030409@justinshore.com>

I'm having trouble figuring out how to use the conditional capabilities of EEM applets to do something fairly simple. I'd like to check for DHCP conflicts on a schedule and if any exist I'd like to generate a syslog message and send an email. What I can't figure out how to do is parse the output of 'sh ip dh con' and then perform an action if there are any conflicts (ie, more than just the single header line in the output). I've gone through some of the EEM community scripts but they all seem to be full blown TCL scripts. I'm thinking that I can handle this with a simple applet. The applets have if, for, and while capabilities but I haven't figured out how to apply them to parsing command output.

Any suggestions or pointers? Example scripts that demonstrate how to use the EEM logic capabilities would be fine too. I can build off that to do what I need.

Thanks
Justin

From larry at maxqe.com Tue Aug 11 19:09:02 2009
From: larry at maxqe.com (Larry)
Date: Tue, 11 Aug 2009 18:09:02 -0500
Subject: [c-nsp] help: can someone know about linksys?
In-Reply-To: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com>
References: <40d8a95a0908111129p7d3fc6d0ma199246f504527a3@mail.gmail.com>
Message-ID: <4A81FA0E.5000508@maxqe.com>

http://lmgtfy.com/?q=Linksys+rv082+manual

Deric Kwok wrote:
> Hi all
>
> Does anyone know about Linksys?
>
> e.g. a forum like Cisco's
>
> I have an RV082 but don't have any manual
>
> I don't know how to connect to and configure it either, as it doesn't have any console port
>
> Thank you for your help

From sidney.boumendil at gmail.com Tue Aug 11 19:40:07 2009
From: sidney.boumendil at gmail.com (Sidney Boumendil)
Date: Wed, 12 Aug 2009 01:40:07 +0200
Subject: [c-nsp] BFD static routes on 6500 SXI
Message-ID: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com>

Hi list,

I am pretty much confused whether BFD for static routes is actually supported on the 6500 running the SXI release.

On the 7600 it's been added starting with SRC (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_presentation0900aecd8072c43a.pdf ).

The SXI release notes exhibit the exact same feature (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/prod_presentation_12_2_33_SXI.pdf), yet I've tried SXI2 and the command 'ip route static bfd' is simply not available.

Anyone have information on that?

Thanks!

Sidney

PS: feature navigator does not list the 6500 as a supported platform for BFD static routes

From deric.kwok2000 at gmail.com Tue Aug 11 21:09:55 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Tue, 11 Aug 2009 21:09:55 -0400
Subject: [c-nsp] vpn configure
Message-ID: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>

Hi

How can I configure the remote subnet and local subnet for a VPN in the CLI?

Is the PIX only accessible by https on the inside for configuration?

Is there no other way for http configuration from the outside?
Thank you

From rwest at zyedge.com Tue Aug 11 21:28:57 2009
From: rwest at zyedge.com (Ryan West)
Date: Tue, 11 Aug 2009 21:28:57 -0400
Subject: [c-nsp] vpn configure
In-Reply-To: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>

You can configure the PIX for local and remote subnets using your interesting traffic ACL.

Access-list vpn_myacl permit ip

The PIX can be configured from the outside using PDM:

http outside

hth

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Deric Kwok
Sent: Tuesday, August 11, 2009 9:10 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vpn configure

Hi

How can I configure the remote subnet and local subnet for a VPN in the CLI?

Is the PIX only accessible by https on the inside for configuration?

Is there no other way for http configuration from the outside?

Thank you

From rodunn at cisco.com Tue Aug 11 22:03:46 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 11 Aug 2009 22:03:46 -0400
Subject: [c-nsp] EEM applets and conditional statements
In-Reply-To: <4A81EDAB.2030409@justinshore.com>
References: <4A81EDAB.2030409@justinshore.com>
Message-ID: <4A822302.7050804@cisco.com>

I don't think you can do it with an EEM applet to compare data in the output. I think you need to do it via a TCL script where you can save the variables.

Rodney

Justin Shore wrote:
> I'm having trouble figuring out how to use the conditional capabilities of EEM applets to do something fairly simple. I'd like to check for DHCP conflicts on a schedule and if any exist I'd like to generate a syslog message and send an email.
> What I can't figure out how to do is parse the output of 'sh ip dh con' and then perform an action if there are any conflicts (ie, more than just the single header line in the output). I've gone through some of the EEM community scripts but they all seem to be full blown TCL scripts. I'm thinking that I can handle this with a simple applet. The applets have if, for, and while capabilities but I haven't figured out how to apply them to parsing command output.
>
> Any suggestions or pointers? Example scripts that demonstrate how to use the EEM logic capabilities would be fine too. I can build off that to do what I need.
>
> Thanks
> Justin
>

From rodunn at cisco.com Tue Aug 11 22:06:25 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 11 Aug 2009 22:06:25 -0400
Subject: [c-nsp] BFD static routes on 6500 SXI
In-Reply-To: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com>
References: <41522e900908111640m70672fdcm3567024f1ca87def@mail.gmail.com>
Message-ID: <4A8223A1.8090706@cisco.com>

It's not there yet, Sidney. It's on the roadmap.

Rodney

Sidney Boumendil wrote:
> Hi list,
>
> I am pretty much confused whether BFD for static routes is actually supported on the 6500 running the SXI release.
> On the 7600 it's been added starting with SRC (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_presentation0900aecd8072c43a.pdf ).
> The SXI release notes exhibit the exact same feature (cf http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps6017/ps9673/prod_presentation_12_2_33_SXI.pdf), yet I've tried SXI2 and the command 'ip route static bfd' is simply not available.
>
> Anyone have information on that?
>
> Thanks!
>
> Sidney
>
> PS: feature navigator does not list the 6500 as a supported platform for BFD static routes

From engel.labiro at gmail.com Tue Aug 11 22:14:09 2009
From: engel.labiro at gmail.com (Engelhard Mahandar Labiro)
Date: Wed, 12 Aug 2009 11:14:09 +0900
Subject: [c-nsp] vpn configure
In-Reply-To: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com>
Message-ID: <74b0c3330908111914w4b56fa43u1dcb6c872e0f4c4a@mail.gmail.com>

> How can I configure the remote subnet and local subnet for a VPN in the CLI?
>
> Is the PIX only accessible by https on the inside for configuration?
>
> Is there no other way for http configuration from the outside?

I won't enable HTTP on an outside I/F, let alone on a firewall that is supposed to be secured. Better to enable an IPSec tunnel to the firewall and access the ASDM through the tunnel using the firewall's management IP address.

Engel

From dale.shaw+cisco-nsp at gmail.com Tue Aug 11 23:41:48 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Wed, 12 Aug 2009 13:41:48 +1000
Subject: [c-nsp] OT: Learning about SONET/SDH
In-Reply-To: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com>
References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com>
Message-ID: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>

Hi all,

I'd like to learn more about SONET/SDH, as deployed in carrier transmission networks. Something practical that starts from the beginning would be best, as I have had very little exposure to this stuff to date. Some of the books I've read about are very much buried in the land of academia.

I can Google as well as the next person, but pointers to good resources are appreciated.
cheers,
Dale

From ip at ioshints.info Wed Aug 12 00:16:02 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Wed, 12 Aug 2009 06:16:02 +0200
Subject: [c-nsp] EEM applets and conditional statements
In-Reply-To: <4A822302.7050804@cisco.com>
References: <4A81EDAB.2030409@justinshore.com> <4A822302.7050804@cisco.com>
Message-ID: <002101ca1b03$9bd2b650$0a00000a@nil.si>

You can do it with EEM 3.0 (12.4(22)T if I'm not mistaken). Unfortunately I
haven't been writing about this feature yet, but here's a sample applet that
compares the DHCP-acquired address to the previously-acquired one, maybe it
will come in handy:

event manager applet DetectDHCPChange
 event syslog pattern "DHCP-6-ADDRESS_ASSIGN"
 action 1.0 regexp "Interface (.*) assigned DHCP address ([0-9.]+)" "$_syslog_msg" match interface ipaddress
 action 2.0 context retrieve key DHCP_address variable "addr"
 action 2.3 set oldip "$addr"
 action 2.4 set addr "$ipaddress"
 action 2.5 context save key DHCP_address variable "addr"
 action 8.0 if $ipaddress ne $oldip
 action 9.1  info type routername
 action 9.2  mail server "$_mail_smtp" to "$_mail_rcpt" from "$_info_routername@$_mail_domain" subject "DHCP address on $interface changed to $ipaddress" body "\n$_syslog_msg"
 action 9.3  syslog msg "address changed to $ipaddress, e-mail sent to the operator"
 action 9.4 else
 action 9.5  syslog msg "DHCP address on $interface still $ipaddress"
 action 9.9 end
!
event manager applet SetDHCPKey
 event syslog pattern "SYS-5-RESTART"
 action 1.0 set addr ""
 action 1.1 context save key DHCP_address variable "addr"

This article has a sample applet that uses command output (in the $_cli_result variable):
http://wiki.nil.com/Send_a_list_of_high-CPU_processes_on_CPU_overload

Hope this helps
Ivan

http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Wednesday, August 12, 2009 4:04 AM
> To: Justin Shore
> Cc: 'Cisco-nsp'
> Subject: Re: [c-nsp] EEM applets and conditional statements
>
> I don't think you can do it with an EEM applet to compare
> data in the output. I think you need to do it via a TCL
> script where you can save the variables.
>
> Rodney
>
>
>
> Justin Shore wrote:
> > I'm having trouble figuring out how to use the conditional
> > capabilities of EEM applets to do something fairly simple. I'd like
> > to check for DHCP conflicts on a schedule and if any exist I'd like to
> > generate a syslog message and send an email. What I can't figure out
> > how to do is parse the output of 'sh ip dh con' and then perform an
> > action if there are any conflicts (ie, more than just the single
> > header line in the output). I've gone through some of the EEM
> > community scripts but they all seem to be full blown TCL scripts. I'm
> > thinking that I can handle this with a simple applet. The applets
> > have if, for, and while capabilities but I haven't figured out how to
> > apply them to parsing command output?
> >
> > Any suggestions or pointers? Example scripts that demonstrate how to
> > use the EEM logic capabilities would be fine too. I can build off
> > that to do what I need.
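The scheduled conflict check Justin asked for, written out as an added example for this archive page; it is not part of Ivan's post, Justin's post, or the wiki article Ivan links. It uses the same EEM 3.0 applet syntax as Ivan's applets but fires from a watchdog timer rather than a syslog pattern, runs the show command, and inspects $_cli_result. The applet name, the 300-second interval, and the mail server and addresses (smtp.example.net, noc@example.net, example.net) are placeholders chosen here, not values from the thread.

```cisco
! Added example, not from the thread.  Needs EEM 3.0 (12.4(22)T or later,
! per Ivan's note).  The three environment values below are placeholders.
event manager environment _mail_smtp smtp.example.net
event manager environment _mail_rcpt noc@example.net
event manager environment _mail_domain example.net
!
event manager applet CheckDHCPConflicts
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 1.1 cli command "show ip dhcp conflict"
! The whole command output is now in $_cli_result.  Every conflict entry
! starts with a dotted-quad address, while the header line ("IP address
! Detection method ...") contains no digits, so a regexp hit means at least
! one conflict is listed.  The first variable after the input string
! receives the entire matched text; $_regexp_result is 1 on a match.
 action 2.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_cli_result" conflict_ip
 action 3.0 if $_regexp_result eq 1
 action 3.1  info type routername
 action 3.2  syslog priority warnings msg "DHCP address conflict detected, first entry $conflict_ip"
 action 3.3  mail server "$_mail_smtp" to "$_mail_rcpt" from "$_info_routername@$_mail_domain" subject "DHCP conflict on $_info_routername" body "$_cli_result"
 action 3.9 end
```

After pasting it in, "show event manager policy registered" should list CheckDHCPConflicts with its timer event; with no conflicts in the table the applet stays silent, so the syslog message is the signal to watch for on the collector. The mail body carries the raw command output so the operator sees the conflicting addresses and detection method without logging in.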
> >
> > Thanks
> > Justin
> >

From abalashov at evaristesys.com Wed Aug 12 00:55:45 2009
From: abalashov at evaristesys.com (Alex Balashov)
Date: Wed, 12 Aug 2009 00:55:45 -0400
Subject: [c-nsp] OT: Learning about SONET/SDH
In-Reply-To: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com> <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
Message-ID: <4A824B51.3010500@evaristesys.com>

I got a lot of mileage out of:

http://search.barnesandnoble.com/SONET-SDH-3rd-Edition/Walter-J-Goralski/e/9780072225242

Dale Shaw wrote:
> Hi all,
>
> I'd like to learn more about SONET/SDH, as deployed in carrier
> transmission networks.
>
> Something practical that starts from the beginning would be best, as I
> have had very little exposure to this stuff to date. Some of the books
> I've read about are very much buried in the land of academia.
>
> I can Google as well as the next person, but pointers to good
> resources are appreciated.
>
> cheers,
> Dale

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671

From engel.labiro at gmail.com Wed Aug 12 01:35:35 2009
From: engel.labiro at gmail.com (Engelhard Mahandar Labiro)
Date: Wed, 12 Aug 2009 14:35:35 +0900
Subject: [c-nsp] OT: Learning about SONET/SDH
In-Reply-To: <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
References: <3329cbb40908112040n10bcc440x1825f50467775c30@mail.gmail.com> <3329cbb40908112041w1e726f3u66b05c19d4c20ba2@mail.gmail.com>
Message-ID: <74b0c3330908112235l49402f08n2cb718948e19b824@mail.gmail.com>

As always, a book from Cisco Press. It covers some case studies to design and
implement SONET/SDH:

Optical Network Design and Implementation
by Vivek Alwayn
Publisher: Cisco Press
Pub Date: March 17, 2004
Print ISBN-10: 1-58705-105-2
Print ISBN-13: 978-1-58705-105-0
Pages: 840

HTH
Engel

On Wed, Aug 12, 2009 at 12:41 PM, Dale Shaw wrote:
> Hi all,
>
> I'd like to learn more about SONET/SDH, as deployed in carrier
> transmission networks.
>
> Something practical that starts from the beginning would be best, as I
> have had very little exposure to this stuff to date. Some of the books
> I've read about are very much buried in the land of academia.
>
> I can Google as well as the next person, but pointers to good
> resources are appreciated.
>
> cheers,
> Dale
>

From jckdaniels12 at gmail.com Wed Aug 12 01:54:15 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Wed, 12 Aug 2009 11:24:15 +0530
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
Message-ID: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>

Hi all,

I'm getting the below error in a GSR 12416 chassis, please suggest:

048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock
switched to clock 0
048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18

sh gsr

Slot 0  type = Modular SPA Interface Card
        state = IOS RUN          Line Card Enabled
   subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
   subslot 0/1: Empty
   subslot 0/2: Empty
   subslot 0/3: Empty
Slot 6  type = Modular SPA Interface Card
        state = RTRYWAIT         Waiting to retry download after persistent failures
Slot 7  type = Performance Route Processor
        state = ACTV RP          IOS Running ACTIVE
Slot 8  type = Performance Route Processor
        state = RP RDY           Route Processor Powered
Slot 9  type = Modular SPA Interface Card
        state = IOS RUN          Line Card Enabled
   subslot 9/0: Empty
   subslot 9/1: Empty
   subslot 9/2: Empty
   subslot 9/3: Empty
Slot 15 type = Modular SPA Interface Card
        state = RTRYWAIT         Waiting to retry download after persistent failures
Slot 16 type = Clock Scheduler Card OC192 Dual Priority
        state = Card Powered
Slot 17 type = Clock Scheduler Card OC192 Dual Priority
        state = Card Powered     PRIMARY CLOCK
Slot 18 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 19 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 20 type = Switch Fabric Card 16XOC192
        state = Card Powered
Slot 24 type = Alarm Module(16)
        state = Card Powered
Slot 25 type = Alarm Module(16)
        state = Card Powered
Slot 27 type = Bus Board(16)
        state = Card Powered
Slot 28 type = Blower Module(16)
        state = Card Powered
Slot 29 type = Blower Module(16)
        state = Card Powered

sh led

SLOT 0  : RUN IOS
SLOT 6  : WAITRTRY
SLOT 7  : RP ACTV
SLOT 8  : INITMEM
SLOT 9  : RUN IOS
SLOT 15 : WAITRTRY

Regards

From howard at leadmon.net Wed Aug 12 02:47:16 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Wed, 12 Aug 2009 02:47:16 -0400
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
Message-ID: <000001ca1b18$be72cc80$3b586580$@net>

OK, I am sure this is just something I haven't run into before, but I just
setup an ASA5520, and overall it's doing well, except this one gotcha.

We are using it in routed/NAT mode, but some internal servers need to be on
their own external IPs as well; we have multiple DNS, Mail, and so on servers
in the network. I have the external IPs on the firewall, mapped to the
specific internal servers, and all is well. Also my TCP mappings all seem to
be fine, but when I try and put in a translation for UDP on port 53 it has a
cow.

ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy

So needless to say the outside DNS queries to that server are NOT working.. :-(

Here is some of my config, hopefully I don't need to post it all as it's quite
extensive (with multiple VPNs and so on), so I will try and post what I think
are the relevant parts.

name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain

nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask 255.255.255.255

NOTE: The TCP static translations above work just fine, but if I try and put
in a UDP translation as well like this:

static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255

The ASA throws a bitch and kicks out the "ERROR: unable to reserve port 53 for
static PAT" error.
Of course without UDP on port 53 working, DNS lookups from that machine to the
outside world are dead. What am I missing here??

I know if I didn't have it on its own specific external IP, then I could put
in the UDP rule (as I have some in for servers that don't need their own), but
if I pull that, then I don't have the server on its own IP, and then mail/SMTP
service becomes an issue as some sites reject unreachable mail servers.

So I guess the million dollar question is, how can I have the MAIL1 server on
its own specific outside IP address, and also have it responding to UDP DNS
queries. I am sure I am missing something silly here, and this is running
"Cisco Adaptive Security Appliance Software Version 8.2(1)" software, so is
current.

Any input on how to resolve this would be most appreciated..

---
Howard Leadmon - howard at leadmon.net

From CJones at enterprisedata.com.au Wed Aug 12 03:32:45 2009
From: CJones at enterprisedata.com.au (Chris Jones)
Date: Wed, 12 Aug 2009 17:32:45 +1000
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
In-Reply-To: <000001ca1b18$be72cc80$3b586580$@net>
References: <000001ca1b18$be72cc80$3b586580$@net>
Message-ID: <61C1A30B39817D4DACC0C5CA4DF79CCA07352802@syd1exstore01.entdata.local>

Hi Howard,

What about doing something like:

static (LAN,Internet) MAIL1-Outside MAIL1-Inside netmask 255.255.255.255

Then using the ACL on the outside interface to control the access. With that,
you wouldn't need an individual mapping for each port - only to open it in the
ACL.

Regards,
Chris

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Wednesday, 12 August 2009 4:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?

OK, I am sure this is just something I haven't run into before, but I just
setup an ASA5520, and overall it's doing well, except this one gotcha.
We are using it in routed/NAT mode, but some internal servers need to be on
their own external IPs as well; we have multiple DNS, Mail, and so on servers
in the network. I have the external IPs on the firewall, mapped to the
specific internal servers, and all is well. Also my TCP mappings all seem to
be fine, but when I try and put in a translation for UDP on port 53 it has a
cow.

ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy

So needless to say the outside DNS queries to that server are NOT working.. :-(

Here is some of my config, hopefully I don't need to post it all as it's quite
extensive (with multiple VPNs and so on), so I will try and post what I think
are the relevant parts.

name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain

nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask 255.255.255.255

NOTE: The TCP static translations above work just fine, but if I try and put
in a UDP translation as well like this:

static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255

The ASA throws a bitch and kicks out the "ERROR: unable to reserve port 53 for
static PAT" error.

Of course without UDP on port 53 working, DNS lookups from that machine to the
outside world are dead. What am I missing here??
I know if I didn't have it on its own specific external IP, then I could put
in the UDP rule (as I have some in for servers that don't need their own), but
if I pull that, then I don't have the server on its own IP, and then mail/SMTP
service becomes an issue as some sites reject unreachable mail servers.

So I guess the million dollar question is, how can I have the MAIL1 server on
its own specific outside IP address, and also have it responding to UDP DNS
queries. I am sure I am missing something silly here, and this is running
"Cisco Adaptive Security Appliance Software Version 8.2(1)" software, so is
current.

Any input on how to resolve this would be most appreciated..

---
Howard Leadmon - howard at leadmon.net

From kron at linkey.ru Wed Aug 12 04:46:17 2009
From: kron at linkey.ru (Aleksandr Gurbo)
Date: Wed, 12 Aug 2009 12:46:17 +0400
Subject: [c-nsp] 6VPE, redistribute routes
Message-ID: <20090812124617.5b411932.kron@linkey.ru>

Hello,

I have a test lab with two routers connected together.

c7507-----c7604

I can redistribute the default ipv6 route from c7507 (default table) to c7604 (default table).
I would like to know if it is possible to redistribute the default ipv6 route from c7507 (default table) to VRF vpnv6 on c7604?
--
Alexandr Gurbo

From deric.kwok2000 at gmail.com Wed Aug 12 06:59:10 2009
From: deric.kwok2000 at gmail.com (Deric Kwok)
Date: Wed, 12 Aug 2009 06:59:10 -0400
Subject: [c-nsp] vpn configure
In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local>
Message-ID: <40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>

Thank you

Do you know what the CLI is to configure remote subnet and local subnet for vpn?

On Tue, Aug 11, 2009 at 9:28 PM, Ryan West wrote:
> You can configure the PIX for local and remote subnets using your
> interesting traffic ACL.
>
> Access-list vpn_myacl permit ip
>
>
> The PIX can be configured from the outside using PDM:
> http outside
>
> hth
>
> -ryan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Deric Kwok
> Sent: Tuesday, August 11, 2009 9:10 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] vpn configure
>
> Hi
>
> How can I configure remote subnet and local subnet for vpn in cli?
>
> Is pix only accessed by https in inside for configuration?
>
> No other way for http configuration outside?
>
> Thank you

From kron at linkey.ru Wed Aug 12 08:43:35 2009
From: kron at linkey.ru (Aleksandr Gurbo)
Date: Wed, 12 Aug 2009 16:43:35 +0400
Subject: [c-nsp] 6VPE, redistribute routes
In-Reply-To: <20090812124617.5b411932.kron@linkey.ru>
References: <20090812124617.5b411932.kron@linkey.ru>
Message-ID: <20090812164335.55902512.kron@linkey.ru>

> I have a test lab with two routers connected together.
> c7507-----c7604
> I can redistribute the default ipv6 route from c7507 (default table) to c7604 (default table).
> I would like to know if it is possible to redistribute the default ipv6 route from c7507 (default table) to VRF vpnv6 on c7604?

I redistributed the ipv6 default route through eBGP between c7507 (default
table) and VRF vpnv6 on c7604. See page 26.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/prod_presentation0900aecd80311df4.pdf

I would like to know if it is possible to redistribute the default ipv6 route
through OSPFv3?

--
Alexandr Gurbo

From rwest at zyedge.com Wed Aug 12 08:50:14 2009
From: rwest at zyedge.com (Ryan West)
Date: Wed, 12 Aug 2009 08:50:14 -0400
Subject: [c-nsp] vpn configure
In-Reply-To: <40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>
References: <40d8a95a0908111809r4d03b3edr1580ad5869ffc2e1@mail.gmail.com> <6E21B2BDEF6E714EA0B5BA8D5D0E14012489DA2FEC@zy-ex1.zyedge.local> <40d8a95a0908120359m1e6fbb1do21b13dcd04da5fec@mail.gmail.com>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2694C2@zy-ex1.zyedge.local>

Deric,

It was listed in my original reply:

Access-list vpn_myacl permit ip

Assuming you're doing NAT, then you would apply that same ACL to your noNAT
ACL. The "vpn_myacl" interesting traffic ACL is then called from the
'crypto map match address vpn_myacl' command.

-ryan

From: Deric Kwok [mailto:deric.kwok2000 at gmail.com]
Sent: Wednesday, August 12, 2009 6:59 AM
To: Ryan West; engel.labiro at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] vpn configure

Thank you

Do you know what the CLI is to configure remote subnet and local subnet for vpn?

On Tue, Aug 11, 2009 at 9:28 PM, Ryan West wrote:
You can configure the PIX for local and remote subnets using your interesting
traffic ACL.
Access-list vpn_myacl permit ip

The PIX can be configured from the outside using PDM:
http outside

hth

-ryan

From jcartier at acs.on.ca Wed Aug 12 09:31:19 2009
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 12 Aug 2009 09:31:19 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
Message-ID:

Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?

I've dug around Google and Cisco, but haven't found a concrete 'YES'.

My gut feeling is telling me it's okay; but I figure I'd ask the group :-)

Thanks!!!

From cchurc05 at harris.com Wed Aug 12 09:51:30 2009
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 12 Aug 2009 08:51:30 -0500
Subject: [c-nsp] ASDM not working after upgrades
In-Reply-To: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com>
References: <00ea01ca1acc$d3338520$0202fea9@am.thmulti.com>
Message-ID:

Can you HTTPS to the device using a normal browser and get the initial screen?

Chuck

----- Original Message -----
From: "Leslie Meade"
To:
Sent: Tuesday, August 11, 2009 2:30 PM
Subject: [c-nsp] ASDM not working after upgrades

> I am getting the error of
> Unable to launch device manager from 10.1.254.254
>
> I have uploaded the correct files and changed the config to match
>
> ASA5540-01# sh run asdm
> asdm image disk0:/asdm-621.bin
> asdm location 10.1.6.25 255.255.255.255 inside
> asdm history enable
>
> ASA5540-01# sh run http
> http server enable
> http 10.1.6.0 255.255.255.0 inside
>
> ASA5540-01# sh flash
> --#-- --length-- -----date/time------ path
> 131 11348300 Aug 11 2009 10:09:00 asdm-621.bin
> 132 16275456 Aug 11 2009 10:10:10 asa821-k8.bin
>
> If I roll back to the older code and asdm it works fine.
> Any ideas
>
>
> Leslie
>

From nick at inex.ie Wed Aug 12 10:08:52 2009
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 12 Aug 2009 15:08:52 +0100
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To:
References:
Message-ID: <4A82CCF4.7020205@inex.ie>

On 12/08/2009 14:31, Jeff Cartier wrote:
> Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?
>
> I've dug around Google and Cisco, but haven't found a concrete 'YES'.
>
> My gut feeling is telling me it's okay; but I figure I'd ask the group :-)

"Online insertion and removal" or "online insertion and reload"?

Definitely the latter. Unfortunately, OIR stability is a hardware problem
and cannot really be avoided on the c65k/c76k chassis, regardless of the
line card in question.

There's a little more information on:

http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal

Personally, I've never had any problems, but as a matter of policy I don't
do line card changes outside maintenance windows (except in specifically
defined cases of emergency). It's embarrassing to have to tell people that
their downtime was due to avoidable operator error.

Nick

From KaeglerM at tessco.com Wed Aug 12 10:31:59 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Wed, 12 Aug 2009 10:31:59 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To:
Message-ID:

On 8/12/09 9:31 AM, "Jeff Cartier" wrote:
> Does anyone know if a Cisco 6509-E w/ Sup720 & WiSM will support OIR?
> I've dug around Google and Cisco, but haven't found a concrete 'YES'.
> My gut feeling is telling me it's okay; but I figure I'd ask the group :-)
> Thanks!!!

I've done it several times with a WiSM without problem. I'd avoid OIR of
anything on the 6500 platform during production hours. During an OIR, the
backplane stalls (by design). Several things can cause the bus not to
un-stall for longer than the magic reload timer.

If this is your first WiSM in the chassis, you'll need to do some special
configuration on the sup before you can do much with it.

-mKaegler
--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less. http://www.tessco.com/

From BBlackford at nwresd.k12.or.us Wed Aug 12 11:25:51 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Wed, 12 Aug 2009 08:25:51 -0700
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
Message-ID: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>

I'm looking for a recommendation for upgrade and perhaps some possible
explanation of the code branches.

I am currently on 12.2(33)SRB1. The role of the box is Internet border, two
full feeds, 10 other bilateral peers. No MPLS.

Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?

Any personal experience from the trenches would be appreciated.
Thank you

-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

my /home away from home

From Steven.Raymond at integratelecom.com Wed Aug 12 11:45:18 2009
From: Steven.Raymond at integratelecom.com (Raymond, Steven)
Date: Wed, 12 Aug 2009 08:45:18 -0700
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>

> I'm looking for a recommendation for upgrade and perhaps some possible
> explanation of the code branches.
>
> I am currently on 12.2(33)SRB1. The role of the box is Internet border,
> two full feeds, 10 other bilateral peers. No MPLS.
>
> Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?
>
> Any personal experience from the trenches would be appreciated.

We had bad results with all of SRB. SRC3 seemed better but had a bad BFD bug
that TAC couldn't resolve. Have found the least bugs in SRD1, but non-Cisco
BGP neighbors sometimes require the use of the hidden command
"neighbor x.x.x.x dont-capability-negotiate" or the session won't restore.

SRB issues we remember:

SRB1
CSCek71050 Symptoms: Compared to other Cisco IOS software releases, unusually
high CPU usage may occur in the BGP router process on a Cisco 7600 series that
runs Cisco IOS Release 12.2(33)SRB1.

from SRB2 - very nasty bug with SIP/6700 linecards. linecard would stop
forwarding, only fix was to reset both cards

CSCsl50569 sh mem causes primary supervisor to fail, sh mem sum does not.
Occurs in SRB2 and SRB3, only fix is upgrade

When deleting a multilink member via 'no controller bla', if the multilink-group
config is still under the serial interface it will eventually cause the SPA to
reload.
May take up to 24 hrs, also, no new multilinks will work until SPA is reset

Similar bug is when adding a multilink configuration to serial interface with
service-policy applied, no multilinks will enable and SPA will eventually reload

SRB3
Caused router to misreport sampled traffic drastically as the linecards stop
sending netflow. CSCsq14299

SRB4
BGP phantom announcements stops sending routes to peers. BGP is up and fine
but neighbors get no routes, can be seen in "show ip bgp neighbor" as
"prefixes total 0". Possibly related to CSCsm57494.

SRB5
Appears to have same netflow bug as SRB3.
Tech added removed static route pointing to serial interface and added it back
which caused standby to reload. Still undetermined if that was root cause

From gert at greenie.muc.de Wed Aug 12 12:31:38 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 12 Aug 2009 18:31:38 +0200
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <4A82CCF4.7020205@inex.ie>
References: <4A82CCF4.7020205@inex.ie>
Message-ID: <20090812163138.GG29143@greenie.muc.de>

Hi,

On Wed, Aug 12, 2009 at 03:08:52PM +0100, Nick Hilliard wrote:
> >My gut feeling is telling me it's okay; but I figure I'd ask the group :-)
>
> "Online insertion and removal" or "online insertion and reload"?
>
> Definitely the latter. Unfortunately, OIR stability is a hardware problem
> and cannot really be avoided on the c65k/c76k chassis, regardless of the
> line card in question.
>
> There's a little more information on:
>
> http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal
>
> Personally, I've never had any problems, [..]

Personally, I think that this is all folklore from the 7500 times...

We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but
lots of fun with CyBUS stalls and crashes on 7500...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From rodunn at cisco.com Wed Aug 12 13:48:32 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 12 Aug 2009 13:48:32 -0400
Subject: [c-nsp] IOS Upgrade Planner changes thread
Message-ID: <4A830070.2020101@cisco.com>

Can someone point me to the thread about the new IOS Upgrade Planner changes
that were made to the list? I can't seem to find it.

Rodney

From shaw38 at gmail.com Wed Aug 12 13:50:14 2009
From: shaw38 at gmail.com (Steve Shaw)
Date: Wed, 12 Aug 2009 13:50:14 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de>
Message-ID: <1d3cfae10908121050y6e85d991t4bf8c07e0c5a02ee@mail.gmail.com>

Guys, I second (or third) the "do it inside a maintenance window"
recommendation.

The effect of doing an OIR in a 6500 chassis really depends on the types of
modules within the chassis at that time....basically--

DFCs = OK
CFC = bus stall i.e. traffic loss

I've personally been bitten by doing an OIR during the day in a 6500 with CFC
modules.

Here's some literature from Cisco:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_qanda_item09186a00809a7673.shtml#qa4

The addition of a DFC module effectively disconnects a module from the Data
Bus. As such, a DFC-enabled module is not subject to the bus stall mechanism
that occurs when a module is inserted or removed from the chassis. Throughout
these Online Insertion and Removal (OIR) events, the Data Bus is temporarily
paused for just enough time to ensure that the insertion/removal process does
not cause any data corruption on the backplane.
This protection mechanism causes a very brief amount of packet loss
(sub-second, but dependent on the time it takes to fully insert a module). A
module with a DFC onboard is not directly affected by this stall mechanism and
does not have any packet loss on OIR.

-Steve

On Wed, Aug 12, 2009 at 12:31 PM, Gert Doering wrote:
> Hi,
>
> On Wed, Aug 12, 2009 at 03:08:52PM +0100, Nick Hilliard wrote:
> > >My gut feeling is telling me it's okay; but I figure I'd ask the group :-)
> >
> > "Online insertion and removal" or "online insertion and reload"?
> >
> > Definitely the latter. Unfortunately, OIR stability is a hardware
> > problem and cannot really be avoided on the c65k/c76k chassis,
> > regardless of the line card in question.
> >
> > There's a little more information on:
> >
> > http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal
> >
> > Personally, I've never had any problems, [..]
>
> Personally, I think that this is all folklore from the 7500 times...
>
> We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but
> lots of fun with CyBUS stalls and crashes on 7500...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From mhuff at ox.com Wed Aug 12 13:53:26 2009
From: mhuff at ox.com (Matthew Huff)
Date: Wed, 12 Aug 2009 13:53:26 -0400
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>

Not folklore. I've had a 6509 with Sup 720-3B crash twice during OIR.
Cisco claims the first time I inserted too fast, the second time too slow. I've also had a 6509 linecard scorch the backplane due to a short. Not a fun day.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Wednesday, August 12, 2009 12:32 PM
> To: Nick Hilliard
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco 6509-E & WiSM - OIR
>
> Hi,
>
> On Wed, Aug 12, 2009 at 03:08:52PM +0100, Nick Hilliard wrote:
> > > My gut feeling is telling me it's okay; but I figure I'd ask the group J
> >
> > "Online insertion and removal" or "online insertion and reload"?
> >
> > Definitely the latter. Unfortunately, OIR stability is a hardware problem
> > and cannot really be avoided on the c65k/c76k chassis, regardless of the
> > line card in question.
> >
> > There's a little more information on:
> >
> > http://en.wikipedia.org/wiki/Catalyst_6500#Online_Insertion_.26_Removal
> >
> > Personally, I've never had any problems, [..]
>
> Personally, I think that this is all folklore from the 7500 times...
>
> We *never* had any problems with OIR on 7200 or 6500/7600 platforms - but
> lots of fun with CyBUS stalls and crashes on 7500...
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany    gert at greenie.muc.de
> fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de
From rodunn at cisco.com Wed Aug 12 14:21:43 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 12 Aug 2009 14:21:43 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us>
Message-ID: <4A830837.3070105@cisco.com>

If you are going to move, go to the latest SRB rebuild on Cisco.com.

There were a ton of fixes in the early SRB releases due to a huge quality push on that throttle.

SRC and SRD simply have less field exposure.

Rodney

Bill Blackford wrote:
> I'm looking for a recommendation for upgrade and perhaps some possible explanation of the code branches.
>
> I am currently on 12.2(33)SRB1. The role of the box is Internet border, two full feeds, 10 other bilateral peers. No MPLS.
>
> Do I stick with SRB (I believe it's up to SRB6 now) or jump up to SRD2a?
>
> Any personal experience from the trenches would be appreciated.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home

From gtb at slac.stanford.edu Wed Aug 12 14:49:40 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 12 Aug 2009 11:49:40 -0700
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <20090812163138.GG29143@greenie.muc.de>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de>
Message-ID:

> > Personally, I've never had any problems, [..]
>
> Personally, I think that this is all folklore from the 7500 times...

*Personally* I have never had a problem.
However, I *have* seen a bus reset/hang on a 6500 OIR when a card was inserted by a former colleague. His memory about whether he inserted it quickly, slowly, partially in and then pulled back out, or whatever, was a little imprecise after the experience.

Given the number of 6500 OIRs I have participated in, it is by experiment statistically hard to get wrong, but some people do manage some of the time. (I do not have enough statistics to determine if we can qualify particular people as being special, but I do have some anecdotal evidence.)

Gary

From maddison at lightbound.net Wed Aug 12 14:44:07 2009
From: maddison at lightbound.net (Matt Addison)
Date: Wed, 12 Aug 2009 14:44:07 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
Message-ID:

> Have found the least bugs in SRD1, but non-cisco bgp neighbors
> sometimes require the use of hidden command "neighbor x.x.x.x dont-capability-negotiate"
> or the session won't restore.

We're also quite happy with SRD1. Early SRBx had a few issues with OSPF, and SSO/ISSU with static routes up until B4 or so. SRC1 (and everything up to it, presumably) has some bugs in how PPP (at least on T1/DS3, not sure about POS) gets put on the fabric, which affects interop with non-Cisco PPP implementations. I hear that fix also made it into SRC2, but we migrated to SRD1 because at that time SRC2 was still a month or two out.

~Matt

From Kiran.Oddiraju at cbre.com Wed Aug 12 15:57:43 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Wed, 12 Aug 2009 20:57:43 +0100
Subject: [c-nsp] DS3 circuit error
Message-ID:

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end.
Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K

CB Richard Ellis Limited, Registered Office: St Martin's Court, 10 Paternoster Row, London, EC4M 7HP, registered in England and Wales No. 3536032. Regulated by the RICS and an appointed representative of CB Richard Ellis Indirect Investment Services Limited which is authorised and regulated by the Financial Services Authority. This communication is from CB Richard Ellis Limited or one of its associated/subsidiary companies. This communication contains information which is confidential and may be privileged. If you are not the intended recipient, please contact the sender immediately. Any use of its contents is strictly prohibited and you must not copy, send or disclose it, or rely on its contents in any way whatsoever. Reasonable care has been taken to ensure that this communication (and any attachments or hyperlinks contained within it) is free from computer viruses. No responsibility is accepted by CB Richard Ellis Limited or its associated/subsidiary companies and the recipient should carry out any appropriate virus checks.
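As an added example (not part of the thread), here is a small Python parser for the "show controllers t3" output pasted above: it extracts the alarm and interval-counter fields and maps the Rx AIS / Tx remote-alarm pair to the side of the circuit to point the carrier at. The alarm-string matching and the fault-side labels are assumptions based on the IOS wording shown in this post; other releases may phrase the alarms differently.

```python
"""Parse Cisco IOS 'show controllers t3' output and classify its alarm state.

Added example, not from the thread. Alarm-string matching is an assumption
based on the IOS wording in the original post.
"""
import re
from dataclasses import dataclass, field

# Controller output from the original post, embedded verbatim as sample input.
SAMPLE_OUTPUT = """\
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
"""


@dataclass
class T3Status:
    interface: str = ""
    state: str = ""
    tx_alarm: str = ""      # alarm we send toward the carrier
    rx_alarm: str = ""      # alarm we receive from the carrier
    framing: str = ""
    line_code: str = ""
    clock_source: str = ""
    elapsed_secs: int = 0
    counters: dict = field(default_factory=dict)


def parse_t3_controller(text: str) -> T3Status:
    """Pull the fields that matter for fault isolation out of the raw output."""
    st = T3Status()
    in_counters = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^(T3 \S+) is (\w+)\.", line):
            st.interface, st.state = m.group(1), m.group(2)
        elif m := re.match(r"^Transmitter is (.+?)\.?$", line):
            st.tx_alarm = m.group(1)
        elif m := re.match(r"^Receiver (?:is|has) (.+?)\.?$", line):
            st.rx_alarm = m.group(1)
        elif m := re.match(r"^Framing is (.+?), Line Code is (.+?), Clock Source is (.+)$", line):
            st.framing, st.line_code, st.clock_source = m.groups()
        elif m := re.match(r"^Data in current interval \((\d+) seconds elapsed\):", line):
            st.elapsed_secs = int(m.group(1))
            in_counters = True
        elif in_counters and line:
            # Counter lines are comma-separated "<count> <name>" pairs.
            for piece in line.split(","):
                if m := re.match(r"^(\d+)\s+(.+)$", piece.strip()):
                    st.counters[m.group(2)] = int(m.group(1))
        else:
            in_counters = False
    return st


def classify_fault(st: T3Status) -> tuple[str, str]:
    """Map the Rx/Tx alarm pair to the side most likely at fault.

    Returns one of 'upstream', 'local-rx', 'local-tx', 'none' plus a reason.
    """
    rx, tx = st.rx_alarm.lower(), st.tx_alarm.lower()
    if "ais" in rx.split():
        where = "upstream"
        why = ("Rx is all ones (AIS): a device upstream lost its own input and is "
               "signalling that toward us, so our receive path to the nearest "
               "carrier element is intact and the break is further in.")
    elif "loss of signal" in rx or "loss of frame" in rx:
        where = "local-rx"
        why = "Rx has LOS/LOF: check our receive cable, the port and the nearest carrier element."
    elif "remote alarm" in rx or "rai" in rx.split():
        where = "local-tx"
        why = "Rx carries RAI: the far end is not receiving us; check our transmit path."
    else:
        where = "none"
        why = "No receive alarm reported."
    if "remote alarm" in tx and where in ("upstream", "local-rx"):
        why += " Tx remote alarm (RAI) is the expected response to that inbound alarm, not a second fault."
    return where, why


def interval_unavailable(st: T3Status) -> bool:
    """True when the circuit was unavailable for the whole reporting interval."""
    return st.elapsed_secs > 0 and st.counters.get("Unavailable Secs") == st.elapsed_secs


if __name__ == "__main__":
    status = parse_t3_controller(SAMPLE_OUTPUT)
    side, reason = classify_fault(status)
    print(f"{status.interface} is {status.state}; likely fault side: {side}")
    print(reason)
    if interval_unavailable(status):
        print(f"Circuit unavailable for the entire {status.elapsed_secs}s interval.")
```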
From MatlockK at exempla.org Wed Aug 12 16:08:24 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 12 Aug 2009 14:08:24 -0600
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3959@LMC-MAIL2.exempla.org>

"Receiver is getting AIS."

Looks like you have an open in the circuit. Your device is reporting an AIS (all ones, usually indicative of an open circuit).

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oddiraju, Kiran @ London SMC
Sent: Wednesday, August 12, 2009 1:58 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DS3 circuit error

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end. Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K
From petelists at templin.org Wed Aug 12 16:12:08 2009
From: petelists at templin.org (Pete Templin)
Date: Wed, 12 Aug 2009 15:12:08 -0500
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4A832218.30805@templin.org>

Oddiraju, Kiran @ London SMC wrote:
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
> T3 3/0 is down.
>   Applique type is Subrate T3
>   Description: Carrier_Circuit_ID
>   Transmitter is sending remote alarm.
>   Receiver is getting AIS.

You're seeing AIS from the carrier and sending 'remote alarm' because of the inbound AIS. My circuit-fu is a little rusty, but I think this means that the inbound side of the circuit is good end-to-end, but the outbound side of the circuit has a problem between your end and the other end. The far-side router (or whatever) is seeing an LOS/LOF/xxx and is announcing that to your router.
Middle of circuit, towards far side:
Far side of circuit:
  into router
  AIS out of router
Circuit, towards near side:
  AIS (indicates problem on opposite side of circuit)
Near side of circuit:
  AIS into router (opposite direction is bad)
  out of router (acknowledging same-direction alarm to carrier)

pt

From jay at west.net Wed Aug 12 16:52:03 2009
From: jay at west.net (Jay Hennigan)
Date: Wed, 12 Aug 2009 13:52:03 -0700
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
References:
Message-ID: <4A832B73.3090706@west.net>

Oddiraju, Kiran @ London SMC wrote:
> Hi Guys,
>
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
>
> T3 3/0 is down.
>
>   Applique type is Subrate T3
>
>   Description: Carrier_Circuit_ID
>
>   Transmitter is sending remote alarm.

You are sending a signal to the other end reporting that the signal that you are receiving is unacceptable. This is happening because...

> Receiver is getting AIS.

You are receiving all 1s from the other end. Typically, this means that there is a problem with the equipment sending toward you. Something upstream has lost signal and is sending an AIS (Alarm Indication Signal) to you. You respond by sending RAI (Remote Alarm Indicator) notifying the other end of the bad signal that you are receiving.
More info here:
http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a0080344194.shtml

which shortens to:
http://tinyurl.com/r6jvzo

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From gert at greenie.muc.de Wed Aug 12 16:53:32 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 12 Aug 2009 22:53:32 +0200
Subject: [c-nsp] Cisco 6509-E & WiSM - OIR
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>
References: <4A82CCF4.7020205@inex.ie> <20090812163138.GG29143@greenie.muc.de> <483E6B0272B0284BA86D7596C40D29F9D122BBDAA0@PUR-EXCH07.ox.com>
Message-ID: <20090812205332.GI29143@greenie.muc.de>

Hi,

On Wed, Aug 12, 2009 at 01:53:26PM -0400, Matthew Huff wrote:
> Not folklore.
>
> I've had a 6509 with Sup 720-3B crash twice during OIR. Cisco claims the
> first time I inserted too fast, the second time too slow. I've also had a
> 6509 linecard scorch the backplane due to a short. Not a fun day.

OK - noted. We'll do it in maintenance windows... :-)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de
From randy_94108 at yahoo.com Wed Aug 12 16:20:01 2009
From: randy_94108 at yahoo.com (Randy)
Date: Wed, 12 Aug 2009 13:20:01 -0700 (PDT)
Subject: [c-nsp] DS3 circuit error
In-Reply-To:
Message-ID: <498318.85099.qm@web80508.mail.mud.yahoo.com>

...at the far-end...:-)

Tell your SP your Rx is AIS.

--- On Wed, 8/12/09, Oddiraju, Kiran @ London SMC wrote:

From: Oddiraju, Kiran @ London SMC
Subject: [c-nsp] DS3 circuit error
To: cisco-nsp at puck.nether.net
Date: Wednesday, August 12, 2009, 12:57 PM

Hi Guys,

Our T3 controller is down and the SP has asked me what I am seeing on my end. Below is the show controllers command on my router. Could you tell me where the problem is based on the output below?

Router#sh controllers t3
T3 3/0 is down.
  Applique type is Subrate T3
  Description: Carrier_Circuit_ID
  Transmitter is sending remote alarm.
  Receiver is getting AIS.
  MDL transmission is disabled
  FEAC code received: No code is being received
  Framing is C-BIT Parity, Line Code is B3ZS, Clock Source is Line
  Data in current interval (250 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     250 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

Cheers,
K
From felixnkansah at gmail.com Wed Aug 12 17:42:58 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 12 Aug 2009 21:42:58 +0000
Subject: [c-nsp] OT: Difference between the CSS and ACE
Message-ID: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>

Hi Team,

Pardon me if this question seems dumb. I have deployed a number of Cisco Content Services Switches for clients who needed Layer 4-7 application load balancing and acceleration for their web-based applications in the data centre.

I am presently reviewing the datasheet of the Cisco Application Control Engine and find its role to be similar to the CSS.

Under what scenarios or requirements would one prefer the ACE to the CSS? In what way is the ACE different from the CSS?

Thanks in advance for your replies.

Felix

From eninja at gmail.com Wed Aug 12 17:45:11 2009
From: eninja at gmail.com (e ninja)
Date: Wed, 12 Aug 2009 14:45:11 -0700
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
Message-ID:

Jack,

What changed prior to the errors? Also, is this a lab or production device?
Either way, reply all (or unicast) the complete sh tech and sh log along with a sh controller fia from an attach session to all LCs.

-Eninja

On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote:
> Hi all,
>
> I'm getting below error in gsr chassis 12416, please suggest
>
> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
> 048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
> 048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>
> sh gsr
> Slot 0  type = Modular SPA Interface Card
>         state = IOS RUN       Line Card Enabled
>   subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>   subslot 0/1: Empty
>   subslot 0/2: Empty
>   subslot 0/3: Empty
> Slot 6  type = Modular SPA Interface Card
>         state = RTRYWAIT      Waiting to retry download after persistent failures
> Slot 7  type = Performance Route Processor
>         state = ACTV RP       IOS Running ACTIVE
> Slot 8  type = Performance Route Processor
>         state = RP RDY        Route Processor Powered
> Slot 9  type = Modular SPA Interface Card
>         state = IOS RUN       Line Card Enabled
>   subslot 9/0: Empty
>   subslot 9/1: Empty
>   subslot 9/2: Empty
>   subslot 9/3: Empty
> Slot 15 type = Modular SPA Interface Card
>         state = RTRYWAIT      Waiting to retry download after persistent failures
> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>         state = Card Powered
> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>         state = Card Powered  PRIMARY CLOCK
> Slot 18 type = Switch Fabric Card 16XOC192
>         state = Card Powered
> Slot 19 type = Switch Fabric Card 16XOC192
>         state = Card Powered
> Slot 20 type = Switch Fabric Card 16XOC192
>         state = Card Powered
> Slot 24 type = Alarm Module(16)
>         state = Card Powered
> Slot 25 type = Alarm Module(16)
>         state = Card Powered
> Slot 27 type = Bus Board(16)
>         state = Card Powered
> Slot 28 type = Blower Module(16)
>         state = Card Powered
> Slot 29 type = Blower Module(16)
>         state = Card Powered
>
> sh led
> SLOT 0  : RUN IOS
> SLOT 6  : WAITRTRY
> SLOT 7  : RP ACTV
> SLOT 8  : INITMEM
> SLOT 9  : RUN IOS
> SLOT 15 : WAITRTRY
>
> Regards

From Kiran.Oddiraju at cbre.com Wed Aug 12 18:01:10 2009
From: Kiran.Oddiraju at cbre.com (Oddiraju, Kiran @ London SMC)
Date: Wed, 12 Aug 2009 23:01:10 +0100
Subject: [c-nsp] DS3 circuit error
In-Reply-To: <4A832B73.3090706@west.net>
References: <4A832B73.3090706@west.net>
Message-ID:

Cheers Jay. Have logged a call with the SP based on the below explanation... :-)

Many thanks for your input guys

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: 12 August 2009 21:52
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DS3 circuit error

Oddiraju, Kiran @ London SMC wrote:
> Hi Guys,
>
> Our T3 controller is down and the SP has asked me what I am seeing on my
> end. Below is the show controllers command on my router. Could you tell
> me where the problem is based on the output below?
>
> Router#sh controllers t3
>
> T3 3/0 is down.
>
>   Applique type is Subrate T3
>
>   Description: Carrier_Circuit_ID
>
>   Transmitter is sending remote alarm.

You are sending a signal to the other end reporting that the signal that you are receiving is unacceptable. This is happening because...

> Receiver is getting AIS.

You are receiving all 1s from the other end. Typically, this means that there is a problem with the equipment sending toward you. Something upstream has lost signal and is sending an AIS (Alarm Indication Signal) to you. You respond by sending RAI (Remote Alarm Indicator) notifying the other end of the bad signal that you are receiving.

More info here:
http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a0080344194.shtml

which shortens to:
http://tinyurl.com/r6jvzo

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
From ras at e-gerbil.net Wed Aug 12 18:01:12 2009
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Wed, 12 Aug 2009 17:01:12 -0500
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <4A830837.3070105@cisco.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <4A830837.3070105@cisco.com>
Message-ID: <20090812220112.GO51443@gerbil.cluepon.net>

On Wed, Aug 12, 2009 at 02:21:43PM -0400, Rodney Dunn wrote:
> If you are going to move go to the latest SRB rebuild on Cisco.com.
>
> There were a ton of fixes in the early SRB releases due to a huge
> quality push on that throttle.
>
> SRC and SRD simply have less field exposure.

I can actually name quite a few major networks who are running SRC in very widespread deployment, including mine, and a couple of tier 1's. From what I've seen this is actually the train with the most service provider field exposure, and amazingly enough (not trying to jinx it here) SRC4 has been solid for us so far.
We did hit quite a few serious issues in the earlier builds, things like BGP announcements which stopped working until you deleted and re-added the neighbor, RSVP that didn't actually reserve bandwidth, many SNMP counter issues, a runaway CPU loop in the BGP process, etc., but they've all been fixed in SRC4.

The biggest issue we've encountered so far is that when you reload the router to upgrade to SRC4, the "switchport trunk allowed vlan" list on trunk ports tends to drop VLAN IDs during the reboot (particularly on port-channels and port-channel members, causing port-channel desyncs). Comparing the before and after in rancid will save you a lot of grief; we've seen this happen at least a dozen times now, so it definitely appears to be an SRC4-specific issue.

--
Richard A Steenbergen                          http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)

From William.Murphy at uth.tmc.edu Wed Aug 12 18:10:38 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Wed, 12 Aug 2009 17:10:38 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
In-Reply-To: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID:

I believe the ACE supports multiple contexts so it's like having a bunch of independent (virtual) load balancers...

Bill Murphy
Network Architect
The University of Texas Health Science Center at Houston

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Wednesday, August 12, 2009 4:43 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Difference between the CSS and ACE

Hi Team,

Pardon me if this question seems dumb. I have deployed a number of Cisco Content Services Switches for clients who needed Layer 4-7 application load balancing and acceleration for their web-based applications in the data centre.
I am presently reviewing the datasheet of the Cisco Application Control Engine and find its role to be similar to the CSS.

Under what scenarios or requirements would one prefer the ACE to the CSS? In what way is the ACE different from the CSS?

Thanks in advance for your replies.

Felix

From tvarriale at comcast.net Wed Aug 12 19:36:20 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 12 Aug 2009 18:36:20 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID:

ACE is the product moving forward. Although the EoL/S hasn't been announced, the writing is on the wall.

The most important thing moving forward is that your existing requirements on CSS map into ACE. The ACE doesn't have feature parity yet (and the blade and appliance even have different stuff) so be careful.

tv

----- Original Message -----
From: "Felix Nkansah"
To:
Sent: Wednesday, August 12, 2009 4:42 PM
Subject: [c-nsp] OT: Difference between the CSS and ACE

> Hi Team,
> Pardon me if this question seems dumb. I have deployed a number of Cisco
> Content Services Switches for clients who needed Layer 4-7 application load
> balancing and acceleration for their web-based applications in the data
> centre.
>
> I am presently reviewing the datasheet of the Cisco Application Control
> Engine and find its role to be similar to the CSS.
>
> Under what scenarios or requirements would one prefer the ACE to the CSS?
> In what way is the ACE different from the CSS?
>
> Thanks in advance for your replies.
>
> Felix

From andy.saykao at staff.netspace.net.au Wed Aug 12 19:51:37 2009
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 13 Aug 2009 09:51:37 +1000
Subject: [c-nsp] Trying to collect flows for NAT VRF aware traffic
Message-ID: <56F211C5E3F24F47B103EA1B253822BE044AAB27@vic-cr-ex1.staff.netspace.net.au>

Hi All,

I've set up an MPLS L3 VPN Internet Gateway on one of our PE routers and need some ideas on how to collect netflow for public IPs in the NAT-POOL so we can bill the customer for usage. We are using NAT VRF aware as seen by the config below.

--------------------------------------------------------
PE Config:
--------------------------------------------------------
interface GigabitEthernet0/0.1
 description Router / MPLS Backbone
 encapsulation dot1Q 1 native
 ip address A.B.C.D X.X.X.X
 ip nat inside
 ip flow ingress
 mpls ip
!
interface GigabitEthernet0/0.20
 description VPN Internet Gateway
 encapsulation dot1Q 20
 ip address 172.16.76.10 255.255.255.248
 ip nat outside
 ip flow ingress
 ip flow egress
!
ip route vrf NSTEST 0.0.0.0 0.0.0.0 GigabitEthernet0/0.20 172.16.76.9 global
ip route 210.15.226.136 255.255.255.252 Null0
!
ip nat pool NSTEST-NAT-POOL 210.15.226.137 210.15.226.137 netmask 255.255.255.252
ip nat inside source list NSTEST-NAT-ACL pool NSTEST-NAT-POOL vrf NSTEST overload
!
ip access-list standard NSTEST-NAT-ACL
 permit 192.168.0.0 0.0.255.255
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.X.X 5000
ip flow-export destination X.X.X.X 5000
--------------------------------------------------------
P Config:
--------------------------------------------------------
interface Vlan1
 description Router / MPLS Backbone
 bandwidth 10000000
 ip address A.B.C.D X.X.X.X
 no ip redirects
 no ip mroute-cache
 load-interval 30
 tag-switching ip
!
interface Vlan20
 description VPN Internet Gateway
 ip address 172.16.76.9 255.255.255.248
 no ip redirects
 load-interval 30
!
ip route 210.15.226.136 255.255.255.252 Vlan20 172.16.76.10
--------------------------------------------------------

When I do a "sh ip cache flow", I can see flows in one direction only and with the public NAT IP as the source IP. For billing purposes we need to see the public NAT IP in the destination fields so we can count their download usage.

#sh ip cache flow | inc 210.15.226.137
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.1       210.15.226.137  Gi0/0.20*     203.10.110.102  01 0000 0800   549

I have both "ip flow ingress" and "ip flow egress" on the nat outside interface on the PE (Gi0/0.20), so not sure why I'm not seeing bidirectional flows.

I'm thinking that a NAT lookup/translation is performed first on the return traffic through the PE (Gi0/0.20) before flows are processed/captured - hence why I don't see any flows going to the public NAT IP. Is this correct?

Any ideas how to capture flows for these public IPs in the NAT POOL? Do I need to capture flows at the P router on Vlan 20??

Thanks.

Andy

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system.
From tvarriale at comcast.net Wed Aug 12 21:35:11 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 12 Aug 2009 20:35:11 -0500
Subject: [c-nsp] OT: Difference between the CSS and ACE
References: <18dba4e50908121442k5cc09494vc9509b9c02ff2634@mail.gmail.com>
Message-ID: <5EA079600C21483AA3969AE02D64B11F@flamdt01>

Just to be clear, the writing is on the wall for CSS not ACE.

tv

----- Original Message -----
From: "Tony Varriale"
To:
Sent: Wednesday, August 12, 2009 6:36 PM
Subject: Re: [c-nsp] OT: Difference between the CSS and ACE

> ACE is the product moving forward. Although the EoL/S hasn't been
> announced, the writing is on the wall.
>
> The most important thing moving forward is that your existing requirements
> on CSS map into ACE. The ACE doesn't have feature parity yet (and the
> blade and appliance even have different stuff) so be careful.
>
> tv
> ----- Original Message -----
> From: "Felix Nkansah"
> To:
> Sent: Wednesday, August 12, 2009 4:42 PM
> Subject: [c-nsp] OT: Difference between the CSS and ACE
>
>
>> Hi Team,
>> Pardon me if this question seems dumb. I have deployed a number of Cisco
>> Content Services Switches for clients who needed Layer 4-7 application
>> load balancing and acceleration for their web-based applications in the
>> data centre.
>>
>> I am presently reviewing the datasheet of the Cisco Application Control
>> Engine and find its role to be similar to the CSS.
>>
>> Under what scenarios or requirements would one prefer the ACE to the CSS?
>> In what way is the ACE different from the CSS?
>>
>> Thanks in advance for your replies.
>>
>> Felix

From esavage at digitalrage.org Wed Aug 12 21:12:35 2009
From: esavage at digitalrage.org (Elijah Savage)
Date: Wed, 12 Aug 2009 21:12:35 -0400
Subject: [c-nsp] EVDO Technology
Message-ID:

All,

I would appreciate speaking with anyone using EVDO technology to deliver WAN services. Specifically, I am looking for reputable kits you have used to extend EVDO outside of your computer rooms to get better signal, or better antennas you have used.

Thank you

From jckdaniels12 at gmail.com Thu Aug 13 01:15:31 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Thu, 13 Aug 2009 10:45:31 +0530
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To:
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com>
Message-ID: <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>

Hi All,

I found this error was coming on SLOT 18, which is an SFC.
EARLIER OUTPUT WAS -

sh led
SLOT 0 : RUN IOS
SLOT 6 : WAITRTRY
SLOT 7 : RP ACTV
SLOT 8 : INITMEM
SLOT 9 : RUN IOS
SLOT 15 : WAITRTRY

FOR TROUBLESHOOTING, I then saw -

1) output of sh gsr

Slot 18 type = Switch Fabric Card 16XOC192
 state = Card Powered <<<<<<<<<<<<<<<<<<<<<
Slot 19 type = Switch Fabric Card 16XOC192
 state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<
Slot 20 type = Switch Fabric Card 16XOC192
 state = Card Powered <<<<<<<<<<<<<<<<<<<<<<<

2) Again executed the show gsr command and found -

Slot 17 type = Clock Scheduler Card OC192 Dual Priority
 state = Card NOT Powered; Power cycle fabric cards PRIMARY CLOCK <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Slot 18 type = Switch Fabric Card 16XOC192
 state = Card NOT Powered; Power cycle fabric cards <<<<<<<<<<<<<<<<<<<<<<<
Slot 19 type = Switch Fabric Card 16XOC192
 state = Card NOT Po <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

3) After shutting down SFC - slot 18 <<<<<<<<<<<<<<<<<<<<<<<<<<<

sh led
SLOT 0 : RUN IOS
SLOT 6 : RUN IOS
SLOT 7 : RP STBY
SLOT 8 : RP ACTV
SLOT 9 : RUN IOS
SLOT 15 : RUN IOS

At the moment all cards show powered up and in RUN IOS mode.

4) sh controller fia

Fabric configuration: 10Gbps bandwidth, nonredundant fabric <<<<<<<<<<<<<<<<<<<<<<<
Master Scheduler: Slot 17   Backup Scheduler: Slot 16
Fab epoch no 235   Halt count 0
From Fabric FIA Errors
-----------------------
redund overflow 0     cell drops 0
cell parity 0
Switch cards present 0x001B   Slots 16 17 19 20
Switch cards monitored 0x001B   Slots 16 17 19 20

Can someone guide me why, after shutting down one SFC in slot 18, all LCs (0, 6, 15) and 7 came into IOS RUN mode and started working?

I think - each LC is connected in 10 Gbps mode via 4 links to the switch fabric. Now what I know is that for full bandwidth mode (10 Gbps half duplex), you require at least 2 SFCs online and working. But if you see, all SFCs went to power down and then power up state, so why were a few LC cards still online?

Please ALSO guide - what is the significance of 2 SFCs or 1 SFC running?
Regards

On 8/13/09, e ninja wrote:
>
> Jack,
>
> What changed prior to the errors? Also, is this a lab or production device?
>
>
> Either way, reply all (or unicast) the complete sh tech and sh log along
> with a sh controller fia from an attach session to all LCs.
>
> -Eninja
>
>
> On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote:
>
>> Hi all,
>>
>> I'm getting below error in gsr chassis 12416 , please suggest
>>
>> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>> 048735: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary clock switched to clock 0
>> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary clock switched to clock 0
>> 048737: .Aug 11 20:09:34.054 IST:
>> %FABRIC-3-ERR_HANDLE: Reconfigure all fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18
>>
>>
>> sh gsr
>> Slot 0 type = Modular SPA Interface Card
>> state = IOS RUN Line Card Enabled
>> subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok
>> subslot 0/1: Empty
>> subslot 0/2: Empty
>> subslot 0/3: Empty
>> Slot 6 type = Modular SPA Interface Card
>> state = RTRYWAIT Waiting to retry download after persistent failures
>> Slot 7 type = Performance Route Processor
>> state = ACTV RP IOS Running ACTIVE
>> Slot 8 type = Performance Route Processor
>> state = RP RDY Route Processor Powered
>> Slot 9 type = Modular SPA Interface Card
>> state = IOS RUN Line Card Enabled
>> subslot 9/0: Empty
>> subslot 9/1: Empty
>> subslot 9/2: Empty
>> subslot 9/3: Empty
>> Slot 15 type = Modular SPA Interface Card
>> state = RTRYWAIT Waiting to retry download after persistent failures
>> Slot 16 type = Clock Scheduler Card OC192 Dual Priority
>> state = Card Powered
>> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
>> state = Card Powered PRIMARY CLOCK
>> Slot 18 type = Switch Fabric Card 16XOC192
>> state = Card Powered
>> Slot 19 type = Switch Fabric Card 16XOC192
>> state = Card Powered
>> Slot 20 type = Switch Fabric Card 16XOC192
>> state = Card Powered
>> Slot 24 type = Alarm Module(16)
>> state = Card Powered
>> Slot 25 type = Alarm Module(16)
>> state = Card Powered
>> Slot 27 type = Bus Board(16)
>> state = Card Powered
>> Slot 28 type = Blower Module(16)
>> state = Card Powered
>> Slot 29 type = Blower Module(16)
>> state = Card Powered
>>
>>
>> sh led
>> SLOT 0 : RUN IOS
>> SLOT 6 : WAITRTRY
>> SLOT 7 : RP ACTV
>> SLOT 8 : INITMEM
>> SLOT 9 : RUN IOS
>> SLOT 15 : WAITRTRY
>>
>> Regards
>>
>
>

From jmaimon at ttec.com Thu Aug 13 09:04:27 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:04:27 -0400
Subject: [c-nsp] Route redistribution and selection
Message-ID: <4A840F5B.2030800@ttec.com>

We are having a problem where routes originated by the customer because of their backup paths are preventing the mpls bgp routes from being installed and used on the PE.

Customer has an eigrp routed network.

We are hosting a bgp mpls network for the customer.

At the customer's HQ PE router, we talk eigrp to the customer.

The customer has an alternate path to the sites served by the bgp mpls network.

We allow redistribution of eigrp routes into bgp to advertise to the mpls bgp sites. This includes the sites' known prefixes themselves, due to the potential for the backup path becoming the better/only one.

We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for quite some time with this customer.

However, on one PE we have been having issues where the customer backup path eigrp routes are installed into the PE routing table; the bgp routes show the originated-via-eigrp routes as the best and used path out of both the locally originated via eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the customer withdraw the backup path routes.

The P routers and the PE routers are an ebgp connection. The eigrp route has an admin distance of 170 and the ebgp route when installed has an admin distance of 20.

We have tried setting the weight, local preference, metric of the mpls P router prefixes to cause the route to be preferred over the route redistributed locally from eigrp.

The PE router is running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.
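An added illustration, not part of Joe's post or of any reply on the list: a Python model of the Cisco BGP best-path order (weight, local preference, locally originated, AS-path length, origin, MED, eBGP over iBGP, IGP metric to next hop, router ID) applied to the two paths the post describes for one prefix. A route redistributed into BGP on the local router receives the Cisco default weight of 32768, and weight is evaluated before every other attribute, so local preference or metric changes on the eBGP path learned from the P router never reach a deciding step; only a weight above 32768 on that path changes the outcome. The AS number, router IDs and path names are constructed, and the MED comparison here ignores the neighbouring-AS rule for brevity.

```python
from dataclasses import dataclass

ORIGIN_IGP, ORIGIN_EGP, ORIGIN_INCOMPLETE = 0, 1, 2


@dataclass(frozen=True)
class Path:
    name: str
    weight: int = 0                   # Cisco-local attribute, never propagated
    local_pref: int = 100
    locally_originated: bool = False  # network/redistribute on this router
    as_path: tuple = ()
    origin: int = ORIGIN_IGP
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    router_id: str = "0.0.0.0"


# Ordered decision steps; each yields a sort key where lower is better.
# The first step that leaves a single survivor decides the best path.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("AS path length", lambda p: len(p.as_path)),
    ("origin", lambda p: p.origin),
    ("MED", lambda p: p.med),                     # simplified: compared across any AS
    ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
    ("IGP metric to next hop", lambda p: p.igp_metric),
    ("router ID", lambda p: tuple(int(o) for o in p.router_id.split("."))),
]


def best_path(paths):
    """Return (winning Path, name of the step that decided it)."""
    candidates = list(paths)
    for step, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], step
    return candidates[0], "tie"


def scenario(mpls_weight=0, mpls_local_pref=200, mpls_med=0):
    """Joe's PE for one customer prefix: the copy redistributed from EIGRP
    (default weight 32768, origin incomplete) against the copy learned over
    eBGP from the P router. Returns (winner name, deciding step)."""
    redistributed = Path("redistributed-from-EIGRP", weight=32768,
                         locally_originated=True, origin=ORIGIN_INCOMPLETE,
                         router_id="10.0.0.1")            # constructed router ID
    from_p = Path("eBGP-from-P", weight=mpls_weight, local_pref=mpls_local_pref,
                  as_path=(65000,), med=mpls_med, ebgp=True,   # constructed ASN
                  router_id="10.0.0.2")
    winner, step = best_path([redistributed, from_p])
    return winner.name, step


if __name__ == "__main__":
    print(scenario())                       # local pref 200 on the P path: still loses on weight
    print(scenario(mpls_weight=32768))      # equal weight: local pref finally gets a say
    print(scenario(mpls_weight=40000))      # weight above the redistribution default: P path wins
```

The model only covers the BGP table; the routing-table outcome in the post additionally depends on the administrative distances mentioned there (170 for the EIGRP route, 20 for the eBGP route once BGP selects it), which is why the eBGP path winning in BGP is what lets it be installed at all.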
Thanks,

Joe

From jmaimon at ttec.com Thu Aug 13 09:34:39 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:34:39 -0400
Subject: [c-nsp] IOS Recommendation | 7600/RSP720-3CXL
In-Reply-To: <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
References: <6069A203FD01884885C037F81DD75080171D1F9DFA@wsc-mail-01.intra.nwresd.k12.or.us> <775A75B5625C6B418FC01477094E0BCC259C886A02@IDCMAILBOX1.ads.integratelecom.com>
Message-ID: <4A84166F.4050400@ttec.com>

Raymond, Steven wrote:
>
> Have found the least bugs in SRD1, but non-cisco bgp neighbors sometimes require the use of hidden command "neighbor x.x.x.x dont-capability-negotiate" or the session won't restore.
>

I recall being on the other end of that one. Good tip.

From felixnkansah at gmail.com Thu Aug 13 09:41:27 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 13 Aug 2009 13:41:27 +0000
Subject: [c-nsp] OT: Internet Web Caching Solution
Message-ID: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines, which have also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.

Many thanks for your clarification.
Felix

From luan at netcraftsmen.net Thu Aug 13 09:44:25 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 13 Aug 2009 09:44:25 -0400
Subject: [c-nsp] Route redistribution and selection
In-Reply-To: <4A840F5B.2030800@ttec.com>
References: <4A840F5B.2030800@ttec.com>
Message-ID: <001801ca1c1c$2bf9be90$83ed3bb0$@net>

You might want to check this link out:
http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP

Regards,

-------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon
Sent: Thursday, August 13, 2009 9:04 AM
To: cisco-nsp
Subject: [c-nsp] Route redistribution and selection

We are having a problem where routes originated by the customer because of their backup paths are preventing the mpls bgp routes from being installed and used on the PE.

Customer has an eigrp routed network.

We are hosting a bgp mpls network for the customer.

At the customer's HQ PE router, we talk eigrp to the customer.

The customer has an alternate path to the sites served by the bgp mpls network.

We allow redistribution of eigrp routes into bgp to advertise to the mpls bgp sites. This includes the sites' known prefixes themselves, due to the potential for the backup path becoming the better/only one.

We redistribute the bgp routes for the mpls sites into eigrp.

Normally this is a fairly common setup and works very well, and has for quite some time with this customer.

However, on one PE we have been having issues where the customer backup path eigrp routes are installed into the PE routing table; the bgp routes show the originated-via-eigrp routes as the best and used path out of both the locally originated via eigrp and the P mpls bgp learned route.

The current fix is to flap the customer eigrp connection or have the customer withdraw the backup path routes.
The P routers and the PE routers are an ebgp connection. The eigrp route has an admin distance of 170 and the ebgp route when installed has an admin distance of 20.

We have tried setting the weight, local preference, metric of the mpls P router prefixes to cause the route to be preferred over the route redistributed locally from eigrp.

The PE router is running rsp-jk9o3sv-mz.124-18a.bin

Any insight would be greatly appreciated.

Thanks,

Joe

From jmaimon at ttec.com Thu Aug 13 09:44:13 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 13 Aug 2009 09:44:13 -0400
Subject: [c-nsp] SHDSL Wic in a 1751-1 CPE
Message-ID: <4A8418AD.2070508@ttec.com>

I am testing a turnkey CPE solution combining T1, SDSL, ADSL and PRI handoff to customer PBX, with the 1751 transcoding SIP to PRI channels.

A CPE I am testing with a WIC-1SHDSL-V2 doesn't seem to be training properly. The controller continues to report

DSL firmware download in progress, please wait

I have had good experience with the ADSL wic, but the SHDSL wic seems to be far less useful.

Any tips or pointers would be greatly appreciated.
Thanks,

Joe

Router#sh controllers dsl 0/0
DSL 0/0 controller DOWN
SLOT 0: Globespan xDSL controller chipset
DSL mode: Not Trained
Frame mode: Utopia
Configured Line rate: 2304Kbps
Line Re-activated 0 times after system bootup
LOSW Defect alarm: ACTIVE
CRC per second alarm: ACTIVE
Line termination: CPE
FPGA Revision: 0xB2
Current 15 min CRC: 0
Current 15 min LOSW Defect: 0
Current 15 min ES: 0
Current 15 min SES: 0
Current 15 min UAS: 833
Previous 15 min CRC: 0
Previous 15 min LOSW Defect: 0
Previous 15 min ES: 0
Previous 15 min SES: 0
Previous 15 min UAS: 900
Line-0 status
Chipset Version: 0
Firmware Version: R3.0.1
Modem Status: Handshake, Status 10
Last Fail Mode: No Failure status:0x0
DSL firmware download in progress, please wait
Dying Gasp: Present

Router#sh inv
NAME: "1751-V chassis", DESCR: "1751-V chassis, Hw Serial#: 3808685901, Hw Revision: 0x600"
PID: 1751-V , VID: 0x600, SN: FOC09331N37 (3808685901)

NAME: "Chassis Slot", DESCR: "1700 Chassis Slot"
PID: 1700 Chassis Slot , VID: , SN:

NAME: "C1751 Mainboard", DESCR: "C1751 Mainboard"
PID: C1751 Mainboard , VID: 0x600, SN: FOC09331N37 (3808685901)

NAME: "Daughter card slot:0", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID: , SN:

NAME: "WAN Interface Card - T1E1 or ATM (With GSHDSL-F module)", DESCR: "WAN Interface Card - T1E1 or ATM (With GSHDSL-F module)"
PID: WIC-1SHDSL-V2 , VID: V02 , SN: FOC085029XC

NAME: "ATM0/0", DESCR: "DSLSAR"
PID: DSLSAR , VID: , SN:

NAME: "Daughter card slot:1", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID: , SN:

NAME: "WAN Interface Card - Ethernet", DESCR: "WAN Interface Card - Ethernet"
PID: WIC-1ENET= , VID: 3.0, SN: VMS06050AZH

NAME: "Ethernet1/0", DESCR: "PQUICC Ethernet"
PID: PQUICC Ethernet , VID: , SN:

NAME: "Daughter card slot:2", DESCR: "1700 DaughterCard Slot"
PID: 1700 DaughterCard Slot, VID: , SN:

NAME: "One port T1 voice interface daughtercard", DESCR: "One port T1 voice interface daughtercard"
PID: VWIC-1MFT-T1= , VID: 1.0, SN: 31795887

NAME: "T1 2/0", DESCR: "T1 2/0"
PID: T1 2/0 , VID: , SN:

NAME: "DSP Module Slot 0", DESCR: "Packet Voice DSP Module Slot 0"
PID: Packet Voice DSP Module Slot 0, VID: , SN:

NAME: "DSP Module 0", DESCR: "Packet Voice DSP Module with 4 Unknown DSPs"
PID: Packet Voice DSP Module with 4 Unknown DSPs, VID: 2.2, SN: ICP0411000Z

NAME: "DSP Port 0/0", DESCR: "Unknown"
PID: Unknown , VID: , SN:

NAME: "DSP Port 0/1", DESCR: "Unknown"
PID: Unknown , VID: , SN:

NAME: "DSP Port 0/2", DESCR: "Unknown"
PID: Unknown , VID: , SN:

NAME: "DSP Port 0/3", DESCR: "Unknown"
PID: Unknown , VID: , SN:

NAME: "DSP Module Slot 1", DESCR: "Packet Voice DSP Module Slot 1"
PID: Packet Voice DSP Module Slot 1, VID: , SN:

NAME: "FastEthernet0/0", DESCR: "PQUICC_FEC"
PID: PQUICC_FEC , VID: , SN:

Router#sh ver
Cisco IOS Software, C1700 Software (C1700-ADVENTERPRISEK9-M), Version 12.4(25a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 22-May-09 20:24 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

Router uptime is 7 hours, 14 minutes
System returned to ROM by reload
System image file is "flash:c1700-adventerprisek9-mz.124-25a.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S.
laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

Cisco 1751-V (MPC860P) processor (revision 0x600) with 118570K/12502K bytes of memory.
Processor board ID FOC09331N37 (3808685901), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 DSL controller
1 Ethernet interface
1 FastEthernet interface
1 ATM interface
1 Channelized T1/PRI port
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Router#sh conf | b DSL
controller DSL 0/0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex A-B-ANFP
 line-rate 2304

From lists at motorcitynet.com Thu Aug 13 09:46:36 2009
From: lists at motorcitynet.com (M Callahan)
Date: Thu, 13 Aug 2009 09:46:36 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
Message-ID: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>

We're currently using a very dated version of Cisco's Secure ACS to authenticate a relatively small group of PPPoE ADSL users. We have a planned hardware upgrade for this system, but no funding for updated ACS software. That said, I was wondering what open source alternatives folks on the list have found to be an adequate substitute for ACS.

Thanks,

Mike

From rodunn at cisco.com Thu Aug 13 10:01:45 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 10:01:45 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
Message-ID: <4A841CC9.4090909@cisco.com>

I got involved through a few channels and encouraged the teams responsible for some of the Cisco.com Support tools to leverage this forum directly for feedback. They were very interested in the idea.

Can those of you that care enough to give direct feedback based on the past threads around IOS Upgrade Planner, Bug Toolkit, etc.
please take a few minutes and compose an email directly to:

Wilson Shiu (wshiu)

He is the point of contact for feedback. They are eager to listen, so now is a good time to get involved.

I encourage you guys to take advantage of this.

Thanks
Rodney

From luan at netcraftsmen.net Thu Aug 13 10:05:08 2009
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 13 Aug 2009 10:05:08 -0400
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
Message-ID: <001901ca1c1f$10ce4d40$326ae7c0$@net>

WAAS and ACNS are two different animals. WAAS is double-ended (there has to be a device at both ends) and ACNS is single-ended, acting as a caching device (though it can have information pushed to it from a central manager).

Typically - WAAS between remote site and central site; ACNS between remote site and the Internet, or as a push client receiving content from a central site.

Hope that helps.

Regards,

----------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
---------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 9:41 AM
To: Cisco certification; cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines, which have also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.

Many thanks for your clarification.
Felix

From p.mayers at imperial.ac.uk Thu Aug 13 10:13:01 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Aug 2009 15:13:01 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <4A841F6D.3070209@imperial.ac.uk>

M Callahan wrote:
> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.

FreeRadius

From felixnkansah at gmail.com Thu Aug 13 10:13:35 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 13 Aug 2009 14:13:35 +0000
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com> <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com>
Message-ID: <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>

Hi Shiran,

I must say that I am NOT looking for a WAN optimization tool. I want an Internet web proxy, caching and acceleration appliance. Is that also covered by Expand Networks?

Many Thanks.
On Thu, Aug 13, 2009 at 2:10 PM, shiran guez wrote:

> I can suggest a better solution, "Expand Networks", one of the leaders in the
> last several years in WAN optimization
>
> (to be frank, I would indicate that I work for Expand as 3rd level Eng)
>
>
> On Thu, Aug 13, 2009 at 4:41 PM, Felix Nkansah wrote:
>
>> Hi,
>> I am looking for a web caching and acceleration platform.
>>
>> The Cisco Cache Engines were replaced by the Content Engines, which have
>> also been replaced with the WAE running ACNS software.
>>
>> The datasheets on ACNS seem to imply caching and acceleration of
>> multimedia traffic between branch offices and central office, with ACNS
>> appliances at both ends.
>>
>> That is not what I am looking for. I want a one-site appliance for
>> Internet web traffic caching only.
>>
>> Many thanks for your clarification.
>>
>> Felix
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3
>

From scott at labyrinth.org Thu Aug 13 10:13:24 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Thu, 13 Aug 2009 10:13:24 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <16038BE5-66F3-4C6D-8A23-B4C6E32AB05B@labyrinth.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://freeradius.org/

Scott

On Aug 13, 2009, at 9:46 AM, M Callahan wrote:

> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users.
> We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.
>
> Thanks,
>
> Mike

- --
Scott Keoseyan
scott at labyrinth.org
Homepage - http://www.labyrinth.org/homepages/scott
Blog - http://www.labyrinth.org/wp1
PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)

iEYEARECAAYFAkqEH4gACgkQA7TpMPAlvEcb1gCeLSGwFpDEkckr8qbQLIp9KwN4
n60AoJRmhnjiVJrbL1IkmrS7T/C0N4rt
=/Rtk
-----END PGP SIGNATURE-----

From johnps at IowaTelecom.com Thu Aug 13 10:21:51 2009
From: johnps at IowaTelecom.com (John P. Schneider)
Date: Thu, 13 Aug 2009 09:21:51 -0500
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com>
Message-ID:

http://www.peerapp.com/

Regards,
John

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 8:41 AM
To: Cisco certification; cisco-nsp at puck.nether.net
Subject: [c-nsp] OT: Internet Web Caching Solution

Hi,

I am looking for a web caching and acceleration platform.

The Cisco Cache Engines were replaced by the Content Engines, which have also been replaced with the WAE running ACNS software.

The datasheets on ACNS seem to imply caching and acceleration of multimedia traffic between branch offices and central office, with ACNS appliances at both ends.

That is not what I am looking for. I want a one-site appliance for Internet web traffic caching only.
Many thanks for your clarification.

Felix

From KaeglerM at tessco.com Thu Aug 13 10:25:12 2009
From: KaeglerM at tessco.com (Kaegler, Mike)
Date: Thu, 13 Aug 2009 10:25:12 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID:

Assuming you're using TACACS+ to handle this, since RADIUS servers are everywhere...

I've been using tac_plus from http://www.pro-bono-publico.de/projects/tac_plus.html (there appear to be several projects named "tac_plus"; this was the first one to work well for me.) As an added bonus, the author was happy and eager to help squash a bug I ran into. It'll backend to LDAP, RADIUS, or keep a local database. Supports all three A's.

-porkchop

On 8/13/09 9:46 AM, "M Callahan" wrote:

> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.
>
> Thanks,
>
> Mike
>

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less.
http://www.tessco.com/

From manafo at hotmail.com Thu Aug 13 10:30:45 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 13 Aug 2009 17:30:45 +0300
Subject: [c-nsp] Event Manager question
Message-ID:

Hi all,

Can I configure event manager to be started when it gets a notification from another router? For example, I want router1 to be configured with policy based routing on a specific interface once the BGP peer on router2 is down. I don't want to permanently configure the PBR since it causes very high CPU utilization on router1.

Thank you,
Manaf

From ip at ioshints.info Thu Aug 13 10:31:43 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 13 Aug 2009 16:31:43 +0200
Subject: [c-nsp] Route redistribution and selection
In-Reply-To: <001801ca1c1c$2bf9be90$83ed3bb0$@net>
References: <4A840F5B.2030800@ttec.com> <001801ca1c1c$2bf9be90$83ed3bb0$@net>
Message-ID: <000e01ca1c22$c8b96720$0a00000a@nil.si>

@Luan: Thanks for the link :))

@Joe: if you have EBGP sessions with the core MPLS VPN network, you're losing the BGP cost community (resulting in the EIGRP-related redistribution issues). It might be possible to tweak the WEIGHT attribute on the PE routers (the routes redistributed into BGP have very high weight and are thus never replaced by other BGP routes), but you'd probably need access-lists to select the backup routes.

Ivan
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Luan Nguyen [mailto:luan at netcraftsmen.net]
> Sent: Thursday, August 13, 2009 3:44 PM
> To: 'Joe Maimon'; 'cisco-nsp'
> Subject: Re: [c-nsp] Route redistribution and selection
>
> You might want to check this link out:
> http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP
>
> Regards,
>
> -------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> http://www.netcraftsmen.net > ------------------------------ > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon > Sent: Thursday, August 13, 2009 9:04 AM > To: cisco-nsp > Subject: [c-nsp] Route redistribution and selection > > We are having a problem where routes originated by the > customer because of their backup paths are preventing the > mpls bgp routes from being installed and used on the PE. > > Customer has an eigrp routed network. > > We are hosting a bgp mpls network for the customer. > > At the Customer's HQ PE router, we talk eigrp to the customer. > > The customer has an alternate path to the sites served by the > bgp mpls network. > > We allow redistribution of eigrp routes into bgp to advertise > to the mpls bgp sites. This includes the sites known prefixes > themselves, due to the potential for the backup path becoming > the better/only one. > > We redistribute the bgp routes for the mpls sites into eigrp. > > Normally this is a fairly common setup and works very well, > and has for quite some time with this customer. > > However, on one PE we have been having issues where the > customer backup path eigrp routes are installed into the PE > routing table, the bgp routes show the originated via eigrp > routes as the best and used path our of both the local > originated via eigrp and the P mpls bgp learned route. > > The current fix is to flap the customer eigrp connection or > have the customer withdraw the backup path routes. > > The P routers and the PE routers are an ebgp connection. The > eigrp route has an admin distance of 170 and the ebgp route > when installed has an admin distance of 20. > > We have tried setting the weight, local preference, metric of > the mpls P > router prefixes to cause the route to be preferred over the > redistributed locally from eigrp route. 
> > The PE router running rsp-jk9o3sv-mz.124-18a.bin > > Any insight would be greatly appreciated. > > Thanks, > > Joe > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From rdobbins at arbor.net Thu Aug 13 10:52:50 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Thu, 13 Aug 2009 21:52:50 +0700 Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc... In-Reply-To: <4A841CC9.4090909@cisco.com> References: <4A841CC9.4090909@cisco.com> Message-ID: <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net> On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote: > They are eager to listen so now is a good time to get involved. Let's all keep in mind that *constructive, actionable, specific* feedback is what's needed, and is what will have an impact. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From mcgrath at fas.harvard.edu Thu Aug 13 11:05:00 2009 From: mcgrath at fas.harvard.edu (Scott McGrath) Date: Thu, 13 Aug 2009 11:05:00 -0400 Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS? Message-ID: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee runs on Windows/Solaris/Linux Www open com au -----Original Message----- From: "Phil Mayers" Subj: Re: [c-nsp] Open Source Substitute for Cisco's Secure ACS? Date: Thu Aug 13, 2009 10:40 Size: 602 bytes To: "M Callahan" cc: "cisco-nsp at puck.nether.net" M Callahan wrote: > We're currently using a very dated version of Cisco's Secure ACS to > authenticate a relatively small group of PPPoE ADSL users. We have a > planned hardware upgrade for this system, but no funding for updated ACS > software. 
That said, I was wondering what open source alternatives folks on > the list have found to be an adequate substitute for ACS. FreeRadius _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rekordmeister at gmail.com Thu Aug 13 11:27:20 2009 From: rekordmeister at gmail.com (MKS) Date: Thu, 13 Aug 2009 15:27:20 +0000 Subject: [c-nsp] STM-1 over Ethernet Message-ID: Hi list I know that this is a bit off topic, but can you know of any cheap devices that can emulate STM-1 over ethernet (or mpls)? or a cheap box that can do ATMoMPLS Thanks in advance MKS From jmaimon at ttec.com Thu Aug 13 11:33:58 2009 From: jmaimon at ttec.com (Joe Maimon) Date: Thu, 13 Aug 2009 11:33:58 -0400 Subject: [c-nsp] Route redistribution and selection In-Reply-To: <000e01ca1c22$c8b96720$0a00000a@nil.si> References: <4A840F5B.2030800@ttec.com> <001801ca1c1c$2bf9be90$83ed3bb0$@net> <000e01ca1c22$c8b96720$0a00000a@nil.si> Message-ID: <4A843266.9050109@ttec.com> Quite gorgeous. Lots to think about. Thanks, Joe Ivan Pepelnjak wrote: > @Luan: Thanks for the link :)) > > @Joe: if you have EBGP sessions with the core MPLS VPN network, you're > losing the BGP cost community (resulting in the EIGRP-related redistribution > issues). It might be possible to tweak the WEIGHT attribute on the PE > routers (the routes redistributed into BGP have very high weight and are > thus never replaced by other BGP routes), but you'd probably need > access-lists to select the backup routes. 
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Luan Nguyen [mailto:luan at netcraftsmen.net]
>> Sent: Thursday, August 13, 2009 3:44 PM
>> To: 'Joe Maimon'; 'cisco-nsp'
>> Subject: Re: [c-nsp] Route redistribution and selection
>>
>> You might want to check this link out:
>> http://wiki.nil.com/Multihomed_MPLS_VPN_sites_running_EIGRP
>>
>> Regards,
>>
>> -------------------------------
>> Luan Nguyen
>> Chesapeake NetCraftsmen, LLC.
>> http://www.netcraftsmen.net
>> ------------------------------
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon
>> Sent: Thursday, August 13, 2009 9:04 AM
>> To: cisco-nsp
>> Subject: [c-nsp] Route redistribution and selection
>>
>> We are having a problem where routes originated by the customer because
>> of their backup paths are preventing the mpls bgp routes from being
>> installed and used on the PE.
>>
>> Customer has an eigrp routed network.
>>
>> We are hosting a bgp mpls network for the customer.
>>
>> At the Customer's HQ PE router, we talk eigrp to the customer.
>>
>> The customer has an alternate path to the sites served by the bgp mpls
>> network.
>>
>> We allow redistribution of eigrp routes into bgp to advertise to the mpls
>> bgp sites. This includes the sites' known prefixes themselves, due to the
>> potential for the backup path becoming the better/only one.
>>
>> We redistribute the bgp routes for the mpls sites into eigrp.
>>
>> Normally this is a fairly common setup and works very well, and has for
>> quite some time with this customer.
>>
>> However, on one PE we have been having issues where the customer backup
>> path eigrp routes are installed into the PE routing table; the bgp routes
>> show the originated-via-eigrp routes as the best and used path out of
>> both the locally originated via eigrp and the P mpls bgp learned route.
>>
>> The current fix is to flap the customer eigrp connection or have the
>> customer withdraw the backup path routes.
>>
>> The P routers and the PE routers are an ebgp connection. The eigrp route
>> has an admin distance of 170 and the ebgp route when installed has an
>> admin distance of 20.
>>
>> We have tried setting the weight, local preference, metric of the mpls P
>> router prefixes to cause the route to be preferred over the route
>> redistributed locally from eigrp.
>>
>> The PE router is running rsp-jk9o3sv-mz.124-18a.bin
>>
>> Any insight would be greatly appreciated.
>>
>> Thanks,
>>
>> Joe

From tvarriale at comcast.net Thu Aug 13 12:00:54 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 13 Aug 2009 11:00:54 -0500
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
References: <4A841CC9.4090909@cisco.com> <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net>
Message-ID: <4437558BE1EA4B2F95D6A5947D737288@flamdt01>

Hey, you don't work at Cisco anymore! :)

tv

----- Original Message -----
From: "Roland Dobbins"
To: "Cisco-nsp"
Sent: Thursday, August 13, 2009 9:52 AM
Subject: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software Download Planner, etc...

>
> On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote:
>
>> They are eager to listen so now is a good time to get involved.
>
> Let's all keep in mind that *constructive, actionable, specific* feedback
> is what's needed, and is what will have an impact.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton

From tvarriale at comcast.net Thu Aug 13 12:01:38 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 13 Aug 2009 11:01:38 -0500
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
References: <4A841CC9.4090909@cisco.com>
Message-ID:

Rodney,

Do you have an official list of items/tools that feedback can be provided on? Or, should we ping Wilson?

tv

----- Original Message -----
From: "Rodney Dunn"
To:
Sent: Thursday, August 13, 2009 9:01 AM
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner,etc...

> I got involved through a few channels and encouraged the teams responsible
> for some of the Cisco.com Support tools to leverage this forum directly for
> feedback. They were very interested in the idea.
>
> Can those of you that care enough to give direct feedback based on the
> past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take a
> few minutes and compose an email directly to:
>
> Wilson Shiu (wshiu)
>
> He is the point of contact for feedback.
>
> They are eager to listen so now is a good time to get involved.
>
> I encourage you guys to take advantage of this.
>
> Thanks
> Rodney

From eriks at nationalfastfreight.com Thu Aug 13 11:19:53 2009
From: eriks at nationalfastfreight.com (Erik Soosalu)
Date: Thu, 13 Aug 2009 11:19:53 -0400
Subject: [c-nsp] OT: Internet Web Caching Solution
In-Reply-To: <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>
References: <18dba4e50908130641h40165942ia3f032fa779c5f63@mail.gmail.com> <6ce8ea5f0908130710s2a5e95f7m791004faf9fab86c@mail.gmail.com> <18dba4e50908130713g32abb4dfm736415bd5683ff9b@mail.gmail.com>
Message-ID: <0B224A2FE01CC54C860290D42474BF6003DFA649@exchange.nff.local>

Squid on a Linux/FreeBSD box
McAfee WebGateway (can be bought as an appliance)
ISA on Windows
Untangle

Pretty much any Web filtering package runs on a proxy/cache or includes one. I've run the first three with user loads in the 300-400 range with no issues.

Thanks,
Erik

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Thursday, August 13, 2009 10:14 AM
To: shiran guez
Cc: Cisco certification; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Internet Web Caching Solution

Hi Shiran,

I must say that I am NOT looking for a WAN optimization tool. I want an Internet web proxy, caching and acceleration appliance. Is that also covered by Expand Networks?

Many Thanks.

On Thu, Aug 13, 2009 at 2:10 PM, shiran guez wrote:

> I can suggest a better solution, "Expand Networks", one of the leaders in
> the last several years in WAN optimization
>
> (to be frank, I would indicate that I work for Expand as 3rd level Eng)
>
>
> On Thu, Aug 13, 2009 at 4:41 PM, Felix Nkansah wrote:
>
>> Hi,
>> I am looking for a web caching and acceleration platform.
>>
>> The Cisco Cache Engines were replaced by the Content Engines, which have
>> also been replaced with the WAE running ACNS software.
>>
>> The datasheets on ACNS seem to imply caching and acceleration of
>> multimedia traffic between branch offices and central office, with ACNS
>> appliances at both ends.
>>
>> That is not what I am looking for. I want a one-site appliance for
>> Internet web traffic caching only.
>>
>> Many thanks for your clarification.
>>
>> Felix
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Shiran Guez
> MCSE CCNP NCE1 JNCIA-ER CCIE #20572
> http://cciep3.blogspot.com
> http://www.linkedin.com/in/cciep3
> http://twitter.com/cciep3

From ashnet2009 at gmail.com Thu Aug 13 13:07:26 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 13 Aug 2009 13:07:26 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
Message-ID: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>

Hello,

We have recently deployed N7k's in our DC and want to enable monitoring on them. The current ESM systems in place are HPOV and Concord eHealth. I'd like to get feedback on whether anybody has had experience with monitoring the 7K chassis with either of the above ESM solutions and/or is using a different system, and what it took to get monitoring enabled.

Thanks in advance.

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 13:59:31 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 18:59:31 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv>
Message-ID: <20090813175931.GB14517@lboro.ac.uk>

Hi,

> Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee; runs on Windows/Solaris/Linux

With fear of pouring petrol onto a RADIUS flamewar, I'd say if the original poster ain't got funding for ACS then "free open source" is pushing the answer to FreeRADIUS.

alan

From rdobbins at arbor.net Thu Aug 13 14:03:40 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 01:03:40 +0700
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com>
Message-ID: <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net>

On Aug 14, 2009, at 12:07 AM, Ash Net wrote:

> We have recently deployed N7k's in our DC and want to enable
> monitoring on them.

N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K. They also output operationally useful NetFlow.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.

-- Kevin Lawton

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 14:08:08 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 19:08:08 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To:
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <20090813180808.GE14517@lboro.ac.uk>

Hi,

> I've been using tac_plus from
> http://www.pro-bono-publico.de/projects/tac_plus.html (there appear to be
> several projects named "tac_plus"; this was the first one to work well for
> me.) As an added bonus, the author was happy and eager to help squash a bug
> I ran into.
> It'll backend to ldap, radius, or keep a local database. Supports all three
> A's.

Hmmmm, looks a little more flexible currently than Shrubbery's software.

alan

From graham at g-rock.net Thu Aug 13 14:41:52 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 14:41:52 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
Message-ID: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>

Hi there,

I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.

After about 30 minutes of the link being powered up, the MAC address of the local radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect was power cycling the local radio.

My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface, to achieve this fix too?
I have yet to find out from the customer if there are any MAC/ARP settings in his radios that could be doing the takeover on purpose.

I am hoping that I can curb this type of behaviour without getting him involved.
Thoughts on this? Thanks,

-graham

From jlewis at lewis.org Thu Aug 13 14:43:21 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 13 Aug 2009 14:43:21 -0400 (EDT)
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <20090813175931.GB14517@lboro.ac.uk>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk>
Message-ID:

On Thu, 13 Aug 2009, Alan Buxey wrote:

> Hi,
>> Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee; runs on Windows/Solaris/Linux
>
> With fear of pouring petrol onto a RADIUS flamewar, I'd say if
> the original poster ain't got funding for ACS then "free open source" is
> pushing the answer to FreeRADIUS.

Compared to Open Source, RADIATOR is not cheap. It's a great product (we've got a site license, and have used it for years) and you do get the source (it's perl)...but it's not free.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From mcgrath at fas.harvard.edu Thu Aug 13 14:46:03 2009
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Thu, 13 Aug 2009 14:46:03 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <20090813175931.GB14517@lboro.ac.uk>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk>
Message-ID: <4A845F6B.30907@fas.harvard.edu>

Not so much - we use ACS for TACACS services and proxy the TACACS via RADIUS for some applications, but Cisco ACS is now an appliance and on the close order of 8K + SmartNet, so you are looking at 20K $US for a new solution.

RADIATOR is open-source but not 'free'; it has 200+ authenticators and interfaces to billing systems built in, and a basic license and support for 1 yr is under $2000 US.

Nothing wrong with FreeRADIUS; it's just you need to 'roll your own' for a lot of stuff. If your time is worth nothing or it's a hobby or experimental setup, FreeRADIUS may be the better choice. But if you want something with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in and ready to go, RADIATOR is your tool.

- Scott

Alan Buxey wrote:
> Hi,
>
>> Radiator RADIUS server. There are multiple versions of this software and support is available for a reasonable fee; runs on Windows/Solaris/Linux
>>
>
> With fear of pouring petrol onto a RADIUS flamewar, I'd say if
> the original poster ain't got funding for ACS then "free open source" is
> pushing the answer to FreeRADIUS.
>
> alan
>

From A.L.M.Buxey at lboro.ac.uk Thu Aug 13 14:53:32 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Thu, 13 Aug 2009 19:53:32 +0100
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <20090813185332.GH14517@lboro.ac.uk>

Hi,

> Nothing wrong with FreeRADIUS; it's just you need to 'roll your own' for
> a lot of stuff. If your time is worth nothing or it's a hobby or
> experimental setup, FreeRADIUS may be the better choice. But if you want
> something with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in and
> ready to go, RADIATOR is your tool.

I have to comment on this. AD, LDAP, Kerberos, Unix, NTLM, SQL etc are all built into FreeRADIUS too.. the question is whether your distro has a premade recent version that has it all prebuilt...or, if you built it from source, you had all the required libs (eg mysql-devel) installed.

Of course...you still have to actually configure the mschap or ldap module, but that's true of RADIATOR too 8-)

alan

From rodunn at cisco.com Thu Aug 13 14:55:43 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 14:55:43 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To: <4437558BE1EA4B2F95D6A5947D737288@flamdt01>
References: <4A841CC9.4090909@cisco.com> <8E5F1F9B-4402-4357-A64B-B056FA8CEF42@arbor.net> <4437558BE1EA4B2F95D6A5947D737288@flamdt01>
Message-ID: <4A8461AF.5070607@cisco.com>

But he can still "care" (TM).
;)

Tony Varriale wrote:
> Hey, you don't work at Cisco anymore! :)
>
> tv
> ----- Original Message ----- From: "Roland Dobbins"
> To: "Cisco-nsp"
> Sent: Thursday, August 13, 2009 9:52 AM
> Subject: Re: [c-nsp] Feedback on Bug Toolkit (BTK),IOS Software Download
> Planner, etc...
>
>
>>
>> On Aug 13, 2009, at 9:01 PM, Rodney Dunn wrote:
>>
>>> They are eager to listen so now is a good time to get involved.
>>
>> Let's all keep in mind that *constructive, actionable, specific*
>> feedback is what's needed, and is what will have an impact.
>>
>> -----------------------------------------------------------------------
>> Roland Dobbins //
>>
>> Unfortunately, inefficiency scales really well.
>>
>> -- Kevin Lawton

From rodunn at cisco.com Thu Aug 13 15:05:05 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 15:05:05 -0400
Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc...
In-Reply-To:
References: <4A841CC9.4090909@cisco.com>
Message-ID: <4A8463E1.2030709@cisco.com>

I'm getting that for clarity. I'll respond back.

Tony Varriale wrote:
> Rodney,
>
> Do you have an official list of items/tools that feedback can be
> provided on? Or, should we ping Wilson?
>
> tv
> ----- Original Message ----- From: "Rodney Dunn"
> To:
> Sent: Thursday, August 13, 2009 9:01 AM
> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download
> Planner,etc...
>
>
>> I got involved through a few channels and encouraged the teams
>> responsible for some of the Cisco.com Support tools to leverage this
>> forum directly for feedback. They were very interested in the idea.
>>
>> Can those of you that care enough to give direct feedback based on the
>> past threads around IOS Upgrade Planner, Bug Toolkit, etc. please take
>> a few minutes and compose an email directly to:
>>
>> Wilson Shiu (wshiu)
>>
>> He is the point of contact for feedback.
>>
>> They are eager to listen so now is a good time to get involved.
>>
>> I encourage you guys to take advantage of this.
>>
>> Thanks
>> Rodney

From moua0100 at umn.edu Thu Aug 13 15:09:47 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Thu, 13 Aug 2009 14:09:47 -0500
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <4A8464FB.4060801@umn.edu>

Yep, RADIATOR is great; we use it over here :-)

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Scott McGrath wrote:
> Not so much - we use ACS for TACACS services and proxy the TACACS via
> RADIUS for some applications, but Cisco ACS is now an appliance and on
> the close order of 8K + SmartNet, so you are looking at 20K $US for a
> new solution.
>
> RADIATOR is open-source but not 'free'; it has 200+ authenticators and
> interfaces to billing systems built in, and a basic license and support
> for 1 yr is under $2000 US.
>
> Nothing wrong with FreeRADIUS; it's just you need to 'roll your own'
> for a lot of stuff. If your time is worth nothing or it's a hobby or
> experimental setup, FreeRADIUS may be the better choice. But if you
> want something with AD, LDAP, Kerberos, Unix, NTLM, SQL etc built in
> and ready to go, RADIATOR is your tool.
>
> - Scott
>
> Alan Buxey wrote:
>> Hi,
>>
>>> Radiator RADIUS server. There are multiple versions of this
>>> software and support is available for a reasonable fee; runs on
>>> Windows/Solaris/Linux
>>>
>>
>> With fear of pouring petrol onto a RADIUS flamewar, I'd say if
>> the original poster ain't got funding for ACS then "free open source" is
>> pushing the answer to FreeRADIUS.
>> alan
>>

From rodunn at cisco.com Thu Aug 13 15:08:06 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 15:08:06 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>
References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com>
Message-ID: <4A846496.80109@cisco.com>

I can't follow the problem.

The router should try to defend the mac address it owns, but if another device simply takes over for it, the only way to resolve that is to fix that device.

How exactly is it taking over?
What is the topo (ascii diagram would work)?

Rodney

Graham Wooden wrote:
> Hi there,
>
> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI),
> doing a Point-to-Point wireless shot from the DC to another site.
> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the
> other end. I am then statically routing some additional subnets to the
> far end router.
>
> After about 30 minutes of the link being powered up, the MAC address of
> the local radio appears to take over the /30, and hence all routing breaks.
> To fix this, it seems that if I hardcode the MAC that belongs to the
> Cisco router on the far end, all seems good and traffic keeps on trucking.
> The other fix that was being done until the hardcode went into effect
> was power cycling the local radio.
>
> My question is this: While the hardcoding seems to be the trick to
> solve this, is there another command, maybe on the interface, to achieve
> this fix too?
> I have yet to find out from the customer if there are any MAC/ARP
> settings in his radios that could be doing the takeover on purpose.
>
> I am hoping that I can curb this type of behaviour without getting him
> involved.
> Thoughts on this? Thanks,
>
> -graham

From mhuff at ox.com Thu Aug 13 15:27:47 2009
From: mhuff at ox.com (Matthew Huff)
Date: Thu, 13 Aug 2009 15:27:47 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <4A845F6B.30907@fas.harvard.edu>
References: <13C9443BD0C7344D835569B0CFC9BB75358DB940@HARVBE01.fasmail.priv> <20090813175931.GB14517@lboro.ac.uk> <4A845F6B.30907@fas.harvard.edu>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D122BBDAF8@PUR-EXCH07.ox.com>

> Not so much - we use ACS for TACACS services and proxy the TACACS via
> RADIUS for some applications, but Cisco ACS is now an appliance and on
> the close order of 8K + SmartNet, so you are looking at 20K $US for a new
> solution.

The newer version 5.0 of ACS is available only as an appliance, but the 4.x is still available for Unix and Windows. Cisco will be providing upgrade paths in the future to 5.0 on the software side.

From http://cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/data_sheet_c78-504202.html

"Ordering Information

Cisco Secure ACS 5.0 does not replace ACS 4.2. Cisco Secure ACS 5.0 is the next-generation platform for centralized identity and access policy management. Some of the key areas of functionality differences include protocol support, external database support, and provisioning interfaces. Customers that choose to deploy ACS 4.2 will have future upgrade paths to the next-generation ACS 5.x platform. Please see the Cisco Secure ACS 5.0 User Guide at http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html for a more detailed comparison of ACS 4.0 and ACS 5.0."

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From ip at ioshints.info Thu Aug 13 15:31:51 2009
From: ip at ioshints.info (Ivan Pepelnjak)
Date: Thu, 13 Aug 2009 21:31:51 +0200
Subject: [c-nsp] Event Manager question
In-Reply-To:
References:
Message-ID: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>

Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or inform. The details are here (although the article describes a slightly different task):

http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs

However, are you absolutely positive there is no other way to get what you need? In many cases you could use a smart routing design instead of the PBR.
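As an added configuration example (not Ivan's text and not from the linked article), this is the shape of the setup Manaf asked about on IOS with EEM 3.0: router2 sends its BGP state change as an SNMP inform, router1 catches it with `event snmp-notification` and applies the route-map. All addresses, names, the interface, the route-map and the bgpPeerState instance OID are assumed placeholders; confirm the varbinds your router2 image actually sends (`debug snmp packets` on router1) before relying on the match.

```cisco
! Added example, not from the thread or the linked wiki article.
! Assumed addresses: router2 = 192.0.2.2 (sends the notification),
! router1 = 192.0.2.1 (receives it); 203.0.113.9 is router2's BGP
! neighbour whose loss should trigger PBR. All are placeholders.
!
! ---------- router2: send BGP state changes as informs to router1 ----------
snmp-server enable traps bgp
snmp-server host 192.0.2.1 informs version 2c EEM-COMMUNITY bgp
!
! ---------- router1: accept notifications and react with an applet ----------
! Only router2 may use this community; anyone who can send an inform with
! the right community string would otherwise be able to reconfigure router1.
access-list 10 permit host 192.0.2.2
snmp-server community EEM-COMMUNITY RO 10
! The router must act as an SNMP manager to receive traps/informs at all.
snmp-server manager
!
event manager applet PBR-ON-PEER-DOWN
 ! bgpBackwardTransition carries bgpPeerState.<peer-ip>
 ! (1.3.6.1.2.1.15.3.1.2.<peer-ip>); any value other than 6 (established)
 ! means the session is no longer up. src-ip-address limits the trigger
 ! to notifications that really came from router2.
 event snmp-notification oid 1.3.6.1.2.1.15.3.1.2.203.0.113.9 oid-val 6 op ne src-ip-address 192.0.2.2 direction incoming
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "ip policy route-map BACKUP-VIA-PBR"
 action 5.0 cli command "end"
 action 6.0 syslog msg "BGP peer 203.0.113.9 on router2 down: PBR applied to Gi0/1"
```

A matching applet with `oid-val 6 op eq` removes the policy again once the peer re-establishes; with SNMPv2c the community string is the only authentication on that path, so the source ACL and the `src-ip-address` filter are what keep a stray inform from rewriting the interface configuration.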
Ivan http://www.ioshints.info/about http://blog.ioshints.info/ > -----Original Message----- > From: Manaf Al Oqlah [mailto:manafo at hotmail.com] > Sent: Thursday, August 13, 2009 4:31 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Event Manager question > > > Hi all, > > Can I configure event manager to be started when it gets > notification from another router. for example, I want router1 > to be configured with policy based routing on a specific > interface once the bgp peer on router2 is down. I don't want > to permanently configure the PBR since it is consume very > high CPU utilizing on router1 > > Thank you, > Manaf > From jfitz at Princeton.EDU Thu Aug 13 15:55:56 2009 From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Thu, 13 Aug 2009 15:55:56 -0400 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: <4A846496.80109@cisco.com> References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com> <4A846496.80109@cisco.com> Message-ID: It's interesting to note that this occurs at about the default ARP timeout of 1800 seconds (Is that what the router is configured for?). That implies that when the arp times out and the router arps for the other end, it get an ARP REPLY from the wireless device. Is that what you are saying? This would seem to say that the wireless device may have some local proxy arp enabled so it responds to arp requests on the local net. Jeff Fitzwater OIT Network Systems Princeton University On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote: > I can't follow the problem. > > The router should try to defend the mac address it owns but if > another device simply takes over for it the only way to resolve that > is fix that device. > > How exactly is it taking over? > What is the topo (ascii diagram would work). > > Rodney > > > > Graham Wooden wrote: >> Hi there, >> I have a customer hanging off of my edge router (6509/ >> Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC >> to another site. 
>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>> I am hoping that I can curb this type of behaviour without getting him involved.
>> Thoughts to this? Thanks,
>> -graham
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From graham at g-rock.net Thu Aug 13 16:48:06 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 15:48:06 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <4A846496.80109@cisco.com>
Message-ID:

Yeah, kinda messy - sorry about that.

It's taking over as when I do a "sh arp ip", instead of seeing the far end router's MAC for the other end of the /30, I see the radio's.

c6509/sup32 -> radio <------------------------> radio -> c2621

Between the c6509 and c2621 is a routable /30.
I should note that I didn't have this problem when I had this setup on a Sup2, and it ran fine for several months. Is there a different ARP timeout between the two?

On 8/13/09 2:08 PM, "Rodney Dunn" wrote:

> I can't follow the problem.
>
> The router should try to defend the mac address it owns but if another device simply takes over for it the only way to resolve that is fix that device.
>
> How exactly is it taking over?
> What is the topo (ascii diagram would work).
>
> Rodney
>
> Graham Wooden wrote:
>> Hi there,
>>
>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>>
>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>>
>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>>
>> I am hoping that I can curb this type of behaviour without getting him involved.
>> Thoughts to this?
>> Thanks,
>>
>> -graham
>>

From graham at g-rock.net Thu Aug 13 16:53:39 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 15:53:39 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To:
Message-ID:

I say 30 minutes ... But I just had it occur in less than 5 minutes from having the far end router and radio rebooted. And apparently my attempt to hardcode the MAC addresses on both ends didn't fix it. I am going to start blaming the radios I think ...

On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote:

> It's interesting to note that this occurs at about the default ARP timeout of 1800 seconds (Is that what the router is configured for?). That implies that when the arp times out and the router arps for the other end, it gets an ARP REPLY from the wireless device. Is that what you are saying? This would seem to say that the wireless device may have some local proxy arp enabled so it responds to arp requests on the local net.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:
>
>> I can't follow the problem.
>>
>> The router should try to defend the mac address it owns but if another device simply takes over for it the only way to resolve that is fix that device.
>>
>> How exactly is it taking over?
>> What is the topo (ascii diagram would work).
>>
>> Rodney
>>
>> Graham Wooden wrote:
>>> Hi there,
>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>>> I am hoping that I can curb this type of behaviour without getting him involved.
>>> Thoughts to this? Thanks,
>>> -graham
>

From rodunn at cisco.com Thu Aug 13 16:53:34 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 16:53:34 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To:
References:
Message-ID: <4A847D4E.1000800@cisco.com>

Graham Wooden wrote:
> Yeah, kinda messy - sorry about that.
>
> It's taking over as when I do a "sh arp ip", instead of seeing the far end router's MAC for the other end of the /30, I see the radio's.
>
> c6509/sup32 -> radio <------------------------> radio -> c2621
>
> Between the c6509 and c2621 is a routable /30.
>

ok. If the radio responds to an arp on refresh you can't stop that on the hub side unless you statically map it.
The router has no way to know who is valid and who isn't.

> I should note that I didn't have this problem when I had this setup on a Sup2, and it ran fine for several months. Is there a different ARP timeout between the two?

Shouldn't be. The timeout is 4 hrs by default. Have you determined it's 60 seconds prior to the 4 hr default timeout?

You could test it by doing a manual "clear arp" as it does the same thing and sends out a unicast refresh.

Can you try sh ip arp, clear arp (with debug arp enabled) and get 'sh ip arp' again?

>
> On 8/13/09 2:08 PM, "Rodney Dunn" wrote:
>
>> I can't follow the problem.
>>
>> The router should try to defend the mac address it owns but if another device simply takes over for it the only way to resolve that is fix that device.
>>
>> How exactly is it taking over?
>> What is the topo (ascii diagram would work).
>>
>> Rodney
>>
>> Graham Wooden wrote:
>>> Hi there,
>>>
>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>>>
>>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>>>
>>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>>>
>>> I am hoping that I can curb this type of behaviour without getting him involved.
>>> Thoughts to this? Thanks,
>>>
>>> -graham
>>>
>

From ashnet2009 at gmail.com Thu Aug 13 17:01:26 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 13 Aug 2009 17:01:26 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net>
Message-ID: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>

Yep, we know that already. I'm finding that there aren't a lot of management systems (OV/Concord at least) that can natively monitor the 7k's since they haven't certified the platform yet.

Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined.

It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems.

On 8/13/09, Roland Dobbins wrote:
>
> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>
>> We have recently deployed N7k's in our DC and want to enable monitoring on them.
>
> N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K.
>
> They also output operationally useful NetFlow.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>

From jfitz at Princeton.EDU Thu Aug 13 17:01:02 2009
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 13 Aug 2009 17:01:02 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To:
References:
Message-ID: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU>

IF you hardcoded the ARP in both routers, then they should never change. So what exactly breaks? Can you ping the other router? What is the other router's ARP entry and vice versa? They better be the ones you put in.

Jeff

On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote:

> I say 30 minutes ... But I just had it occur in less than 5 minutes from having the far end router and radio rebooted. And apparently my attempt to hardcode the MAC addresses on both ends didn't fix it. I am going to start blaming the radios I think ...
>
> On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote:
>
>> It's interesting to note that this occurs at about the default ARP timeout of 1800 seconds (Is that what the router is configured for?). That implies that when the arp times out and the router arps for the other end, it gets an ARP REPLY from the wireless device. Is that what you are saying? This would seem to say that the wireless device may have some local proxy arp enabled so it responds to arp requests on the local net.
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:
>>
>>> I can't follow the problem.
>>>
>>> The router should try to defend the mac address it owns but if another device simply takes over for it the only way to resolve that is fix that device.
>>>
>>> How exactly is it taking over?
>>> What is the topo (ascii diagram would work).
>>>
>>> Rodney
>>>
>>> Graham Wooden wrote:
>>>> Hi there,
>>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
>>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>>>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>>>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>>>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>>>> I am hoping that I can curb this type of behaviour without getting him involved.
>>>> Thoughts to this?
>>>> Thanks,
>>>> -graham
>>>
>>
>
>

From rogelio.gamino at dc.gov Thu Aug 13 17:26:45 2009
From: rogelio.gamino at dc.gov (Gamino, Rogelio (OCTO-Contractor))
Date: Thu, 13 Aug 2009 17:26:45 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
Message-ID:

Cisco DCNM might give you the info you are looking for.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ash Net
Sent: Thursday, August 13, 2009 5:01 PM
To: Roland Dobbins; Cisco-nsp
Subject: Re: [c-nsp] Monitoring Nexus 7000 platform

Yep, we know that already. I'm finding that there aren't a lot of management systems (OV/Concord at least) that can natively monitor the 7k's since they haven't certified the platform yet.

Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined.

It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems.

On 8/13/09, Roland Dobbins wrote:
>
> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>
>> We have recently deployed N7k's in our DC and want to enable monitoring on them.
>
> N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K.
>
> They also output operationally useful NetFlow.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>

From rshughes at gmail.com Thu Aug 13 17:30:39 2009
From: rshughes at gmail.com (Ryan Hughes)
Date: Thu, 13 Aug 2009 17:30:39 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
Message-ID:

From what I've seen on much of the new DC equipment, Cisco focused more on XML than SNMP for the monitoring hook into the Nexus gear. I know many of the features you're asking for were bolted on per customer requests but I haven't seen any specific templates out there around this. I'd be interested to hear what some of the TMEs who pay attention to this have to say.

DCNM is the platform that Cisco deployment to handle management/monitoring for the Nexus but I haven't seen many customers buy it yet (IIRC - it makes excellent use of the XML APIs available).

Ryan

On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote:

> Yep, we know that already.
> I'm finding that there aren't a lot of management systems (OV/Concord at least) that can natively monitor the 7k's since they haven't certified the platform yet.
>
> Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined.
>
> It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems.
>
> On 8/13/09, Roland Dobbins wrote:
> >
> > On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
> >
> >> We have recently deployed N7k's in our DC and want to enable monitoring on them.
> >
> > N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K.
> >
> > They also output operationally useful NetFlow.
> >
> > -----------------------------------------------------------------------
> > Roland Dobbins //
> >
> > Unfortunately, inefficiency scales really well.
> >
> > -- Kevin Lawton
> >
>

From rodunn at cisco.com Thu Aug 13 17:58:54 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Aug 2009 17:58:54 -0400
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU>
References: <5527E0AC-9864-413B-80F9-6993BDC9EAF3@Princeton.EDU>
Message-ID: <4A848C9E.8030909@cisco.com>

I've seen some funky things like this before, ie: with cable modems that are supposed to be L1 only transparent but monkey up the stack.

If he hardcoded the mac's the adj should never change for CEF. Verify it with 'sh adj detail' and sh ip arp.

Rodney

Jeff Fitzwater wrote:
> IF you hardcoded the ARP in both routers, then they should never change. So what exactly breaks? Can you ping the other router? What is the other router's ARP entry and vice versa? They better be the ones you put in.
>
> Jeff
> On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote:
>
>> I say 30 minutes ... But I just had it occur in less than 5 minutes from having the far end router and radio rebooted. And apparently my attempt to hardcode the MAC addresses on both ends didn't fix it. I am going to start blaming the radios I think ...
>>
>> On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote:
>>
>>> It's interesting to note that this occurs at about the default ARP timeout of 1800 seconds (Is that what the router is configured for?). That implies that when the arp times out and the router arps for the other end, it gets an ARP REPLY from the wireless device.
>>> Is that what you are saying? This would seem to say that the wireless device may have some local proxy arp enabled so it responds to arp requests on the local net.
>>>
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:
>>>
>>>> I can't follow the problem.
>>>>
>>>> The router should try to defend the mac address it owns but if another device simply takes over for it the only way to resolve that is fix that device.
>>>>
>>>> How exactly is it taking over?
>>>> What is the topo (ascii diagram would work).
>>>>
>>>> Rodney
>>>>
>>>> Graham Wooden wrote:
>>>>> Hi there,
>>>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site.
>>>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router.
>>>>> After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect, was power cycling the local radio.
>>>>> My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface to achieve this fix too?
>>>>> I have yet to find out from the customer if there are any MAC/ARP settings in his radios and that could be doing take over on purpose.
>>>>> I am hoping that I can curb this type of behaviour without getting him involved.
>>>>> Thoughts to this?
>>>>> Thanks,
>>>>> -graham
>>>
>>
>>

From jcdarby at usgs.gov Thu Aug 13 18:09:51 2009
From: jcdarby at usgs.gov (Justin C. Darby)
Date: Thu, 13 Aug 2009 17:09:51 -0500
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To:
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
Message-ID: <4A848F2F.8090502@usgs.gov>

We use DCNM for real-time monitoring here (e.g. we use it to troubleshoot issues as they arise) - works great for this purpose, though in my opinion the configuration interface is a little over-complicated compared to just using the CLI, which is a bad sign. :)

The XML interface is very, very well documented. Each revision of NX-OS ships with a new XML spec package to describe the interfaces. You can do a lot more than just monitor things with the XML interfaces - e.g. automate port provisioning tasks in an in-house product/app. We're planning to use some of this functionality to integrate switch configurations into our inventory system (eventually).

If you hit up the downloads page for NX-OS you should see a zip file of XML specifications in there.

Justin

Ryan Hughes wrote:
> From what I've seen on much of the new DC equipment, Cisco focused more on XML than SNMP for the monitoring hook into the Nexus gear. I know many of the features you're asking for were bolted on per customer requests but I haven't seen any specific templates out there around this.
> I'd be interested to hear what some of the TMEs who pay attention to this have to say.
> DCNM is the platform that Cisco deployment to handle management/monitoring for the Nexus but I haven't seen many customers buy it yet (IIRC - it makes excellent use of the XML APIs available).
> Ryan
>
> On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote:
>
>> Yep, we know that already. I'm finding that there aren't a lot of management systems (OV/Concord at least) that can natively monitor the 7k's since they haven't certified the platform yet.
>>
>> Wondering how people are monitoring elements such as CPU Health, intf utilization, topology change event traps of the 7K Chassis etc. There doesn't appear to be a comprehensive MIB that has all the elements defined.
>>
>> It'd be great to hear from folks who have these boxes deployed and have them in any enterprise monitoring systems.
>>
>> On 8/13/09, Roland Dobbins wrote:
>>
>>> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>>>
>>>> We have recently deployed N7k's in our DC and want to enable monitoring on them.
>>>>
>>> N7Ks have a dedicated management processor; they also have a management software system which I believe ships with every N7K.
>>>
>>> They also output operationally useful NetFlow.
>>>
>>> -----------------------------------------------------------------------
>>> Roland Dobbins //
>>>
>>> Unfortunately, inefficiency scales really well.
>>>
>>> -- Kevin Lawton
>>>
>>
>

From manafo at hotmail.com Thu Aug 13 18:27:48 2009
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Fri, 14 Aug 2009 01:27:48 +0300
Subject: [c-nsp] Event Manager question
In-Reply-To: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>
References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>
Message-ID:

Hello Ivan,

Thank you for your response.

In my design, I am load sharing the traffic by multihomed BGP with two ISPs through two local 7600 routers. To avoid any single point of failure, we have a backup link for each ISP connected to each local router, as below:

Router1 connected with primary link of ISP1 and backup link of ISP2.
Router2 connected with primary link of ISP2 and backup link of ISP1.

I only receive a default-route from each ISP (the primary bgp peer has higher local preference on each router). My network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20). Normally, x.x.32.0/20 goes through Router1 & ISP1, and x.x.48.0/20 goes through Router2 & ISP2, incoming and outgoing.

What I need is, once the primary BGP peer of ISP1 on Router1 goes down, the subnet x.x.32.0/20 goes to the backup link on Router2 which already has a preferred default route from ISP2 serving the subnet x.x.48.0/20. The same case should be applied vice versa.
Load sharing for incoming traffic is working properly, but my problem is with outgoing traffic since I am only receiving a default-route from each ISP!

I know it is a bit complicated but I hope you can give me some help.

Thank you,
Manaf

--------------------------------------------------
From: "Ivan Pepelnjak"
Sent: Thursday, August 13, 2009 10:31 PM
To: "'Manaf Al Oqlah'" ;
Subject: RE: [c-nsp] Event Manager question

> Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or inform. The details are here (although the article describes a slightly different task):
>
> http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs
>
> However, are you absolutely positive there is no other way to get what you need? In many cases you could use a smart routing design instead of the PBR.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Manaf Al Oqlah [mailto:manafo at hotmail.com]
>> Sent: Thursday, August 13, 2009 4:31 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Event Manager question
>>
>> Hi all,
>>
>> Can I configure event manager to be started when it gets notification from another router? For example, I want router1 to be configured with policy based routing on a specific interface once the bgp peer on router2 is down. I don't want to permanently configure the PBR since it consumes very high CPU utilization on router1.
>>
>> Thank you,
>> Manaf
>>

From spencer at ceiva.com Thu Aug 13 17:02:09 2009
From: spencer at ceiva.com (Spencer Barnes)
Date: Thu, 13 Aug 2009 14:02:09 -0700
Subject: [c-nsp] Cisco 2960 12.2(50)SE3 - MAC ACL Deny Statement Allowing DHCP Traffic Through?
Message-ID: <0BE527EE61205F409B0EDB4F6544552E01FA62B2@stewie.ceiva.local>

Hello,

I have a Cisco 2960 running 12.2(50)SE3 (c2960-lanbasek9-mz.122-50.SE3.bin). Interface FA0/1 is an uplink to the main network/DHCP server and has no restrictions.
FA0/19 is connected to a switch and that switch has a variety of wireless access points. I want to restrict inbound access on FA0/19 to certain MAC addresses. Port FA0/19 has a mac access-group assigned to it and here is the corresponding mac access-list:

mac access-list extended frames
 permit host 0000.0000.0001 any
 deny host 0000.0000.0002 any

Somehow the denied client (0000.0000.0002) is getting DHCP. I sniffed traffic from the DHCP server and indeed, the denied MAC address was making it through. The client is unable to route after getting DHCP so this is almost working but I can't have the denied clients successfully negotiating DHCP before getting blocked.

Switchport port-security is working but I don't want to use this method. Scrapping the access-list configuration, if I set switchport security on FA0/19 to a maximum of 1 and add the permitted host (switchport port-security mac-address 0000.0000.0001), the denied host is unable to route or get DHCP.

Why does the mac access-list allow the denied host to push DHCP traffic through and how do I prevent this?

Spencer

From dharmachris at gmail.com Thu Aug 13 18:23:42 2009
From: dharmachris at gmail.com (Christopher Hunt)
Date: Thu, 13 Aug 2009 15:23:42 -0700
Subject: [c-nsp] best PE-CE protocol
Message-ID:

Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what is the best PE-CE protocol to use?

I assume we could run eBGP over both links and weight them from the provider's end, as well as the customer end. But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The customer site only hosts a few /24s and the SP would be the default route as the customer is colocating a firewall at the SP's colo.

Any experience or opinions would be greatly appreciated.
Thanks
DC

From rwest at zyedge.com Thu Aug 13 18:51:27 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 13 Aug 2009 18:51:27 -0400
Subject: [c-nsp] Event Manager question
In-Reply-To:
References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si>
Message-ID: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local>

Manaf,

Do you have an iBGP peer between the 7600's? Why not just create IGP between the two 7600's or use next-hop-self between the peers and set the default-route received from each other to be higher than the backup default. ISP1 primary local-pref 110, unchanged local-pref for iBGP and then local-pref of 90 for backup link of ISP2 on router 1 and then vice-versa on router 2.

Load Sharing with BGP -> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml

If you're feeling brave later, you can look into OER/PfR.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah
Sent: Thursday, August 13, 2009 6:28 PM
To: Ivan Pepelnjak; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Event Manager question

Hello Ivan,

Thank you for your response.

In my design, I am load sharing the traffic by multihomed BGP with two ISPs through two local 7600 routers. To avoid any single point of failure, we have a backup link for each ISP connected to each local router, as below:

Router1 connected with primary link of ISP1 and backup link of ISP2.
Router2 connected with primary link of ISP2 and backup link of ISP1.

I only receive default-route from each ISP (primary bgp peer has higher local preference on each router). My network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20). Normally, x.x.32.0/20 goes through Router1 & ISP1, and x.x.48.0/20 goes through Router2 & ISP2, incoming and outgoing.
What I need is, once the primary BGP peer of ISP1 on Router1 goes down, the subnet x.x.32.0/20 goes to the backup link on Router2, which already has a preferred default route from ISP2 serving the subnet x.x.48.0/20. The same case should be applied vice versa.

Load sharing for incoming traffic is working properly, but my problem is with outgoing traffic since I am only receiving default-route from each ISP!

I know it is a bit complicated but I hope you can give me some help.

Thank you,
Manaf

--------------------------------------------------
From: "Ivan Pepelnjak"
Sent: Thursday, August 13, 2009 10:31 PM
To: "'Manaf Al Oqlah'" ;
Subject: RE: [c-nsp] Event Manager question

> Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or
> inform. The details are here (although the article describes a slightly
> different task):
>
> http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs
>
> However, are you absolutely positive there is no other way to get what you
> need? In many cases you could use a smart routing design instead of the
> PBR.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Manaf Al Oqlah [mailto:manafo at hotmail.com]
>> Sent: Thursday, August 13, 2009 4:31 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Event Manager question
>>
>>
>> Hi all,
>>
>> Can I configure event manager to be started when it gets
>> notification from another router? For example, I want router1
>> to be configured with policy based routing on a specific
>> interface once the bgp peer on router2 is down.
>> I don't want
>> to permanently configure the PBR since it consumes very
>> high CPU utilization on router1
>>
>> Thank you,
>> Manaf
>>
>
>

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From graham at g-rock.net Thu Aug 13 19:08:36 2009
From: graham at g-rock.net (Graham Wooden)
Date: Thu, 13 Aug 2009 18:08:36 -0500
Subject: [c-nsp] Bridge devices - ARP takeover
In-Reply-To: <4A848C9E.8030909@cisco.com>
Message-ID:

I know - the whole thing is bizarre. I was able to get access to that remote C2621, and noticed that ip proxy-arp was disabled. I enabled it to match my interface on the 6500. It's been up for close to an hour now with no issues (hopefully I just didn't jinx myself). I removed the hardcoded MACs as that didn't seem to help. And no, I can't see the other side at all when the issue arises.

Here is the "show adj detail" from the VLAN (6500 side). The 172.20.255.248/28 is the secondary address subnet on the VLAN to manage the radios. Poorman's OOB. Radios are .250 and .251.

IP       Vlan201          12.nn.nn.246(11)    291469 packets, 216514528 bytes
                          epoch 0
                          sourced in sev-epoch 2
                          Encap length 14
                          000628A343000004DEFF70000800
                          ARP
IP       Vlan201          172.20.255.250(7)   376 packets, 46187 bytes
                          epoch 0
                          sourced in sev-epoch 2
                          Encap length 14
                          000B6B2E5A2C0004DEFF70000800
                          ARP
IP       Vlan201          172.20.255.251(7)   370 packets, 43771 bytes
                          epoch 0
                          sourced in sev-epoch 2
                          Encap length 14
                          000B6B2E59FB0004DEFF70000800
                          ARP

And then from the 2621 side ...
IP       FastEthernet0/0  172.20.255.251(5)   1983 packets, 266146 bytes
                          000B6B2E59FB000628A343000800
                          ARP        03:58:41
                          Epoch: 0
IP       FastEthernet0/0  172.20.255.249(5)   7 packets, 686 bytes
                          0004DEFF7000000628A343000800
                          ARP        03:26:18
                          Epoch: 0
IP       FastEthernet0/0  xxxxxx(7) (12.nn.nn.245)   232362 packets, 51704892 bytes
                          0004DEFF7000000628A343000800
                          ARP        02:42:29
                          Epoch: 0

On 8/13/09 4:58 PM, "Rodney Dunn" wrote:

> I've seen some funky things like this before, ie: with cable modems that
> are supposed to be L1 only transparent but monkey up the stack.
>
> If he hardcoded the mac's the adj should never change for CEF.
>
> Verify it with 'sh adj detail' and sh ip arp.
>
> Rodney
>
>
>
> Jeff Fitzwater wrote:
>> IF you hardcoded the ARP in both routers, then they should never
>> change. So what exactly breaks? Can you ping the other router? What
>> is the other router's ARP entry and vice versa? They better be the ones
>> you put in.
>>
>>
>>
>> Jeff
>> On Aug 13, 2009, at 4:53 PM, Graham Wooden wrote:
>>
>>> I say 30 minutes ... But I just had it occur on less than 5 minutes from
>>> having the far end router and radio rebooted. And apparently my attempt to
>>> hardcode the MAC addresses on both ends didn't fix it. I am going to start
>>> blaming the radios I think ...
>>>
>>>
>>> On 8/13/09 2:55 PM, "Jeff Fitzwater" wrote:
>>>
>>>> It's interesting to note that this occurs at about the default ARP
>>>> timeout of 1800 seconds (Is that what the router is configured
>>>> for?). That implies that when the arp times out and the router arps
>>>> for the other end, it gets an ARP REPLY from the wireless device. Is
>>>> that what you are saying? This would seem to say that the wireless
>>>> device may have some local proxy arp enabled so it responds to arp
>>>> requests on the local net.
>>>>
>>>>
>>>>
>>>> Jeff Fitzwater
>>>> OIT Network Systems
>>>> Princeton University
>>>> On Aug 13, 2009, at 3:08 PM, Rodney Dunn wrote:
>>>>
>>>>> I can't follow the problem.
>>>>>
>>>>> The router should try to defend the mac address it owns but if
>>>>> another device simply takes over for it the only way to resolve that
>>>>> is fix that device.
>>>>>
>>>>> How exactly is it taking over?
>>>>> What is the topo (ascii diagram would work).
>>>>>
>>>>> Rodney
>>>>>
>>>>>
>>>>>
>>>>> Graham Wooden wrote:
>>>>>> Hi there,
>>>>>> I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI),
>>>>>> doing a Point-to-Point wireless shot from the DC to another site.
>>>>>> On my side, it's a L3 VLAN doing a /30 to a smaller Cisco router on
>>>>>> the other end. I am then statically routing some additional subnets
>>>>>> to the far end router.
>>>>>> After about 30 minutes of the link being powered up, the MAC
>>>>>> address of local Radio appears to take over the /30, and hence all
>>>>>> routing breaks. To fix this, it seems that if I hardcode the MAC
>>>>>> that belongs to the Cisco router on the far end, all seems good and
>>>>>> traffic keeps on trucking. The other fix that was being done until
>>>>>> the hardcode went into effect, was power cycling the local radio.
>>>>>> My question is this: While the hardcoding seems to be the trick to
>>>>>> solve this, is there another command, maybe on the interface to
>>>>>> achieve this fix too?
>>>>>> I have yet to find out from the customer if there are any MAC/ARP
>>>>>> settings in his radios that could be doing take over on purpose.
>>>>>> I am hoping that I can curb this type of behaviour without getting
>>>>>> him involved.
>>>>>> Thoughts to this?
>>>>>> Thanks,
>>>>>> -graham
>>>>
>>>
>>>

From netsecuredata at gmail.com Thu Aug 13 19:26:27 2009
From: netsecuredata at gmail.com (Jorge Evangelista)
Date: Thu, 13 Aug 2009 18:26:27 -0500
Subject: [c-nsp] How to enable ssh or telnet via outside interface ASA
Message-ID:

Hi folks

I want to configure my ASA for remote access via outside, however this configuration does not work. IPs are fake for security reasons.

My configuration is

In the outside interface I have

interface Vlan2
 nameif outside
 security-level 1
 ip address 200.10.45.98 255.255.255.240

telnet 200.100.50.0 255.255.255.0 outside
ssh 200.100.50.0 255.255.255.0 outside

Also, I do not have any ACL

In the logs I can see:

%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= TCP)

Could you help me with this configuration?

Regards.

--
"The network is the computer"

From kunkel at w-link.net Thu Aug 13 20:30:51 2009
From: kunkel at w-link.net (Rick Kunkel)
Date: Thu, 13 Aug 2009 17:30:51 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
Message-ID:

Hello all,

I've got a problem that I unfortunately don't know a heck of a lot about, which I understand makes answering this question difficult. But I thought I'd pick people's brains in the hopes of at least getting pointed in the right direction.

Here's the deal. I run EIGRP for the internal network, and BGP to talk to the outside world. Occasionally, I go to add a new block or router to the EIGRP network, and it just won't work.
Strangely, all the "show ip route" commands look good, but traffic just won't get where it's supposed to go. Crazily, sometimes I can get 20-40% of packets through to the internet, but traffic to the internal network is usually lost. However, it sometimes seems as if the traffic might be lost at a border router we have, which is currently getting two full route tables on a Sup2 running IOS 12.1(26)E8. (Yes, I know, impossible.) In an effort to minimize downtime, I can only poke around at things for so long, before performing the wonky fix.

The fix... Usually I can do something that will withdraw or otherwise change the new announcement, and then put it back, and it will work.

The LAST time this happened, however, when I re-added the new block, suddenly another block on our network became unreachable. It was as if the new block kicked the old one out.

To me, this smacks of a memory shortage somewhere, and it's occurred to me that it may be that border router that has a bunch of EIGRP stuff AND the BGP stuff. I've heard tell of the TCAM filling, but that's supposed to log messages, and I've seen none of those. And does EIGRP use the TCAM? Perhaps an OS bug?

Anyhow, I don't expect anyone to solve the mystery for me (unless they immediately know what's causing it), but I was hoping for some direction. Any commands I can run to quickly show me exhausted space, etc.? I know the Sup2 needs to be upgraded, but I find myself wondering if that will fix the problem, or if this is a result of something else entirely.

This is not a horrendous problem, but it rears its head from time to time, and makes things difficult. Most frustrating of all is that I can't get a bead on it, and have minimal time to troubleshoot on a production network.

Any ideas and/or pointers?

Thanks much!
Rick Kunkel

From jared at puck.nether.net Thu Aug 13 21:31:25 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Aug 2009 21:31:25 -0400
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to see the logs on sup2. Cut down the number of routes you listen to from your upstreams, having them send you just their customer routes and use default for the rest.

In sup720 and sup1a when the tcam is full it would then process switch. Not sure on sup2 but I presume it's the same.

Jared Mauch

On Aug 13, 2009, at 8:30 PM, Rick Kunkel wrote:

> Hello all,
>
> I've got a problem that I unfortunately don't know a heck of a lot
> about, which I understand makes answering this question difficult.
> But I thought I'd pick people's brains in the hopes of at least
> getting pointed in the right direction.
>
> Here's the deal. I run EIGRP for the internal network, and BGP to
> talk to the outside world. Occasionally, I go to add a new block or
> router to the EIGRP network, and it just won't work. Strangely, all
> the "show ip route" commands look good, but traffic just won't get
> where it's supposed to go. Crazily, sometimes I can get 20-40% of
> packets through to the internet, but traffic to the internal network
> is usually lost. However, it sometimes seems as if the traffic
> might be lost at a border router we have, which is currently getting
> two full route tables on a Sup2 running IOS 12.1(26)E8. (Yes, I
> know, impossible.) In an effort to minimize downtime, I can only
> poke around at things for so long, before performing the wonky fix.
>
> The fix... Usually I can do something that will withdraw or
> otherwise change the new announcement, and then put it back, and it
> will work.
>
> The LAST time this happened, however, when I re-added the new block,
> suddenly another block on our network became unreachable.
> It was as
> if the new block kicked the old one out.
>
> To me, this smacks of a memory shortage somewhere, and it's occurred
> to me that it may be that border router that has a bunch of EIGRP
> stuff AND the BGP stuff. I've heard tell of the TCAM filling, but
> that's supposed to log messages, and I've seen none of those. And
> does EIGRP use the TCAM? Perhaps an OS bug?
>
> Anyhow, I don't expect anyone to solve the mystery for me (unless
> they immediately know what's causing it), but I was hoping for some
> direction. Any commands I can run to quickly show me exhausted
> space, etc.? I know the Sup2 needs to be upgraded, but I find
> myself wondering if that will fix the problem, or if this is a
> result of something else entirely.
>
> This is not a horrendous problem, but it rears its head from time to
> time, and makes things difficult. Most frustrating of all is that I
> can't get a bead on it, and have minimal time to troubleshoot on a
> production network.
>
> Any ideas and/or pointers?
>
> Thanks much!
>
> Rick Kunkel

From rdobbins at arbor.net Thu Aug 13 21:48:03 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 08:48:03 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

On Aug 14, 2009, at 8:31 AM, Jared Mauch wrote:

> Not sure on sup2 but I presume it's the same.

Yes, it is.

Whether or not one sees log messages depends upon one's logging level (I think 3 or above should see it).

sh fm sum will show if ACLs are being processed in software due to the TCAM being full.

-----------------------------------------------------------------------
Roland Dobbins //

Unfortunately, inefficiency scales really well.
                      -- Kevin Lawton

From jlewis at lewis.org Thu Aug 13 21:46:33 2009
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 13 Aug 2009 21:46:33 -0400 (EDT)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID:

On Thu, 13 Aug 2009, Jared Mauch wrote:

> Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to see
> the logs on sup2. Cut down the number of routes you listen to from your
> upstreams, having them send you just their customer routes and use default
> for the rest.
>
> In sup720 and sup1a when the tcam is full it would then process switch. Not
> sure on sup2 but I presume it's the same.

When we were discussing this on-list a year or more ago, I think someone said that what the sup2 did when tcam filled was IOS version dependent. Newer IOS would process switch. Older IOS would blackhole. I never verified this.

I really expected to see messages like this about a year ago. A full view is around 290k routes...way more than the sup2 tcam can handle. This guy has to have been having issues for months.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From ashnet2009 at gmail.com Thu Aug 13 21:50:10 2009
From: ashnet2009 at gmail.com (Ash Net)
Date: Thu, 13 Aug 2009 21:50:10 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <4A848F2F.8090502@usgs.gov>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov>
Message-ID: <896a291f0908131850s404feb69h309a6b704558e09b@mail.gmail.com>

Thanks All for the feedback. The only issue with DCNM deployment is it's a new tool and there will be a learning curve for the ops team, plus it will take time to customize the interfaces.
We were mainly hoping to get 6K level of monitoring in place for the 7K as well since SNMP is much more prevalent in our environment and quick to deploy, with DCNM planned in the future.

I'm quite surprised to see thus far that not too many orgs have perhaps utilized the snmp monitoring capabilities of the chassis and wondering what Cisco is doing to enable ESM vendors to integrate the Nexus platform in the monitoring suite.

Would still really appreciate if somebody could share their snmp based monitoring experiences.

Best,

On 8/13/09, Justin C. Darby wrote:
> We use DCNM for real-time monitoring here (e.g. we use it to
> troubleshoot issues as they arise) - works great for this purpose,
> though in my opinion the configuration interface is a little
> over-complicated compared to just using the CLI, which is a bad sign. :)
>
> The XML interface is very, very well documented. Each revision of NX-OS
> ships with a new XML spec package to describe the interfaces. You can do
> a lot more than just monitor things with the XML interfaces - e.g.
> automate port provisioning tasks in an in-house product/app. We're
> planning to use some of this functionality to integrate switch
> configurations into our inventory system (eventually).
>
> If you hit up the downloads page for NX-OS you should see a zip file of
> XML specifications in there.
>
> Justin
>
> Ryan Hughes wrote:
>> From what I've seen on much of the new DC equipment, Cisco focused more on
>> XML than SNMP for the monitoring hook into the Nexus gear. I know many of
>> the features you're asking for were bolted on per customer requests but I
>> haven't seen any specific templates out there around this. I'd be interested
>> in to hear what some of the TME's who pay attention to this have to say.
>> DCNM is the platform that Cisco deployment to handle management/monitoring
>> for the Nexus but I haven't seen many customers buy it yet ( IIRC - it makes
>> excellent use of the XML API's available ).
>> Ryan
>>
>> On Thu, Aug 13, 2009 at 5:01 PM, Ash Net wrote:
>>
>>
>>> Yep, we know that already. I'm finding that there isn't a lot of
>>> management systems (OV/Concord at least) that can natively monitor the
>>> 7k's since they haven't certified the platform yet.
>>>
>>> Wondering how people are monitoring elements such as CPU Health, intf
>>> utilization, topology change event traps of the 7K Chassis etc. There
>>> doesn't appear to be a comprehensive MIB that has all the elements
>>> defined.
>>>
>>> It'd be great to hear from folks who have these boxes deployed and
>>> have them in any enterprise monitoring systems.
>>>
>>>
>>>
>>> On 8/13/09, Roland Dobbins wrote:
>>>
>>>> On Aug 14, 2009, at 12:07 AM, Ash Net wrote:
>>>>
>>>>
>>>>> We have recently deployed N7k's in our DC and want to enable
>>>>> monitoring on them.
>>>>>
>>>> N7Ks have a dedicated management processor; they also have a
>>>> management software system which I believe ships with every N7K.
>>>>
>>>> They also output operationally useful NetFlow.
>>>>
>>>> -----------------------------------------------------------------------
>>>> Roland Dobbins //
>>>>
>>>> Unfortunately, inefficiency scales really well.
>>>>
>>>> -- Kevin Lawton
>>>>
>>>>
>>>
>>>
>>
>
>

From william.mccall at gmail.com Thu Aug 13 21:50:41 2009
From: william.mccall at gmail.com (William McCall)
Date: Thu, 13 Aug 2009 20:50:41 -0500
Subject: [c-nsp] best PE-CE protocol
In-Reply-To:
References:
Message-ID:

What kind of boxes are you using for PE? How many VRFs do you have on the box? What code is running?

There are limits to the number of OSPF processes (at least on some platforms and code), so I tend to prefer eBGP, but OSPF has its obvious advantages.

--William McCall

On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt wrote:
> Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN
> and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, what
> is the best PE-CE protocol to use? I assume we could run eBGP over both
> links and weight them from the provider's end, as well as the customer end.
> But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. The
> customer site only hosts a few /24s and the SP would be the default route as
> the customer is colocating a firewall at the SP's colo. Any experience or
> opinions would be greatly appreciated.
>
> Thanks
> DC
>

From ltd at cisco.com Thu Aug 13 22:11:23 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 14 Aug 2009 12:11:23 +1000
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com>
Message-ID: <69327D9B-7780-424B-BB28-C839DA21DA08@cisco.com>

hi Ash,

On 14/08/2009, at 7:01 AM, Ash Net wrote:

> Yep, we know that already. I'm finding that there isn't a lot of
> management systems (OV/Concord at least) that can natively monitor the
> 7k's since they haven't certified the platform yet.

actually, there is quite a lot of management partners that support N7K / NX-OS. a non exhaustive list is:

HP Opsware NAS (Configuration and Compliance)
EMC Smarts (Fault Management)
IBM Tivoli Netcool (Fault Management)
CA Spectrum (Fault Management)
CA eHealth (Network Perf. Monitoring)
SolarWinds Orion [Network Performance Monitor, Network Configuration Manager, NetFlow Traffic Analyzer] (Network Perf. Monitoring)
Alterpoint [Network Authority] (Config. and Compliance)
BMC BladeLogic for Networks (BCAN) (Compliance)
CiscoWorks Lan Management Solution (LMS) (General Purpose)
CiscoWorks Network Compliance Manager (NCM) (Compliance)
Cisco Network Analysis Module (NAM) (Traffic and Flow Analysis)

there is no doubt a more complete list, the above is what i explicitly know about.
in addition to the above, there are numerous MIBs, SNMP traps and Netflow v5/v9 that all sorts of 3rd party management and monitoring systems plug in to

>
>
> Wondering how people are monitoring elements such as CPU Health, intf
> utilization, topology change event traps of the 7K Chassis etc. There
> doesn't appear to be a comprehensive MIB that has all the elements
> defined.

see http://ftp-sj.cisco.com/pub/mibs/supportlists/nexus7000/Nexus7000MIBSupportList.html for a list of MIBs.

we do also have a list of 'key performance indicators' that best practice would say that you poll for. e.g.:

MIB: CISCO-PROCESS-MIB
OID: cpmCPUTotal5minRev
Loc: .1.3.6.1.4.1.9.9.109.1.1.1.1.8
Range: 0..100 (%)
Desc: The overall CPU busy percentage in the last 5 minute period.
Normal operating range: Value should remain below 80% under normal conditions.
Poll interval: once every 5 minutes

MIB: CISCO-SYSTEM-EXT-MIB
OID: cseSysMemoryUtilization
Loc: .1.3.6.1.4.1.9.9.305.1.1.2
Range: 0..100 (%)
Desc: The average utilization of memory on the active supervisor.
Thresholds for RMON probes should be set based on baselining the memory utilization within a production environment.
Poll interval: once every 5-15 minutes

can provide you with the complete list if you wish (quite long). ping me off list if you want that.

interface utilization is provided via standard IF-MIB. suggest you use high speed counters, e.g. ifHCInOctets, ifHCOutOctets, ifHCInUcastPkts, ifHCOutUcastPkts, etc.

cheers,

lincoln.

From sf at lists.esoteric.ca Thu Aug 13 21:51:23 2009
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Thu, 13 Aug 2009 21:51:23 -0400
Subject: [c-nsp] Open Source Substitute for Cisco's Secure ACS?
In-Reply-To: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
References: <50797b9b0908130646t5233893co25f7964658878ec1@mail.gmail.com>
Message-ID: <4A84C31B.3020809@lists.esoteric.ca>

For PPPoE, FreeRADIUS is very worthwhile.
The options the software provides are on par with the best commercial RADIUS software. The downside? It is not GUI based (though you can write your own and link it to SQL/LDAP/etc, we have and I suspect most ISP's do) and also, it does involve a learning curve. If you are willing to take the time to read the documentation, and look at the notes associated with most functions (conveniently within the module configurations, usually), and ask intelligent questions on the mailing list, then you'll be fine.

If you are looking to use TACACS, others have suggested good alternatives (we will be using TACACS for change management, because it provides finer control with IOS devices [thanks Cisco, grrr]).

Any migration should be thought through carefully, with a view to the future. Generally I suggest looking ahead to what you'd like something to be, and use this as an opportunity to make it so.

-- Stephen

M Callahan wrote:
> We're currently using a very dated version of Cisco's Secure ACS to
> authenticate a relatively small group of PPPoE ADSL users. We have a
> planned hardware upgrade for this system, but no funding for updated ACS
> software. That said, I was wondering what open source alternatives folks on
> the list have found to be an adequate substitute for ACS.
>
> Thanks,
>
> Mike

From eninja at gmail.com Fri Aug 14 00:13:42 2009
From: eninja at gmail.com (e ninja)
Date: Thu, 13 Aug 2009 21:13:42 -0700
Subject: [c-nsp] OT:SUSHI REGISTER RESET ERROR
In-Reply-To: <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>
References: <8bb137f40908112254j7d9ea69aj42613f00bcac743b@mail.gmail.com> <8bb137f40908122215g2951d36cm79239279578250d7@mail.gmail.com>
Message-ID:

Jack,

Several things can lead to the symptoms you describe.
That is why it is important you shed further light on the events that led to the problem (i.e. what changed? Is this a lab or production device? sh captures? IOS version??? etc). When posting to public fora, it is always a good idea to describe recreate steps to problems so that a clear picture of the issue is projected from the get go to aid troubleshooting and resolution. This will also help the manufacturer learn a thing or two about it and hopefully fix the root cause.

Anyhow, your SFC in slot 18 reported SUSHI errors which apparently compromised the fabric integrity and removing it seems to have resolved the problem. As designed, the backup CSC kicked in as a Switch Fabric Card and relinquished its backup CSC duties, thus the "nonredundant fabric" output you see in sh cont fia. Your backup CSC will continue to function as an SFC and your fabric will remain nonredundant until you install a working SFC in slot 18.

Each SFC/CSC card provides 10-Gbps full-duplex connection to all LCs and 10-Gbps switch fabric does not operate in one-quarter bandwidth mode.

http://www.cisco.com/en/US/docs/routers/12000/12016s/maintenance/guides/16084csa.html#wp56884
http://www.cisco.com/en/US/products/hw/routers/ps167/products_tech_note09186a00801e1da7.shtml

-Eninja

PS. Someone at Cisco's c12k team may want to check the code for notes on when and why we call "SUSHI REGISTER RESET ERROR" and attempt a recreate of this seemingly critical problem as it doesn't have a precedent - at least in the public domain.

On Wed, Aug 12, 2009 at 10:15 PM, jack daniels wrote:

> Hi All,
>
> I found this error was coming on SLOT 18 which is SFC.
>
> EARLIER OUTPUT WAS -
>
> sh led
> SLOT 0 : RUN IOS
> SLOT 6 : WAITRTRY
> SLOT 7 : RP ACTV
> SLOT 8 : INITMEM
> SLOT 9 : RUN IOS
> SLOT 15 : WAITRTRY
>
>
>
> FOR TROUBLESHOOT , then I saw -
>
> 1) output of sh gsr
>
>
> Slot 18 type = Switch Fabric Card 16XOC192
> state = Card Powered<<<<<<<<<<<<<<<<<<<<<
> Slot 19 type = Switch Fabric Card 16XOC192
> state = Card Powered<<<<<<<<<<<<<<<<<<<<<<<
> Slot 20 type = Switch Fabric Card 16XOC192
> state = Card Powered<<<<<<<<<<<<<<<<<<<<<<<
>
>
> 2) Again executed show gsr command and found -
>
>
> Slot 17 type = Clock Scheduler Card OC192 Dual Priority
> state = Card NOT Powered; Power cycle fabric cards PRIMARY CLOCK<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> Slot 18 type = Switch Fabric Card 16XOC192
> state = Card NOT Powered; Power cycle fabric cards<<<<<<<<<<<<<<<<<<<<<<<
> Slot 19 type = Switch Fabric Card 16XOC192
> state = Card NOT Po<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
>
> 3) After shutting down SFC - slot 18 <<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> sh led
> SLOT 0 : RUN IOS
> SLOT 6 : RUN IOS
> SLOT 7 : RP STBY
> SLOT 8 : RP ACTV
> SLOT 9 : RUN IOS
> SLOT 15 : RUN IOS
>
>
> At the moment all cards show powered up and in RUN IOS mode.
>
> 4) sh controller fia
> Fabric configuration: 10Gbps bandwidth, nonredundant fabric<<<<<<<<<<<<<<<<<<<<<<<
> Master Scheduler: Slot 17 Backup Scheduler: Slot 16
> Fab epoch no 235 Halt count 0
>
> From Fabric FIA Errors
> -----------------------
> redund overflow 0 cell drops 0
> cell parity 0
> Switch cards present 0x001B Slots 16 17 19 20
> Switch cards monitored 0x001B Slots 16 17 19 20
>
>
>
>
> CAN someone guide me why, after shutting down one SFC in slot 18, all LC 0, 6, 15 and
> 7 came in IOS RUN mode and started working.
>
> I think - Each LC is connected in 10 Gbps mode via 4 links to switch fabric
> . Now what I know is for full b/w mode 10 Gbps half duplex , you require
> at least 2 SFC online working.
But if you see all SFC went to power down and > then power up state , so why few LC cards were still online. > > Please ALSO guide - what is signiface of 2 SFC or 1 SFC running . > > Regards > > On 8/13/09, e ninja wrote: >> >> Jack, >> >> What changed prior to the errors? Also, is this a lab or production >> device? >> >> Either way, reply all (or unicast) the complete sh tech and sh log along >> with a sh controller fia from an attach session to all LCs. >> >> -Eninja >> >> >> On Tue, Aug 11, 2009 at 10:54 PM, jack daniels wrote: >> >>> Hi all, >>> >>> I'm getting below error in gsr chassis 12416 , please suggest >>> >>> 048724: .Aug 11 20:09:13.853 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary >>> clock switched to clock 0 >>> 048725: .Aug 11 20:09:17.191 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all >>> fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18 >>> 048726: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary >>> clock switched to clock 0 >>> 048727: .Aug 11 20:09:18.067 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary >>> clock switched to clock 0 >>> 048728: .Aug 11 20:09:21.413 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all >>> fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18 >>> 048729: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary >>> clock switched to clock 0 >>> 048730: .Aug 11 20:09:22.289 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary >>> clock switched to clock 0 >>> 048731: .Aug 11 20:09:25.627 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all >>> fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18 >>> 048732: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary >>> clock switched to clock 0 >>> 048733: .Aug 11 20:09:26.502 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary >>> clock switched to clock 0 >>> 048734: .Aug 11 20:09:29.841 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all >>> fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18 >>> 048735: .Aug 11 20:09:30.716 
IST: %MBUS-6-SWITCHED_FABCLK: Slot 0 primary >>> clock switched to clock 0 >>> 048736: .Aug 11 20:09:30.716 IST: %MBUS-6-SWITCHED_FABCLK: Slot 9 primary >>> clock switched to clock 0 >>> 048737: .Aug 11 20:09:34.054 IST: %FABRIC-3-ERR_HANDLE: Reconfigure all >>> fabric cards due to SUSHI REGISTER RESET ERROR error from slot 18 >>> >>> >>> sh gsr >>> Slot 0 type = Modular SPA Interface Card >>> state = IOS RUN Line Card Enabled >>> subslot 0/0: SPA-1X10GE-L-V2 (0x50C), status is ok >>> subslot 0/1: Empty >>> subslot 0/2: Empty >>> subslot 0/3: Empty >>> Slot 6 type = Modular SPA Interface Card >>> state = RTRYWAIT Waiting to retry download after persistent >>> failures >>> Slot 7 type = Performance Route Processor >>> state = ACTV RP IOS Running ACTIVE >>> Slot 8 type = Performance Route Processor >>> state = RP RDY Route Processor Powered >>> Slot 9 type = Modular SPA Interface Card >>> state = IOS RUN Line Card Enabled >>> subslot 9/0: Empty >>> subslot 9/1: Empty >>> subslot 9/2: Empty >>> subslot 9/3: Empty >>> Slot 15 type = Modular SPA Interface Card >>> state = RTRYWAIT Waiting to retry download after persistent >>> failures >>> Slot 16 type = Clock Scheduler Card OC192 Dual Priority >>> state = Card Powered >>> Slot 17 type = Clock Scheduler Card OC192 Dual Priority >>> state = Card Powered PRIMARY CLOCK >>> Slot 18 type = Switch Fabric Card 16XOC192 >>> state = Card Powered >>> Slot 19 type = Switch Fabric Card 16XOC192 >>> state = Card Powered >>> Slot 20 type = Switch Fabric Card 16XOC192 >>> state = Card Powered >>> Slot 24 type = Alarm Module(16) >>> state = Card Powered >>> Slot 25 type = Alarm Module(16) >>> state = Card Powered >>> Slot 27 type = Bus Board(16) >>> state = Card Powered >>> Slot 28 type = Blower Module(16) >>> state = Card Powered >>> Slot 29 type = Blower Module(16) >>> >>> state = Card Powered >>> >>> >>> sh led >>> SLOT 0 : RUN IOS >>> SLOT 6 : WAITRTRY >>> SLOT 7 : RP ACTV >>> SLOT 8 : INITMEM >>> SLOT 9 : RUN IOS >>> SLOT 15 : 
WAITRTRY >>> >>> Regards >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> > From kunkel at w-link.net Fri Aug 14 00:17:11 2009 From: kunkel at w-link.net (Rick Kunkel) Date: Thu, 13 Aug 2009 21:17:11 -0700 (Pacific Daylight Time) Subject: [c-nsp] Funny (and hard to describe) AWOL routes In-Reply-To: References: Message-ID: Thanks for the input all. It appears unanimous: My TCAM is stuffed. I'm a little baffled by the EIGRP aspect (which I don't think anyone addressed), but it makes sense that it would all be using the same resources. Is there not a simple command to show the used capacity of the TCAM? Thanks! --Rick On Thu, 13 Aug 2009, Jon Lewis wrote: > On Thu, 13 Aug 2009, Jared Mauch wrote: > >> Your tcam is full. It may not log that, you likely need 12.2sxe or sxf to >> see the logs on sup2. Cut down the number of routes you listen to from your >> upstreams, having them send you just their customer routes and use default >> for the rest. >> >> In sup720 and sup1a when the tcam is full it would then process switch. Not >> sure on sup2 but I presume it's the same. > > When we were discussing this on-list a year or more ago, I think someone said > that what the sup2 did when tcam filled was IOS version dependent. Newer IOS > would process switch. Older IOS would blackhole. I never verified this. > > I really expected to see messages like this about a year ago. A full view is > around 290k routes...way more than the sup2 tcam can handle. This guy has to > have been having issues for months. 
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>

From rdobbins at arbor.net Fri Aug 14 01:02:21 2009
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 14 Aug 2009 12:02:21 +0700
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To:
References:
Message-ID: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>

On Aug 14, 2009, at 11:17 AM, Rick Kunkel wrote:

> Is there not a simple command to show the used capacity of the TCAM?

sh tcam ?

-----------------------------------------------------------------------
Roland Dobbins  //

        Unfortunately, inefficiency scales really well.

                   -- Kevin Lawton

From kunkel at w-link.net Fri Aug 14 01:24:58 2009
From: kunkel at w-link.net (Rick Kunkel)
Date: Thu, 13 Aug 2009 22:24:58 -0700 (Pacific Daylight Time)
Subject: [c-nsp] Funny (and hard to describe) AWOL routes
In-Reply-To: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>
References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net>
Message-ID:

That all looks pretty good though, unless I'm missing something...

               Used  Free  Percent Used  Reserved
               ----  ----  ------------  --------
 Labels:          4   508             0
 ACL_TCAM
  Masks:         10  4086             0         0
  Entries:       29 32739             0         0
 QOS_TCAM
  Masks:          0  4096             0         0
  Entries:        0 32768             0         0
 LOU:             0    64             0
 ANDOR:           0    16             0
 ORAND:           0    16             0
 ADJ:             1  1023             0

--Rick

On Fri, 14 Aug 2009, Roland Dobbins wrote:

>
> On Aug 14, 2009, at 11:17 AM, Rick Kunkel wrote:
>
>> Is there not a simple command to show the used capacity of the TCAM?
>
> sh tcam ?
>
> -----------------------------------------------------------------------
> Roland Dobbins  //
>
> Unfortunately, inefficiency scales really well.
> > -- Kevin Lawton > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rdobbins at arbor.net Fri Aug 14 01:32:38 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Fri, 14 Aug 2009 12:32:38 +0700 Subject: [c-nsp] Funny (and hard to describe) AWOL routes In-Reply-To: References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net> Message-ID: <3258E125-B153-4CAE-A007-64193847623C@arbor.net> On Aug 14, 2009, at 12:24 PM, Rick Kunkel wrote: > That all looks pretty good though, unless I'm missing something... Try sh mls cef maximum-routes & sh platform hardware capacity pfc I can tell you that as the global table topped 256K entries long ago, you've been hurting for a while if you're taking full tables into a Sup2-based box. ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. -- Kevin Lawton From rdobbins at arbor.net Fri Aug 14 01:34:29 2009 From: rdobbins at arbor.net (Roland Dobbins) Date: Fri, 14 Aug 2009 12:34:29 +0700 Subject: [c-nsp] Funny (and hard to describe) AWOL routes In-Reply-To: <3258E125-B153-4CAE-A007-64193847623C@arbor.net> References: <471B74F7-6B22-4937-996B-E75934203F21@arbor.net> <3258E125-B153-4CAE-A007-64193847623C@arbor.net> Message-ID: On Aug 14, 2009, at 12:32 PM, Roland Dobbins wrote: > Try sh mls cef maximum-routes & sh platform hardware capacity pfc And sh mls cef su ----------------------------------------------------------------------- Roland Dobbins // Unfortunately, inefficiency scales really well. 
-- Kevin Lawton From dharmachris at gmail.com Fri Aug 14 01:54:09 2009 From: dharmachris at gmail.com (Christopher Hunt) Date: Thu, 13 Aug 2009 22:54:09 -0700 Subject: [c-nsp] best PE-CE protocol In-Reply-To: References: Message-ID: PE1 is a 7200 VXR NPE-1G, PE2 is a 2851 with 512MB , both running 12.4(9)T or better. For this customer, less than 10 vrfs on each PE On Thu, Aug 13, 2009 at 6:50 PM, William McCall wrote: > What kind of boxes are you using for PE? How many VRFs do you have on > the box? What code is running? > > There are limits to the number of OSPF processes (at least on some > platforms and code), so I tend to prefer eBGP, but OSPF has its > obvious advantages. > > --William McCall > > On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt > wrote: > > Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS VPN > > and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, > what > > is the best PE-CE protocol to use? I assume we could run eBGP over both > > links and weight them from the provider's end, as well as the customer > end. > > But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. > The > > customer site only hosts a few /24s and the SP would be the default route > as > > the customer is colocating a firewall at the SP's colo. Any experience > or > > opinions would be greatly appreciated. 
> > > > Thanks > > DC > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From ltd at cisco.com Fri Aug 14 02:17:19 2009 From: ltd at cisco.com (Lincoln Dale) Date: Fri, 14 Aug 2009 16:17:19 +1000 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: <4A848F2F.8090502@usgs.gov> References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> Message-ID: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> On 14/08/2009, at 8:09 AM, Justin C. Darby wrote: > > The XML interface is very, very well documented. Each revision of NX- > OS ships with a new XML spec package to describe the interfaces. You > can do a lot more than just monitor things with the XML interfaces - speaking from the cisco side of the fence, the real benefit of Netconf/ XML is that its pretty much anything you can do in CLI config or exec command wise is available in NetConf/XML "for free". its not like SNMP where one has to create MIBs and write code especially to populate the MIBs. in essence, any output from the switch in CLI can be 'tokenized' into XML. so: in essence, the literally thousands of CLI commands can all be used via CLI or XML, giving you the equivalent of 100% like for like with CLI. its unlikely that SNMP on any box or platform will never have parity - ever - just by virtue of the time/effort and resources required to do so. > e.g. automate port provisioning tasks in an in-house product/app. > We're planning to use some of this functionality to integrate switch > configurations into our inventory system (eventually). beginning with NX-OS 4.2 we've now also allow some variations on XML that makes for (easier) script building. 
many people like CLI commands for their simplicity - and NX-OS has always allowed preshared ssh keys to be specified in the configuration such that you can 'ssh' into the switch without needing a password or passphrase. [conf t ; username (your_name) sshkey (insert_your_~/.ssh/identity.pub_here) ]

i.e.

lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show module" | head -6
Mod  Ports  Module-Type                       Model               Status
---  -----  --------------------------------  ------------------  ------------
1    48     10/100/1000 Mbps Ethernet Module  N7K-M148GT-11       ok
2    32     10 Gbps Ethernet Module           N7K-M132XP-12       ok
5    0      Supervisor module-1X              N7K-SUP1            ha-standby
6    0      Supervisor module-1X              N7K-SUP1            active *
lincoln-dales-macbook:~ lincolndale$

expanding on this concept, with NX-OS 4.2, we've added a couple of new things:

1. the ability to specify multiple CLI commands via ssh, e.g.

# remove vlan 5 from trunk port ethernet2/1
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "conf t ; int ethernet2/1 ; switchport trunk allowed vlan remove 5"
lincoln-dales-macbook:~ lincolndale$

# show vlan membership of ethernet2/1 with output in text format
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show int eth2/1 trunk"
--------------------------------------------------------------------------------
Port          Vlans Allowed on Trunk
--------------------------------------------------------------------------------
Eth2/1        1-4,6-3967,4048-4093

2. the ability to take CLI commands IN to the switch but for the switch to output in XML:

# show vlan membership of ethernet2/1 with output in XML
lincoln-dales-macbook:~ lincolndale$ ssh ltd at ltd-n7010-1 "show int eth2/1 trunk | xml"
Ethernet2/1 Ethernet2/1 1 trunking -- Ethernet2/1 1-4,6-3967,4048-4093
...

why one would ever touch SNMP willingly after using the above is beyond me. :) however, we aren't religious in that regard, if you wish to use SNMP there is support there.

cheers,

lincoln.
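Added example, not code from Lincoln's message or from Cisco: a Python audit that parses a reply of the kind produced by the `show int eth2/1 trunk | xml` command above and checks the trunk against a VLAN policy (is VLAN 5 really gone, is the native VLAN still the default). The XML is a constructed sample modelled on the output quoted in the message; the element names (ROW_interface, allowedvlans and so on) are assumptions about the NX-OS schema, and the values are the ones shown above.

```python
"""Audit trunk VLAN membership from an NX-OS 'show int ... trunk | xml' reply.

Constructed example: element names are assumed, values come from the message.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample reply modelled on the quoted output; element names assumed.
SAMPLE_XML = """<?xml version="1.0"?>
<nf:rpc-reply xmlns:nf="urn:ietf:params:xml:ns:netconf:base:1.0"
              xmlns="http://www.cisco.com/nxos:1.0:if_manager">
  <nf:data>
    <show>
      <interface>
        <__XML__PARAM__interface>
          <__XML__value>Ethernet2/1</__XML__value>
          <trunk>
            <__readonly__>
              <TABLE_interface>
                <ROW_interface>
                  <interface>Ethernet2/1</interface>
                  <native>1</native>
                  <status>trunking</status>
                  <portchannel>--</portchannel>
                </ROW_interface>
              </TABLE_interface>
              <TABLE_allowed_vlans>
                <ROW_allowed_vlans>
                  <interface>Ethernet2/1</interface>
                  <allowedvlans>1-4,6-3967,4048-4093</allowedvlans>
                </ROW_allowed_vlans>
              </TABLE_allowed_vlans>
            </__readonly__>
          </trunk>
        </__XML__PARAM__interface>
      </interface>
    </show>
  </nf:data>
</nf:rpc-reply>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1-4,6-3967,4048-4093' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not match:
            raise ValueError(f"malformed VLAN range: {part!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_trunk_reply(xml_text):
    """Return {interface: {'native': int, 'status': str, 'allowed': set}}.

    Matches on local element names only, so nesting and namespace do not matter.
    """
    trunks = {}
    for element in ET.fromstring(xml_text).iter():
        name = _local(element.tag)
        if name not in ("ROW_interface", "ROW_allowed_vlans"):
            continue
        fields = {_local(child.tag): (child.text or "").strip()
                  for child in element}
        entry = trunks.setdefault(fields["interface"], {})
        if name == "ROW_interface":
            entry["native"] = int(fields["native"])
            entry["status"] = fields["status"]
        else:
            entry["allowed"] = expand_vlan_list(fields["allowedvlans"])
    return trunks


def audit_trunk(trunk, forbidden_vlans):
    """Return policy findings for one parsed trunk entry."""
    findings = []
    # VLANs that must not ride this trunk, e.g. VLAN 5 after the
    # 'switchport trunk allowed vlan remove 5' shown in the message.
    leaked = sorted(set(forbidden_vlans) & trunk["allowed"])
    if leaked:
        findings.append(f"forbidden VLAN(s) still allowed on trunk: {leaked}")
    if trunk["native"] == 1:  # default native VLAN is a common hardening finding
        findings.append("native VLAN left at the default of 1")
    return findings


if __name__ == "__main__":
    for name, trunk in parse_trunk_reply(SAMPLE_XML).items():
        print(name, trunk["status"], audit_trunk(trunk, forbidden_vlans={5}))
```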
From manafo at hotmail.com Fri Aug 14 05:03:25 2009 From: manafo at hotmail.com (Manaf Al Oqlah) Date: Fri, 14 Aug 2009 12:03:25 +0300 Subject: [c-nsp] Event Manager question In-Reply-To: <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local> References: <002d01ca1c4c$b5dc8220$0a00000a@nil.si> <6E21B2BDEF6E714EA0B5BA8D5D0E1401248E2695EC@zy-ex1.zyedge.local> Message-ID: Ryan, I already have iBGP between the 7600's, and already use local-pref 150 for primary links on router1 and router2. but when the primary link from ISP1 on router1 goes down, I want the same subnet go through ISP1 backup link on Router2 ( Router2 already has local-pref 150 for ISP2 primary link), Regards, Manaf -------------------------------------------------- From: "Ryan West" Sent: Friday, August 14, 2009 1:51 AM To: "Manaf Al Oqlah" ; "Ivan Pepelnjak" ; Subject: RE: [c-nsp] Event Manager question > Manaf, > > Do you have an iBGP peer between the 7600's? Why not just create IGP > between the two 7600's or use next-hop-self between the peers and set the > default-route received from each other to be higher than the backup > default. ISP1 primary local-pref 110, unchanged local-pref for iBGP and > then local-pref of 90 for backup link of ISP2 on router 1 and then > vice-versa on router 2. > > Load Sharing with BGP -> > http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml > > If you're feeling brave later, you can look into OER/PfR. > > -ryan > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Manaf Al Oqlah > Sent: Thursday, August 13, 2009 6:28 PM > To: Ivan Pepelnjak; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Event Manager question > > Hello Ivan, > > Thank you for your response. > In my design, I am load sharing the traffic by multihomed BGP with two > ISPs > through two local 7600 routers. 
To avoid any single point of failure, we > have a backup link for each ISP connected to each local router. as below: > Router1 connected with primary link of ISP1 and backup link of ISP2. > Router2 connected with primary link of ISP2 and backup link of ISP1 > I only receive default-route from each ISP (primary bgp peer has higher > local preference on each router). > my network is divided into two subnets (x.x.32.0/20 & x.x.48.0/20) > normally, x.x.32.0/20 go through Router1 & ISP1, and x.x.48.0/20 go > through > Router2 & ISP2 incoming and outgoing. > > what I need is, once the primary BGP peer of ISP1 on Router1 goes down, > the > subnet x.x.32.0/20 go to backup link on Router2 which is already has a > preferred default route from ISP2 serving the subnet x.x.48.0/20. The same > case should be applied vice versa. > load sharing for incoming traffic is working properly, but my problem is > with outgoing traffic since I am only receiving default-route from each > ISP! > > I know it is a bit complicated but I hope you can give me some help. > > Thank you, > Manaf > -------------------------------------------------- > From: "Ivan Pepelnjak" > Sent: Thursday, August 13, 2009 10:31 PM > To: "'Manaf Al Oqlah'" ; > Subject: RE: [c-nsp] Event Manager question > >> Absolutely, with EEM 3.0 an applet can be triggered with an SNMP trap or >> inform. The details are here (although the article describes a slightly >> different task): >> >> http://wiki.nil.com/Trigger_EEM_applets_with_SNMP_Informs >> >> However, are you absolutely positive there is no other way to get what >> you >> need? In many cases you could use a smart routing design instead of the >> PBR. 
>> >> Ivan >> >> http://www.ioshints.info/about >> http://blog.ioshints.info/ >> >>> -----Original Message----- >>> From: Manaf Al Oqlah [mailto:manafo at hotmail.com] >>> Sent: Thursday, August 13, 2009 4:31 PM >>> To: cisco-nsp at puck.nether.net >>> Subject: [c-nsp] Event Manager question >>> >>> >>> Hi all, >>> >>> Can I configure event manager to be started when it gets >>> notification from another router. for example, I want router1 >>> to be configured with policy based routing on a specific >>> interface once the bgp peer on router2 is down. I don't want >>> to permanently configure the PBR since it is consume very >>> high CPU utilizing on router1 >>> >>> Thank you, >>> Manaf >>> >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gert at greenie.muc.de Fri Aug 14 05:26:53 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 14 Aug 2009 11:26:53 +0200 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: References: <4A848C9E.8030909@cisco.com> Message-ID: <20090814092653.GU29143@greenie.muc.de> Hi, On Thu, Aug 13, 2009 at 06:08:36PM -0500, Graham Wooden wrote: > I know - the whole thing is bizarre. I was able to get access to that > remote C2621, and noticed that ip proxy-arp was disabled. I enabled to to > match my interface on the 6500. It's been up for close to an hour now with > no issues (hopefully I just didn't jinx myself). "ip proxy-arp" should be always disabled, unless you specifically know that you need it. For a normal point-to-point link between routers, you'll never need it. (Having proxy-arp on-by-default is one of the major design errors that Cisco did - it's seen as a "convenience", because it "makes things works" that would break otherwise. 
In reality, all it does is "it hides problems", because mis-configured systems still work - until the point where they no longer work, and then it's much harder to find where the brokenness is) To me, this sounds a bit as if the *Radio* is answering the ARP requests on its own, for some sort of "management interface" or so. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 303 bytes Desc: not available URL: From graham at g-rock.net Fri Aug 14 07:57:08 2009 From: graham at g-rock.net (Graham Wooden) Date: Fri, 14 Aug 2009 06:57:08 -0500 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: <20090814092653.GU29143@greenie.muc.de> Message-ID: Agreed on the ip proxy-arp, but if it makes the link work for the time being ... I am waiting access into the radios to see if I can do a true dot1q OOB interface on it. I also lowered the arp timeout to just under 5 minutes. With my SNMP interface scripts running every 5 minutes, I am hoping that with this combination, that it will stay up until I am ready to completely debug it. I appreciate everyone's feedback on this. On 8/14/09 4:26 AM, "Gert Doering" wrote: > Hi, > > On Thu, Aug 13, 2009 at 06:08:36PM -0500, Graham Wooden wrote: >> I know - the whole thing is bizarre. I was able to get access to that >> remote C2621, and noticed that ip proxy-arp was disabled. I enabled to to >> match my interface on the 6500. It's been up for close to an hour now with >> no issues (hopefully I just didn't jinx myself). > > "ip proxy-arp" should be always disabled, unless you specifically know that > you need it. > > For a normal point-to-point link between routers, you'll never need it. 
> > (Having proxy-arp on-by-default is one of the major design errors that > Cisco did - it's seen as a "convenience", because it "makes things works" > that would break otherwise. In reality, all it does is "it hides problems", > because mis-configured systems still work - until the point where they no > longer work, and then it's much harder to find where the brokenness is) > > > To me, this sounds a bit as if the *Radio* is answering the ARP requests > on its own, for some sort of "management interface" or so. > > gert From gert at greenie.muc.de Fri Aug 14 08:00:38 2009 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 14 Aug 2009 14:00:38 +0200 Subject: [c-nsp] Bridge devices - ARP takeover In-Reply-To: References: <20090814092653.GU29143@greenie.muc.de> Message-ID: <20090814120038.GW29143@greenie.muc.de> Hi, On Fri, Aug 14, 2009 at 06:57:08AM -0500, Graham Wooden wrote: > Agreed on the ip proxy-arp, but if it makes the link work for the time being > ... This would be VERY surprising - "ip proxy-arp" makes a difference only if one of the devices sends ARP requests for IP addresses that are off-link (specifically: that the router with "ip proxy-arp" knows to be off-link and has a route for it). Your routers on both sides shouldn't do any ARPing for off-link addresses unless one of them has a static route pointing to the ethernet itself ("ip route 0.0.0.0 0.0.0.0 ethernet0" is a quite typical example). dot1q-tagging the management interface sounds like a good plan, though :) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 303 bytes Desc: not available URL: From tdurack at gmail.com Fri Aug 14 08:12:47 2009 From: tdurack at gmail.com (Tim Durack) Date: Fri, 14 Aug 2009 08:12:47 -0400 Subject: [c-nsp] Monitoring Nexus 7000 platform In-Reply-To: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com> Message-ID: <9e246b4d0908140512m233175d4hcc01afa46ee9048b@mail.gmail.com> On Fri, Aug 14, 2009 at 2:17 AM, Lincoln Dale wrote: > > > many people like CLI commands for their simplicity - and NX-OS has always > allowed preshared ssh keys to be specified in the configuration such that > you can 'ssh' into the switch without needing a password or passphrase.[conf > t ; username (your_name) sshkey (insert_your_~/.ssh/identity.pub_here) ] > If only we could get such sanity in C6K IOS... Tim:> From rodunn at cisco.com Fri Aug 14 09:33:42 2009 From: rodunn at cisco.com (Rodney Dunn) Date: Fri, 14 Aug 2009 09:33:42 -0400 Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download Planner, etc... In-Reply-To: <4A8463E1.2030709@cisco.com> References: <4A841CC9.4090909@cisco.com> <4A8463E1.2030709@cisco.com> Message-ID: <4A8567B6.5080408@cisco.com> Ok...the first list is this. Use Wilson Shiu (wshiu) as the contact for: Bitswapping Tool Bug Tool Kit Cisco Notification System Command Lookup Tool Error Message Decoder File Exchange IP Subnet Calculator MYTECH Support Output Interpreter Product Alert Tool SNMP Object Navigator Special File Access TAC Case Connection TSRT Voice Codec Bandwidth Calculator I'm getting the contact for the Software Center stuff and will report back. Rodney Rodney Dunn wrote: > I'm getting that for clarity. I'll respond back. 
> > > > Tony Varriale wrote: >> Rodney, >> >> Do you have an official list of items/tools that feedback can be >> provided on? Or, should we ping Wilson? >> >> tv >> ----- Original Message ----- From: "Rodney Dunn" >> To: >> Sent: Thursday, August 13, 2009 9:01 AM >> Subject: [c-nsp] Feedback on Bug Toolkit (BTK), IOS Software Download >> Planner,etc... >> >> >>> I got involved through a few channels and encouraged the teams >>> responsible for some of the Cisco.com Support tools to leverage this >>> forum directly for feedback. They were very interested in the idea. >>> >>> Can those of you that care enough to give direct feedback based on >>> the past threads around IOS Upgrade Planner, Bug Toolkit, etc. please >>> take a few minutes and compose an email directly to: >>> >>> Wilson Shiu (wshiu) >>> >>> He is the point of contact for feedback. >>> >>> They are eager to listen so now is a good time to get involved. >>> >>> I encourage you guys to take advantage of this. >>> >>> Thanks >>> Rodney >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From william.mccall at gmail.com Fri Aug 14 09:55:14 2009 From: william.mccall at gmail.com (William McCall) Date: Fri, 14 Aug 2009 08:55:14 -0500 Subject: [c-nsp] best PE-CE protocol In-Reply-To: References: Message-ID: Certainly there are no technical issues with doing OSPF there... and it may be easier in the long run. 
In my experience, I like BGP because we get a lot more flexibility in policies, but I don't think that is your concern here. The deciding factor for me would be "how familiar is your customer with BGP vs OSPF?" Pick the one they won't screw up on and it'll be fine. --WM On Fri, Aug 14, 2009 at 12:54 AM, Christopher Hunt wrote: > PE1 is a 7200 VXR NPE-1G, PE2 is a 2851 with 512MB , both running 12.4(9)T > or better.? For this customer, less than 10 vrfs on each PE > > On Thu, Aug 13, 2009 at 6:50 PM, William McCall > wrote: >> >> What kind of boxes are you using for PE? How many VRFs do you have on >> the box? What code is running? >> >> There are limits to the number of OSPF processes (at least on some >> platforms and code), so I tend to prefer eBGP, but OSPF has its >> obvious advantages. >> >> --William McCall >> >> On Thu, Aug 13, 2009 at 5:23 PM, Christopher Hunt >> wrote: >> > Given a customer with a 10mbps fiber connection into PE1 on a L3 MPLS >> > VPN >> > and also a backup ADSL link to PE2 on the same provider's L3 MPLS VPN, >> > what >> > is the best PE-CE protocol to use? ?I assume we could run eBGP over both >> > links and weight them from the provider's end, as well as the customer >> > end. >> > But I'm starting to wonder if PE-CE OSPF wouldn't be a better choice. >> > ?The >> > customer site only hosts a few /24s and the SP would be the default >> > route as >> > the customer is colocating a firewall at the SP's colo. ?Any experience >> > or >> > opinions would be greatly appreciated. 
>> > >
>> > Thanks
>> > DC
>> > _______________________________________________
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>
>

From spinthiras.mario at gmail.com Fri Aug 14 15:17:57 2009
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 14 Aug 2009 22:17:57 +0300
Subject: [c-nsp] Network related postgraduate
Message-ID: <4f890e580908141217p40bb8c7bv32cce4800a26bb61@mail.gmail.com>

Dear all,

I understand this isn't the usual topic found in this mailing list however I felt more answers and hints would come out of here than anywhere else. I am looking for a networking related university within the EU (preferably U.K) for postgraduate studies. I am currently a Computer Networks student in London. Particularly I am aiming on an MSc with a research project at the end of it. As far as grades are concerned, I don't think that would be an issue. Any ideas/suggestions are more than welcome.

Anyone?

Regards,
Mario

From cisco at peakpeak.com Fri Aug 14 15:26:21 2009
From: cisco at peakpeak.com (Security Team)
Date: Fri, 14 Aug 2009 13:26:21 -0600
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
Message-ID:

I have a telco that wants to hand me an OC3 on which there will be 3 DS3's, all doing different things. One will be a clear channel (pt-pt) DS3, one will contain 28 T1's in the DS1 time slots of the DS3, and one will be unused for the time being.

I want to buy a PA card to use in a 7200VXR and found the single-mode fiber one PA-POS-OC3SMI. My question is will this card allow me to take the T1 timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card? Ala:

!
! 1 Channelized T3 port(s)
!
controller T3 1/0/0
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-24
 t1 3 channel-group 0 timeslots 1-24
Etc.etc.

If I can use DS3 #1 as a pt-pt serial interface and DS3 #2 as a Chan.
DS3 for T1's that would be awesome, that's what I'm looking for. I want to stay away from getting a separate MUX to break the OC3 down into DS3's to feed to separate PA cards if I can help it. Thanks, CJ From ross at wtccommunications.ca Fri Aug 14 14:53:23 2009 From: ross at wtccommunications.ca (Ross Halliday) Date: Fri, 14 Aug 2009 14:53:23 -0400 Subject: [c-nsp] Bridge devices - ARP takeover References: <20090813144152.xzep12cjc0kg48s4@webmail.iamforeverme.com> Message-ID: <151BC03492E46E4CB8D479E42CEF7890A77D61@exchange.wtc.local> I see this happening all the time with cheaper wireless gear. A lot of 802.11-based stuff (Tranzeo comes to mind...) will take over ARP and sometimes even do MAC NAT, which as you can imagine really breaks PPPoE and makes troubleshooting a pain. As a poor man's wireless backhaul the Tranzeo junk has a "PxP" mode of operation which disables this behaviour and turns it from an AP & CPE pair into a PTP link that just passes frames all day. Perhaps this is applicable to your equipment as well? Cheers --- Ross Halliday Network Operations WTC Communications Office: 613-547-6939 x203 Helpdesk: 866-547-6939 option 2 http://www.wtccommunications.ca -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Graham Wooden Sent: Thursday, August 13, 2009 2:42 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Bridge devices - ARP takeover Hi there, I have a customer hanging off of my edge router (6509/Sup32/12.2.33SXI), doing a Point-to-Point wireless shot from the DC to another site. On myside, it's a L3 VLAN doing a /30 to a smaller Cisco router on the other end. I am then statically routing some additional subnets to the far end router. After about 30 minutes of the link being powered up, the MAC address of local Radio appears to take over the /30, and hence all routing breaks. 
To fix this, it seems that if I hardcode the MAC that belongs to the Cisco router on the far end, all seems good and traffic keeps on trucking. The other fix that was being done until the hardcode went into effect was power cycling the local radio.

My question is this: While the hardcoding seems to be the trick to solve this, is there another command, maybe on the interface, to achieve this fix too? I have yet to find out from the customer if there are any MAC/ARP settings in his radios that could be doing takeover on purpose. I am hoping that I can curb this type of behaviour without getting him involved.

Thoughts on this?

Thanks,
-graham
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mulitskiy at acedsl.com Fri Aug 14 16:04:42 2009
From: mulitskiy at acedsl.com (Michael Ulitskiy)
Date: Fri, 14 Aug 2009 16:04:42 -0400
Subject: [c-nsp] Multiple power supply failures. Advise needed
Message-ID: <200908141604.42069.mulitskiy@acedsl.com>

Hello,

We have a very strange problem. We have recently changed colo-space provider and since then we have had 4 power supply failures in all kinds of Cisco equipment within a 2 month period. According to the colo provider we're receiving "clean" power backed up by UPSes and generator. We currently have 4 20-amp circuits with APC managed PDUs in them and power supply failures happened in 3 of them, so I can't blame it on one specific circuit or PDU. There was no environmental warning in the logs of any Cisco devices. I'm completely out of clues. I'm going to bring it up with our colo-space provider, but I'm afraid they'll need some proof or pointers. Does anybody have any ideas what could be causing this and how I can monitor the specific conditions?
Thanks,
Michael

From bgoulet at harris.com Fri Aug 14 15:20:11 2009
From: bgoulet at harris.com (Goulet, Brian)
Date: Fri, 14 Aug 2009 15:20:11 -0400
Subject: [c-nsp] Etherchannel between 2x2960 and 1x7600
In-Reply-To:
References:
Message-ID:

>There is perhaps another possibility if you are looking for simple
>physical layer redundancy. Since you have one router and two switches I
>assume that you're looking to do just that. You could use IRB and create
>a bridge group on the router and do your layer 3 config on the bvi.
>I'm only throwing this out as a possibility as I've never actually used
>this in a production environment. Don't see why it won't work though.
>Vijay Ramcharan

I have used this in production and it does work. It was pretty easy to configure.

I realize this is a little stale. Email queue is a bit backed up.

Brian

From tvarriale at comcast.net Fri Aug 14 16:28:35 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 14 Aug 2009 15:28:35 -0500
Subject: [c-nsp] Question for PA OC3 guru?
References:
Message-ID: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>

Can't do it. You'll have to look at another platform for channelized OC3.

tv

----- Original Message -----
From: "Security Team"
To:
Sent: Friday, August 14, 2009 2:26 PM
Subject: [c-nsp] Question for PA OC3 guru?

>I have a telco that wants to hand me an OC3 on which there will be 3 DS3's,
> all doing different things. One will be a clear channel (pt-pt) DS3, one
> will contain 28 T1's in the DS1 time slots of the DS3, and one will be
> unused for the time being.
>
> I want to buy a PA card to use in a 7200VXR and found the single-mode
> fiber
> one PA-POS-OC3SMI. My question is will this card allow me to take the T1
> timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3
> card?
> Ala:
> !
> ! 1 Channelized T3 port(s)
> !
> controller T3 1/0/0
> t1 1 channel-group 0 timeslots 1-24
> t1 2 channel-group 0 timeslots 1-24
> t1 3 channel-group 0 timeslots 1-24
> Etc.etc.
>
> If I can use DS3 #1 as a pt-pt serial interface and DS3 #2 as a Chan. DS3
> for T1's that would be awesome, that's what I'm looking for. I want to
> stay
> away from getting a separate MUX to break the OC3 down into DS3's to feed
> to
> separate PA cards if I can help it.
>
> Thanks,
> CJ
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From david at davidcoulson.net Fri Aug 14 16:40:03 2009
From: david at davidcoulson.net (David Coulson)
Date: Fri, 14 Aug 2009 16:40:03 -0400
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>
References: <2123B2F6BA8B46CDBE731A2FC0AFDBED@flamdt01>
Message-ID: <4A85CBA3.3020202@davidcoulson.net>

It's probably cheaper to pick up an Adtran OC-3 Mux (Opti-3 or something) and use a traditional PA-MC-T3 and a PA-T3 card in a 7200, than it is to find a whole new router to do it :)

Tony Varriale wrote:
> Can't do it. You'll have to look at another platform for channelized
> OC3.

From ler762 at gmail.com Fri Aug 14 17:37:54 2009
From: ler762 at gmail.com (Lee)
Date: Fri, 14 Aug 2009 17:37:54 -0400
Subject: [c-nsp] Monitoring Nexus 7000 platform
In-Reply-To: <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
References: <896a291f0908131007s218f5489rf466cd0ed6e7eb7@mail.gmail.com> <352D947C-7CAC-4322-9BAC-830E489CB070@arbor.net> <896a291f0908131401q2d32fdden198fd5f500ce2052@mail.gmail.com> <4A848F2F.8090502@usgs.gov> <97229F86-6C23-4BC0-92E3-F4AFA54C7855@cisco.com>
Message-ID:

On 8/14/09, Lincoln Dale wrote:
.. snip lots of really cool examples ..
> why one would ever touch SNMP willingly after using the above is
> beyond me. :)

Is there an XML equivalent to the Net-SNMP package?
For example, finding devices that haven't had their config saved is easy with SNMP:

    # CISCO-CONFIG-MAN-MIB: sysUpTime (timeticks) when the running config
    # was last changed, and when the startup config was last written
    chgTime=`snmpget -OqUtv $DEV ccmHistoryRunningLastChanged.0`
    savTime=`snmpget -OqUtv $DEV ccmHistoryStartupLastChanged.0`
    # startup written before the last running-config change => unsaved changes
    if [ $savTime -lt $chgTime ]; then
      printf "%-14s config needs to be saved\n" $DEV
    fi

how do you do that with Netconf/XML?

Regards,
Lee

From gert at greenie.muc.de Fri Aug 14 17:39:23 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 14 Aug 2009 23:39:23 +0200
Subject: [c-nsp] instabilities with SXI2?
Message-ID: <20090814213923.GB29143@greenie.muc.de>

Hi,

I'm wondering if one of you is running SXI2 non-modular code and has had negative experiences?

We run it on a 7604/Sup720 with no problems at all, and on a 7603/Sup32-10G that is a bit unhappy with us these days - it's spontaneously reloading every few days (twice so far), and after the reload, it claims

    System returned to ROM by power on at 11:35:27 MET Fri Nov 10 2000 (SP by power on)

... which I'm reasonably sure is a blatant lie (redundant PSUs, connected to different power distribution strips, no works at that time, yadda yadda). (And it was *not* there in the year 2000 either...)

After the first crash, I hooked up a console, to see whether it would print anything funny - nothing. Just the normal "configured by..." messages (last line as of 3 days ago), and then the "System Bootstrap" line that the boot ROM prints as the very first line. Nothing in the bootflash, no crashinfo, etc.

So, it's either:

- SXI2 is bad, and the Sup720 box has been lucky
- SXI2 doesn't like the Sup32-10G (or the 7603)
- SXI2 is fine, and this specific hardware is flakey

TAC case has been opened, but since the box is refusing to give meaningful statements on *why* it's unhappy, this is not proceeding - which is why I hope to hear from you "yes, we've seen that as well" or "no, SXI2 is rock solid for us" evidence.
(I won't go into the details of the box's configuration - there is nothing really different from what other boxes do in our network, IPv4, IPv6, MPLS, BGP [with ~500 prefixes only], the full program - but I don't really think this is relevant here, *those* crashes usually look different)

thanks,

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Fri Aug 14 18:15:07 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Fri, 14 Aug 2009 23:15:07 +0100
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: <20090814221507.GB17986@lboro.ac.uk>

hi,

we only have 1 box running SXI2 right now, with all the others still on SXI1 and a special debug SXI1 - so far, touch wood, no weirdness or problem on that SXI2 box - we're running the normal IPv4, IPv6, HSRP, SSH etc on non modular.

(the debug is because of an SXI1 thing which we're hoping isn't in SXI2 anyway....)

alan

From jay at west.net Fri Aug 14 18:25:54 2009
From: jay at west.net (Jay Hennigan)
Date: Fri, 14 Aug 2009 15:25:54 -0700
Subject: [c-nsp] Question for PA OC3 guru?
In-Reply-To:
References:
Message-ID: <4A85E472.7070202@west.net>

Security Team wrote:
> I have a telco that wants to hand me an OC3 on which there will be 3 DS3's,
> all doing different things. One will be a clear channel (pt-pt) DS3, one
> will contain 28 T1's in the DS1 time slots of the DS3, and one will be
> unused for the time being.
>
> I want to buy a PA card to use in a 7200VXR and found the single-mode fiber
> one PA-POS-OC3SMI.
> My question is will this card allow me to take the T1
> timeslots of the #2 DS3 and use them like I do elsewhere in a PC-MC-T3 card?
> Ala:
> !
> ! 1 Channelized T3 port(s)
> !
> controller T3 1/0/0
> t1 1 channel-group 0 timeslots 1-24
> t1 2 channel-group 0 timeslots 1-24
> t1 3 channel-group 0 timeslots 1-24

No such PA. Your best bet is a mux of some sort such as Adtran Optimux, and then use a PA-T3 and a PA-MC-T3 in the router.

I believe that the latest versions of the PA-MC-2T3 are capable of supporting both a clear channel T3 and a channelized one, but if you have an extra PA slot you'll find that the cost of a PA-T3 and a PA-MC-T3 will be a lot less than using one circuit of a dual PA-MC-T3 for a clear channel circuit.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From booloo at ucsc.edu Fri Aug 14 17:55:10 2009
From: booloo at ucsc.edu (Mark Boolootian)
Date: Fri, 14 Aug 2009 14:55:10 -0700
Subject: [c-nsp] instabilities with SXI2?
In-Reply-To: <20090814213923.GB29143@greenie.muc.de>
References: <20090814213923.GB29143@greenie.muc.de>
Message-ID: <20090814215510.GA72987@root.ucsc.edu>

Hi Gert,

> I'm wondering if one of you is running SXI2 non-modular code and has had
> negative experiences?

No negative experiences here so far, though we've only got a couple of weeks of runtime. We've got it loaded on four boxes, all with Sup720-3B/3BXLs.

mark

From BBlackford at nwresd.k12.or.us Fri Aug 14 20:57:40 2009
From: BBlackford at nwresd.k12.or.us (Bill Blackford)
Date: Fri, 14 Aug 2009 17:57:40 -0700
Subject: [c-n