From tvarriale at comcast.net Tue Dec 1 01:51:22 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 1 Dec 2009 00:51:22 -0600
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
References: <006b01ca7059$814ce160$83e6a420$@net> <4B141341.3070903@fas.harvard.edu>
Message-ID:

It doesn't help me as I already know. That's why I was responding to the original poster. Maybe you could try that?

tv

----- Original Message -----
From: "Scott McGrath"
To: "'cisco-nsp'"
Sent: Monday, November 30, 2009 12:47 PM
Subject: Re: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..

> Since there is WPA-PSK and WPA2 often known as Enterprise,
>
> The real difference is that WPA-PSK uses a fixed 'pre-shared' key to encrypt the link between the AP and the supplicant. Enterprise assumes that a RADIUS server is available to authenticate the session and set the key for the session. What has not been discussed is what protocol is being used for these; PEAP and/or EAP-TTLS are valid choices.
>
> The encryption scheme is 'better' on enterprise as the key is not known before session instantiation. But WPA-PSK (aka Personal) and WPA2 both use the same cipher set to protect the session, so the link is as secure, but if the key is disclosed to unauthorized users the wireless network effectively has no security, whereas WPA2 uses a user database and if the user's credentials are disclosed the endpoint can be deauthenticated and the user's credentials changed. Whereas WPA-PSK requires reconfiguration of the AP(s) and supplicant reconfiguration.
>
> Hope this helps
>
> - Scott
>
> Tony Varriale wrote:
>> What type of "enterprise" are you interested in? What's your user database?
>>
>> tv
>> ----- Original Message -----
>> From: "Howard Leadmon"
>> To: "'cisco-nsp'"
>> Sent: Saturday, November 28, 2009 12:35 PM
>> Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
>>
>>> I have a question hopefully someone can give me a pointer or shed some light on..
>>>
>>> I have both an Aironet 1242AG and now a 1252AG access point, which are working fine. I have WPA2-Personal with a shared key setup and running great as well. As it was my impression that Vista and Win7 both supported Enterprise authentication, which I figured would be better and more secure than using the personal shared key stuff.
>>>
>>> I have tried, and googled, and I for the life of me just can't seem to get Enterprise auth going.. Does anyone have any docs on getting the Aironet and Windows to play together, configs, or links to info that will help? Just FYI, I am trying to use the radius server built into the AP, as I figured that would be simple enough, hopefully doing that is ok..
>>>
>>> ---
>>>
>>> Howard Leadmon
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Tue Dec 1 13:49:01 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 01 Dec 2009 13:49:01 -0500
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B1426F7.5050604@whole-uk.com>
References: <4B1426F7.5050604@whole-uk.com>
Message-ID: <4B15651D.400@cisco.com>

Post a 'sh stack'.
Rodney

Pete Barnwell wrote:
> I've had a 2821 reload unexpectedly - sh ver shows a bus error as below
>
> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2009 by Cisco Systems, Inc.
> Compiled Thu 26-Feb-09 19:47 by prod_rel_team
>
> ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
>
> uptime is 1 hour, 7 minutes
> System returned to ROM by bus error at PC 0x4224F26C, address 0x1E at 18:56:16 GMT Mon Nov 30 2009
> System restarted at 18:43:38 GMT Mon Nov 30 2009
>
> #sh region address 0x4224F26C
> Address 0x4224F26C is located physically in :
>
> Name  : text
> Class : IText
> Media : R/O
> Start : 0x4000F000
> End   : 0x43F7FFFF
> Size  : 0x03F71000
>
> This suggests to me hardware rather than software from Googling?
>
> The router's got its original 256Mb and an additional 512Mb stick in it - is it possible to tell if this is a memory error from this, and if so which stick might be the problem?
>
> I have no Smartnet on this, so can't ask TAC :(
>
> Thanks
>
> Pete

From harbor235 at gmail.com Tue Dec 1 14:25:50 2009
From: harbor235 at gmail.com (harbor235)
Date: Tue, 1 Dec 2009 14:25:50 -0500
Subject: [c-nsp] MPLS - collapsed P PE
Message-ID: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>

Is anyone out there utilizing a collapsed P/PE in their MPLS networks? Do you regret deploying the architecture and what are the problem areas if any?

I assume it's a dollar issue and as long as you have minimal PE to CE aggregation this is the way to go. However, if you need to scale this solution then the price per CE port can get costly on the single platform. Adding PE is cheaper than adding a P !!
Can you migrate to a separate P and PE easily ?

thanx

Mike

From jsahala at gmail.com Tue Dec 1 15:27:39 2009
From: jsahala at gmail.com (joshua sahala)
Date: Tue, 1 Dec 2009 13:27:39 -0700
Subject: [c-nsp] BGP soft-reconfiguration inbound impact
In-Reply-To:
References: <4B0FE3EA.7010305@renater.fr> <4B0FEFA3.9050008@imperial.ac.uk>
Message-ID: <4b8f66d70912011227s11e4b736wf7ff1ac5946dc9f2@mail.gmail.com>

On Fri, Nov 27, 2009 at 9:11 AM, Mikael Abrahamsson wrote:
> On Fri, 27 Nov 2009, Phil Mayers wrote:
>
>> It depends on how many routes you have I think. If you've got the full feed, then I'd say you're going to pay a heavy price for soft-reconfig.
>
> Only if you modify the routes a lot via routemap or alike. This code has been much tweaked the past 5 years, so in some cases soft-reconfig inbound takes no extra memory at all.

memory isn't my problem currently...cpu utilisation on a 'clear ip bgp $neighbour soft in' is

if you are heavily filtered and are relaxing the filters (increasing the prefixes accepted), you should be fine. if on the other hand, you are trying to restrict/depreference what you are/were accepting, be prepared for a potentially massive cpu hit on SR(B|C|D) (100% for 5-10+ mins - no *current* bug id, yet)...this of course may cause other bgp sessions to flap, your igp adjacencies to drop, and your 76xx swouter to be unusable. admin'ing down the neighbour you tried to soft clear may be your only resolution.

/joshua

--
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
- Douglas Adams -

From pshem.k at gmail.com Tue Dec 1 15:43:59 2009
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Wed, 2 Dec 2009 09:43:59 +1300
Subject: [c-nsp] MPLS - collapsed P PE
In-Reply-To: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
References: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
Message-ID: <20fe625b0912011243qfb86e4x65d5134e9224ce00@mail.gmail.com>

Hi,

We have quite a setup with P/PE collapsed routers in quite a few places. There were at least a few reasons for going that way:

1. Lack of physical space in some locations to deploy full P and PE routers
2. Not enough customers in a particular location to justify more equipment
3. Architectural decisions that we've made (i.e. standard setup templates that we deploy).

For denser locations in many cases we decided to use a big L2-only switch and still terminate the L2/L3 services on the P/PE. I think that having a full P-only network can only be justified in very specific scenarios.

In our case migration to separate P and PE is not very difficult, but requires some re-work. For example all our PEs have to be multi-homed to two Ps. If we can't achieve that we leave them in the P/PE state.

kind regards
Pshem

2009/12/2 harbor235 :
> Is anyone out there utilizing a collapsed P/PE in their MPLS networks? Do you regret deploying the architecture and what are the problem areas if any?
>
> I assume it's a dollar issue and as long as you have minimal PE to CE aggregation this is the way to go. However, if you need to scale this solution then the price per CE port can get costly on the single platform. Adding PE is cheaper than adding a P !!
> Can you migrate to a separate P and PE easily ?
>
> thanx
>
> Mike

From gsgranados at comcast.net Tue Dec 1 17:34:26 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Tue, 1 Dec 2009 14:34:26 -0800
Subject: [c-nsp] ASA authentication using a self signed cert?
Message-ID: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com>

Hi all,
I'm using a pair of ASA 5520 devices to provide VPN services to end users using the Cisco VPN client on mostly Windows XP and Mac laptops. I've been using the following link as a starting point.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I'm not sure how to make this work with self signed certs though. I did some googling but nothing seemed to match my needs. Does anyone have a good pointer for configuring certificate authentication using a self-signed cert? Is it as simple as executing the steps in the Cisco doc and using openssl to self sign my own certificate request?

Any pointers would be appreciated.

Thanks
Scott

From vijay.ramcharan at verizonbusiness.com Tue Dec 1 18:15:34 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Tue, 01 Dec 2009 23:15:34 +0000
Subject: [c-nsp] Import VRF routes then change next-hop
In-Reply-To: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com>
References: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3021AA159@ASHEVS006.mcilink.com>

Hi all,

I have a couple of switches (6509E, Sup 720 3CXL, 12.2.33 SXI1) that are running VRF lite for a couple of VRFs. One of the VRFs connects to a pair of external routers and receives a number of routes via iBGP. Sandwiched between that external VRF and the other VRF is a firewall.
I needed to import the routes from the external VRF into the other VRF that sits behind that firewall. I set the proper import targets in my firewalled VRF and the routes are imported. I now need to change the next hop of those imported routes so that the firewalled VRF uses the firewall as its next-hop for those imported routes.

The only solution I've found that actually works is the following route-map used as an "import map" in the firewalled VRF.

route-map import_mpls_to_firewall_vrf permit 10
  Match clauses:
    extcommunity (extcommunity-list filter):77
  Set clauses:
    ip vrf firewall_vrf next-hop 10.10.10.1
    ip next-hop 10.10.10.1

I tried reading some documentation but I'm not making much headway into understanding why I need both of those "set" commands. If I just use the "set ip vrf " clause the routes are imported but the next hop is not changed, at which point I need to statically point the next hop at the firewall for the routes to become valid. If I just use the "set ip next-hop" command, the next hop is changed but traffic isn't forwarded out of the firewall VRF. Once I use both commands, the next-hop is changed and traffic is properly forwarded.

Is my setup above correct or am I doing something wrong?

Thanks much.

Vijay Ramcharan

From moua0100 at umn.edu Tue Dec 1 20:21:29 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Tue, 01 Dec 2009 19:21:29 -0600
Subject: [c-nsp] ASA authentication using a self signed cert?
In-Reply-To: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com>
References: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com>
Message-ID: <4B15C119.4080905@umn.edu>

I was just looking at something like this today:

ASA 8.x : VPN Access with the AnyConnect VPN Client Using Self-Signed Certificate Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Scott Granados wrote:
> Hi all,
> I'm using a pair of ASA 5520 devices to provide VPN services to end users using the Cisco VPN client on mostly Windows XP and Mac laptops. I've been using the following link as a starting point.
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml
>
> I'm not sure how to make this work with self signed certs though. I did some googling but nothing seemed to match my needs. Does anyone have a good pointer for configuring certificate authentication using a self-signed cert? Is it as simple as executing the steps in the Cisco doc and using openssl to self sign my own certificate request?
>
> Any pointers would be appreciated.
>
> Thanks
> Scott

From graham at g-rock.net Tue Dec 1 21:08:45 2009
From: graham at g-rock.net (Graham Wooden)
Date: Tue, 01 Dec 2009 20:08:45 -0600
Subject: [c-nsp] Level3 Routes - sizing up an edge device
Message-ID:

Can anyone tell me what the current 'local routes' count is from Level3? As I am patiently awaiting my turn up of my Level3 connection, I want to make sure I size up a good edge router handling their routes plus a less-preferred default.
Thanks,

-graham

From p.mayers at imperial.ac.uk Wed Dec 2 04:31:24 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 02 Dec 2009 09:31:24 +0000
Subject: [c-nsp] MPLS - collapsed P PE
In-Reply-To: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
References: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
Message-ID: <4B1633EC.90206@imperial.ac.uk>

harbor235 wrote:
> Is anyone out there utilizing a collapsed P/PE in their MPLS networks?

Yes. Every router in our network is a PE, though we run an enterprise rather than SP-size network (it is more like SP than enterprise in architecture though).

> Do you regret deploying the architecture and what are the problem areas if any?

No regrets, no problems. We've a relatively small routing table and almost all of the CE adjacencies are "connected" subnets rather than dynamic routing neighbours. In that situation, separate P buys you nothing, and the rest of our network architecture doesn't need it.

> I assume it's a dollar issue and as long as you have minimal PE to CE aggregation this is the way to go. However, if you need to scale this solution then the price per CE port can get costly on the single platform. Adding PE is cheaper than adding a P !!
> Can you migrate to a separate P and PE easily ?
>
> thanx
>
> Mike

From mtinka at globaltransit.net Wed Dec 2 04:16:49 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 2 Dec 2009 17:16:49 +0800
Subject: [c-nsp] MPLS - collapsed P PE
In-Reply-To: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
References: <836bf1f90912011125g6b22286ejf0d5f903cf19362b@mail.gmail.com>
Message-ID: <200912021716.53933.mtinka@globaltransit.net>

On Wednesday 02 December 2009 03:25:50 am harbor235 wrote:

> Is anyone out there utilizing a collapsed P/PE in their MPLS networks?

We have a number of these, particularly in smaller PoP's.

We have designated specific key locations in the business district or country as major core PoP's. These have P routers as well as some others to support customers and production services.

In smaller PoP's, we deploy collapsed P/PE boxes that haul back to our P routers. It's a design that works well, doesn't break the bank, and can easily be upgraded if a P function needs to be separated from the PE function, in the future.

> Do you regret deploying the architecture

Nope!

> and what are the problem areas if any?

None, it just works. Again, the architecture is such that the functions can be separated at any time, if needed.

> I assume it's a dollar issue...

Yes. No use having a CRS-1 next to an ASR1002 in a small PoP just to serve customers there, when you can get an ASR1006 and use it for both functions, if you don't need to push more than 20Gbps of aggregated capacity :-).

> and as long as you have minimal PE to CE aggregation this is the way to go.

Like Pshem, all our P/PE-based PoP's aggregate customers on regular Ethernet switches purely forwarding on Layer 2 Ethernet alone. 802.1Q trunks + LACP give you uplink capacity and redundancy.
You can take this one step further and include aggregation in your P/PE setup, but this means a slightly bigger box, which may or may not make sense, e.g., Juniper's new MX80 vs. Cisco's 7604 vs. Brocade's NetIron CES/CER 2000, depending on the depth of your pockets and how important the PoP is.

Cheers,

Mark.

From listacct at genhex.net Wed Dec 2 07:47:57 2009
From: listacct at genhex.net (Jeff Crowe)
Date: Wed, 2 Dec 2009 07:47:57 -0500
Subject: [c-nsp] Level3 Routes - sizing up an edge device
In-Reply-To:
References:
Message-ID: <000001ca734d$ac3019f0$04904dd0$@net>

Hi Graham,

We are currently seeing 297902 routes from L3.

Cheers,
Jeff

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Graham Wooden
Sent: Tuesday, December 01, 2009 9:09 PM
To: cisco-nsp
Subject: [c-nsp] Level3 Routes - sizing up an edge device

Can anyone tell me what the current 'local routes' count is from Level3? As I am patiently awaiting my turn up of my Level3 connection, I want to make sure I size up a good edge router handling their routes plus a less-preferred default.

Thanks,

-graham

From graham at g-rock.net Wed Dec 2 07:55:59 2009
From: graham at g-rock.net (Graham Wooden)
Date: Wed, 02 Dec 2009 06:55:59 -0600
Subject: [c-nsp] VPN Tunneling question
In-Reply-To:
Message-ID:

Seems like my other email on Sunday (hairpinning VPN client) probably answered this as well. In this case, I already have the 525 with the v7.x code on it.
-graham

On 11/29/09 10:52 AM, "Graham Wooden" wrote:

> Hi all,
>
> I am bringing up a new remote location that is currently being served by a DSL line. This site will ultimately be served with my own PtP solution, but in the meantime and to help with the migration, I want to deploy a routable subnet at the location using a VPN solution between two PIX firewalls. I drew up a diagram depicting this, which can be found at:
> http://www.iamforeverme.com/VPN_Issue_diagram.pdf
>
> Other than some routing statements that need to be put in at my edge and core routers, anything I need to do on the main site's firewall to facilitate traffic coming in/out on the outside interface? The 525 is currently running v7.0.2.
>
> I was thinking about doing a GRE tunnel but since I have an extra 506e (v6.3.5) I would just use that and do an IPSEC tunnel to my 525 at my main site. I want all the traffic at the remote site to traverse the VPN tunnel, since its source addressing will be a public subnet originating at the main site.
>
> Seems like a common setup, no? Any thing else I need to consider?
> Thanks all,
>
> -graham

From asturluismi at gmail.com Wed Dec 2 09:26:36 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 02 Dec 2009 15:26:36 +0100
Subject: [c-nsp] menu at cisco with arguments
Message-ID: <1259763996.1984.1.camel@hal9000>

Hi there, is it possible to create menus in the Cisco IOS and ask for an argument?

I would like to see if there is any option to see something like this in the IOS:

-----------------
1 - Ping

Select option: 1
Enter IPv4 address to do ping:
-----------------

Regards.
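One way to build the menu sketched above is a Tcl script run under IOS tclsh. The script below is an added example for this archive, not something posted in the thread or shipped by Cisco; it assumes the IOS Tcl shell's built-in "exec" command (runs one exec-mode IOS command and returns its output) and that "gets stdin" reads a line from the user's terminal, and the file name pingmenu.tcl is an arbitrary choice. The point worth noting is that the address the user types is validated as a dotted quad before it is interpolated into the IOS command line, so a menu user cannot append extra keywords or output modifiers to the underlying ping.

```tcl
# Added example (not from the thread): interactive ping menu for IOS tclsh.
# Assumes IOS Tcl's built-in "exec" command runs one exec-mode IOS command.
# Run with (assumed path):  tclsh flash:pingmenu.tcl

# Return 1 if addr is a well-formed IPv4 dotted quad, 0 otherwise.
proc valid_ipv4 {addr} {
    set octets [split $addr .]
    if {[llength $octets] != 4} { return 0 }
    foreach o $octets {
        if {![regexp {^[0-9]{1,3}$} $o]} { return 0 }
        # scan with %d reads "08" as decimal 8, not octal
        scan $o %d n
        if {$n > 255} { return 0 }
    }
    return 1
}

proc show_menu {} {
    puts "-----------------"
    puts "1 - Ping"
    puts "2 - Exit"
    puts "-----------------"
    puts -nonewline "Select option: "
    flush stdout
}

while {1} {
    show_menu
    if {[gets stdin choice] < 0} { break }
    switch -- [string trim $choice] {
        1 {
            puts -nonewline "Enter IPv4 address to do ping: "
            flush stdout
            gets stdin target
            set target [string trim $target]
            if {![valid_ipv4 $target]} {
                puts "Not a valid IPv4 address: $target"
                continue
            }
            # Only a validated dotted quad reaches the IOS command line.
            puts [exec "ping $target"]
        }
        2 { break }
        default { puts "Unknown option." }
    }
}
```

Hostnames are rejected on purpose: accepting free text would let anything after the address reach the IOS parser, which is the kind of argument a restricted menu user should not be able to supply.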
From Eddie.Lindsay at synetrix.co.uk Wed Dec 2 09:39:10 2009
From: Eddie.Lindsay at synetrix.co.uk (Eddie.Lindsay at synetrix.co.uk)
Date: Wed, 2 Dec 2009 14:39:10 +0000
Subject: [c-nsp] menu at cisco with arguments
In-Reply-To: <1259763996.1984.1.camel@hal9000>
References: <1259763996.1984.1.camel@hal9000>
Message-ID:

Hi,

There are a couple of ways of doing this with IOS, including Embedded Menu Manager and writing a tcl script. The Embedded Menu Manager has an XML based language to set up the menu and it is very flexible, the only problem I could see being that it wasn't available in all IOS feature sets I tried.

Regards,
Eddie

On 2 Dec 2009, at 14:26, luismi wrote:

> Hi there, is it possible to create menus in the Cisco IOS and ask for an argument?
>
> I would like to see if there is any option to see something like this in the IOS:
>
> -----------------
> 1 - Ping
>
> Select option: 1
> Enter IPv4 address to do ping:
> -----------------
>
> Regards.

----------------------------------------------------------------------------------------------------------
Synetrix Holdings Limited
Tel: +44 (0)1252 405 600
www.synetrix.co.uk

Synetrix (Holdings) Limited is a limited company registered in England and Wales. Registered number: 0349 1956. VAT number: GB776 1259 07. Registered office: Synetrix House, 49-51 Victoria Road, Farnborough, Hampshire, GU14 7PA.

IMPORTANT NOTICE: This message is intended solely for the use of the Individual or organisation to whom it is addressed. It may contain privileged or confidential information. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you should not use, copy, alter, or disclose the contents of this message.
All information or opinions expressed in this message and/or any attachments are those of the author and are not necessarily those of Synetrix Holdings Limited. Synetrix Holdings Limited accepts no responsibility for loss or damage arising from its use, including damage from virus.

From jeff-kell at utc.edu Wed Dec 2 09:43:16 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 02 Dec 2009 09:43:16 -0500
Subject: [c-nsp] menu at cisco with arguments
In-Reply-To: <1259763996.1984.1.camel@hal9000>
References: <1259763996.1984.1.camel@hal9000>
Message-ID: <4B167D04.5000809@utc.edu>

luismi wrote:
> Hi there, is it possible to create menus in the Cisco IOS and ask for an argument?

Sure. Search on eBay for some legacy [pre-CLI] 1900s :-)

Jeff

From avayner at cisco.com Wed Dec 2 10:15:01 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 2 Dec 2009 16:15:01 +0100
Subject: [c-nsp] menu at cisco with arguments
In-Reply-To:
References: <1259763996.1984.1.camel@hal9000>
Message-ID:

This is the config guide for EMM:
https://ciscosales.webex.com/ciscosales/k2/j.php?ED=128360782&UID=1205736437&RT=MiMyMw%3D%3D

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eddie.Lindsay at synetrix.co.uk
Sent: Wednesday, December 02, 2009 16:39
To: asturluismi at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] menu at cisco with arguments

Hi,

There are a couple of ways of doing this with IOS, including Embedded Menu Manager and writing a tcl script. The Embedded Menu Manager has an XML based language to set up the menu and it is very flexible, the only problem I could see being that it wasn't available in all IOS feature sets I tried.

Regards,
Eddie

On 2 Dec 2009, at 14:26, luismi wrote:

> Hi there, is it possible to create menus in the Cisco IOS and ask for an argument?
>
> I would like to see if there is any option to see something like this in the IOS:
>
> -----------------
> 1 - Ping
>
> Select option: 1
> Enter IPv4 address to do ping:
> -----------------
>
> Regards.
From kamen.georgiev at yahoo.com Wed Dec 2 09:28:18 2009
From: kamen.georgiev at yahoo.com (Kamen Georgiev)
Date: Wed, 2 Dec 2009 06:28:18 -0800 (PST)
Subject: [c-nsp] VWIC-2MFT-E1 issue on 2621
Message-ID: <281194.94373.qm@web112416.mail.gq1.yahoo.com>

Hello Gents,

I have a 2621 with a VWIC-2MFT-E1 module. In "sh ip int br" under the serial interface I have protocol status "reset". Under "show controllers E1" I have "Receiver is getting AIS" but on the transmission equipment I see an error "loss of signal" which indicates a problem with the patch. The field engineer checked the patch, looped it and the port went up, but as soon as we connect it back to the ADM it goes to reset.

Regards,
Kamen

From rodunn at cisco.com Wed Dec 2 11:18:05 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 02 Dec 2009 11:18:05 -0500
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B15651D.400@cisco.com>
References: <4B1426F7.5050604@whole-uk.com> <4B15651D.400@cisco.com>
Message-ID: <4B16933D.60702@cisco.com>

From the 'sh stack' you posted offline it *appears* that this may be a result of:

CSCsv85009 fixed in 12.4(22)T2.

I didn't spend a lot of time analyzing it but the code tracebacks you sent me offline match up pretty closely.

Rodney

Rodney Dunn wrote:
> Post a 'sh stack'.
>
> Rodney
>
> Pete Barnwell wrote:
>> I've had a 2821 reload unexpectedly - sh ver shows a bus error as below
>>
>> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T1, RELEASE SOFTWARE (fc5)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2009 by Cisco Systems, Inc.
>> Compiled Thu 26-Feb-09 19:47 by prod_rel_team
>>
>> ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
>>
>> uptime is 1 hour, 7 minutes
>> System returned to ROM by bus error at PC 0x4224F26C, address 0x1E at 18:56:16 GMT Mon Nov 30 2009
>> System restarted at 18:43:38 GMT Mon Nov 30 2009
>>
>> #sh region address 0x4224F26C
>> Address 0x4224F26C is located physically in :
>>
>> Name  : text
>> Class : IText
>> Media : R/O
>> Start : 0x4000F000
>> End   : 0x43F7FFFF
>> Size  : 0x03F71000
>>
>> This suggests to me hardware rather than software from Googling?
>>
>> The router's got its original 256Mb and an additional 512Mb stick in it - is it possible to tell if this is a memory error from this, and if so which stick might be the problem?
>>
>> I have no Smartnet on this, so can't ask TAC :(
>>
>> Thanks
>>
>> Pete

From peter at whole-uk.com Wed Dec 2 11:36:58 2009
From: peter at whole-uk.com (Pete Barnwell)
Date: Wed, 02 Dec 2009 16:36:58 +0000
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B16933D.60702@cisco.com>
References: <4B1426F7.5050604@whole-uk.com> <4B15651D.400@cisco.com> <4B16933D.60702@cisco.com>
Message-ID: <4B1697AA.1040302@whole-uk.com>

Rodney Dunn wrote:
> From the 'sh stack' you posted offline it *appears* that this may be a result of:
>
> CSCsv85009 fixed in 12.4(22)T2.
>
> I didn't spend a lot of time analyzing it but the code tracebacks you sent me offline match up pretty closely.
>
> Rodney

Thanks - I'm going to try upgrading it to 12.4(22)T2 and see if that fixes the problem.
Regards

Pete

From pslund at gmail.com Wed Dec 2 11:49:12 2009
From: pslund at gmail.com (Pär Åslund)
Date: Wed, 2 Dec 2009 17:49:12 +0100
Subject: [c-nsp] Downgrade from 12.2(33)SXI2a to 122-18.SXF17
Message-ID: <89b664f30912020849y58d8f577t62c9916fb9658164@mail.gmail.com>

Hi,

I'm going to downgrade a Cisco 6500 with Sup-720 from 12.2(33)SXI2a to 1.22(18)SXF17 for a hardware issue.

I think I have checked everything:

Configuration issues (all commands available)
Hardware support (all modules supported)
Bootloader (not needed on sup-720 for 1.22(18)SXF17 according to Cisco documentation)

Anyone got any more pointers I might have missed? Hard to find good documentation about downgrading. If anyone knows good documentation about this, feel free to share it.

My experience after missing some configuration differences (switch went berserk back then, several years ago) makes me a bit uneasy with downgrading IOS versions.

best regards,
pelle

From p.mayers at imperial.ac.uk Wed Dec 2 12:18:51 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 02 Dec 2009 17:18:51 +0000
Subject: [c-nsp] Downgrade from 12.2(33)SXI2a to 122-18.SXF17
In-Reply-To: <89b664f30912020849y58d8f577t62c9916fb9658164@mail.gmail.com>
References: <89b664f30912020849y58d8f577t62c9916fb9658164@mail.gmail.com>
Message-ID: <4B16A17B.1010400@imperial.ac.uk>

Pär Åslund wrote:
> Hi,
>
> I'm going to downgrade a Cisco 6500 with Sup-720 from 12.2(33)SXI2a to 1.22(18)SXF17 for a hardware issue.
>
> I think I have checked everything:
>
> Configuration issues (all commands available)
> Hardware support (all modules supported)
> Bootloader (not needed on sup-720 for 1.22(18)SXF17 according to Cisco documentation)
>
> Anyone got any more pointers I might have missed?
I tested this for SXI (not 2a) when we upgraded, and from my notes:

 * If you're using VRFs and have converted the config to new-style "vrf definition", you need to backport config

 * If you've re-formatted the flash disk under SXI you should probably (to be safe) format it under SXF before downgrade

...but other than that, if you're sure the IOS config & hardware is compatible it should be fine - we frequently put our test/lab box back into SXF.

From walter.keen at RainierConnect.net Wed Dec 2 11:48:33 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Wed, 02 Dec 2009 08:48:33 -0800
Subject: [c-nsp] CompactFlash card compatibility
Message-ID: <4B169A61.6090002@rainierconnect.net>

Wondering if anyone has any insight on CF card compatibility on sup720-3b's. Getting parts from Cisco can sometimes have a significant lead time, but I need to install a larger image very soon.

--

From cluestore at gmail.com Wed Dec 2 12:38:41 2009
From: cluestore at gmail.com (Clue Store)
Date: Wed, 2 Dec 2009 11:38:41 -0600
Subject: [c-nsp] CompactFlash card compatibility
In-Reply-To: <4B169A61.6090002@rainierconnect.net>
References: <4B169A61.6090002@rainierconnect.net>
Message-ID: <580af3b90912020938g30415dbbk9e121d5dda02c63a@mail.gmail.com>

We've been using Sandisk Ultra 2 CF 2gb cards from Staples. No issues so far. We have these running on 6 different 720-3BXL's.

HTH,
Clue

On Wed, Dec 2, 2009 at 10:48 AM, Walter Keen wrote:
> Wondering if anyone has any insight on CF card compatibility on
> sup720-3b's. Getting parts from Cisco can sometimes have a significant lead
> time, but I need to install a larger image very soon.
>
> --
>

From rsm at fast-serv.com Wed Dec 2 13:02:15 2009
From: rsm at fast-serv.com (Randy McAnally)
Date: Wed, 2 Dec 2009 13:02:15 -0500
Subject: [c-nsp] CompactFlash card compatibility
In-Reply-To: <580af3b90912020938g30415dbbk9e121d5dda02c63a@mail.gmail.com>
References: <4B169A61.6090002@rainierconnect.net> <580af3b90912020938g30415dbbk9e121d5dda02c63a@mail.gmail.com>
Message-ID: <20091202180144.M44964@fast-serv.com>

> We've been using Sandisk Ultra 2 CF 2gb cards from Staples. No
> issues so far. We have these running on 6 different 720-3BXL's.

Same here. Just be sure to format them with the sup or they won't boot.

--
Randy

From fitzgeraldb at camosun.bc.ca Wed Dec 2 13:07:28 2009
From: fitzgeraldb at camosun.bc.ca (Brian Fitzgerald)
Date: Wed, 02 Dec 2009 10:07:28 -0800
Subject: [c-nsp] CompactFlash card compatibility
In-Reply-To: <20091202180144.M44964@fast-serv.com>

We have been using the Kingston CF/4GB Type I - they work fine, with same caveat as Randy posted - format them in the Sup first.

One other note - no matter what brand, stick to the slower cards (type I or II) as the faster access-time cards do NOT work - they do not format or read correctly. Good news is the slower ones are a lot cheaper...

Brian

On 09-12-02 10:02 AM, "Randy McAnally" wrote:

>> We've been using Sandisk Ultra 2 CF 2gb cards from Staples. No
>> issues so far. We have these running on 6 different 720-3BXL's.
>
> Same here. Just be sure to format them with the sup or they won't boot.
>
> --
> Randy

From eninja at gmail.com Wed Dec 2 14:24:40 2009
From: eninja at gmail.com (Eninja)
Date: Wed, 2 Dec 2009 20:24:40 +0100
Subject: [c-nsp] 2821 spurious reload

Pete,

Get off the T train to 15.0. T train is too unstable to be run in _any_ production network and should _only_ be used when there is absolutely no alternative.

Eninja

PS. Rodney, feel free to post the release notes of sv85009 so others can be enlightened about its cause and effect. Tx

On Dec 2, 2009, at 5:36 PM, Pete Barnwell wrote:

>
>
> Rodney Dunn wrote:
>> From the 'sh stack' you posted offline it *appears* that this may
>> be a
>> result of:
>>
>> CSCsv85009 fixed in 12.4(22)T2.
>>
>> I didn't spend a lot of time analyzing it but the code tracebacks you
>> sent me offline match up pretty closely.
>>
>> Rodney
>>
>
> Thanks - I'm going to try upgrading it to 12.4(22)T2 and see if that
> fixes the problem.
>
> Regards
>
> Pete

From jared.a.gillis at gmail.com Wed Dec 2 15:12:13 2009
From: jared.a.gillis at gmail.com (Jared Gillis)
Date: Wed, 02 Dec 2009 12:12:13 -0800
Subject: [c-nsp] Problem disabling proxy-arp
Message-ID: <4B16CA1D.9020602@gmail.com>

Hello,

I'm running some 3750s that are providing IP aggregation for customers of mine. One of the customers reported that his gateway (the 3750) was responding to ARP for his local LAN addresses. Taking a look, I realized that I forgot to disable proxy-arp on that 3750.
I disabled it via the global "ip proxy arp disable" command, but it doesn't seem to have worked; the customer still says he is seeing ARP responses from the gateway, but only on PCs that have just booted. Also, "show ip int xxx" reports that proxy-arp is still live on the interface:

#show ip int vlan101
Vlan101 is up, line protocol is up
  Internet address is 70.36.146.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 100
  Proxy ARP is enabled
  Local Proxy ARP is disabled

I've confirmed that if I go into the interface and issue "no ip proxy-arp", then the "show ip int xxx" output also shows that it is disabled.

What am I missing here to make sure that proxy-arp is globally disabled for every L3 interface on my 3750s? Do I really have to put the "no ip proxy-arp" command on each and every interface?

-Jared

From lists at hojmark.org Wed Dec 2 15:23:43 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 02 Dec 2009 21:23:43 +0100
Subject: [c-nsp] Problem disabling proxy-arp
In-Reply-To: <4B16CA1D.9020602@gmail.com>
References: <4B16CA1D.9020602@gmail.com>
Message-ID: <96jdh558724otpe2uhhnhv5n78vuav0q19@hojmark.net>

On Wed, 02 Dec 2009 12:12:13 -0800, you wrote:

> Do I really have to put the "no ip proxy-arp" command on each
> and every interface?

Yes.
-A

From pslund at gmail.com Wed Dec 2 15:36:40 2009
From: pslund at gmail.com (Pär Åslund)
Date: Wed, 2 Dec 2009 21:36:40 +0100
Subject: [c-nsp] Downgrade from 12.2(33)SXI2a to 122-18.SXF17
In-Reply-To: <4B16A17B.1010400@imperial.ac.uk>
References: <89b664f30912020849y58d8f577t62c9916fb9658164@mail.gmail.com> <4B16A17B.1010400@imperial.ac.uk>
Message-ID: <89b664f30912021236n30442ce5w86b50022986718d@mail.gmail.com>

On Wed, Dec 2, 2009 at 6:18 PM, Phil Mayers wrote:
> Pär Åslund wrote:
>>
>> I'm going to downgrade a Cisco 6500 with Sup-720 from 12.2(33)SXI2a to
>> 1.22(18)SXF17 for hardware issue.
>>
[...]
>>
>> Anyone got any more pointers I might have missed?
>
> I tested this for SXI (not 2a) when we upgraded, and from my notes:
>
>  * If you're using VRFs and have converted the config to new-style "vrf
> definition", you need to backport config
>
>  * If you've re-formatted the flash disk under SXI you should probably (to
> be safe) format it under SXF before downgrade
>
> ...but other than that, if you're sure the IOS config & hardware is
> compatible it should be fine - we frequently put our test/lab box back into
> SXF.
>

Hi Phil,

Thanks for the pointers. No VRF configuration is used at all. Didn't know about the format flash disk, will check that.

.pelle

From lukasz at bromirski.net Wed Dec 2 16:14:26 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 02 Dec 2009 22:14:26 +0100
Subject: [c-nsp] 2821 spurious reload
Message-ID: <4B16D8B2.6060509@bromirski.net>

On 2009-12-02 20:24, Eninja wrote:
> Pete,
>
> Get off the T train to 15.0.
> T train is too unstable to be run in _any_
> production network and should _only_ be used when there is absolutely no
> alternative.

Actually, the 15.0M *is* the 12.4T train after branching off the 12.4(24)T. Along with many fixes and enhancements, but technically speaking that's the continuation.

--
"Everything will be okay in the end. | Łukasz Bromirski
 If it's not okay, it's not the end. | http://lukasz.bromirski.net

From aptgetd at gmail.com Wed Dec 2 17:22:37 2009
From: aptgetd at gmail.com (sky vader)
Date: Wed, 02 Dec 2009 14:22:37 -0800
Subject: [c-nsp] Bandwidth Statement - Tunnel Interface
Message-ID: <4B16E8AD.6060403@gmail.com>

Hi,

Just curious, since the default bandwidth for tunnel interface is 9k (cisco platform), does that mean the maximum bandwidth I can have is 9k? What's the purpose of setting bandwidth statement on a tunnel interface? Does that mean I get bandwidth that is set or what the router will report via snmp?

Insight will be appreciated.

regards,
sky

From jay at west.net Wed Dec 2 17:55:46 2009
From: jay at west.net (Jay Hennigan)
Date: Wed, 02 Dec 2009 14:55:46 -0800
Subject: [c-nsp] Bandwidth Statement - Tunnel Interface
In-Reply-To: <4B16E8AD.6060403@gmail.com>
References: <4B16E8AD.6060403@gmail.com>
Message-ID: <4B16F072.4040405@west.net>

sky vader wrote:
> Hi,
>
> Just curious, since the default bandwidth for tunnel interface is 9k
> (cisco platform), does that mean the maximum bandwidth I can have is 9k?

No.

> What's the purpose of setting bandwidth statement on a tunnel interface?
> Does that mean I get bandwidth that is set or what the router will
> report via snmp?

Three things come to mind, there are likely other subtle ones...

1. Dynamic routing protocols use the interface bandwidth for path selection. Manually specifying the bandwidth to something sane for the physical path over which the tunnel rides may be needed for proper route selection.

2.
MRTG and similar tools will use the configured bandwidth as the default maximum for graphing and analysis purposes. Leaving it at 9K is likely to result in graphs topped at that value. SNMP of the actual traffic counts will be accurate, but configuration tools of graphing software will get the configured bandwidth on setup and may behave as if this is the physical limit.

3. QoS and traffic shaping applied to the interface will use the configured bandwidth for percentage calculations and the like. This will almost certainly cause results that aren't what you expect unless the tunnel is running over a dialup link.

If you are doing none of these, then the configured bandwidth statement really doesn't affect anything in terms of operation that I've noticed.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From ayourtch at cisco.com Wed Dec 2 18:06:57 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Thu, 3 Dec 2009 00:06:57 +0100 (CET)
Subject: [c-nsp] Problem disabling proxy-arp
In-Reply-To: <4B16CA1D.9020602@gmail.com>
References: <4B16CA1D.9020602@gmail.com>

On Wed, 2 Dec 2009, Jared Gillis wrote:

> Hello,
>
> I'm running some 3750s that are providing IP aggregation for customers of mine. One of the customers reported that his gateway (the 3750) was responding to ARP for his local LAN addresses. Taking a look, I realized that I forgot to disable proxy-arp on that 3750. I disabled it via the global "ip proxy arp disable" command, but it doesn't seem to have worked; the customer still says he is seeing ARP responses from the gateway, but only on PCs that have just booted.
> Also, "show ip int xxx" reports that proxy-arp is still live on the interface:
>
> #show ip int vlan101
> Vlan101 is up, line protocol is up
>   Internet address is 70.36.146.1/24
>   Broadcast address is 255.255.255.255
>   Address determined by setup command
>   MTU is 1500 bytes
>   Helper address is not set
>   Directed broadcast forwarding is disabled
>   Outgoing access list is not set
>   Inbound access list is 100
>   Proxy ARP is enabled
>   Local Proxy ARP is disabled

This might be the result of CSCsl75648, which does not reflect the global state of the proxy arp in the per-interface output.

I'd suggest double-checking with a sniffer trace how exactly the ARP traffic between the newly booted PCs and the gateway looks, and seeing if you can correlate it with anything in the config. Maybe there is more than one contributor to the overall issue - and disabling proxy-arp globally on the gateway solved only a part of it.

(Of course, checking if explicitly disabling proxy-arp on the interface helps would not hurt either - but even if it helps, the sniffer traces will be very useful to find the root cause).

thanks,
andrew

From rudal at online.rudal.com Wed Dec 2 23:28:33 2009
From: rudal at online.rudal.com (Rudy Setiawan)
Date: Thu, 3 Dec 2009 11:28:33 +0700
Subject: [c-nsp] Error message on 6500s
Message-ID: <79b6f8780912022028r11605d79ud0d6e31a430ebc7f@mail.gmail.com>

Hi all,

I received this error message:

Dec 2 19:54:10.874: %SCP-SP-3-SCP_HA_FAIL: SCP HA Seq Set - Module: 3 failed 0 times

I read about the error and it said it's not good for the module not to receive the HA sequence, but it does say "failed 0 times". Does this mean module 3 received the Sequence set? Or does it mean it failed once only?
Thank you

regards,
rudy

From eninja at gmail.com Wed Dec 2 23:42:22 2009
From: eninja at gmail.com (Eninja)
Date: Thu, 3 Dec 2009 05:42:22 +0100
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B16D8B2.6060509@bromirski.net>
References: <4B16D8B2.6060509@bromirski.net>
Message-ID: <2C807981-39BC-4BDD-ACF6-F30FB7E83C99@gmail.com>

On Dec 2, 2009, at 10:14 PM, Łukasz Bromirski wrote:

> On 2009-12-02 20:24, Eninja wrote:
>> Pete,
>>
>> Get off the T train to 15.0. T train is too unstable to be run in
>> _any_
>> production network and should _only_ be used when there is
>> absolutely no
>> alternative.
>
> Actually, the 15.0M *is* the 12.4T train after branching off the
> 12.4(24)T. Along with many fixes and enhancements, but technically
> speaking that's the continuation.
>

Yes, 12.4T became 15.0 mainline, thus it contains all the features in 12.4T but now only enjoys bug fixes with no new features added. This is why mainline releases are more 'reliable'.

New feature implementation is the primary cause of T-train instability.

eninja

From sethm at rollernet.us Wed Dec 2 23:50:04 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 02 Dec 2009 20:50:04 -0800
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <2C807981-39BC-4BDD-ACF6-F30FB7E83C99@gmail.com>
References: <4B16D8B2.6060509@bromirski.net> <2C807981-39BC-4BDD-ACF6-F30FB7E83C99@gmail.com>
Message-ID: <4B17437C.3030407@rollernet.us>

Eninja wrote:
>
> On Dec 2, 2009, at 10:14 PM, Łukasz Bromirski wrote:
>
>> On 2009-12-02 20:24, Eninja wrote:
>>> Pete,
>>>
>>> Get off the T train to 15.0. T train is too unstable to be run in _any_
>>> production network and should _only_ be used when there is absolutely no
>>> alternative.
>>
>> Actually, the 15.0M *is* the 12.4T train after branching off the
>> 12.4(24)T. Along with many fixes and enhancements, but technically
>> speaking that's the continuation.
>>
>
> Yes, 12.4T became 15.0 mainline, thus it contains all the features in
> 12.4T but now only enjoys bug fixes with no new features added. This is
> why mainline releases are more 'reliable'.
>
> New feature implementation is the primary cause of T-train instability.
>

Especially in the case of using 12.4T because you need a feature in it, that feature is certainly in 15 and there's no reason to stick with (the potentially more buggy) 12.4T.

~Seth

From peter at whole-uk.com Thu Dec 3 02:45:17 2009
From: peter at whole-uk.com (Pete Barnwell)
Date: Thu, 03 Dec 2009 07:45:17 +0000
Subject: [c-nsp] 2821 spurious reload
In-Reply-To: <4B17437C.3030407@rollernet.us>
References: <4B16D8B2.6060509@bromirski.net> <2C807981-39BC-4BDD-ACF6-F30FB7E83C99@gmail.com> <4B17437C.3030407@rollernet.us>
Message-ID: <4B176C8D.3040109@whole-uk.com>

Seth Mattinen wrote:
>
> Especially in the case of using 12.4T because you need a feature in it,
> that feature is certainly in 15 and there's no reason to stick with (the
> potentially more buggy) 12.4T.

Flashcard size - I can't get access to this router at all easily, so anything that won't fit on a 64Mb flash isn't a good option - T train was the only option that supported the cards in this router (ignoring XJ which I tried and had a horrible L2TP bug...)

Regards

Pete

From ecables at gmail.com Thu Dec 3 05:04:24 2009
From: ecables at gmail.com (Eric Cables)
Date: Thu, 3 Dec 2009 02:04:24 -0800
Subject: [c-nsp] Centralized OOB Server / Appliance

Hi all,

I am researching ideas/solutions for building a centralized/redundant OOB management/dialer system. The purpose will be to provide a couple of geographically distributed systems with a modem (or more) attached (preferably logically attached) for connecting to remote offices when their primary WAN link is down. The remote offices have a standard terminal server with a modem.
The current solution deployed is a single server with a single modem physically attached, using a shared minicom dialing directory as the dialer. Obviously another system at another geographic location is preferred, but that leads to the next hurdle -- virtualization. Not only are systems quickly being virtualized, but once virtualized VMotion and the lack of physical serial/USB ports makes physically connecting modems to a single host server a non-option.

Here's the basic concept in a perfect world:

- Site A has a Guest OS and a modem connected to a Serial/USB over IP device
- Site B has a Guest OS and a modem connected to a Serial/USB over IP device
- The Guest OS at both Sites A & B share a dialing directory and emulate their local modem over IP.

Avocent has a seemingly good product (http://www.connectivity.avocent.com/products/network-based/), but the proposed OS is FreeBSD, which doesn't appear to be supported.

- Has anyone used the Avocent product, or another similar product, with success?
- Any FreeBSD experts out there know whether or not their Linux drivers would be able to emulate a serial device to FreeBSD using Linux "emulation?"
- Are there any "purpose built" systems that function as a centralized dialer?
- Are there any suggestions for a dialer other than Minicom?

Thanks,

--
Eric Cables

From ziliomarcelo at gmail.com Thu Dec 3 06:46:29 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Thu, 3 Dec 2009 09:46:29 -0200
Subject: [c-nsp] Ethernet WAN Links question
Message-ID: <62f79b510912030346s2539c1d7n69053d7fb4675c5e@mail.gmail.com>

Hi,

I'm facing a new situation. We are exchanging our Service Provider for MPLS and Internet links. We have requested them redundant MPLS and Internet connections. At the HQ site they gave us Ethernet interfaces as media access. So far so good.
The problem is that this Service Provider gave us two Ethernet cables configured with 802.1q, the first cable being the "main" Internet and MPLS and the second the "backup" Internet and MPLS. They ask us to connect these cables to our LAN switches, create VLANs and connect to our layer 3 devices so we could use four cables, two for Internet and two for MPLS.

A simple scheme:

SP (802.1q main Internet and MPLS)   -----  LAN Switch  -----> Internet VLAN 10
   (802.1q backup Internet and MPLS) -----|             -----> Internet VLAN 11
                                                        -----> MPLS VLAN 20
                                                        -----> MPLS VLAN 30

There is an option they supply the switch too.

The first thing that came to mind is security issues since we are connecting Internet and Local Network to the same switch inside the network.

The question is: Is this a common practice? How do you handle this scenario?

Any input will be helpful

Thanks

From swmike at swm.pp.se Thu Dec 3 08:02:27 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 3 Dec 2009 14:02:27 +0100 (CET)
Subject: [c-nsp] Ethernet WAN Links question
In-Reply-To: <62f79b510912030346s2539c1d7n69053d7fb4675c5e@mail.gmail.com>
References: <62f79b510912030346s2539c1d7n69053d7fb4675c5e@mail.gmail.com>

On Thu, 3 Dec 2009, Marcelo Zilio wrote:

> There is an option they supply the switch too.
> The first thing that came to mind is security issues since we are connecting
> Internet and Local Network to the same switch inside the network.

That's like saying there is a security risk in running two phonecalls in the same T1/E1. They're logically separated, it's commonly done.

> The question is: Is this a common practice? How do you handle this
> scenario?

Usually I'd say that the ISP will solve the handoff by having a switch or media converter to give you one port per service, but using vlans for logical separation has been pretty much standard procedure for 10 years in a lot of places.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From chrisjscott at gmail.com Thu Dec 3 08:19:39 2009
From: chrisjscott at gmail.com (Chris Scott)
Date: Thu, 3 Dec 2009 13:19:39 +0000
Subject: [c-nsp] CompactFlash card compatibility
References: <20091202180144.M44964@fast-serv.com>
Message-ID: <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com>

2009/12/2 Brian Fitzgerald :
> We have been using the Kingston CF/4GB Type I - they work fine, with same
> caveat as Randy posted - format them in the Sup first.

I have a 2-week old Sup720-3B running 12.2(33)SXI3 that formats and can use a Kingston CF/1GB no probs. My other Sup720-3B is 4 years old running 12.2(18)SXD3. It gives me "device not found" when trying to dir or format the same card. Don't know if this is a HW or SW difference. Newer Sup has 512MB sup-bootflash, older has a mere 64MB. Won't be able to empirically test until I take the plunge and do the IOS update on the Sup that's been up for 4 years :-/ The older Sup takes SanDisk 256MB CF II card ok so that's enough for today's current and rollback image needs.

Only Cisco reference I've found seems quite dated and wildly incomplete: http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00801a5d58.shtml

--
Chris

From NMaio at guesswho.com Thu Dec 3 08:32:00 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Thu, 3 Dec 2009 08:32:00 -0500
Subject: [c-nsp] CompactFlash card compatibility
In-Reply-To: <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com>
References: <20091202180144.M44964@fast-serv.com> <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com>
Message-ID: <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com>

Chris,

Is it possible that you need the WS-CF-UPG aka CF-ADAPTER-SP for your older SUP.
I think it is included in the newer 720s Nick -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Scott Sent: Thursday, December 03, 2009 8:20 AM To: Brian Fitzgerald; Walter Keen; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] CompactFlash card compatibility 2009/12/2 Brian Fitzgerald : > We have been using the Kingston CF/4GB Type I - they work fine, with same > caveat as Randy posted - format them in the Sup first. I have a 2-week old Sup720-3B running 12.2(33)SXI3 that formats and can use a Kingston CF/1GB no probs. My other Sup720-3B is 4 years old running 12.2(18)SXD3. It gives me "device not found" when trying to dir or format the same card. Don't know if this is a HW or SW difference. Newer Sup has 512MB sup-bootflash, older has a mere 64MB. Won't be able to empirically test until I take the plunge and do the IOS update on the Sup that's been up for 4 years :-/ The older Sup takes SanDisk 256MB CF II card ok so that's enough for today's current and rollback image needs. 
Only Cisco reference I've found seems quited dated and wildly incomplete: http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00801a5d58.shtml -- Chris _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From chrisjscott at gmail.com Thu Dec 3 08:57:08 2009 From: chrisjscott at gmail.com (Chris Scott) Date: Thu, 3 Dec 2009 13:57:08 +0000 Subject: [c-nsp] CompactFlash card compatibility In-Reply-To: <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com> References: <20091202180144.M44964@fast-serv.com> <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com> <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com> Message-ID: <9fcc08fd0912030557v245c6a55md0de6b16e860a8d4@mail.gmail.com> 2009/12/3 : > Chris, > Is it possible that you need the WS-CF-UPG aka CF-ADAPTER-SP for your older SUP. ?I think it is included in the newer 720s > Nick > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Scott > Sent: Thursday, December 03, 2009 8:20 AM > To: Brian Fitzgerald; Walter Keen; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] CompactFlash card compatibility > > 2009/12/2 Brian Fitzgerald : >> We have been using the Kingston CF/4GB Type I - they work fine, with same >> caveat as Randy posted - format them in the Sup first. > > I have a 2-week old Sup720-3B running 12.2(33)SXI3 that formats and > can use a Kingston CF/1GB no probs. ?My other Sup720-3B is 4 years old > running 12.2(18)SXD3. ?It gives me "device not found" when trying to > dir or format the same card. ?Don't know if this is a HW or SW > difference. ?Newer Sup has 512MB sup-bootflash, older has a mere 64MB. 
> ?Won't be able to empirically test until I take the plunge and do the > IOS update on the Sup that's been up for 4 years :-/ ?The older Sup > takes SanDisk 256MB CF II card ok so that's enough for today's current > and rollback image needs. Hi Nick I'd glanced that doc before but disregarded it too quickly because I don't want to pay any money right now :) It was well worth mentioning as now that I've read it properly I can see that there's HW, ROMMON and SW interaction all involved to support the larger sizes. I guess if I upgrade the SP ROMMON on the older Sup720 it might read the 1GB CF card. If I'm really keen, it may also be possible to find reference to this in some IOS release notes. Ideally, I'd buy that kit so that no random person with access to my DC can push "eject" and sabotage my boot. I'd been looking into the CF support as I came into possession of a handful of 1GB CF II cards that are too slow and weeny for pics and tunes but right on par with the Sup720 model of storage. Cheers -- Chris From rsm at fast-serv.com Thu Dec 3 09:07:17 2009 From: rsm at fast-serv.com (Randy McAnally) Date: Thu, 3 Dec 2009 09:07:17 -0500 Subject: [c-nsp] CompactFlash card compatibility In-Reply-To: <9fcc08fd0912030557v245c6a55md0de6b16e860a8d4@mail.gmail.com> References: <20091202180144.M44964@fast-serv.com> <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com> <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com> <9fcc08fd0912030557v245c6a55md0de6b16e860a8d4@mail.gmail.com> Message-ID: <20091203140559.M78365@fast-serv.com> Definitely upgrade your software before anything else. -- Randy ---------- Original Message ----------- From: Chris Scott To: NMaio at guesswho.com, cisco-nsp at puck.nether.net Sent: Thu, 3 Dec 2009 13:57:08 +0000 Subject: Re: [c-nsp] CompactFlash card compatibility > 2009/12/3 : > > Chris, > > Is it possible that you need the WS-CF-UPG aka CF-ADAPTER-SP for your older SUP. 
?I think it is included in the newer 720s > > Nick > > > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Scott > > Sent: Thursday, December 03, 2009 8:20 AM > > To: Brian Fitzgerald; Walter Keen; cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] CompactFlash card compatibility > > > > 2009/12/2 Brian Fitzgerald : > >> We have been using the Kingston CF/4GB Type I - they work fine, with same > >> caveat as Randy posted - format them in the Sup first. > > > > I have a 2-week old Sup720-3B running 12.2(33)SXI3 that formats and > > can use a Kingston CF/1GB no probs. ?My other Sup720-3B is 4 years old > > running 12.2(18)SXD3. ?It gives me "device not found" when trying to > > dir or format the same card. ?Don't know if this is a HW or SW > > difference. ?Newer Sup has 512MB sup-bootflash, older has a mere 64MB. > > ?Won't be able to empirically test until I take the plunge and do the > > IOS update on the Sup that's been up for 4 years :-/ ?The older Sup > > takes SanDisk 256MB CF II card ok so that's enough for today's current > > and rollback image needs. > > Hi Nick > > I'd glanced that doc before but disregarded it too quickly because I > don't want to pay any money right now :) It was well worth > mentioning as now that I've read it properly I can see that there's > HW, ROMMON and SW interaction all involved to support the larger > sizes. I guess if I upgrade the SP ROMMON on the older Sup720 it > might read the 1GB CF card. If I'm really keen, it may also be > possible to find reference to this in some IOS release notes. > Ideally, I'd buy that kit so that no random person with access to my > DC can push "eject" and sabotage my boot. I'd been looking into the > CF support as I came into possession of a handful of 1GB CF II cards > that are too slow and weeny for pics and tunes but right on par with > the Sup720 model of storage. 
> > Cheers > -- > Chris > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ------- End of Original Message ------- From mcgrath at fas.harvard.edu Thu Dec 3 09:18:24 2009 From: mcgrath at fas.harvard.edu (Scott McGrath) Date: Thu, 3 Dec 2009 09:18:24 -0500 Subject: [c-nsp] CompactFlash card compatibility In-Reply-To: <20091203140559.M78365@fast-serv.com> References: <20091202180144.M44964@fast-serv.com> <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com> <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com> <9fcc08fd0912030557v245c6a55md0de6b16e860a8d4@mail.gmail.com> <20091203140559.M78365@fast-serv.com> Message-ID: <4B17C8B0.1090806@fas.harvard.edu> For a LONG time there was a 512MB limitation on filesystem size i.e. the Sup720's would recognize a 512MB CF card but not a 1Gb card. Until this thread we were not aware that the limitation had been lifted on newer code. This is helpful as we have been scouring the universe for old 512Mb CF so as not to pay Cisco's outrageous prices for a commodity product. esp since you can get a Toshiba 1Gb type I CF card at Sams Club for $15.00. - Scott Randy McAnally wrote: > Definitely upgrade your software before anything else. > > -- > Randy > > ---------- Original Message ----------- > From: Chris Scott > To: NMaio at guesswho.com, cisco-nsp at puck.nether.net > Sent: Thu, 3 Dec 2009 13:57:08 +0000 > Subject: Re: [c-nsp] CompactFlash card compatibility > > >> 2009/12/3 : >> >>> Chris, >>> Is it possible that you need the WS-CF-UPG aka CF-ADAPTER-SP for your >>> > older SUP. 
I think it is included in the newer 720s > >>> Nick >>> >>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Scott > >>> Sent: Thursday, December 03, 2009 8:20 AM >>> To: Brian Fitzgerald; Walter Keen; cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] CompactFlash card compatibility >>> >>> 2009/12/2 Brian Fitzgerald : >>> >>>> We have been using the Kingston CF/4GB Type I - they work fine, with same >>>> caveat as Randy posted - format them in the Sup first. >>>> >>> I have a 2-week old Sup720-3B running 12.2(33)SXI3 that formats and >>> can use a Kingston CF/1GB no probs. My other Sup720-3B is 4 years old >>> running 12.2(18)SXD3. It gives me "device not found" when trying to >>> dir or format the same card. Don't know if this is a HW or SW >>> difference. Newer Sup has 512MB sup-bootflash, older has a mere 64MB. >>> Won't be able to empirically test until I take the plunge and do the >>> IOS update on the Sup that's been up for 4 years :-/ The older Sup >>> takes SanDisk 256MB CF II card ok so that's enough for today's current >>> and rollback image needs. >>> >> Hi Nick >> >> I'd glanced that doc before but disregarded it too quickly because I >> don't want to pay any money right now :) It was well worth >> mentioning as now that I've read it properly I can see that there's >> HW, ROMMON and SW interaction all involved to support the larger >> sizes. I guess if I upgrade the SP ROMMON on the older Sup720 it >> might read the 1GB CF card. If I'm really keen, it may also be >> possible to find reference to this in some IOS release notes. >> Ideally, I'd buy that kit so that no random person with access to my >> DC can push "eject" and sabotage my boot. I'd been looking into the >> CF support as I came into possession of a handful of 1GB CF II cards >> that are too slow and weeny for pics and tunes but right on par with >> the Sup720 model of storage. 
>>
>> Cheers
>> --
>> Chris
>>
> ------- End of Original Message -------
>

From howie at thingy.com Thu Dec 3 09:29:54 2009
From: howie at thingy.com (Howard Jones)
Date: Thu, 03 Dec 2009 14:29:54 +0000
Subject: [c-nsp] bpduguard and trunks?
Message-ID: <4B17CB62.1020203@thingy.com>

I've just run into an odd problem, and was wondering if anyone else could clarify this for me.

[c1]---[Sw1]----------[Sw2]---[c2]

c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk between them. c1 has a trunk to Sw1. One of the vlans in that trunk is passed along the sw1-sw2 trunk to c2.

The port facing c1 has bpduguard enabled. Halfway through adding vlans, Sw2 complains about inconsistent BPDUs, and the root bridge mac address is that of c1. It shuts down the trunk port, which is kind of annoying.

Does bpduguard only affect access ports and not trunks? That's the only explanation I can see for what is going on. The manual doesn't exactly say either way: "At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature.". Sw1 also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?

I think the real answer is to stop using switches to ship stuff between sites like this, but that is a battle for another day.

Thanks in advance for any illumination...
Howie

From ivan at ig.sk Thu Dec 3 09:43:47 2009
From: ivan at ig.sk (Ivan Gasparik)
Date: Thu, 3 Dec 2009 15:43:47 +0100
Subject: [c-nsp] 3750 High cpu
In-Reply-To: <2e1cd850911161314m73648331n2dec465ae3bbe36a@mail.gmail.com>
References: <2e1cd850911161314m73648331n2dec465ae3bbe36a@mail.gmail.com>
Message-ID: <200912031543.47713.ivan@ig.sk>

The 'Adjust Regions' process is not an issue here. The real problem is the interrupt part of the load (49%). That means your switch handles a large amount of traffic in software. Do you use IPv6 or other features that are not supported by hardware in your current SDM profile?

Ivan

On Monday 16 November 2009 22:14:33 Chris Lane wrote:
> Not sure what Adjust regions is. After a google search nothing turns up.
> here is my cpu output:
>
> sh proc cpu sorted | e 0.00
> CPU utilization for five seconds: 72%/49%; one minute: 69%; five minutes: 69%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   56  1458890966   8848611     164876  7.50%  4.92%  4.59%   0 Adjust Regions
>
>
> Following another thread suggested looking at mac address table:
> sh mac-address-table count | i Space
> Total Mac Address Space Available: 4968
> --
> sh platform tcam utilization
>
> CAM Utilization for ASIC# 0                        Max            Used
>                                               Masks/Values   Masks/values
>
>  Unicast mac addresses:                         784/6272       81/582
>  IPv4 IGMP groups + multicast routes:           144/1152        6/26
>  IPv4 unicast directly-connected routes:        784/6272       81/582
>  IPv4 unicast indirectly-connected routes:      272/2176      146/1072
>  IPv4 policy based routing aces:                  0/0           0/0
>  IPv4 qos aces:                                 528/528        18/18
>  IPv4 security aces:                           1024/1024       57/57
>
> Note: Allocation of TCAM entries per feature uses
> a complex algorithm.
> The above information is meant
> to provide an abstract view of the current TCAM utilization
>
> Any help would be appreciated
> Chris
> //CL
>

From gert at greenie.muc.de Thu Dec 3 10:28:12 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 3 Dec 2009 16:28:12 +0100
Subject: [c-nsp] Ethernet WAN Links question
In-Reply-To:
References: <62f79b510912030346s2539c1d7n69053d7fb4675c5e@mail.gmail.com>
Message-ID: <20091203152812.GQ163@greenie.muc.de>

Hi,

On Thu, Dec 03, 2009 at 02:02:27PM +0100, Mikael Abrahamsson wrote:
> >There is an option they supply the switch too.
> >The first thing that came to mind is security issues since we are connecting
> >Internet and Local Network to the same switch inside the network.
[..]
> Usually I'd say that the ISP will solve the handoff by having a switch or media converter to give you one port per service, but using vlans for logical separation has been pretty much standard procedure for 10 years in a lot of places.

But still, the underlying argument "if you connect your internal network to the ISPs MPLS network, you need to trust your ISP" remains true. So the question is not only separation of VLANs (which I would trust, on sufficiently recent switch gear) but also "trust towards the ISP". Otherwise, crypto gear on top of the MPLS link is needed.

gert

--
USENET is *not* the non-clickable part of WWW!                     //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From ziliomarcelo at gmail.com Thu Dec 3 10:44:52 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Thu, 3 Dec 2009 13:44:52 -0200
Subject: [c-nsp] Ethernet WAN Links question
In-Reply-To:
References: <62f79b510912030346s2539c1d7n69053d7fb4675c5e@mail.gmail.com>
Message-ID: <62f79b510912030744v66ff8e04od6f078eabe2a34fc@mail.gmail.com>

By security issues I was thinking of something like MAC flooding or any kind of denial of service which could compromise the switch access, so I would have the internal LAN exposed. Does this make sense?

On Thu, Dec 3, 2009 at 11:02 AM, Mikael Abrahamsson wrote:
> On Thu, 3 Dec 2009, Marcelo Zilio wrote:
>
>> There is an option they supply the switch too.
>> The first thing that came to mind is security issues since we are connecting Internet and Local Network to the same switch inside the network.
>
> That's like saying there is a security risk in running two phonecalls in the same T1/E1. They're logically separated, it's commonly done.
>
>> The question is: Is this a common practice? How do you handle this scenario?
>
> Usually I'd say that the ISP will solve the handoff by having a switch or media converter to give you one port per service, but using vlans for logical separation has been pretty much standard procedure for 10 years in a lot of places.
>
> --
> Mikael Abrahamsson email: swmike at swm.pp.se
>

From jeff-kell at utc.edu Thu Dec 3 10:48:49 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 03 Dec 2009 10:48:49 -0500
Subject: [c-nsp] Quick 6500/Sup2/MSFC2 question...
Message-ID: <4B17DDE1.4090309@utc.edu>

Can you determine the MSFC2 RAM size in a standby supervisor?
All of the "remote command" options I've tried seem to be giving me the PFC, not MSFC2; and any typical session/console to the standby sup of course gives me the 'standby console disabled' message.

The active Sup2 was replaced awhile back and has a newer serial number, apparently part of the "factory-supplied 512Mb" series. The standby is older and not sure if it shipped with 256 or 512... Would rather not failover at the moment to find out for certain...

Jeff

From aptgetd at gmail.com Thu Dec 3 10:55:19 2009
From: aptgetd at gmail.com (sky vader)
Date: Thu, 03 Dec 2009 07:55:19 -0800
Subject: [c-nsp] Bandwidth Statement - Tunnel Interface
In-Reply-To: <4B16F072.4040405@west.net>
References: <4B16E8AD.6060403@gmail.com> <4B16F072.4040405@west.net>
Message-ID: <4B17DF67.3010108@gmail.com>

see in-line:

Jay Hennigan wrote:
> sky vader wrote:
>> Hi,
>>
>> Just curious, since the default bandwidth for tunnel interface is 9k (cisco platform), does that mean the maximum bandwidth I can have is 9k?
>
> No.

-------------------------
So what does the tunnel "bandwidth transmit / receive" statement under the tunnel interface do? For example:

interface tunnel0
 bandwidth 40000
 ip address 192.169.0.1 255.255.255.252
 tunnel destination x.x.x.x
 tunnel bandwidth transmit 40000
 tunnel bandwidth receive 40000

thanks,
sky

>
>> What's the purpose of setting bandwidth statement on a tunnel interface? Does that mean I get bandwidth that is set or what the router will report via snmp?
>
> Three things come to mind, there are likely other subtle ones...
>
> 1. Dynamic routing protocols use the interface bandwidth for path selection. Manually specifying the bandwidth to something sane for the physical path over which the tunnel rides may be needed for proper route selection.
>
> 2. MRTG and similar tools will use the configured bandwidth as the default maximum for graphing and analysis purposes. Leaving it at 9K is likely to result in graphs topped at that value.
> SNMP of the actual traffic counts will be accurate, but configuration tools of graphing software will get the configured bandwidth on setup and may behave as if this is the physical limit.
>
> 3. QoS and traffic shaping applied to the interface will use the configured bandwidth for percentage calculations and the like. This will almost certainly cause results that aren't what you expect unless the tunnel is running over a dialup link.
>
> If you are doing none of these, then the configured bandwidth statement really doesn't affect anything in terms of operation that I've noticed.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
>

From dwcarder at wisc.edu Thu Dec 3 10:15:52 2009
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Thu, 03 Dec 2009 09:15:52 -0600
Subject: [c-nsp] bpduguard and trunks?
In-Reply-To: <4B17CB62.1020203@thingy.com>
References: <4B17CB62.1020203@thingy.com>
Message-ID:

Hi Howie,

Check out the command "errdisable detect cause bpduguard shutdown vlan"

Dale

On Dec 3, 2009, at 8:29 AM, Howard Jones wrote:
> I've just run into an odd problem, and was wondering if anyone else could clarify this for me.
>
> [c1]---[Sw1]----------[Sw2]---[c2]
>
> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk between them. c1 has a trunk to Sw1. One of the vlans in that trunk is passed along the sw1-sw2 trunk to c2.
>
> The port facing c1 has bpduguard enabled. Halfway through adding vlans, Sw2 complains about inconsistent BPDUs, and the root bridge mac address is that of c1. It shuts down the trunk port, which is kind of annoying.
>
> Does bpduguard only affect access ports and not trunks? That's the only explanation I can see for what is going on.
> The manual doesn't exactly say either way: "At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature.". Sw1 also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?
>
> I think the real answer is to stop using switches to ship stuff between sites like this, but that is a battle for another day.
>
> Thanks in advance for any illumination...
>
> Howie

From chrisjscott at gmail.com Thu Dec 3 11:17:59 2009
From: chrisjscott at gmail.com (Chris Scott)
Date: Thu, 3 Dec 2009 16:17:59 +0000
Subject: [c-nsp] CompactFlash card compatibility
In-Reply-To: <4B17C8B0.1090806@fas.harvard.edu>
References: <20091202180144.M44964@fast-serv.com> <9fcc08fd0912030519l4010d032s202f1448150cd84b@mail.gmail.com> <2AA600764E54964491083B1E0EC81A302F875C378E@EXCLUS.nationala-1advertising.com> <9fcc08fd0912030557v245c6a55md0de6b16e860a8d4@mail.gmail.com> <20091203140559.M78365@fast-serv.com> <4B17C8B0.1090806@fas.harvard.edu>
Message-ID: <9fcc08fd0912030817j3b5229cfv5fdd8af42d82a1af@mail.gmail.com>

2009/12/3 Scott McGrath :
> For a LONG time there was a 512MB limitation on filesystem size i.e. the Sup720's would recognize a 512MB CF card but not a 1Gb card. Until this thread we were not aware that the limitation had been lifted on newer code.
> This is helpful as we have been scouring the universe for old 512Mb CF so as not to pay Cisco's outrageous prices for a commodity product. esp since you can get a Toshiba 1Gb type I CF card at Sams Club for $15.00.
>
> - Scott
>
> Randy McAnally wrote:
>>
>> Definitely upgrade your software before anything else.
>>
>> --
>> Randy
>>

The link Nick posted before mentions that the sup-bootflash upgrade kit ships with 12.2(18)SXE5 or greater. On reading the release notes, the "New Hardware Features in Release 12.2(18)SXE5" section notes "CompactFlash adapter with 512 MB CompactFlash card that replaces the bootflash device.". Reality suggests it's wider than just internal slot capability and hardware support for 512MB and 1GB as the docs indicate. I guess honest documentation would harm the magnificent margin with customers fortunate enough to afford list price Cisco cards.

Summary so far seems to be: Up to 4GB CF Type II card requires minimum SP ROMMON Release 8.4(2) and IOS 12.2(18)SXE5. Earlier versions than that and you're stuck with <512MB cards.

--
Chris

From chrisjscott at gmail.com Thu Dec 3 12:03:48 2009
From: chrisjscott at gmail.com (Chris Scott)
Date: Thu, 3 Dec 2009 17:03:48 +0000
Subject: [c-nsp] Quick 6500/Sup2/MSFC2 question...
In-Reply-To: <4B17DDE1.4090309@utc.edu>
References: <4B17DDE1.4090309@utc.edu>
Message-ID: <9fcc08fd0912030903w2287f6d1t12fac97c3bed9ff@mail.gmail.com>

Hi Jeff

2009/12/3 Jeff Kell :
> Can you determine the MSFC2 RAM size in a standby supervisor?

On my mix of Sup2/MSFC2s running 12.2(18)SXD7b and 12.2(18)SXF15a I have "remote command standby-rp sho ver" that does the trick.

> All of the "remote command" options I've tried seem to be giving me the PFC, not MSFC2; and any typical session/console to the standby sup of course gives me the 'standby console disabled' message.

IIRC "remote command mod 2 sho ver" (mod 1 active, mod 2 standby hot for SSO) gives me the standby SP RAM.

> The active Sup2 was replaced awhile back and has a newer serial number, apparently part of the "factory-supplied 512Mb" series. The standby is older and not sure if it shipped with 256 or 512... Would rather not failover at the moment to find out for certain...

Definitely. Failover to satisfy curiosity on a production system is a bit far.
The fact they're running in failover suggests their spec can't be too different or IOS *hopefully* would have moaned :)

Cheers
--
Chris

From jeff-kell at utc.edu Thu Dec 3 12:17:18 2009
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 03 Dec 2009 12:17:18 -0500
Subject: [c-nsp] Quick 6500/Sup2/MSFC2 question...
In-Reply-To: <9fcc08fd0912030903w2287f6d1t12fac97c3bed9ff@mail.gmail.com>
References: <4B17DDE1.4090309@utc.edu> <9fcc08fd0912030903w2287f6d1t12fac97c3bed9ff@mail.gmail.com>
Message-ID: <4B17F29E.9030107@utc.edu>

Chris Scott wrote:
> Definitely. Failover to satisfy curiosity on a production system is a bit far. The fact they're running in failover suggests their spec can't be too different or IOS *hopefully* would have moaned :)

Both of your remote command examples tell me 256M. The active supervisor 'show ver' has 512M. And as someone else pointed out, I don't think it would be running redundancy if the two didn't match up. But it is...

> #sho redundancy states
>        my state = 13 -ACTIVE
>      peer state = 8  -STANDBY HOT

And appears they may not (or these are the wrong commands)...

"show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 458752K/65536K bytes of memory.

"remote command standby-rp show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 227328K/34816K bytes of memory.

"remote command mod 2 show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 227328K/34816K bytes of memory.

And the "show boot" says the standby only has 256M... but don't know if that is relevant to the MSFC2 or PFC2.

> UTC-6509#show boot
> BOOT variable = disk0:s222-ipservicesk9-mz.122-18.SXF17.bin,1;disk0:c6sup22-jk2s-mz.121-26.E7.bin,1;
> CONFIG_FILE variable does not exist
> BOOTLDR variable =
> Configuration register is 0x2102
>
> Standby is up
> Standby has 227328K/34816K bytes of memory.
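Two of the threads above come down to reading numbers out of IOS show output by hand: Ivan's point in the 3750 thread that the 49% after the slash in "CPU utilization for five seconds: 72%/49%" is interrupt-level (software-switched) load, and the Sup2 memory lines just above, where "227328K/34816K" is processor memory plus I/O memory and only the sum is the physical RAM. The following is an added example written for this page, not code from any poster; the show-output strings are constructed copies of what the two threads quote, and the 30% interrupt threshold and the 16 MB headroom are assumed values.

```python
import re

# Constructed sample lines, copied from what the two threads quote.
SHOW_PROC_CPU_3750 = (
    "CPU utilization for five seconds: 72%/49%; one minute: 69%; five minutes: 69%"
)
ACTIVE_SHOW_VER = (
    "cisco WS-C6509 (R7000) processor (revision 3.0) with 458752K/65536K bytes of memory."
)
STANDBY_SHOW_VER = (
    "cisco WS-C6509 (R7000) processor (revision 3.0) with 227328K/34816K bytes of memory."
)

# "five seconds: <total>%/<interrupt>%": the second number is time spent at
# interrupt level, i.e. packets the forwarding hardware punted to the CPU.
CPU_RE = re.compile(r"five seconds:\s*(\d+)%/(\d+)%")
# "<processor>K/<io>K bytes of memory": two pools carved from the same DRAM,
# so the physical RAM is their sum, not the first figure.
MEM_RE = re.compile(r"with (\d+)K/(\d+)K bytes of memory")


def parse_cpu(line):
    """Split the five-second figure into interrupt and process shares."""
    m = CPU_RE.search(line)
    if m is None:
        raise ValueError("no 'CPU utilization for five seconds' field: %r" % line)
    total, interrupt = int(m.group(1)), int(m.group(2))
    if interrupt > total:
        raise ValueError("interrupt share %d%% exceeds total %d%%" % (interrupt, total))
    return {"total": total, "interrupt": interrupt, "process": total - interrupt}


def cpu_verdict(line, interrupt_threshold=30):
    """Classify the load the way Ivan did: a large interrupt share means the
    switch is forwarding traffic in software (threshold is an assumed value)."""
    c = parse_cpu(line)
    if c["interrupt"] >= interrupt_threshold:
        return "software-switched traffic: %d%% of %d%% is interrupt load" % (
            c["interrupt"], c["total"])
    if c["process"] >= interrupt_threshold:
        return "process load: %d%% of %d%% is spent in IOS processes" % (
            c["process"], c["total"])
    return "normal: %d%% total" % c["total"]


def total_ram_mb(line):
    """Processor memory plus I/O memory, in MB; 458752K/65536K is 512 MB."""
    m = MEM_RE.search(line)
    if m is None:
        raise ValueError("no memory field: %r" % line)
    return (int(m.group(1)) + int(m.group(2))) // 1024


def check_redundancy(active_line, standby_line, active_used_mb, headroom_mb=16):
    """Compare active and standby RAM and say whether a switchover could run
    out of memory. headroom_mb is an assumption: alert this far below the
    smaller supervisor's RAM (240 MB for a 256 MB standby)."""
    active_mb = total_ram_mb(active_line)
    standby_mb = total_ram_mb(standby_line)
    floor_mb = min(active_mb, standby_mb)
    return {
        "active_mb": active_mb,
        "standby_mb": standby_mb,
        "mismatch": active_mb != standby_mb,
        "alert_at_mb": floor_mb - headroom_mb,
        # Usage that fits the active but not the standby would not survive
        # a failover; flag that independently of the alert level.
        "failover_at_risk": active_used_mb > standby_mb,
        "alert": active_used_mb >= floor_mb - headroom_mb,
    }


if __name__ == "__main__":
    print(cpu_verdict(SHOW_PROC_CPU_3750))
    print(check_redundancy(ACTIVE_SHOW_VER, STANDBY_SHOW_VER, active_used_mb=300))
```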
From rodunn at cisco.com Thu Dec 3 14:37:57 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 03 Dec 2009 14:37:57 -0500
Subject: [c-nsp] 2821 spurious reload
In-Reply-To:
References:
Message-ID: <4B181395.4020006@cisco.com>

I looked at it again and noticed it's a combination of Netflow being enabled and ACL Based RBSCP. It's hard for me to tell without more data if it's an exact match or if the fix is more generic.

The general recommendation for code direction in regards to 12.4T/15.0 is:

12.4(15)T as it will live a long time if you don't need newer features/hw.
15.0(1)M if you are on between 12.4(20)-(24)T.

Rodney

Eninja wrote:
> Pete,
>
> Get off the T train to 15.0. T train is too unstable to be run in _any_ production network and should _only_ be used when there is absolutely no alternative.
>
> Eninja
>
> PS. Rodney, feel free to post the release notes of sv85009 so others can be enlightened about its cause and effect. Tx
>
> On Dec 2, 2009, at 5:36 PM, Pete Barnwell wrote:
>
>> Rodney Dunn wrote:
>>> From the 'sh stack' you posted offline it *appears* that this may be a result of:
>>>
>>> CSCsv85009 fixed in 12.4(22)T2.
>>>
>>> I didn't spend a lot of time analyzing it but the code tracebacks you sent me offline match up pretty closely.
>>>
>>> Rodney
>>>
>>
>> Thanks - I'm going to try upgrading it to 12.4(22)T2 and see if that fixes the problem.
>>
>> Regards
>>
>> Pete

From chrisjscott at gmail.com Thu Dec 3 15:37:18 2009
From: chrisjscott at gmail.com (Chris Scott)
Date: Thu, 3 Dec 2009 20:37:18 +0000
Subject: [c-nsp] Quick 6500/Sup2/MSFC2 question...
In-Reply-To: <4B17F29E.9030107@utc.edu>
References: <4B17DDE1.4090309@utc.edu> <9fcc08fd0912030903w2287f6d1t12fac97c3bed9ff@mail.gmail.com> <4B17F29E.9030107@utc.edu>
Message-ID: <9fcc08fd0912031237s7bd76d8eh32cf0dcbaec21531@mail.gmail.com>

2009/12/3 Jeff Kell :
> Both of your remote command examples tell me 256M. The active supervisor 'show ver' has 512M. And as someone else pointed out, I don't think it would be running redundancy if the two didn't match up. But it is...
>
>> #sho redundancy states
>>        my state = 13 -ACTIVE
>>      peer state = 8  -STANDBY HOT
>
> And appears they may not (or these are the wrong commands)...
>
> "show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 458752K/65536K bytes of memory.
>
> "remote command standby-rp show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 227328K/34816K bytes of memory.
>
> "remote command mod 2 show ver" says cisco WS-C6509 (R7000) processor (revision 3.0) with 227328K/34816K bytes of memory.
>
> And the "show boot" says the standby only has 256M... but don't know if that is relevant to the MSFC2 or PFC2.
>
>> UTC-6509#show boot
>> BOOT variable = disk0:s222-ipservicesk9-mz.122-18.SXF17.bin,1;disk0:c6sup22-jk2s-mz.121-26.E7.bin,1;
>> CONFIG_FILE variable does not exist
>> BOOTLDR variable =
>> Configuration register is 0x2102
>>
>> Standby is up
>> Standby has 227328K/34816K bytes of memory.

This is definitely cause for concern. This prompted me to check the docs:

http://cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/nsfsso.html#wp1095529

"If they are not identical, one will boot first and become active and hold the other supervisor engine and MSFC in a reset condition."

"Each supervisor engine must have the resources to run the switch on its own, which means all supervisor engine resources are duplicated..."

STANDBY HOT and the standby console prompt don't suggest a reset condition.
AFAIR when I had mixed IOS versions, the incompatible 2nd Sup2 was kicked out to SP ROMMON or went round and round in the boot... fail... loop.

Seems Sup2 doesn't consider RAM a resource. Might wanna set your NMS for 240MB usage alerts :)

--
Chris

From globichen at gmail.com Thu Dec 3 16:31:58 2009
From: globichen at gmail.com (Andy B.)
Date: Thu, 3 Dec 2009 22:31:58 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
Message-ID:

Hi,

I am facing semi-random reloads of one of my routers when it is under heavy load while receiving lots of routes from its BGP peers.

I run several 6504-E in my backbone, all with the very same IOS and all interconnected for the same purpose: Edge Routers for BGP peering / customers and transit.

All routers are fully meshed (next-hop-self) and there is also a route reflector (quagga) talking to every router.

Every BGP peer has its own route-maps for various reasons like communities, prepends, ...

Recently I had a fiber cut to one of these routers and it had lost connectivity to all other internal routers. When the fiber cut was fixed the routers started to reannounce their prefixes to each other. After a while being at 100% CPU, the router reloaded itself without giving any piece of information.

This happened more than once and it seems to happen when there is a massive flood of prefixes coming in. I am not sure how to explain this otherwise. I have other routers with much more peers and customer links and they don't appear to have this reload issue. I am aware that lots of route-maps will cause the CPU to remain at 100% for several minutes and I can live with that, but I cannot live with random reloads.

More information about the router:

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF15a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Tue 21-Oct-08 01:14 by kellythw
Image text-base: 0x40101040, data-base: 0x42DD70D0

Changing to a different IOS (tried SXI3) did not change anything - in fact it caused the router to give up even faster.

Could this be a memory issue? How would I be able to find that out?

Thank you for any help.

Andy

From pc50000 at gmail.com Thu Dec 3 17:46:37 2009
From: pc50000 at gmail.com (P C)
Date: Thu, 3 Dec 2009 17:46:37 -0500
Subject: [c-nsp] DSL Aggregation equipment and sizing questions/recommendations?
Message-ID: <47b527130912031446udb1e022u4ae2fbac4b5344d4@mail.gmail.com>

I need to terminate 2,000 DSL circuits delivered to me from a telco over an ATM DS3. I was hoping someone here could offer some equipment recommendations that they feel are suitable for terminating this traffic, as I'm having trouble understanding all the IDB and PVC limits offered by the different platforms.

I anticipate I'll be running PPPoX and terminating all the sessions including PPP on a single router, but I am open to options.

I know the following will occur:

* Each site will have a routable IP block
* This network will have to support extremely low-bitrate multicast traffic.
* Each site will be running PIM-SM.
* This deployment will have an unusual traffic loading. I expect unicast traffic to never exceed 5mbps for all sites combined. If multicast traffic is included, I always expect the loading to remain under 15 megabit, even after it is replicated out down each PVC.
* This is not an ISP scenario, nor will it carry any internet traffic.

I was thinking something in the 7200 product lines or the ASR series (probably no way a 3900 can handle the PVCs, even if the traffic is ok?) but ultimately I would like something that would both keep costs down, and likely to remain on vendor support for the better part of a decade.

I'd appreciate any suggestions.
Thanks,
Paul

From eninja at gmail.com Thu Dec 3 17:54:34 2009
From: eninja at gmail.com (Eninja)
Date: Thu, 3 Dec 2009 23:54:34 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To:
References:
Message-ID:

Andy,

Your snipped 'sh ver' post is inadequate to understand the root cause of this problem.

Unicast or broadcast a full 'sh ver' (prior to a reload), 'sh stack', and crashinfo files from both SP and RP if available.

eninja

On Dec 3, 2009, at 10:31 PM, "Andy B." wrote:
> Hi,
>
> I am facing semi-random reloads of one of my routers when it is under heavy load while receiving lots of routes from its BGP peers.
>
> I run several 6504-E in my backbone, all with the very same IOS and all interconnected for the same purpose: Edge Routers for BGP peering / customers and transit.
>
> All routers are fully meshed (next-hop-self) and there is also a route reflector (quagga) talking to every router.
>
> Every BGP peer has its own route-maps for various reasons like communities, prepends, ...
>
> Recently I had a fiber cut to one of these routers and it had lost connectivity to all other internal routers. When the fiber cut was fixed the routers started to reannounce their prefixes to each other. After a while being at 100% CPU, the router reloaded itself without giving any piece of information.
>
> This happened more than once and it seems to happen when there is a massive flood of prefixes coming in. I am not sure how to explain this otherwise. I have other routers with much more peers and customer links and they don't appear to have this reload issue. I am aware that lots of route-maps will cause the CPU to remain at 100% for several minutes and I can live with that, but I cannot live with random reloads.
>
> More information about the router:
>
> #sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF15a, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by cisco Systems, Inc.
> Compiled Tue 21-Oct-08 01:14 by kellythw
> Image text-base: 0x40101040, data-base: 0x42DD70D0
>
> Changing to a different IOS (tried SXI3) did not change anything - in fact it caused the router to give up even faster.
>
> Could this be a memory issue? How would I be able to find that out?
>
> Thank you for any help.
>
> Andy

From globichen at gmail.com Thu Dec 3 18:32:12 2009
From: globichen at gmail.com (Andy B.)
Date: Fri, 4 Dec 2009 00:32:12 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To:
References:
Message-ID:

On Thu, Dec 3, 2009 at 11:54 PM, Eninja wrote:
> Andy,
>
> Your snipped 'sh ver' post is inadequate to understand the root cause of this problem.
>
> Unicast or broadcast a full 'sh ver' (prior to a reload), 'sh stack', and crashinfo files from both SP and RP if available.
>
> eninja
>

Unfortunately that's all the information I've got. No crashinfo has been generated and while being live inside the console, it did nothing but reload and the output was:

System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.

Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

and really nothing before, except showing lots of BGP "Up" messages from the other routers inside the same AS.
#sh stacks
Minimum process stacks:
 Free/Size   Name
 5704/6000   OIR IOS Process
 5536/6000   IPC Zone Manager
 5688/6000   ICC Retry Q
 4480/6000   IPC delayed init
 5704/6000   CDP BLOB
 5648/6000   FM HA Sync
 5656/6000   L3 Manager HA
 5632/6000   Draco FIB process
 4536/6000   Delayed Init Late Reg
 3528/6000   eobc_init_process
 5208/6000   ICC Slave Comp. Up
 5584/6000   PM MP Process
 2008/3000   EARL INFO CAPABILITY process
 5568/6000   DHCPD Receive
 5480/6000   C6K ENV RP init
 5024/6000   SPAN Subsystem
 5416/6000   PostOfficeNet
11464/12000  Router Init
10896/12000  CDP Protocol
11704/12000  cdp init process
 8320/12000  Init
 5112/6000   Draco DFS Port Registation Proc
 4880/6000   IPC LC Port Opener
 3864/6000   Update prst
 5392/6000   RADIUS INITCONFIG
 4856/6000   LCC Configure
 4984/6000   SLB RF Active Proc
 4688/6000   CEF Reloader
 4144/6000   draco-oir-process:slot 1
 4224/6000   draco-oir-process:slot 3
 4808/6000   BGP Accepter
 4272/6000   BGP Open
 3992/6000   draco-oir-process:slot 4
 2704/3000   Rom Random Update Process
 4800/6000   TFTP Read Process
34824/36000  TCP Command
 5552/6000   Link Status process
 8528/12000  Virtual Exec
 8432/12000  SSH Process
 8016/12000  Exec

Interrupt level stacks:
Level    Called Unused/Size  Name
  1     1289528   7632/9000  Inband Interrupt
  2      379375   7592/9000  EOBC Interrupt
  3       10555   8456/9000  Management Interrupt
  4     1579543   8600/9000  Console Uart
  5           0   9000/9000  Mistral Error Interrupt
  7     2637841   8584/9000  NMI Interrupt Handler

***************************************************
******* Information of Last System Crash **********
***************************************************

Using bootflash:crashinfo.
%Error opening bootflash:crashinfo (File not found)

***************************************************
****** Information of Last System Crash - SP ******
***************************************************

The last crashinfo failed to be written. Please verify the exception crashinfo configuration the filesytem devices, and the free space on the filesystem devices.

Using crashinfo_FAILED.
%Error opening crashinfo_FAILED (File not found)
#

Weeks ago, when the same crash happened, I caught this error message from the console:

*** System received a Software forced crash ***
signal= 0x17, code= 0x24, context= 0x42352a54
PC = 0x402d1e6c, Cause = 0x3020, Status Reg = 0x34008002

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.

Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

I only saw it once. It never came back on other crashes. A little research told me that this error does not make sense, because all I could find was a password reset issue. Nobody has physical access to this router but me.

I should mention that this router worked fine for more than 15 months. We are constantly adding new peers and customers to it, so the workload is growing. But as I said, this is not the busiest router in my network.

As of now I really have no idea where to look or how I could at least narrow down the problem.

Andy

From globichen at gmail.com Thu Dec 3 19:01:15 2009
From: globichen at gmail.com (Andy B.)
Date: Fri, 4 Dec 2009 01:01:15 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To:
References:
Message-ID:

Just to be complete, here is what's in the box:

cisco WS-C6504-E (R7000) processor (revision 2.0) with 983008K/65536K bytes of memory.
Processor board ID FOX11460P4W
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
3 Virtual Ethernet/IEEE 802.3 interfaces
26 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.

65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL104148SR
  3   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL08486FVA
  4    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SAL10019AL9

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0016.9df6.7f08 to 0016.9df6.7f0b   5.2   8.5(2)       12.2(18)SXF1 Ok
  3  0012.01fd.0410 to 0012.01fd.0427   2.1   12.2(14r)S5  12.2(18)SXF1 Ok
  4  001c.585c.80c8 to 001c.585c.80cb   2.6   12.2(14r)S5  12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ----------- ------- -------
  1  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL1104EZUQ  1.8    Ok
  1  MSFC3 Daughterboard         WS-SUP720          SAL1103E2L1  2.6    Ok
  3  Centralized Forwarding Card WS-F6700-CFC       SAD084500GV  2.0    Ok
  4  Centralized Forwarding Card WS-F6700-CFC       SAL1212K1FG  4.0    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  3  Pass
  4  Pass

If there is anything else that I could provide, let me know...

Andy

On Fri, Dec 4, 2009 at 12:32 AM, Andy B. wrote:
>
> As of now I really have no idea where to look or how I could at least
> narrow down the problem.
>

From ltd at cisco.com Thu Dec 3 22:43:42 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 4 Dec 2009 14:43:42 +1100
Subject: [c-nsp] bpduguard and trunks?
In-Reply-To: <4B17CB62.1020203@thingy.com>
References: <4B17CB62.1020203@thingy.com>
Message-ID: <7861D5B8-44CE-42BA-9634-E7D78060BD13@cisco.com>

On 04/12/2009, at 1:29 AM, Howard Jones wrote:

> I've just run into an odd problem, and was wondering if anyone else
> could clarify this for me.
>
> [c1]---[Sw1]----------[Sw2]---[c2]
>
> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
> between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
> passed along the sw1-sw2 trunk to c2.
>
> The port facing c1 has bpduguard enabled.
> Halfway through adding vlans,
> Sw2 complains about inconsistent BPDUs, and the root bridge mac address
> is that of c1. It shuts down the trunk port, which is kind of annoying.

sounds like C1 did something silly.

> Does bpduguard only affect access ports and not trunks? That's the only
> explanation I can see for what is going on. The manual doesn't exactly
> say either way: "At the interface level, you enable BPDU guard on any
> interface by using the spanning-tree bpduguard enable interface
> configuration command without also enabling the Port Fast feature.". Sw1
> also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?

disabling spanning-tree? that doesn't sound like a very smart move.

> I think the real answer is to stop using switches to ship stuff between
> sites like this, but that is a battle for another day.

nothing wrong with using L2.

i think the issue here may relate to your knowledge of switching - and what spanning-tree is there for, and what it's meant to do.
it's there to prevent loops.

make use of it.

all 'edge' ports should be running with BPDU guard enabled. 'edge ports' (those facing hosts) should NEVER send BPDUs out. BPDU guard is there to detect if they do - and if they do, it's a sign that they have caused a loop in the network.

cheers,

lincoln.

From satz.sm at gmail.com Fri Dec 4 00:48:57 2009
From: satz.sm at gmail.com (Satyam Mathura)
Date: Fri, 4 Dec 2009 01:48:57 -0400
Subject: [c-nsp] Cisco Client VPN and Downloadable Access List
Message-ID: <7ea146250912032148heed1f25k41cd0d93551eefea@mail.gmail.com>

Guys,

I currently have FreeRadius working with a MySQL back-end to authenticate VPN users on my 2811 Cisco router. I have been trying to get the downloadable access list feature working but am hitting a brick wall. If I enable cisco-avpair:=ipsec:inacl=185 I can see the radius server responding with the access-list but it does not get applied on the connecting vpn client, which is then unable to successfully connect.
My router config and radius debug are below. Your help is greatly appreciated.

Router Config:

aaa authentication login default group radius local
aaa authentication login vpnauth group radius local
aaa authorization exec default group radius local
aaa authorization network vpnautho local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test
 dns 200.12.240.9
 domain greendottt.net
 pool ippool
!
!
crypto ipsec transform-set MD5_3DES esp-3des esp-md5-hmac
!
crypto dynamic-map VPNClientMap 1
 set transform-set MD5_3DES
 reverse-route
!
!
crypto map Remoteusers client authentication list vpnauth
crypto map Remoteusers isakmp authorization list vpnautho
crypto map Remoteusers client configuration address respond
crypto map Remoteusers 10 ipsec-isakmp dynamic VPNClientMap
!
!
!
!
interface FastEthernet0/0
 description External
 ip address 192.168.74.46 255.255.255.0
 duplex auto
 speed auto
 crypto map Remoteusers

radius-server host 192.168.74.45 auth-port 1812 acct-port 1813 key cisco

access-list 185 permit ip any any

Router debug:

*Feb 28 23:00:35.791: AAA/BIND(0000006B): Bind i/f
*Feb 28 23:00:36.039: AAA/AUTHOR (0x6B): Pick method list 'vpnautho'
*Feb 28 23:00:36.103: AAA/BIND(0000006C): Bind i/f
RouterB#
*Feb 28 23:00:39.147: RADIUS/ENCODE(0000006C):Orig. component type = VPN_IPSEC
*Feb 28 23:00:39.151: RADIUS:  AAA Unsupported Attr: interface   [157] 13
*Feb 28 23:00:39.155: RADIUS:   31 39 32 2E 31 36 38 2E 37 34 2E   [192.168.74.]
*Feb 28 23:00:39.155: RADIUS/ENCODE(0000006C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 28 23:00:39.159: RADIUS(0000006C): Config NAS IP: 0.0.0.0
*Feb 28 23:00:39.163: RADIUS/ENCODE(0000006C): acct_session_id: 108
*Feb 28 23:00:39.163: RADIUS(0000006C): sending
*Feb 28 23:00:39.171: RADIUS/ENCODE: Best Local IP-Address 192.168.74.46 for Radius-Server 192.168.74.45
*Feb 28 23:00:39.179: RADIUS(0000006C): Send Access-Request to 192.168.74.45:1812 id 1645/56, len 96
*Feb 28 23:00:39.183: RADIUS:  authenticator 39 23 30 9E 12 B5 1A 85 - E8 FF 5E 4D 13 99 6C 73
*Feb 28 23:00:39.183: RADIUS:  User-Name           [1]   10  "smathura"
*Feb 28 23:00:39.187: RADIUS:  User-Password       [2]   RouterB# 18  *
*Feb 28 23:00:39.187: RADIUS:  Calling-Station-Id  [31]  15  "192.168.74.43"
*Feb 28 23:00:39.191: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Feb 28 23:00:39.195: RADIUS:  NAS-Port            [5]   6   0
*Feb 28 23:00:39.195: RADIUS:  NAS-Port-Id         [87]  15  "192.168.74.46"
*Feb 28 23:00:39.199: RADIUS:  NAS-IP-Address      [4]   6   192.168.74.46
*Feb 28 23:00:39.383: RADIUS: Received from id 1645/56 192.168.74.45:1812, Access-Accept, len 49
*Feb 28 23:00:39.387: RADIUS:  authenticator 28 AB B2 01 8C 17 3C E2 - AD 2C 98 DD 91 0D CF 6D
*Feb 28 23:00:39.387: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
*Feb 28 23:00:39.391: RADIUS:  Vendor, Cisco       [26]  23
*Feb 28 23:00:39.391: RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=185"
*Feb 28 23:00:39.399: RADIUS(0000006C): Received from id 1645/56

FreeRadius Response:

Sending Access-Accept of id 56 to 192.168.74.46 port 1645
        Service-Type := NAS-Prompt-User
        Cisco-AVPair := "ipsec:inacl=185"
Finished request 15.

From ssrigha at gmail.com Fri Dec 4 07:17:08 2009
From: ssrigha at gmail.com (shake righa)
Date: Fri, 4 Dec 2009 15:17:08 +0300
Subject: [c-nsp] Route Target Rewrite
Message-ID: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com>

Hi,

I am getting the following error when setting up route target rewrite.
"used as BGP inbound route-map, set extcommunity rt not supported"

Regards,
Shake Righa

From p.mayers at imperial.ac.uk Fri Dec 4 07:20:19 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 04 Dec 2009 12:20:19 +0000
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To:
References:
Message-ID: <4B18FE83.7000506@imperial.ac.uk>

> Unfortunately that's all the information I've got. No crashinfo has
> been generated and while being live inside the console, it did nothing
> but reload and the output was:

Are you sure about that?

> %Error opening bootflash:crashinfo (File not found)
>

Huh. The crashinfo files are not normally called that. Try:

dir sup-bootflash:
dir bootflash:
dir slavesup-bootflash:
dir slave-bootflash:

...you're looking for a file called:

crashinfo_20090112-083919

...or similar, timestamped for the crash. Are the bootflash full?

> Weeks ago, when the same crash happened, I caught this error message
> from the console:
>
>
> *** System received a Software forced crash ***
> signal= 0x17, code= 0x24, context= 0x42352a54
> PC = 0x402d1e6c, Cause = 0x3020, Status Reg = 0x34008002
>
> System Bootstrap, Version 8.5(2)
> Copyright (c) 1994-2007 by cisco Systems, Inc.
> Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

...I'd be surprised and a little bit concerned if such a crash generated no crashinfo. Literally every time I've seen a 6500 crash, under multiple boxes and multiple IOS versions, a crashinfo has been generated. Without a crashinfo, you're not going to be able to proceed.

> I should mention that this router worked fine for more than 15 months.
> We are constantly adding new peers and customers to it, so the
> workload is growing. But as I said, this is not the busiest router in
> my network.

Well, when you get IOS crashes, an IOS upgrade is usually the outcome.
I have seen routers which were fine below a certain workload, then went bad - in several cases, related to memory corruption under increasing memory use.

From peter.hicks at poggs.co.uk Fri Dec 4 07:42:59 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Fri, 04 Dec 2009 12:42:59 +0000
Subject: [c-nsp] Centralized OOB Server / Appliance
In-Reply-To:
References:
Message-ID: <4B1903D3.8090606@poggs.co.uk>

Eric Cables wrote:

> The current solution deployed is a single server with a single modem
> physically attached, using a shared minicom dialing directory as the
> dialer. Obviously another system at another geographic location is
> preferred, but that leads to the next hurdle -- virtualization. Not only
> are systems quickly being virtualized, but once virtualized VMotion and the
> lack of physical serial/USB ports makes physically connecting modems to a
> single host server a non-option.

Have you looked at OpenGear? Pop a modem or two on the 8-port version, script something to dial a site, and ta-da. They also support RFC2217, although I've never used it.

Alternatively, and I've used this before - a modem on the AUX port of a Cisco router, and reverse telnet to access it.

Peter

From joseph at burford.me Fri Dec 4 10:18:52 2009
From: joseph at burford.me (Joseph Burford)
Date: Sat, 5 Dec 2009 01:48:52 +1030
Subject: [c-nsp] Bandwidth Statement - Tunnel Interface
In-Reply-To: <4B17DF67.3010108@gmail.com>
References: <4B16E8AD.6060403@gmail.com> <4B16F072.4040405@west.net> <4B17DF67.3010108@gmail.com>
Message-ID:

> So what does tunnel "bandwidth transmit / receive" statement under
> tunnel interface do?

For example:

http://www.cisco.com/en/US/docs/ios/12_3t/inter/command/reference/int_t1gt.html#wp1161607

To set the transmit bandwidth used by the tunnel interface, use the tunnel bandwidth command in interface configuration mode.
Cheers,
Joseph

From vijay.ramcharan at verizonbusiness.com Fri Dec 4 10:08:07 2009
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Fri, 04 Dec 2009 15:08:07 +0000
Subject: [c-nsp] Import VRF routes then change next-hop
In-Reply-To: <8171C8272CE8FE4A8F5BFF8A97CE6AB3021AA159@ASHEVS006.mcilink.com>
References: <00d701ca72d6$7415bd30$2608120a@am.thmulti.com> <8171C8272CE8FE4A8F5BFF8A97CE6AB3021AA159@ASHEVS006.mcilink.com>
Message-ID: <8171C8272CE8FE4A8F5BFF8A97CE6AB3022009AE@ASHEVS006.mcilink.com>

It broke in a bad way. I.e. trying to set the next hop via an import map is not reliable and does strange things like singling out a particular subnet and removing it from the BGP table, even though that subnet is directly connected in that VRF.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A
Sent: Tuesday, December 01, 2009 3:16 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Import VRF routes then change next-hop

Hi all,

I have a couple of switches (6509E, Sup 720 3CXL, 12.2.33 SXI1) that are running VRF lite for a couple of VRFs. One of the VRFs connects to a pair of external routers and receives a number of routes via iBGP. Sandwiched between that external VRF and the other VRF is a firewall.

I needed to import the routes from the external VRF into the other VRF that sits behind that firewall. I set the proper import targets in my firewalled VRF and the routes are imported. I now need to change the next hop of those imported routes so that the firewalled VRF uses the firewall as its next-hop for those imported routes.

The only solution I've found that actually works is the following route-map used as an "import map" in the firewalled VRF.
route-map import_mpls_to_firewall_vrf permit 10
  Match clauses:
    extcommunity (extcommunity-list filter):77
  Set clauses:
    ip vrf firewall_vrf next-hop 10.10.10.1
    ip next-hop 10.10.10.1

I tried reading some documentation but I'm not making much headway into understanding why I need both of those "set" commands. If I just use the "set ip vrf " clause the routes are imported but the next hop is not changed, at which point I need to statically point the next hop at the firewall for the routes to become valid. If I just use the "set ip next-hop" command, the next hop is changed but traffic isn't forwarded out of the firewall VRF. Once I use both commands, the next-hop is changed and traffic is properly forwarded.

Is my setup above correct or am I doing something wrong?

Thanks much.

Vijay Ramcharan
From amsoares at netcabo.pt Fri Dec 4 11:14:55 2009
From: amsoares at netcabo.pt (Antonio Soares)
Date: Fri, 4 Dec 2009 16:14:55 -0000
Subject: [c-nsp] Route Target Rewrite
In-Reply-To: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com>
References: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com>
Message-ID:

Are you doing it under VPNv4 Address Family? What hw/sw combination do you have?

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shake righa
Sent: Friday, 4 December 2009 12:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Route Target Rewrite

Hi,

I am getting the following error when setting up route target rewrite.

"used as BGP inbound route-map, set extcommunity rt not supported"

Regards,
Shake Righa

From bitkraft at gmail.com Fri Dec 4 13:39:26 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Fri, 4 Dec 2009 10:39:26 -0800
Subject: [c-nsp] OSPF clarification
In-Reply-To: <20091130.171112.74680153.sthaug@nethelp.no>
References: <20091130.171112.74680153.sthaug@nethelp.no>
Message-ID: <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com>

Hi Steinar,

On Mon, Nov 30, 2009 at 8:11 AM, wrote:
>
> Or put them in IBGP.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
>
Can you elaborate? Why would one want to put edge VLANs into IBGP? Thanks for clarifying.
/bs

From p.mayers at imperial.ac.uk Fri Dec 4 13:50:30 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 04 Dec 2009 18:50:30 +0000
Subject: [c-nsp] OSPF clarification
In-Reply-To: <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com>
References: <20091130.171112.74680153.sthaug@nethelp.no> <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com>
Message-ID: <4B1959F6.2040902@imperial.ac.uk>

Brian Spade wrote:
> Hi Steinar,
>
>
> On Mon, Nov 30, 2009 at 8:11 AM, wrote:
>
>> Or put them in IBGP.
>>
>> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>>
>>
> Can you elaborate? Why would one want to put edge VLANs into IBGP? Thanks
> for clarifying.

The general advice is:

 * Put only the very bare minimum into OSPF; this means the p2p network between your routers, and their loopbacks, i.e. anything which is needed to resolve next-hops
 * Put everything else (including edge vlans) into iBGP

The reasoning is that changes to p2p/loopbacks usually mean a convergence event, and you want this to propagate as fast as possible, so a smaller OSPF database is the aim.

There are other reasons; BGP has far superior (not to mention safer) filtering abilities, better policy controls (e.g. communities), arguably superior incremental updates, and so forth.

It's a very common model, which people often move to after finding their network doesn't work well with thousands or tens of thousands of LSAs.

We ourselves moved from having edge networks in OSPF Extern's to iBGP, and I'm very happy with the results.

There are reasons to ignore this model, but it's a sensible starting point for advice, and fits a large number of people.
From sthaug at nethelp.no Fri Dec 4 13:45:55 2009
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 04 Dec 2009 19:45:55 +0100 (CET)
Subject: [c-nsp] OSPF clarification
In-Reply-To: <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com>
References: <20091130.171112.74680153.sthaug@nethelp.no> <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com>
Message-ID: <20091204.194555.74656322.sthaug@nethelp.no>

> > Or put them in IBGP.
> >
> Can you elaborate? Why would one want to put edge VLANs into IBGP? Thanks
> for clarifying.

If the alternative is to have them in your IGP, IBGP is probably a better alternative. You *really* want your IGP to be as stable as possible. BGP can handle many more prefixes, and also handles prefix instability better than your IGP.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From andy at xecu.net Fri Dec 4 13:05:45 2009
From: andy at xecu.net (Andy Dills)
Date: Fri, 4 Dec 2009 13:05:45 -0500 (EST)
Subject: [c-nsp] IOS Version for 7206VXR
Message-ID: <20091204124828.Y85373@shell.xecu.net>

We just picked up a 7206VXR w/NPE-G2.

It currently has 12.4(15)T1, which looks pretty old.

This won't be used for anything crazy...bgp, ospf, access lists. It's a box full of ethernet interfaces that will push packets.

The router it's replacing runs 12.0(31)S, to give you an idea of the goals involved: Stability, PPS, stability, stability.

What would people suggest for a nice, stable IOS?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---

From bitkraft at gmail.com Fri Dec 4 14:13:29 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Fri, 4 Dec 2009 11:13:29 -0800
Subject: [c-nsp] OSPF clarification
In-Reply-To: <20091204.194555.74656322.sthaug@nethelp.no>
References: <20091130.171112.74680153.sthaug@nethelp.no> <505b616c0912041039r236c7f45wfdd964632ee0c5a6@mail.gmail.com> <20091204.194555.74656322.sthaug@nethelp.no>
Message-ID: <505b616c0912041113x7e67a64bx1de0587721b60f2@mail.gmail.com>

Thank you Phil and Steinar for clarifying. This is a very interesting approach that I plan to investigate more on my network.

Thanks!!
/bs

On Fri, Dec 4, 2009 at 10:45 AM, wrote:
> > > Or put them in IBGP.
> > >
> > Can you elaborate? Why would one want to put edge VLANs into IBGP?
> Thanks
> > for clarifying.
>
> If the alternative is to have them in your IGP, IBGP is probably a
> better alternative. You *really* want your IGP to be as stable as
> possible. BGP can handle many more prefixes, and also handles prefix
> instability better than your IGP.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>

From pc50000 at gmail.com Fri Dec 4 14:15:29 2009
From: pc50000 at gmail.com (P C)
Date: Fri, 4 Dec 2009 14:15:29 -0500
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <20091204124828.Y85373@shell.xecu.net>
References: <20091204124828.Y85373@shell.xecu.net>
Message-ID: <47b527130912041115h4cca3fdaq5373d19378ce5c3c@mail.gmail.com>

Latest 12.4 mainline if it supports everything you need and runs on your platform -- it's pretty mature at this point. If you need a 12.4 "T" feature, then the latest rebuilds of 12.4(15)T are very stable releases. They are on something like T9 or T10 right now.

On Fri, Dec 4, 2009 at 1:05 PM, Andy Dills wrote:
>
> We just picked up a 7206VXR w/NPE-G2.
>
> It currently has 12.4(15)T1, which looks pretty old.
>
> This won't be used for anything crazy...bgp, ospf, access lists. It's a
> box full of ethernet interfaces that will push packets.
>
> The router it's replacing runs 12.0(31)S, to give you an idea of the goals
> involved: Stability, PPS, stability, stability.
>
> What would people suggest for a nice, stable IOS?
>
> Thanks,
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---

From mhuff at ox.com Fri Dec 4 14:21:12 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 4 Dec 2009 14:21:12 -0500
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <20091204124828.Y85373@shell.xecu.net>
References: <20091204124828.Y85373@shell.xecu.net>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com>

I've been pretty happy with 12.4(24)T2. We are doing bgp, access-list, etc...but not ospf..

12.4(24)T fixed a lot of bugs in bgp and T2 seems stable.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy
> Dills
> Sent: Friday, December 04, 2009 1:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS Version for 7206VXR
>
>
> We just picked up a 7206VXR w/NPE-G2.
>
> It currently has 12.4(15)T1, which looks pretty old.
>
> This won't be used for anything crazy...bgp, ospf, access lists. It's a
> box full of ethernet interfaces that will push packets.
>
> The router it's replacing runs 12.0(31)S, to give you an idea of the goals
> involved: Stability, PPS, stability, stability.
>
> What would people suggest for a nice, stable IOS?
>
> Thanks,
> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---

From rodunn at cisco.com Fri Dec 4 14:58:59 2009
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 04 Dec 2009 14:58:59 -0500
Subject: [c-nsp] Using SNMP to monitor NAT usage...
Message-ID: <4B196A03.8050602@cisco.com>

How many of you are doing or have attempted/wanted to do it?

Rodney

From drew.weaver at thenap.com Fri Dec 4 15:16:53 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 4 Dec 2009 15:16:53 -0500
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
Message-ID:

Hi there,

I've been slowly working through some issues with our new 6500 deployment and I've noticed something a little strange.

I'm noticing input queue drops on a few of the port-channels that go between the Core -> Border. The queue drops do not show up on the physical ports, only on the Port-Channel interface itself, and they do not show up on our Border Internet Routers (GSRs), only on these two core routers (6500s).
I'm noticing that almost constantly there is Protocol 17 (UDP), TTL 1 traffic in the buffer:

Sw#sh buffers input po6 header

Buffer information for Small buffer at 0x44ED8868
  data_area 0x804E4C4, refcount 1, next 0x0, flags 0x200
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x50F110A8 (Port-channel6), if_output 0x0 (None)
  inputtime 1d02h (elapsed 00:07:31.632)
  outputtime 1d02h (elapsed 00:03:48.208), oqnumber 65535
  datagramstart 0x804E53A, datagramsize 90, maximum size 308
  mac_start 0x804E53A, addr_start 0x804E53A, info_start 0x0
  network_start 0x804E548, transport_start 0x804E55C, caller_pc 0x41714A8C

  source: x.x.100.34, destination: x.x.129.209, id: 0x39B6, ttl: 1, TOS: 0 prot: 17, source port 1805, destination port 1808

Buffer information for Small buffer at 0x44EE8110
  data_area 0x805BFC4, refcount 1, next 0x0, flags 0x200
  linktype 7 (IP), enctype 1 (ARPA), encsize 14, rxtype 1
  if_input 0x50F110A8 (Port-channel6), if_output 0x0 (None)
  inputtime 1d02h (elapsed 00:01:29.912)
  outputtime 1d02h (elapsed 00:02:25.964), oqnumber 65535
  datagramstart 0x805C03A, datagramsize 102, maximum size 308
  mac_start 0x805C03A, addr_start 0x805C03A, info_start 0x0
  network_start 0x805C048, transport_start 0x805C05C, caller_pc 0x41714A8C

  source: x.x.16.178, destination: x.x.129.222, id: 0x789C, ttl: 1, TOS: 0 prot: 17, source port 8728, destination port 16438

The sources so far have always been a local host downstream from the core and the destination is always a host on the Internet. Although if this is in the Input buffer, the source and destination could be reversed.

-Drew

From geert.nijs at gmail.com Fri Dec 4 15:18:21 2009
From: geert.nijs at gmail.com (Geert Nijs)
Date: Fri, 4 Dec 2009 21:18:21 +0100
Subject: [c-nsp] bpduguard and trunks?
In-Reply-To: <7861D5B8-44CE-42BA-9634-E7D78060BD13@cisco.com>
References: <4B17CB62.1020203@thingy.com> <7861D5B8-44CE-42BA-9634-E7D78060BD13@cisco.com>
Message-ID:

Lincoln,

Just to be clear:

>> all 'edge' ports should be running with BPDU guard enabled. 'edge ports' (those facing
>> hosts) should NEVER send BPDUs out. BPDU guard is there to detect if they do - and if
>> they do, it's a sign that they have caused a loop in the network.

ports with BPDU guard configured still send out BPDUs, but they will *not* allow incoming BPDUs.
if you also want to stop sending out BPDUs (not recommended), you configure the port additionally with BPDU filter.

regards,
Geert

2009/12/4 Lincoln Dale
> On 04/12/2009, at 1:29 AM, Howard Jones wrote:
>
> > I've just run into an odd problem, and was wondering if anyone else
> > could clarify this for me.
> >
> > [c1]---[Sw1]----------[Sw2]---[c2]
> >
> > c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
> > between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
> > passed along the sw1-sw2 trunk to c2.
> >
> > The port facing c1 has bpduguard enabled. Halfway through adding vlans,
> > Sw2 complains about inconsistent BPDUs, and the root bridge mac address
> > is that of c1. It shuts down the trunk port, which is kind of annoying.
>
> sounds like C1 did something silly.
>
> > Does bpduguard only affect access ports and not trunks? That's the only
> > explanation I can see for what is going on. The manual doesn't exactly
> > say either way: "At the interface level, you enable BPDU guard on any
> > interface by using the spanning-tree bpduguard enable interface
> > configuration command without also enabling the Port Fast feature.". Sw1
> > also has 'no spanning-tree vlan 1-4090' - will that help or hinder,
> here?
>
> disabling spanning-tree? that doesn't sound like a very smart move.
>
> > I think the real answer is to stop using switches to ship stuff between
> > sites like this, but that is a battle for another day.
>
> nothing wrong with using L2.
>
>
> i think the issue here may relate to your knowledge of switching - and what
> spanning-tree is there for, and what it's meant to do.
> it's there to prevent loops.
>
> make use of it.
>
> all 'edge' ports should be running with BPDU guard enabled. 'edge ports'
> (those facing hosts) should NEVER send BPDUs out. BPDU guard is there to
> detect if they do - and if they do, it's a sign that they have caused a loop
> in the network.
>
>
> cheers,
>
> lincoln.
>

From chip.gwyn at gmail.com Fri Dec 4 15:34:53 2009
From: chip.gwyn at gmail.com (chip)
Date: Fri, 4 Dec 2009 15:34:53 -0500
Subject: [c-nsp] Network Configuration and Generation Management
Message-ID: <64a8ad980912041234k199b39d2je6a998966686cc5b@mail.gmail.com>

Hi all,

I'm looking for input on applications to generate configuration and manage network devices for a fairly large base of devices (>2000). Specifically for routers and switches, not so much linux or windows hosts. There seems to be a great number of apps to backup and manage the configs of devices, help you track changes and what-not. I'm looking more for something to help generate configuration based on templates, tags, or some such and then push changes out to devices. Whether the change will be to 1 router for a customer config or to 50 routers for ACL updates.

What do you folks use? Homegrown apps, commercial products, lots of individual tools? Big or small, I'd like to hear about it.

Thanks!

--chip

--
Just my $.02, your mileage may vary, batteries not included, etc....
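Phil Mayers' "bare-minimum OSPF, edge VLANs in iBGP" model earlier in this digest and chip's request for template- and tag-driven config generation reduce to the same mechanism: a tagged interface inventory rendered into per-device config. The Python below is an added example written for this page, not code from any poster, Cisco or ZipTie; it renders that model as IOS routing config and audits an existing config for edge prefixes that leaked into OSPF. Device names, addresses and the AS number are constructed for illustration.

```python
"""Render and audit per-device IOS routing config from a tagged inventory.

Policy implemented (the OSPF/iBGP advice given in this digest):
  * OSPF carries only loopbacks and router-to-router (p2p) links
  * edge VLAN prefixes are originated into iBGP instead

Added example for this page, not code from any poster or product.
Device names, addresses and the AS number are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Interface:
    name: str    # IOS interface name, e.g. "Loopback0"
    prefix: str  # address with prefix length, e.g. "10.0.0.1/32"
    role: str    # tag: "loopback", "p2p" or "edge"


def _network(prefix: str) -> ipaddress.IPv4Network:
    """Subnet that an interface address belongs to."""
    return ipaddress.IPv4Interface(prefix).network


def render_ospf(process_id: int, router_id: str,
                interfaces: Iterable[Interface], area: int = 0) -> List[str]:
    """Minimal OSPF: only what is needed to resolve BGP next-hops.

    Every interface is passive by default, so an edge VLAN cannot form an
    adjacency even if a later change adds a network statement for it.
    """
    ifs = list(interfaces)
    lines = [f"router ospf {process_id}",
             f" router-id {router_id}",
             " passive-interface default"]
    lines += [f" no passive-interface {i.name}" for i in ifs if i.role == "p2p"]
    for i in ifs:
        if i.role in ("loopback", "p2p"):
            net = _network(i.prefix)
            # IOS network statements take an inverse (wildcard) mask
            lines.append(f" network {net.network_address} {net.hostmask} area {area}")
    return lines


def render_bgp(asn: int, router_id: str, peers: Iterable[str],
               interfaces: Iterable[Interface]) -> List[str]:
    """iBGP to the other loopbacks; edge VLANs originated with network/mask."""
    lines = [f"router bgp {asn}",
             f" bgp router-id {router_id}",
             " bgp log-neighbor-changes"]
    for peer in peers:
        lines += [f" neighbor {peer} remote-as {asn}",
                  f" neighbor {peer} update-source Loopback0",
                  f" neighbor {peer} next-hop-self"]
    for i in interfaces:
        if i.role == "edge":
            net = _network(i.prefix)
            lines.append(f" network {net.network_address} mask {net.netmask}")
    return lines


def render_device(interfaces: List[Interface], asn: int = 65000,
                  peers: Iterable[str] = ("10.0.0.2",)) -> List[str]:
    """Full routing stanza for one device; the loopback address is the router-id."""
    rid = str(_network(next(i.prefix for i in interfaces
                            if i.role == "loopback")).network_address)
    return (render_ospf(1, rid, interfaces) + ["!"]
            + render_bgp(asn, rid, peers, interfaces) + ["!"])


def leaked_edge_networks(config_lines: Iterable[str],
                         interfaces: Iterable[Interface]) -> List[str]:
    """Audit: OSPF network statements that cover an edge VLAN prefix.

    Each hit is an LSA the IGP should not be carrying under this model.
    """
    edge_nets = [_network(i.prefix) for i in interfaces if i.role == "edge"]
    leaked = []
    for raw in config_lines:
        parts = raw.split()
        if len(parts) >= 5 and parts[0] == "network" and parts[3] == "area":
            # "network A WILDCARD area N": the wildcard's bits give the prefix length
            host_bits = int(ipaddress.IPv4Address(parts[2])).bit_length()
            stmt = ipaddress.IPv4Network(f"{parts[1]}/{32 - host_bits}", strict=False)
            if any(e.subnet_of(stmt) or stmt.subnet_of(e) for e in edge_nets):
                leaked.append(raw.strip())
    return leaked


# Constructed inventory for one core router; the role tags drive the template.
CORE1 = [
    Interface("Loopback0", "10.0.0.1/32", "loopback"),
    Interface("GigabitEthernet0/1", "10.0.12.1/30", "p2p"),
    Interface("Vlan100", "192.168.100.1/24", "edge"),
    Interface("Vlan200", "192.168.200.1/24", "edge"),
]

if __name__ == "__main__":
    print("\n".join(render_device(CORE1)))
    # A hand-edited config that wrongly put an edge VLAN into OSPF:
    old = [" network 10.0.0.1 0.0.0.0 area 0",
           " network 192.168.100.0 0.0.0.255 area 0"]
    print(leaked_edge_networks(old, CORE1))
```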
From asturluismi at gmail.com Fri Dec 4 15:41:39 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 04 Dec 2009 21:41:39 +0100
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com>
References: <20091204124828.Y85373@shell.xecu.net> <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com>
Message-ID: <1259959299.22042.1.camel@hal9000>

12.2SRC5 here, so far so good

On Fri, 04-12-2009 at 14:21 -0500, Matthew Huff wrote:
> I've been pretty happy with 12.4(24)T2. We are doing bgp, access-list, etc...but not ospf..
>
> 12.4(24)T fixed a lot of bugs in bgp and T2 seems stable.
>
>
>
>
> ----
> Matthew Huff       | One Manhattanville Rd
> OTA Management LLC | Purchase, NY 10577
> http://www.ox.com  | Phone: 914-460-4039
> aim: matthewbhuff  | Fax:   914-460-4139
>
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy
> > Dills
> > Sent: Friday, December 04, 2009 1:06 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] IOS Version for 7206VXR
> >
> >
> > We just picked up a 7206VXR w/NPE-G2.
> >
> > It currently has 12.4(15)T1, which looks pretty old.
> >
> > This won't be used for anything crazy...bgp, ospf, access lists. It's a
> > box full of ethernet interfaces that will push packets.
> >
> > The router it's replacing runs 12.0(31)S, to give you an idea of the goals
> > involved: Stability, PPS, stability, stability.
> >
> > What would people suggest for a nice, stable IOS?
> >
> > Thanks,
> > Andy
> >
> > ---
> > Andy Dills
> > Xecunet, Inc.
> > www.xecu.net
> > 301-682-9972
> > ---

From asturluismi at gmail.com Fri Dec 4 15:43:13 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 04 Dec 2009 21:43:13 +0100
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <4B196A03.8050602@cisco.com>
References: <4B196A03.8050602@cisco.com>
Message-ID: <1259959393.22042.3.camel@hal9000>

It could be very interesting to have historic RRD files with the behaviour of the NAT and try to cross info with issues or customer problems.

Do you know if it is possible to count over snmp the "nat exhausted" problems?

On Fri, 04-12-2009 at 14:58 -0500, Rodney Dunn wrote:
> How many of you are doing or have attempted/wanted to do it?
>
> Rodney

From asturluismi at gmail.com Fri Dec 4 15:44:23 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 04 Dec 2009 21:44:23 +0100
Subject: [c-nsp] Network Configuration and Generation Management
In-Reply-To: <64a8ad980912041234k199b39d2je6a998966686cc5b@mail.gmail.com>
References: <64a8ad980912041234k199b39d2je6a998966686cc5b@mail.gmail.com>
Message-ID: <1259959463.22042.4.camel@hal9000>

www.ziptie.org could help you

On Fri, 04-12-2009 at 15:34 -0500, chip wrote:
> Hi all,
>
> I'm looking for input on applications to generate configuration and manage
> network devices for a fairly large base of devices (>2000).
> Specifically for routers and switches, not so much linux or windows hosts. There seems to be a great number of apps to backup and manage the configs of devices, help you track changes and what-not. I'm looking more for something to help generate configuration based on templates, tags, or some such and then push changes out to devices. Whether the change will be to 1 router for a customer config or to 50 routers for ACL updates.
>
> What do you folks use? Homegrown apps, commercial products, lots of individual tools? Big or small, I'd like to hear about it.
>
> Thanks!
>
> --chip

From cconn at b2b2c.ca Fri Dec 4 16:34:13 2009
From: cconn at b2b2c.ca (Chris Conn)
Date: Fri, 04 Dec 2009 16:34:13 -0500
Subject: [c-nsp] Cisco 871/881 "peer default ip address" command broken?
Message-ID: <4B198055.5090604@b2b2c.ca>

Hello,

We have upgraded a number of devices to the latest IOS "c870-advsecurityk9-mz.124-24.T2.bin", and for some reason, the command "peer default ip address" seems broken.

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 peer default ip address 10.10.10.10
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username user password 0 password
 ppp ipcp route default
end

For reasons too long to explain here, we require in this type of config that the 871/881 device force the use of a particular IP address even if the PPP server reports a different one. This has worked up to and including 124-15.T2.bin. 124-24.T2.bin no longer allows for this; the connection is made but the IP address of the PPP server is missing in the interface. The PPP link is established, however no data can be sent or received. The default route is also not installed.
With 124-15.T2.bin:

Interface    User    Mode     Idle      Peer Address
Vi1                  PPPoE    00:18:42  11.11.11.11

router>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 11.11.11.11 to network 0.0.0.0

     66.0.0.0/29 is subnetted, 1 subnets
C       66.1.1.88 is directly connected, FastEthernet4
     11.0.0.0/32 is subnetted, x subnets
C       11.11.11.11 is directly connected, Dialer1
C       11.1.1.88 is directly connected, Dialer1
S*   0.0.0.0/0 [1/0] via 11.11.11.11

With 124-24.T2.bin:

    Line       User       Host(s)              Idle       Location
*   0 con 0               idle                 00:00:00

Interface    User    Mode     Idle      Peer Address
Vi1                  PPPoE    00:00:39

telefax-test#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     11.0.0.0/32 is subnetted, 3 subnets
C       11.1.1.88 is directly connected, Dialer1

If I remove the peer default IP address, I connect, however the real IP of the PPP server is accepted as the next hop and this is undesirable in this config.

I am hoping somebody can tell me this is an oversight and not a permanent "feature"?
Sincerely,

Chris Conn

From dale.shaw+cisco-nsp at gmail.com Fri Dec 4 16:58:53 2009
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 5 Dec 2009 08:58:53 +1100
Subject: [c-nsp] Bandwidth Statement - Tunnel Interface
In-Reply-To: <4B17DF67.3010108@gmail.com>
References: <4B16E8AD.6060403@gmail.com> <4B16F072.4040405@west.net> <4B17DF67.3010108@gmail.com>
Message-ID: <3329cbb40912041358s6044e614lc0626e7214c87d6d@mail.gmail.com>

Hi,

On Fri, Dec 4, 2009 at 2:55 AM, sky vader wrote:
> So what does tunnel "bandwidth transmit / receive" statement under
> tunnel interface do? For example:

I guess it could be useful if the underlying physical transmission was asymmetric in nature, e.g. ADSL. Ultimately, though, the "bandwidth transmit/receive" statements achieve the same things as just "bandwidth". Jay covered this well.

cheers,
Dale

From peter.hicks at poggs.co.uk Fri Dec 4 20:21:32 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sat, 05 Dec 2009 01:21:32 +0000
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <4B196A03.8050602@cisco.com>
References: <4B196A03.8050602@cisco.com>
Message-ID: <4B19B59C.8070007@poggs.co.uk>

Rodney Dunn wrote:
> How many of you are doing or have attempted/wanted to do it?

Done it in $JOB-1. Very useful as one indicator of Windows machines infected by malware.

Peter

From peter at rathlev.dk Fri Dec 4 20:06:35 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 05 Dec 2009 02:06:35 +0100
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <4B196A03.8050602@cisco.com>
References: <4B196A03.8050602@cisco.com>
Message-ID: <1259975195.2551.1.camel@localhost>

On Fri, 2009-12-04 at 14:58 -0500, Rodney Dunn wrote:
> How many of you are doing or have attempted/wanted to do it?

On firewalls (FWSM/ASA) we would very much like to monitor "xlates" which we can't right now AFAIK. :-)

-- 
Peter

From dwhitejr at cisco.com Fri Dec 4 21:46:56 2009
From: dwhitejr at cisco.com (David White, Jr.
(dwhitejr))
Date: Fri, 04 Dec 2009 21:46:56 -0500
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <1259975195.2551.1.camel@localhost>
References: <4B196A03.8050602@cisco.com> <1259975195.2551.1.camel@localhost>
Message-ID: <4B19C9A0.2030302@cisco.com>

FWSM version 3.2 added support to monitor the NAT/PAT xlates:

NAT Xlates --> 1.3.6.1.2.1.123.1.6 (natAddrBindTable)
PAT Xlates --> 1.3.6.1.2.1.123.1.8 (natAddrPortBindTable)

Also see:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/monitr_f.html#wp1104519

Sincerely,

David.

Peter Rathlev wrote:
> On Fri, 2009-12-04 at 14:58 -0500, Rodney Dunn wrote:
>
>> How many of you are doing or have attempted/wanted to do it?
>
> On firewalls (FWSM/ASA) we would very much like to monitor "xlates"
> which we can't right now AFAIK. :-)

From cayers at ena.com Fri Dec 4 21:44:35 2009
From: cayers at ena.com (Cory Ayers)
Date: Fri, 4 Dec 2009 20:44:35 -0600
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <4B196A03.8050602@cisco.com>
References: <4B196A03.8050602@cisco.com>
Message-ID:

> How many of you are doing or have attempted/wanted to do it?
>
> Rodney

It would be more efficient than the PERL script we are currently using to import the data into RRDs, but we wouldn't upgrade IOS strictly for the feature since we have a working model.

From ltd at cisco.com Sat Dec 5 05:12:37 2009
From: ltd at cisco.com (Lincoln Dale)
Date: Sat, 5 Dec 2009 21:12:37 +1100
Subject: [c-nsp] bpduguard and trunks?
In-Reply-To:
References: <4B17CB62.1020203@thingy.com> <7861D5B8-44CE-42BA-9634-E7D78060BD13@cisco.com>
Message-ID: <353B6C2F-CCB4-48F5-AE5E-809EBC1CE3B4@cisco.com>

On 05/12/2009, at 7:18 AM, Geert Nijs wrote:
> Lincoln,
>
> Just to be clear:
>
> >>all 'edge' ports should be running with BPDU guard enabled. 'edge ports' (those facing
> >>hosts) should NEVER send BPDUs out.
> >>BPDU guard is there to detect if they do - and if
> >>they do, it's a sign that they have caused a loop in the network.
>
> ports with BPDU guard configured still send out BPDUs, but they will not allow incoming BPDUs
> if you also want to stop sending out BPDUs (not recommended), you configure the port additionally with BPDU filter

i'm well aware of what BPDU Guard is and how it works.

> On 04/12/2009, at 1:29 AM, Howard Jones wrote:
>
> [c1]---[Sw1]----------[Sw2]---[c2]

in this problem case, "sw2" complains that an inconsistent BPDU is received seemingly originating from "c1". i'd say that points to a likely case of c1 causing a loop.

BPDU Guard would normally pick this up, however probably isn't, since "sw1" also has 'no spanning-tree 1-4090', so would not be issuing BPDUs on its own. "edge" ports (portfast w/ BPDU Guard enabled) will periodically transmit BPDUs out those edge ports too - so if there is a loop and they come back, it has the trigger to detect them with.

that "c1" is seemingly doing something is not good. but disabling STP on "sw1" is perhaps the real issue here. STP is there to build a loop free topology. disabling STP and you no longer have any guarantee of switch-to-switch there aren't any loops.

cheers,

lincoln.

From peter at rathlev.dk Sat Dec 5 07:07:06 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 05 Dec 2009 13:07:06 +0100
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <4B19C9A0.2030302@cisco.com>
References: <4B196A03.8050602@cisco.com> <1259975195.2551.1.camel@localhost> <4B19C9A0.2030302@cisco.com>
Message-ID: <1260014826.6838.8.camel@localhost>

On Fri, 2009-12-04 at 21:46 -0500, David White, Jr. (dwhitejr) wrote:
> Peter Rathlev wrote:
> > On firewalls (FWSM/ASA) we would very much like to monitor "xlates"
> > which we can't right now AFAIK.
> > :-)
>
> FWSM version 3.2 added support to monitor the NAT/PAT xlates:
>
> NAT Xlates --> 1.3.6.1.2.1.123.1.6 (natAddrBindTable)
> PAT Xlates --> 1.3.6.1.2.1.123.1.8 (natAddrPortBindTable)
>
> Also see:
> http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/monitr_f.html#wp1104519

Excellent, one more reason to upgrade along with the "xlate-bypass" feature. We're on 3.1 now, so we'll have to wait.

-- 
Peter

From sony.scaria at gmail.com Sat Dec 5 07:36:32 2009
From: sony.scaria at gmail.com (Sony Scaria)
Date: Sat, 5 Dec 2009 18:06:32 +0530
Subject: [c-nsp] Rmon checksum failed on WS-C4006
Message-ID: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com>

Hi All,

I've observed "Rmon checksum failed" when I run sh ver on one of my catos switches. The system is stable for a long time and I did not observe any related logs. I had done some research, but couldn't gather any info on "Rmon checksum".

cat4013 > (enable) sh ver
WS-C4006 Software, Version NmpSW: 8.4(5)GLX
Copyright (c) 1995-2005 by Cisco Systems, Inc.
NMP S/W compiled on Jan 12 2005, 12:30:16
GSP S/W compiled on Jan 12 2005, 11:47:47

System Bootstrap Version: 5.4(1)

Hardware Version: 3.2  Model: WS-C4006  Serial #: FOXXXXXXX

Mod Port Model              Serial #             Versions
--- ---- ------------------ -------------------- ---------------------------------
1   2    WS-X4013           JABXXXXXXXX          Hw : 3.2
                                                 Gsp: 8.4(5.0)
                                                 Nmp: 8.4(5)GLX
2   48   WS-X4148-RJ        JABXXXXXXX           Hw : 3.0
3   48   WS-X4148-RJ        JABXXXXXXX           Hw : 3.0
4   48   WS-X4148-RJ        JABXXXXXXX           Hw : 3.0
5   48   WS-X4148-RJ        JABXXXXXXX           Hw : 3.0
6   48   WS-X4148-RJ        JAEXXXXXXX           Hw : 2.3

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65536K  40542K  24994K  16384K  5760K   10624K  480K  402K  78K

Rmon checksum failed.
Uptime is 323 days, 10 hours, 34 minutes

-----------------------------------------------------------------------------------------------------------

cat4013> (enable) sh test
Diagnostic mode (mode at next reset:) complete

Environmental Status (. = Pass, F = Fail, U = Unknown, N = Not Present)
  PS1: .   PS2: .   PS3: .   PS1 Fan: .   PS2 Fan: .   PS3 Fan: .
  PEM: N   Fan Tray: .   Temperature: .
  Chassis Temperature: 43 degC (110 degF)
  Over Temperature Threshold: 75 degC (167 degF)
  Critical Temperature Threshold: 95 degC (203 degF)

Module 1 : 2-port 1000BaseX Supervisor
POST Results
Network Management Processor (NMP) Status: (. = Pass, F = Fail, U = Unknown)
  Galaxy Supervisor Status : .
  CPU Components Status
    Processor : .
    DRAM : .
    RTC : .
    EEPROM : .
    FLASH : .
    NVRAM : .
    Temperature Sensor : .
  Uplink Port 1 : .
  Uplink Port 2 : .
  Me1 Status : .
  EOBC Status : .
  SCX1000 - 0 Register : .
    Switch Sram : .
    Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .
  SCX1000 - 1 Register : .
    Switch Sram : .
    Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .
  SCX1000 - 2 Register : .
    Switch Sram : .
    Switch Gigaports 0: . 1: . 2: . 3: . 4: . 5: . 6: . 7: . 8: . 9: . 10: . 11: .

GBIC Status: (. = Pass, F = Fail, N = No Gbic, X = Non-Gbic Port)
  Ports 1 2
  ------ . .

cat4013> (enable)

Sony.

From Charles.Church at harris.com Sat Dec 5 10:38:07 2009
From: Charles.Church at harris.com (Church, Charles)
Date: Sat, 5 Dec 2009 10:38:07 -0500
Subject: [c-nsp] [Suspected Spam] Rmon checksum failed on WS-C4006
In-Reply-To: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com>
References: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com>
Message-ID: <290EF89F13F04F4E924BB235A46D18F1043B725C50@MLBMXUS2.cs.myharris.net>

I seem to remember CatOS 7.x and above needing a ROMMON version of 6.x or above. I don't think your 5.4(1) will do it. It's a downloadable upgrade.
Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sony Scaria
Sent: Saturday, December 05, 2009 7:37 AM
To: cisco-nsp at puck.nether.net
Subject: [Suspected Spam][c-nsp] Rmon checksum failed on WS-C4006

Hi All,

I've observed "Rmon checksum failed" when I run sh ver on one of my catos switches. The system is stable for a long time and I did not observe any related logs. I had done some research, but couldn't gather any info on "Rmon checksum".

From lists at quux.de Sat Dec 5 12:02:53 2009
From: lists at quux.de (Jens Link)
Date: Sat, 05 Dec 2009 18:02:53 +0100
Subject: [c-nsp] Network Configuration and Generation Management
In-Reply-To: <64a8ad980912041234k199b39d2je6a998966686cc5b@mail.gmail.com> (chip's message of "Fri, 4 Dec 2009 15:34:53 -0500")
References: <64a8ad980912041234k199b39d2je6a998966686cc5b@mail.gmail.com>
Message-ID: <87638lz742.fsf@laphroiag.quux.de>

chip writes:

> I'm looking more for something to help generate configuration based on
> templates, tags, or some such and then push changes out to devices.
> Whether the change will be to 1 router for a customer config or to 50
> routers for ACL updates.

You might want to take a look at . I haven't worked with it but it is high on my list of things to test.
cheers,

Jens

-- 
-------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany | +49-151-18721264         |
| http://www.quux.de  | http://blog.quux.de   | jabber: jenslink at guug.de |
-------------------------------------------------------------------------

From mtinka at globaltransit.net Sat Dec 5 13:19:44 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 6 Dec 2009 02:19:44 +0800
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <1259959299.22042.1.camel@hal9000>
References: <20091204124828.Y85373@shell.xecu.net> <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com> <1259959299.22042.1.camel@hal9000>
Message-ID: <200912060220.03619.mtinka@globaltransit.net>

On Saturday 05 December 2009 04:41:39 am luismi wrote:

> 12.2SRC5 here, so far so good

+1 - SRC5 is very stable, even for BFD :-), and fully-featured, too.

Cheers,

Mark.

From clinton at scripty.com Sat Dec 5 13:44:46 2009
From: clinton at scripty.com (Clinton Work)
Date: Sat, 05 Dec 2009 11:44:46 -0700
Subject: [c-nsp] Rmon checksum failed on WS-C4006
In-Reply-To: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com>
References: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com>
Message-ID: <4B1AAA1E.3020505@scripty.com>

I have seen this problem many times on Catalyst 5000 and 6500 boxes. The cause is NVRAM corruption which can often be resolved by rebooting the Supervisor in order to clear the issue. During reboot some of the NVRAM configuration can be lost so make sure you have a proper backup to compare with. The other cause could be a faulty NVRAM chip on the Supervisor so having a spare handy during the reboot would be a good idea as well.

Clinton.
Sony Scaria wrote:
> Hi All,
>
> I've observed "Rmon checksum failed" when I run sh ver on one of my catos
> switches. The system is stable for a long time and I did not observe any
> related logs. I had done some research, but couldn't gather any info on
> "Rmon checksum".

-- 
==================================================================
Clinton Work
Airdrie, AB

From frnkblk at iname.com Sat Dec 5 13:35:59 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 5 Dec 2009 12:35:59 -0600
Subject: [c-nsp] Using SNMP to monitor NAT usage...
In-Reply-To: <1259975195.2551.1.camel@localhost>
References: <4B196A03.8050602@cisco.com> <1259975195.2551.1.camel@localhost>
Message-ID:

Same here. I would need to screen scrape to do that in Cacti....

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Friday, December 04, 2009 7:07 PM
To: rodunn at cisco.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Using SNMP to monitor NAT usage...

On Fri, 2009-12-04 at 14:58 -0500, Rodney Dunn wrote:
> How many of you are doing or have attempted/wanted to do it?

On firewalls (FWSM/ASA) we would very much like to monitor "xlates" which we can't right now AFAIK.
:-)

-- 
Peter

From eng_mssk at hotmail.com Sun Dec 6 08:34:04 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 6 Dec 2009 15:34:04 +0200
Subject: [c-nsp] Cisco L2 QoS
Message-ID:

hi all

i have cisco metroethernet switches 3750
i have some customers connected to some ports (the ports are access ports, layer2 ports)
i am trying to apply rate limit on the bandwidth each customer consumes
rate limit command applies for layer 3 interfaces which does not match my case
what should i do to achieve this ??
even though applying rate limit on the logical interface (interface vlan) does not work as well as the MQC model does not apply

From avayner at cisco.com Sun Dec 6 09:51:02 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 6 Dec 2009 15:51:02 +0100
Subject: [c-nsp] Cisco L2 QoS
In-Reply-To:
References:
Message-ID:

Mohammad,

Not sure why MQC does not apply...
Please take a look:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swqos.html#wp1408392
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swqos.html#wp1426834
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swqos.html#wp1044737
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swqos.html#wp1767120
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swqos.html#wp1048656

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Sunday, December 06, 2009 15:34
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco L2 QoS

hi all

i have cisco metroethernet switches 3750

From rjs at eng.gxn.net Sun Dec 6 09:03:38 2009
From: rjs at eng.gxn.net (Rob Shakir)
Date: Sun, 6 Dec 2009 14:03:38 +0000
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <200912060220.03619.mtinka@globaltransit.net>
References: <20091204124828.Y85373@shell.xecu.net> <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com> <1259959299.22042.1.camel@hal9000> <200912060220.03619.mtinka@globaltransit.net>
Message-ID:

On 5 Dec 2009, at 18:19, Mark Tinka wrote:

> On Saturday 05 December 2009 04:41:39 am luismi wrote:
>
>> 12.2SRC5 here, so far so good
>
> +1 - SRC5 is very stable, even for BFD :-), and fully-
> featured, too.

Since 12.2(33)SRC5 will be the last release in the SRC branch according to TAC, for new deployments, I would recommend investigating 12.2(33)SRD3 - our current testing is pretty positive.

Kind regards,
Rob

-- 
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html

From paul at paulstewart.org Sun Dec 6 10:07:22 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 6 Dec 2009 10:07:22 -0500
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To:
References: <20091204124828.Y85373@shell.xecu.net> <483E6B0272B0284BA86D7596C40D29F9D775E7EE49@PUR-EXCH07.ox.com> <1259959299.22042.1.camel@hal9000> <200912060220.03619.mtinka@globaltransit.net>
Message-ID: <002a01ca7685$d08f2350$71ad69f0$@org>

Good point.. we've been running 12.2(33)SRD1 on several 7206VXR's both G1 and G2 since March and been pretty solid ... YMMV...
Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rob Shakir
Sent: December-06-09 9:04 AM
To: mtinka at globaltransit.net; Andy Dills
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS Version for 7206VXR

Since 12.2(33)SRC5 will be the last release in the SRC branch according to TAC, for new deployments, I would recommend investigating 12.2(33)SRD3 - our current testing is pretty positive.

Kind regards,
Rob

From mtinka at globaltransit.net Sun Dec 6 10:45:02 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 6 Dec 2009 23:45:02 +0800
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To:
References: <20091204124828.Y85373@shell.xecu.net> <200912060220.03619.mtinka@globaltransit.net>
Message-ID: <200912062345.06717.mtinka@globaltransit.net>

On Sunday 06 December 2009 10:03:38 pm Rob Shakir wrote:

> Since 12.2(33)SRC5 will be the last release in the SRC
> branch according to TAC, for new deployments, I would
> recommend investigating 12.2(33)SRD3 - our current
> testing is pretty positive.

Well, eventually, we'll all have to move to SRE to enable 4-byte ASN support on this platform using the SR* branch :-).

Cheers,

Mark.

From mtinka at globaltransit.net Sun Dec 6 10:47:14 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 6 Dec 2009 23:47:14 +0800
Subject: [c-nsp] IOS Version for 7206VXR
In-Reply-To: <002a01ca7685$d08f2350$71ad69f0$@org>
References: <20091204124828.Y85373@shell.xecu.net> <002a01ca7685$d08f2350$71ad69f0$@org>
Message-ID: <200912062347.15721.mtinka@globaltransit.net>

On Sunday 06 December 2009 11:07:22 pm Paul Stewart wrote:

> Good point.. we've been running 12.2(33)SRD1 on several
> 7206VXR's both G1 and G2 since March and been pretty
> solid ... YMMV...

At this time, we like SRD3 because it supports route reflection of VPLS BGP NLRI.

Cheers,

Mark.

From sony.scaria at gmail.com Sun Dec 6 10:54:40 2009
From: sony.scaria at gmail.com (Sony Scaria)
Date: Sun, 6 Dec 2009 21:24:40 +0530
Subject: [c-nsp] Rmon checksum failed on WS-C4006
In-Reply-To: <4B1AAA1E.3020505@scripty.com>
References: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com> <4B1AAA1E.3020505@scripty.com>
Message-ID: <4b1bd3c5.9613f30a.2526.ffffcb1a@mx.google.com>

Thanks Clinton. My Cisco TAC rep also recommends the same.

Sony.

-----Original Message-----
From: Clinton Work [mailto:clinton at scripty.com]
Sent: 06 December 2009 00:15
To: Sony Scaria
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Rmon checksum failed on WS-C4006

I have seen this problem many times on Catalyst 5000 and 6500 boxes. The cause is NVRAM corruption which can often be resolved by rebooting the Supervisor in order to clear the issue.

From ssrigha at gmail.com Sun Dec 6 11:04:50 2009
From: ssrigha at gmail.com (shake righa)
Date: Sun, 6 Dec 2009 19:04:50 +0300
Subject: [c-nsp] Route Target Rewrite
In-Reply-To:
References: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com>
Message-ID: <73439e5a0912060804h61e378d4g19a6c9b0a6fff1f5@mail.gmail.com>

Am using cisco routers and doing it under VPNv4 address family.

Regards,
Shake Righa

On Fri, Dec 4, 2009 at 7:14 PM, Antonio Soares wrote:

> Are you doing it under VPNv4 Address Family ? What hw/sw combination do you
> have ?
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of shake righa
> Sent: Friday, 4 December 2009 12:17
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Route Target Rewrite
>
> Hi,
>
> Am getting the following error when setting up route target rewrite.
> > > "used as BGP inbound route-map, set extcommunity rt not supported" > > Regards, > Shake Righa > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From avayner at cisco.com Sun Dec 6 12:40:05 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 6 Dec 2009 18:40:05 +0100 Subject: [c-nsp] Cisco 871/881 "peer default ip address" command broken? In-Reply-To: <4B198055.5090604@b2b2c.ca> References: <4B198055.5090604@b2b2c.ca> Message-ID: Chris, Can you share the "debug ppp nego"? Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Conn Sent: Friday, December 04, 2009 23:34 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco 871/881 "peer default ip address" command broken? Hello, We have upgraded a number of devices to the lastest IOS "c870-advsecurityk9-mz.124-24.T2.bin", and for some reason, the command "peer default ip address" seems broken. interface Dialer1 ip address negotiated ip mtu 1492 ip nat outside no ip virtual-reassembly encapsulation ppp load-interval 30 dialer pool 1 dialer idle-timeout 0 dialer persistent dialer-group 1 peer default ip address 10.10.10.10 no cdp enable ppp authentication pap callin ppp pap sent-username user password 0 password ppp ipcp route default end For reasons too long to explain here, we require in this type of config that the 871/881 device force the use of a particular IP address even if the PPP server reports a different one. This has worked up to and including 124-15.T2.bin. 124-24.T2.bin no longer allows for this, the connection is made but the IP address of the PPP server is missing in the interface. The PPP link is established however no data can be sent or received. The default route is also not installed. 
With 124-15.T2.bin:

Interface    User    Mode    Idle      Peer Address
Vi1                  PPPoE   00:18:42  11.11.11.11

router>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 11.11.11.11 to network 0.0.0.0

     66.0.0.0/29 is subnetted, 1 subnets
C       66.1.1.88 is directly connected, FastEthernet4
     11.0.0.0/32 is subnetted, x subnets
C       11.11.11.11 is directly connected, Dialer1
C       11.1.1.88 is directly connected, Dialer1
S*   0.0.0.0/0 [1/0] via 11.11.11.11

With 124-24.T2.bin

Line       User    Host(s)   Idle      Location
* 0 con 0          idle      00:00:00

Interface    User    Mode    Idle      Peer Address
Vi1                  PPPoE   00:00:39

telefax-test#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     11.0.0.0/32 is subnetted, 3 subnets
C       11.1.1.88 is directly connected, Dialer1

If I remove the peer default IP address, I connect, however the real IP of the PPP server is accepted as the next hop and this is undesirable in this config. I am hoping somebody can tell me this is an oversight and not a permanent "feature"?
Sincerely, Chris Conn _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From pshem.k at gmail.com Sun Dec 6 14:16:39 2009 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Mon, 7 Dec 2009 08:16:39 +1300 Subject: [c-nsp] Route Target Rewrite In-Reply-To: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com> References: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com> Message-ID: <20fe625b0912061116t3f3608d0p606b59d708dea898@mail.gmail.com> Hi, What are you trying to achieve with the rewrite? I presume that you want to modify the RTs, so you can import them with a single statement later (in vrfs)? If so - what are the drawbacks of importing the RTs directly? kind regards pshem 2009/12/5 shake righa : > Hi, > > Am getting the following error when setting up route target rewrite. > > > "used as BGP inbound route-map, set extcommunity rt not supported" > > Regards, > Shake Righa > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jeffeloy at yahoo.com Sun Dec 6 17:37:27 2009 From: jeffeloy at yahoo.com (Jeff) Date: Sun, 6 Dec 2009 14:37:27 -0800 (PST) Subject: [c-nsp] Mixing Cat4500 Power Supplies Message-ID: <268020.2710.qm@web111103.mail.gq1.yahoo.com> In order to get PoE for a future VoIP rollout, we are replacing our Cat4506 with a Cat4506-E with PoE blades and a 2800W PoE power supply. Unfortunately, I only purchased one 2800W PoE power supply for the new switch. The old switch has two 1000W (non-PoE) power supplies. Can I take one of the old 1000W power supplies and put it in the redundant power supply slot of the new Cat4506-E?
Obviously, this secondary power supply would not do PoE if the primary failed, but would it otherwise work? I plan on getting another 2800W power supply in the spring anyway, just wondering if I can mix the new 2800W PoE power supply with the older 1000W non-PoE power supply for the time being. Thanks! From peter.hicks at poggs.co.uk Sun Dec 6 19:14:12 2009 From: peter.hicks at poggs.co.uk (Peter Hicks) Date: Mon, 07 Dec 2009 00:14:12 +0000 Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops In-Reply-To: References: Message-ID: <4B1C48D4.9080905@poggs.co.uk> Drew Weaver wrote: > I'm noticing that almost constantly there is Protocol 17 (UDP), TTL 1 traffic in the buffer: ... > The sources so far have always been a local host downstream from the core and the destination is always a host on the Internet. Has somebody left an mtr running set to use UDP rather than ICMP? Poggs From frnkblk at iname.com Sun Dec 6 22:58:27 2009 From: frnkblk at iname.com (Frank Bulk) Date: Sun, 6 Dec 2009 21:58:27 -0600 Subject: [c-nsp] Cisco L2 QoS In-Reply-To: References: Message-ID: Don't forget that there's two enhanced ports on that unit....they have more QoS capabilities. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Sunday, December 06, 2009 7:34 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco L2 QoS hi all i have cisco metroethernet switches 3750 i have some customers connected to some ports (the ports are access ports , layer2 ports) i am trying to apply rate limit on the bandwidth each customers consume rate limit command applies for layer 3 interfaces which does not match my case what should i do to achieve this ?? 
even though applying rate limit on the logical interface (interface vlan) does not work as well as the MQC model does not apply _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rudal at online.rudal.com Mon Dec 7 01:18:38 2009 From: rudal at online.rudal.com (Rudy Setiawan) Date: Mon, 7 Dec 2009 13:18:38 +0700 Subject: [c-nsp] Cisco SNMP: Get interface VLAN based on IP address Message-ID: <79b6f8780912062218u796db680t5452775a09e4f525@mail.gmail.com> Hello all, Is there a way that we can get the interface vlan information based on IP address that is attached to that interface vlan via snmp?

Interface Vlan100
 ip address 192.168.10.1 255.255.255.0
!

So if I search for 192.168.10.1, I can get the interface vlan? Thank you Regards, Rudy From kamlesh1181 at gmail.com Mon Dec 7 02:33:47 2009 From: kamlesh1181 at gmail.com (Kamlesh Sharma) Date: Mon, 7 Dec 2009 13:03:47 +0530 Subject: [c-nsp] tech-support not working for IPv6 ospf v3 In-Reply-To: References: Message-ID: show tech-support ospf does not work for IPV6 ospf v3.
Cisco may need to revisit the tech-support command to support OSPFv3 and IPv6. At the end it says: %OSPF is not running, even though I am running OSPFv3 and IPv6. Thanks From ssrigha at gmail.com Mon Dec 7 03:08:56 2009 From: ssrigha at gmail.com (shake righa) Date: Mon, 7 Dec 2009 11:08:56 +0300 Subject: [c-nsp] Route Target Rewrite In-Reply-To: <20fe625b0912061116t3f3608d0p606b59d708dea898@mail.gmail.com> References: <73439e5a0912040417u43a5321ds1308b4a9320878fd@mail.gmail.com> <20fe625b0912061116t3f3608d0p606b59d708dea898@mail.gmail.com> Message-ID: <73439e5a0912070008s62441e24mdabadd32e2625d4@mail.gmail.com> Hi, There are no drawbacks in importing the route targets directly as it works very well. However I would like to use the rewrite method. Regards, Shake Righa On 12/6/09, Pshem Kowalczyk wrote: > Hi, > > What are you trying to achieve with the rewrite? I presume that you > want to modify the RTs, so you can import them with a single statement > later (in vrfs)? If so - what are the drawbacks of importing the RTs > directly? > > kind regards > pshem > > 2009/12/5 shake righa : >> Hi, >> >> Am getting the following error when setting up route target rewrite.
>> >> >> "used as BGP inbound route-map, set extcommunity rt not supported" >> >> Regards, >> Shake Righa >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > From eng_mssk at hotmail.com Mon Dec 7 04:15:12 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Mon, 7 Dec 2009 11:15:12 +0200 Subject: [c-nsp] Cisco L2 QoS In-Reply-To: References: , Message-ID: the problem is that the customers are connected to the 24 Fast Ethernet ports > From: frnkblk at iname.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] Cisco L2 QoS > Date: Sun, 6 Dec 2009 21:58:27 -0600 > > Don't forget that there's two enhanced ports on that unit....they have more > QoS capabilities. > > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Sunday, December 06, 2009 7:34 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cisco L2 QoS > > > hi all > > i have cisco metroethernet switches 3750 > > i have some customers connected to some ports (the ports are access ports , > layer2 ports) > > i am trying to apply rate limit on the bandwidth each customers consume > > rate limit command applies for layer 3 interfaces which does not match my > case > > what should i do to achieve this ?? > > even though applying rate limit on the logical interface (interface vlan) > does not work > > as well as the MQC model does not apply > > > >
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From hntourneur at autempspourmoi.be Mon Dec 7 04:44:22 2009 From: hntourneur at autempspourmoi.be (Henry-Nicolas Tourneur) Date: Mon, 07 Dec 2009 10:44:22 +0100 Subject: [c-nsp] Cisco logging commands Message-ID: <1260179062.3216.0.camel@Optiplex745> Hi, We are currently changing our servers and we are going to get rid of our old Tacacs+ server. The new AAA server is based on Radius (freeradius/debian). The problem is that IOS can't log commands (enable and configure) into Radius. I found that functionality to work around that problem : http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swlog.html But the problem is that it's only logging configure commands to syslog, not enable, that's not enough for me. So the question is : any idea about how to get IOS to log enable commands into syslog ? or how to use Radius accounting for commands ? What are the possibilities without Tacacs+ ? TIA.
-- Henry-Nicolas Tourneur From Ian.Mackinnon at atosorigin.com Mon Dec 7 05:31:24 2009 From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian) Date: Mon, 7 Dec 2009 10:31:24 +0000 Subject: [c-nsp] Cisco logging commands In-Reply-To: <1260179062.3216.0.camel@Optiplex745> References: <1260179062.3216.0.camel@Optiplex745> Message-ID: <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> Archive commands? http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html

SUMMARY STEPS

1. enable
2. configure terminal
3. archive
4. log config
5. logging enable
6. logging size entries
7. hidekeys
8. notify syslog
9. end

Needs an IOS that supports it. Ian > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Henry-Nicolas Tourneur > Sent: 07 December 2009 09:44 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cisco logging commands > > Hi, > > We are currently changing our servers and we are going to get rid of > our > old Tacacs+ server. The new AAA server is based on Radius > (freeradius/debian). > > The problem is that IOS can't log commands (enable and configure) into > Radius. > I found that functionality to work around that problem : > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/rele > ase/12.2_46_se/configuration/guide/swlog.html > > But the problem is that it's only logging configure commands to syslog, > not enable, that's not enough for me. > > So the question is : any idea about how to get IOS to log enable > commands into syslog ? or how to use Radius accounting for commands ? > What are the possibilities without Tacacs+ ? > > TIA.
> > -- > Henry-Nicolas Tourneur > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
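With archive / log config / notify syslog enabled as in the summary steps above, the switch emits one syslog message per configuration-mode command. What follows is an added example, not code from this thread, from Cisco or from either poster: a collector-side parser that attributes each logged command to a user and flags changes to logging or AAA. It assumes the message text is "%PARSER-5-CFGLOG_LOGGEDCMD: User:<name> logged command:<command>", and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Syslog message produced by "archive / log config / notify syslog".
# Assumed format: %PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<cmd>
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Configuration commands a defender wants to see at once: anything that turns
# logging off, weakens AAA or adds local accounts. Prefix matches after
# whitespace normalisation. Constructed starting list; extend to taste.
SENSITIVE_PREFIXES = (
    "no logging",
    "no archive",
    "no aaa",
    "aaa new-model",
    "username ",
    "enable secret",
    "enable password",
    "no snmp-server",
    "snmp-server community",
)

# Constructed sample lines in the shape a 3750 sends to a syslog host. Because
# "hidekeys" is on, the secret on the fourth line was replaced with asterisks
# before the message left the switch; the collector never sees it.
SAMPLE_LOG = """\
Dec  7 10:31:02 sw-access-12 1234: *Dec  7 10:31:02.117: %PARSER-5-CFGLOG_LOGGEDCMD: User:hnt  logged command:interface Vlan100
Dec  7 10:31:05 sw-access-12 1235: *Dec  7 10:31:05.452: %PARSER-5-CFGLOG_LOGGEDCMD: User:hnt  logged command:ip address 192.168.10.1 255.255.255.0
Dec  7 10:32:10 sw-access-12 1236: *Dec  7 10:32:10.781: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:no logging host 10.0.0.5
Dec  7 10:32:15 sw-access-12 1237: *Dec  7 10:32:15.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:username svc-backup privilege 15 secret *****
Dec  7 10:33:00 sw-access-12 1238: %SYS-5-CONFIG_I: Configured from console by hnt on vty0 (10.1.2.3)
"""


def parse_cfglog(text):
    """Return (user, command) tuples, one per CFGLOG_LOGGEDCMD line.

    Lines that are not configuration-log messages (e.g. %SYS-5-CONFIG_I)
    are skipped rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            cmd = " ".join(m.group("cmd").split())  # collapse odd whitespace
            events.append((m.group("user"), cmd))
    return events


def is_sensitive(cmd):
    """True if the command starts with one of the watched prefixes."""
    return any(cmd.startswith(p) for p in SENSITIVE_PREFIXES)


def flag_sensitive(events):
    """Keep only the (user, command) pairs worth alerting on."""
    return [(user, cmd) for user, cmd in events if is_sensitive(cmd)]


def commands_by_user(events):
    """Group commands per user so a session can be reviewed at a glance."""
    grouped = defaultdict(list)
    for user, cmd in events:
        grouped[user].append(cmd)
    return dict(grouped)


def secret_was_masked(cmd):
    """hidekeys replaces key material with asterisks: this shows that a secret
    was set without the secret itself ever reaching the collector."""
    return "*****" in cmd


if __name__ == "__main__":
    ev = parse_cfglog(SAMPLE_LOG)
    for user, cmd in flag_sensitive(ev):
        print(f"ALERT user={user} cmd={cmd!r}")
```

Exec-mode (enable) commands, the gap Henry-Nicolas raises, never appear in this feed, so the absence of a message is not evidence that a command was not run.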
_______________________________________________________ From avayner at cisco.com Mon Dec 7 05:44:32 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Mon, 7 Dec 2009 11:44:32 +0100 Subject: [c-nsp] Cisco L2 QoS In-Reply-To: References: , Message-ID: Mohammad, Did you try to apply ingress policers per: http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/re lease/12.2_52_se/configuration/guide/swqos.html#wp1024977 http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/re lease/12.2_52_se/configuration/guide/swqos.html#wp1044737 (previous links were for the non-Metro version of 3750...) Thanks Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Monday, December 07, 2009 11:15 To: frnkblk at iname.com; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco L2 QoS the problem is that the customers are connected to the 24 Fast Ethernet ports > From: frnkblk at iname.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] Cisco L2 QoS > Date: Sun, 6 Dec 2009 21:58:27 -0600 > > Don't forget that there's two enhanced ports on that unit....they have more > QoS capabilities. > > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil > Sent: Sunday, December 06, 2009 7:34 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cisco L2 QoS > > > hi all > > i have cisco metroethernet switches 3750 > > i have some customers connected to some ports (the ports are access ports , > layer2 ports) > > i am trying to apply rate limit on the bandwidth each customers consume > > rate limit command applies for layer 3 interfaces which does not match my > case > > what should i do to achieve this ?? 
> > even though applying rate limit on the logical interface (interface vlan) > does not work > > as well as the MQC model does not apply > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From hntourneur at autempspourmoi.be Mon Dec 7 05:45:58 2009 From: hntourneur at autempspourmoi.be (Henry-Nicolas Tourneur) Date: Mon, 07 Dec 2009 11:45:58 +0100 Subject: [c-nsp] Cisco logging commands In-Reply-To: <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> Message-ID: <1260182758.3216.14.camel@Optiplex745> With that command, I only log commands used in configure mode (or that's what I got as a result, using the same config as you typed below), I also would like to log commands used in enable mode. Any idea ? On Monday 07 December 2009 at 10:31 +0000, Mackinnon, Ian wrote: > Archive commands?
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog. > html > > > SUMMARY STEPS > > 1. enable > > 2. configure terminal > > 3. archive > > 4. log config > > 5. logging enable > > 6. logging size entries > > 7. hidekeys > > 8. notify syslog > > 9. end > > Needs an IOS that supports it. > > Ian > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Henry-Nicolas Tourneur > > Sent: 07 December 2009 09:44 > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] Cisco logging commands > > > > Hi, > > > > We are currently changing our servers and we are going to get rid of > > our > > old Tacacs+ server. The new AAA server is based on Radius > > (freeradius/debian). > > > > The problem is that IOS can't log commands (enable and configure) into > > Radius. > > I found that functionality to work around that problem : > > > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/rele > > ase/12.2_46_se/configuration/guide/swlog.html > > > > But the problem is that it's only logging configure commands to > syslog, > > not enable, that's not enough for me. > > > > So the question is : any idea about how to get IOS to log enable > > commands into syslog ? or how to use Radius accounting for commands ? > > What are the possibilities without Tacacs+ ? > > > > TIA. > > > > -- > > Henry-Nicolas Tourneur > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > >
> > From Ian.Mackinnon at atosorigin.com Mon Dec 7 06:00:03 2009 From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian) Date: Mon, 7 Dec 2009 11:00:03 +0000 Subject: [c-nsp] Cisco logging commands In-Reply-To: <1260182758.3216.14.camel@Optiplex745> References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> <1260182758.3216.14.camel@Optiplex745> Message-ID: <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> Ah OK I understand you now. Try http://blog.ioshints.info/2006/11/cli-command-logging-without-tacacs.html Not used it myself. Ian From: Henry-Nicolas Tourneur [mailto:hntourneur at autempspourmoi.be] Sent: 07 December 2009 10:46 To: Mackinnon, Ian Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cisco logging commands With that command, I only log commands used in configure mode (or that's what I got as a result, using the same config as you typed below), I also would like to log commands used in enable mode. Any idea ?
On Monday 07 December 2009 at 10:31 +0000, Mackinnon, Ian wrote: Archive commands? http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog.html SUMMARY STEPS 1. enable 2. configure terminal 3. archive 4. log config 5. logging enable 6. logging size entries 7. hidekeys 8. notify syslog 9. end Needs an IOS that supports it. Ian > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Henry-Nicolas Tourneur > Sent: 07 December 2009 09:44 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cisco logging commands > > Hi, > > We are currently changing our servers and we are going to get rid of > our > old Tacacs+ server. The new AAA server is based on Radius > (freeradius/debian). > > The problem is that IOS can't log commands (enable and configure) into > Radius. > I found that functionality to work around that problem : > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/rele > ase/12.2_46_se/configuration/guide/swlog.html > > But the problem is that it's only logging configure commands to syslog, > not enable, that's not enough for me. > > So the question is : any idea about how to get IOS to log enable > commands into syslog ? or how to use Radius accounting for commands ? > What are the possibilities without Tacacs+ ? > > TIA. > > -- > Henry-Nicolas Tourneur > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
From hntourneur at autempspourmoi.be Mon Dec 7 06:30:22 2009 From: hntourneur at autempspourmoi.be (Henry-Nicolas Tourneur) Date: Mon, 07 Dec 2009 12:30:22 +0100 Subject: [c-nsp] Cisco logging commands In-Reply-To: <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> <1260182758.3216.14.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> Message-ID: <1260185422.3216.24.camel@Optiplex745> Indeed, that's what I need but I got some issues with that setup : 1° event manager isn't available on the switches where I'm trying to do that, so I guess that I need to upgrade the IOS, don't want to do that for hundreds of switches (also I guess that a lot of switches just won't have a large enough flash memory to store that kind of big IOS with lots of functionalities). 2° the given pattern doesn't log the user id, I need that (I guess it's feasible to add it). 3°
Obi-Wan Kenobi Am I damned ? On Monday 07 December 2009 at 11:00 +0000, Mackinnon, Ian wrote: > Ah OK I understand you now. > > > > Try > > http://blog.ioshints.info/2006/11/cli-command-logging-without-tacacs.html > > > > Not used it myself. > > > > Ian > > > > > From: Henry-Nicolas Tourneur [mailto:hntourneur at autempspourmoi.be] > Sent: 07 December 2009 10:46 > To: Mackinnon, Ian > Cc: cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] Cisco logging commands > > > > > > With that command, I only log commands used in configure mode (or > that's what I got as a result, using the same config as you typed > below), > I also would like to log commands used in enable mode. > > Any idea ? > > On Monday 07 December 2009 at 10:31 +0000, Mackinnon, Ian wrote: > > > > Archive commands? > http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtconlog. > html > > > SUMMARY STEPS > > 1. enable > > 2. configure terminal > > 3. archive > > 4. log config > > 5. logging enable > > 6. logging size entries > > 7. hidekeys > > 8. notify syslog > > 9. end > > Needs an IOS that supports it. > > Ian > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Henry-Nicolas Tourneur > > Sent: 07 December 2009 09:44 > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] Cisco logging commands > > > > Hi, > > > > We are currently changing our servers and we are going to get rid of > > our > > old Tacacs+ server. The new AAA server is based on Radius > > (freeradius/debian). > > > > The problem is that IOS can't log commands (enable and configure) into > > Radius. > > I found that functionality to work around that problem : > > > http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/rele > > ase/12.2_46_se/configuration/guide/swlog.html > > > > But the problem is that it's only logging configure commands to > syslog, > > not enable, that's not enough for me.
> > > > So the question is : any idea about how to get IOS to log enable > > commands into syslog ? or how to use Radius accounting for commands ? > > What are the possibilities without Tacacs+ ? > > > > TIA. > > > > -- > > Henry-Nicolas Tourneur > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________________ > > > > > > > From drew.weaver at thenap.com Mon Dec 7 08:33:56 2009 From: drew.weaver at thenap.com (Drew Weaver) Date: Mon, 7 Dec 2009 08:33:56 -0500 Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops In-Reply-To: <4B1C48D4.9080905@poggs.co.uk> References: <4B1C48D4.9080905@poggs.co.uk> Message-ID: Hi, It is possible. We're a co-location style facility where we do not have direct control over what the end systems do. I would think that a system like the 6500 should be able to handle a little UDP traffic without losing its mind but i've been wrong about things in the past =) -Drew -----Original Message----- From: Peter Hicks [mailto:peter.hicks at poggs.co.uk] Sent: Sunday, December 06, 2009 7:14 PM To: Drew Weaver Cc: Cisco-nsp Subject: Re: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops Drew Weaver wrote: > I'm noticing that almost constantly there is Protocol 17 (UDP), TTL 1 traffic in the buffer: ... > The sources so far have always been a local host downstream from the core and the destination is always a host on the Internet. Has somebody left an mtr running set to use UDP rather than ICMP? Poggs From p.mayers at imperial.ac.uk Mon Dec 7 09:01:17 2009 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 07 Dec 2009 14:01:17 +0000 Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops In-Reply-To: References: <4B1C48D4.9080905@poggs.co.uk> Message-ID: <4B1D0AAD.50406@imperial.ac.uk> Drew Weaver wrote: > Hi, > > It is possible. > > We're a co-location style facility where we do not have direct > control over what the end systems do. > > I would think that a system like the 6500 should be able to handle a > little UDP traffic without losing its mind but i've been wrong about > things in the past =) Well, mtr is a traceroute style program, and one that can be quite aggressive at that (though useful). 
If it's sending a lot of packets at your router which have TTL=1 when they arrive, then that's a lot of CPU punts.

You didn't specify whether anything was *wrong* here; are you experiencing problems, or just counter anomalies?

I take it the port-channel is in routed mode, rather than switchport?

From drew.weaver at thenap.com Mon Dec 7 09:36:47 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 7 Dec 2009 09:36:47 -0500
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
In-Reply-To: <4B1D0AAD.50406@imperial.ac.uk>
References: <4B1C48D4.9080905@poggs.co.uk> <4B1D0AAD.50406@imperial.ac.uk>
Message-ID:

The problem is I'm seeing queue drops, so my first reaction to that was to see what kind of packets were being queued.

You are correct the interface is not a switchport and has an IP assigned to it.
thanks,
-Drew

From kamlesh1181 at gmail.com Mon Dec 7 09:42:44 2009
From: kamlesh1181 at gmail.com (Kamlesh Sharma)
Date: Mon, 7 Dec 2009 20:12:44 +0530
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
In-Reply-To:
References: <4B1C48D4.9080905@poggs.co.uk> <4B1D0AAD.50406@imperial.ac.uk>
Message-ID:

Try this command, which will tell you what packets and sources are sending the traffic with a TTL of 1:

show buffer input-interface <> header/packet

--
Thanks
Kamlesh Sharma

From dmitry at dmitry.net Mon Dec 7 09:13:56 2009
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Mon, 7 Dec 2009 16:13:56 +0200
Subject: [c-nsp] 7600/Cat6500 LAN Card QoS
Message-ID: <20091207141356.GE9397@f17.dmitry.net>

Hello!
Could somebody on the list explain to me the egress QoS nuances for C7600/Cat6500 LAN Cards?

Let's assume I have the t1/1 port on a 6708 card connected to my ISP. According to the SLA, the ISP sells me 500M CIR with tail dropping of everything above.

To prioritize the most important traffic with some DSCP markings I should place it in the port priority queue using "wrr-queue dscp-map 7" and of course enable dscp mappings using "mls qos queue-mode mode-dscp".

To tell the router/switch to use only 500M and queue/schedule all congested traffic I should apply a service-policy with a police 500M command. (I don't know how it could be done in any other supported way.)

According to several 7600/6500 QoS presentations available on the net, policing is done in the PFC (or the DFC, if the ingress card is equipped with one) and queueing/scheduling is done in the Port ASIC on the egress card.

So, all my traffic will be policed and tail dropped before the priority queue and all the other queueing things like WRED come into play. Is it true, or am I missing something important and initially went in the wrong direction?

P.S. My question is regarding C7600, 6708 and 12.2(33)SRC, but it seems the hardware concept is the same for Cat6500/C7600 with PFC3/DFC3 and any modern IOS.

Thanks!
--
Dmitry Kiselev

From panocisco77 at gmail.com Mon Dec 7 10:30:39 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Mon, 7 Dec 2009 10:30:39 -0500
Subject: [c-nsp] Cisco 4948-10GE
Message-ID: <16e2ac180912070730y435abd27j9966a59e50d298e2@mail.gmail.com>

I am trying to configure these trunk ports between two Cisco 4948-10GE; the ports would not come up. Here is an example of the error I got on one of the ports.

Take a look at port gi1/11 on each switch and tell me what you think this error means:

On switch 1 it said not connect but on switch 2 it said (err-disabled)

Switch_1#sho int gi1/11
GigabitEthernet1/11 is down, line protocol is down (notconnect)
  Hardware is Gigabit Ethernet Port, address is 0027.0df3.0c8a (bia 0027.0df3.0c8a)
  MTU 9198 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 4d00h, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 64 bytes, 0 no buffer
     Received 1 broadcasts (1 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     1 packets output, 64 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Switch_2#sho int gi1/11
GigabitEthernet1/11 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet Port, address is 0027.0db3.67ca (bia 0027.0db3.67ca)
  MTU 9198 bytes, BW
1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 4d00h, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

I tried shut and no shut on the interface

Please help

From MatlockK at exempla.org Mon Dec 7 10:38:22 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 7 Dec 2009 08:38:22 -0700
Subject: [c-nsp] Cisco SNMP: Get interface VLAN based on IP address
In-Reply-To: <79b6f8780912062218u796db680t5452775a09e4f525@mail.gmail.com>
References: <79b6f8780912062218u796db680t5452775a09e4f525@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3CCA@LMC-MAIL2.exempla.org>

You'll have to do it via 2 snmp calls, but here it is.

First, you need to find the IP in the 'ipNettoMediaNetAddress' table:

snmpwalk -c ipNettoMediaNetAddress | grep

So if I'm looking for 170.188.71.1, I get the following line:

IP-MIB::ipNetToMediaNetAddress.180.170.188.71.1 = IpAddress: 170.188.71.1
                               ^^^
The interface index is ---------

So once you have the interface index, then you do a snmpwalk -c ifName.
And in my case, that gives:

IF-MIB::ifName.180 = STRING: Vl71

The 'Vl71' is the name for Vlan 71.

I'll leave it as an exercise to the reader to figure out a script to do it (my scripts are not anything I'm proud of enough to show the world) :)

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
Sent: Sunday, December 06, 2009 11:19 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco SNMP: Get interface VLAN based on IP address

Hello all,

Is there a way that we can get the interface vlan information based on IP address that is attached to that interface vlan via snmp?

Interface Vlan100
 ip address 192.168.10.1 255.255.255.0
!

So if I search for 192.168.10.1, I can get the interface vlan?

Thank you

Regards,
Rudy

From MatlockK at exempla.org Mon Dec 7 10:40:20 2009
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 7 Dec 2009 08:40:20 -0700
Subject: [c-nsp] Level3 Routes - sizing up an edge device
In-Reply-To:
References:
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3CCB@LMC-MAIL2.exempla.org>

Here's what we currently have. We get default + Level3 customer routes.
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.53.xx.xx      4  3356  721574   36194  2983061    0    0 2w6d       158022

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Graham Wooden
Sent: Tuesday, December 01, 2009 7:09 PM
To: cisco-nsp
Subject: [c-nsp] Level3 Routes - sizing up an edge device

Can anyone tell me what the current 'local routes' count is from Level3?

As I am patiently awaiting my turn up of my Level3 connection, I want to make sure I size up a good edge router handling their routes plus a less-preferred default.

Thanks,

-graham

From pavel.skovajsa at gmail.com Mon Dec 7 10:53:06 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Mon, 7 Dec 2009 16:53:06 +0100
Subject: [c-nsp] Cisco 4948-10GE
In-Reply-To: <16e2ac180912070730y435abd27j9966a59e50d298e2@mail.gmail.com>
References: <16e2ac180912070730y435abd27j9966a59e50d298e2@mail.gmail.com>
Message-ID: <323aca890912070753w5794f1faqb511000d83aa740f@mail.gmail.com>

Hi Renelson,

do a show log after shutting/unshutting the ports; it will most probably tell you the reason. The usual reasons are UDLD, Loopguard, BPDUguard, Etherchannel misconfig etc. etc.

When the port is already disabled you can see the reason why it got into that state using the command 'show errdisable recovery'.
-pavel
From kloch at kl.net Mon Dec 7 11:13:13 2009
From: kloch at kl.net (Kevin Loch)
Date: Mon, 07 Dec 2009 11:13:13 -0500
Subject: [c-nsp] Rmon checksum failed on WS-C4006
In-Reply-To: <4b1bd3c5.9613f30a.2526.ffffcb1a@mx.google.com>
References: <4b1a53d6.9513f30a.3e8c.6714@mx.google.com> <4B1AAA1E.3020505@scripty.com> <4b1bd3c5.9613f30a.2526.ffffcb1a@mx.google.com>
Message-ID: <4B1D2999.7000700@kl.net>

I had this problem recently on a sup720, the lithium battery was dead. Fortunately it was socketed unlike on many of the sup2's.

- Kevin

Sony Scaria wrote:
> Thanks Clinton. My Cisco TAC rep also recommends the same.
>
> Sony.
>
> -----Original Message-----
> From: Clinton Work [mailto:clinton at scripty.com]
> Sent: 06 December 2009 00:15
> To: Sony Scaria
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Rmon checksum failed on WS-C4006
>
> I have seen this problem many times on Catalyst 5000 and 6500 boxes.
> The cause is NVRAM corruption which can often be resolved by rebooting
> the Supervisor in order to clear the issue. During reboot some of the
> NVRAM configuration can be lost so make sure you have a proper backup to
> compare with. The other cause could be a faulty NVRAM chip on the
> Supervisor so having a spare handy during the reboot would be a good
> idea as well.
>
> Clinton.
>
> Sony Scaria wrote:
>> Hi All,
>>
>> I've observed "Rmon checksum failed" when I run sh ver on one of my catos
>> switch. The system is stable for a long time and I did not observe any
>> related logs. I had done some research, but couldn't gather any info on
>> "Rmon checksum".
>>

From paulg087 at gmail.com Mon Dec 7 11:14:28 2009
From: paulg087 at gmail.com (Paul G)
Date: Mon, 7 Dec 2009 10:14:28 -0600
Subject: [c-nsp] cisco-nsp Digest, Vol 85, Issue 19
Message-ID: <4b1d29d6.0504c00a.3b29.ffffd831@mx.google.com>
From mkiefer74 at hotmail.com Mon Dec 7 11:23:08 2009
From: mkiefer74 at hotmail.com (Mike Kiefer)
Date: Mon, 7 Dec 2009 10:23:08 -0600
Subject: [c-nsp] VRF Limitations/OSPF Process Limitations on 3550/3560
Message-ID:

Are there currently any limitations on running VRF lite with an OSPF process per VRF on this hardware? I was told by a coworker that 3550/3560's have an extremely low limit. Something like 4 or 5 vrfs/OSPF processes. This doesn't seem right.

The only thing I could find that references this was this article:
http://wiki.nil.com/VRF_routing_process_limitations

Per the article, it seems like the only limitation is CPU and RAM since OSPF shares a protocol ID.

Is this a problem that Cisco had in the past or just a complete falsehood?

From panocisco77 at gmail.com Mon Dec 7 11:37:05 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Mon, 7 Dec 2009 11:37:05 -0500
Subject: [c-nsp] Cisco 4948-10GE
In-Reply-To: <323aca890912070753w5794f1faqb511000d83aa740f@mail.gmail.com>
References: <16e2ac180912070730y435abd27j9966a59e50d298e2@mail.gmail.com> <323aca890912070753w5794f1faqb511000d83aa740f@mail.gmail.com>
Message-ID: <16e2ac180912070837g915b052h33a7dc773b2214c1@mail.gmail.com>

Hey Pavel,

You are right, I just had to disable BPDUguard on each port and do shut and no shut. Thank you very much, I greatly appreciate that.

Renelson
From saxon.jones at gmail.com Mon Dec 7 11:39:11 2009
From: saxon.jones at gmail.com (Saxon Jones)
Date: Mon, 7 Dec 2009 09:39:11 -0700
Subject: [c-nsp] VRF Limitations/OSPF Process Limitations on 3550/3560
In-Reply-To:
References:
Message-ID: <86b512c30912070839sf7153f7l1d62cec63458550d@mail.gmail.com>

I think the 3550's have
a limit of 7 (my guess is the limit is 8 and they have one for their purposes), at least that's what our provider tells us. I've personally created over 20 VRF's on a 3560-E (this was a test, I can't remember exactly how high I got, and I don't think I created OSPF processes for those). But the point is that there are definitely limits on the number of VRF instances you can create.

-saxon

From globichen at gmail.com Mon Dec 7 12:33:25 2009
From: globichen at gmail.com (Andy B.)
Date: Mon, 7 Dec 2009 18:33:25 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To: <4B18FE83.7000506@imperial.ac.uk>
References: <4B18FE83.7000506@imperial.ac.uk>
Message-ID:

On Fri, Dec 4, 2009 at 1:20 PM, Phil Mayers wrote:
>
> Without a crashinfo, you're not going to be able to proceed.
>

Just had a new crash, due to a peer leaking the full BGP table and flapping at the same time.

I managed to get something back from "sh version", but still no crashinfo file on any flash device, and there is enough space available :-/

Here's the error:

System returned to ROM by s/w reset at 19:50:52 CEST Thu Dec 3 2009 (SP by bus error at PC 0x402DF304, address 0x0)

Any clues?

Andy

From peter at rathlev.dk Mon Dec 7 13:07:56 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 07 Dec 2009 19:07:56 +0100
Subject: [c-nsp] VRF Limitations/OSPF Process Limitations on 3550/3560
In-Reply-To:
References:
Message-ID: <1260209276.23687.9.camel@localhost>

On Mon, 2009-12-07 at 10:23 -0600, Mike Kiefer wrote:
> Are there currently any limitations on running VRF lite with an OSPF
> process per VRF on this hardware? I was told by a coworker that
> 3550/3560's have an extremely low limit. Something like 4 or 5
> vrfs/OSPF processes. This doesn't seem right.

The 3550 can handle 7 VRFs. The 3560 can handle 26 VRFs.

When trying to create #8 on a 3550 it logs this:

%L3TCAM-3-TOO_MANY_VRF: The maximum number of VRFs allowed has been exceeded

It will still create the VRF but not let you assign an RD, and it won't work.

On a 3560 running the CLI will not let you create more than 26 VRFs; attempting to create the 27th results in a CLI error:

[...]
Switch(config)#ip vrf test27
% Can't create VRF test27
Switch(config)#

The limitation seems to lie in the TCAM programming.

--
Peter

From eninja at gmail.com Mon Dec 7 13:38:05 2009
From: eninja at gmail.com (Eninja)
Date: Mon, 7 Dec 2009 19:38:05 +0100
Subject: [c-nsp] 6504-E crash after bringing up lots of BGP sessions
In-Reply-To:
References: <4B18FE83.7000506@imperial.ac.uk>
Message-ID: <921FBB5A-9ED5-4CA7-BA22-29C51C63FBAB@gmail.com>

Much better, SP crashed with a bus error. Can you broad/unicast a 'sh tech' and logs?

Eninja

On Dec 7, 2009, at 6:33 PM, "Andy B."
wrote:

From mack.mcbride at viawest.com Mon Dec 7 14:29:48 2009
From: mack.mcbride at viawest.com (Mack McBride)
Date: Mon, 7 Dec 2009 11:29:48 -0800
Subject: [c-nsp] 7600/Cat6500 LAN Card QoS
In-Reply-To: <20091207141356.GE9397@f17.dmitry.net>
References: <20091207141356.GE9397@f17.dmitry.net>
Message-ID:

If you have policing enabled it is unlikely you will queue packets. The input and output queues are handled by port asics. The policing is handled on the PFC/DFC and ignores CoS/DSCP so queues are not relevant for policing.

SIP/SPAs handle congestion differently and offer highly improved queue management but they cost a lot more.

Most ISPs reset DSCP/COS so they are ignored. Check with your specific provider but this is general policy.

LR Mack McBride
Network Architect
Viawest, Inc.

*** Opinions offered are my own and do not reflect policies or opinions of my employer ***
From gert at greenie.muc.de Mon Dec 7 14:32:32 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 7 Dec 2009 20:32:32 +0100
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260185422.3216.24.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> <1260182758.3216.14.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> <1260185422.3216.24.camel@Optiplex745>
Message-ID: <20091207193232.GM163@greenie.muc.de>

Hi,

On Mon, Dec 07, 2009 at 12:30:22PM +0100, Henry-Nicolas Tourneur wrote:
> Indeed, that's what I need but I got some issues with that setup :

... so why not just "stay with TACACS"?
For router cli access (as opposed to "dial-in usage"), I can't see any reason to go for Radius, and lots of reasons to stick to TACACS.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From achatz at forthnet.gr Mon Dec 7 15:08:48 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 07 Dec 2009 22:08:48 +0200
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260179062.3216.0.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745>
Message-ID: <4B1D60D0.2070509@forthnet.gr>

In case you're interested in another radius server, Radiator (you have to pay for it) supports a lot of tacacs functionality too.

--
Tassos

Henry-Nicolas Tourneur wrote on 07/12/2009 11:44:
> Hi,
>
> We are currently changing our servers and we are going to get rid of our
> old Tacacs+ server. The new AAA server is based on Radius
> (freeradius/debian).
>
> The problem is that IOS can't log commands (enable and configure) into
> Radius.
> I found that functionality to work around that problem:
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/configuration/guide/swlog.html
>
> But the problem is that it's only logging configure commands to syslog,
> not enable, that's not enough for me.
>
> So the question is: any idea about how to get IOS to log enable
> commands into syslog? Or how to use Radius accounting for commands?
> What are the possibilities without Tacacs+?
>
> TIA.
>

From howard at leadmon.net Mon Dec 7 15:13:08 2009
From: howard at leadmon.net (Howard Leadmon)
Date: Mon, 7 Dec 2009 15:13:08 -0500
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
In-Reply-To:
References: <006b01ca7059$814ce160$83e6a420$@net> <4B141341.3070903@fas.harvard.edu>
Message-ID: <035801ca7779$b3437090$19ca51b0$@net>

Sorry for following up to my own posting slowly, but have been kind of under the weather for a bit here.. :(

Anyway I was saying that WPA-PSK was working fine, but I was trying to figure out how to just use the radius server in the AP to do WPA-Enterprise using the PEAP support in Windows 7/Vista.

Someone did respond to me privately and stated that the Radius server in the AP does NOT support PEAP, only LEAP, so that could easily explain why I just can't make WPA using PEAP work. Seems I need to use the M$ radius server, or some other radius option to make it work with PEAP. I may do that, or just stick with WPA2-PSK, as that is working like a charm, and I only need to support it for about a half dozen logins..

So I guess in closing, it seems the Cisco AP wants to use LEAP/EAP-TTLS, and M$ wants to use PEAP, and they don't support each other's protocol. So I need a supplicant to add the support to Windows, or I need a Radius server that will support PEAP that the AP can talk to.. So much for simple.. LOL

---
Howard Leadmon
From frnkblk at iname.com Mon Dec 7 15:57:42 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 7 Dec 2009 14:57:42 -0600
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
Message-ID:

Does the entire BGP routing table for IPv6 (almost 2500 entries) fit on a Cisco 2600 with 64 MB of DRAM running 12.3(26)? I am planning to use this box for an IPv6-in-IPv4 tunneling appliance, but not sure if it can hold the whole table.
Regards,

Frank

From frnkblk at iname.com Mon Dec 7 15:49:45 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 7 Dec 2009 14:49:45 -0600
Subject: [c-nsp] Cisco L2 QoS
In-Reply-To:
References: ,
Message-ID:

If you need egress policing on those 24 ports, and those 24 ports don't talk to each other, try ingress policing on the uplink by using the enhanced port as the uplink..

Frank

From: Mohammad Khalil [mailto:eng_mssk at hotmail.com]
Sent: Monday, December 07, 2009 3:15 AM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco L2 QoS

the problem is that the customers are connected to the 24 Fast Ethernet ports

> From: frnkblk at iname.com
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Cisco L2 QoS
> Date: Sun, 6 Dec 2009 21:58:27 -0600
>
> Don't forget that there's two enhanced ports on that unit....they have more
> QoS capabilities.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Sunday, December 06, 2009 7:34 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco L2 QoS
>
> hi all
>
> i have cisco metroethernet switches 3750
>
> i have some customers connected to some ports (the ports are access ports,
> layer2 ports)
>
> i am trying to apply rate limit on the bandwidth each customer consumes
>
> rate limit command applies for layer 3 interfaces which does not match my
> case
>
> what should i do to achieve this ??
>
> even though applying rate limit on the logical interface (interface vlan)
> does not work
>
> as well as the MQC model does not apply
>
From gert at greenie.muc.de Mon Dec 7 16:29:42 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 7 Dec 2009 22:29:42 +0100
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
In-Reply-To:
References:
Message-ID: <20091207212942.GP163@greenie.muc.de>

Hi,

On Mon, Dec 07, 2009 at 02:57:42PM -0600, Frank Bulk - iName.com wrote:
> Does the entire BGP routing table for IPv6 (almost 2500 entries) fit on a
> Cisco 2600 with 64 MB of DRAM running 12.3(26)?

This is a bit tight. On my good old 4700M, the "BGP router" process, which is carrying all of IPv6, needs 6.5 Mbyte of RAM. 64 Mb total, 17 Mb free.

*But*: "12.3 IP Plus" IOS for 2600 will likely eat much more RAM to start with, so it might already be tight.

> I am planning to use this
> box for an IPv6-in-IPv4 tunneling appliance, but not sure if it can hold the
> whole table.

... and that will be a bigger problem. The 2600 is *slow*, so chances are you won't be able to tunnel enough IPv6 through it to even satisfy a single 16M ADSL link... and you won't be happy with "proof-of-existence-but-quite-slow" IPv6.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
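Gert's objection is that the 2600 has to do the tunnel encapsulation and decapsulation in software for every packet. The following is an added illustration of that per-packet work, not code from the list or from Cisco: it wraps an IPv6 packet in IPv4 protocol 41 (RFC 4213) the way the tunnel ingress does, and unwraps it the way a tunnel egress or a monitoring sensor should, verifying the outer header, checking that the outer source is the configured tunnel peer, and checking the inner IPv6 source against the prefix that peer is allowed to send. All addresses are constructed from documentation ranges, and the function names are assumptions of this example.

```python
"""Per-packet work of an IPv6-in-IPv4 (protocol 41, RFC 4213) tunnel endpoint.

Added example, not code from the list or from Cisco. Addresses below are
constructed from documentation ranges; function names are this example's own.
"""
import ipaddress
import struct

PROTO_6IN4 = 41            # IP protocol number for IPv6 encapsulated in IPv4
IPV6_NO_NEXT_HEADER = 59   # inner packet carries no upper-layer payload


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_6in4(outer_src, outer_dst, inner_src, inner_dst,
               payload=b"", next_header=IPV6_NO_NEXT_HEADER,
               hop_limit=64, ttl=64) -> bytes:
    """Tunnel ingress: wrap an IPv6 fixed header plus payload in an IPv4 header."""
    inner = struct.pack("!IHBB16s16s",
                        6 << 28,                  # version 6, TC 0, flow label 0
                        len(payload), next_header, hop_limit,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed) + payload
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(inner),   # IPv4, IHL 5, total length
                      0, 0x4000,                  # id 0, DF set, offset 0
                      ttl, PROTO_6IN4, 0,         # checksum filled in below
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + inner


def parse_ipv4(buf: bytes) -> dict:
    """Validate the outer IPv4 header; reject truncation, bad checksum, fragments."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("malformed or truncated IPv4 packet")
    if ipv4_header_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if flags_frag & 0x3FFF:           # MF flag set or non-zero fragment offset
        raise ValueError("fragmented outer packet not handled here")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "ttl": ttl, "proto": proto, "payload": buf[ihl:total_len]}


def parse_ipv6(buf: bytes) -> dict:
    """Validate the inner IPv6 fixed header and its declared payload length."""
    if len(buf) < 40:
        raise ValueError("short IPv6 header")
    vtf, payload_len, next_header, hop_limit, src, dst = \
        struct.unpack("!IHBB16s16s", buf[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    if len(buf) < 40 + payload_len:
        raise ValueError("inner IPv6 payload truncated")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "next_header": next_header, "hop_limit": hop_limit,
            "payload": buf[40:40 + payload_len]}


def decapsulate(buf: bytes, tunnel_peer: str, allowed_inner_src: str) -> dict:
    """Tunnel egress: return the inner IPv6 packet only if every check passes."""
    outer = parse_ipv4(buf)
    if outer["proto"] != PROTO_6IN4:
        raise ValueError("not a 6in4 packet (protocol %d)" % outer["proto"])
    if outer["src"] != ipaddress.IPv4Address(tunnel_peer):
        raise ValueError("outer source %s is not the configured peer" % outer["src"])
    inner = parse_ipv6(outer["payload"])
    # Anti-spoofing: the peer may only inject addresses from its own prefix.
    if inner["src"] not in ipaddress.ip_network(allowed_inner_src):
        raise ValueError("inner source %s outside %s" % (inner["src"], allowed_inner_src))
    return inner


def accepted(buf: bytes, tunnel_peer: str, allowed_inner_src: str) -> bool:
    """True if decapsulate() accepts the packet, False if it rejects it."""
    try:
        decapsulate(buf, tunnel_peer, allowed_inner_src)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: peer 192.0.2.1 tunnels 2001:db8::/32 to us at 198.51.100.2.
    pkt = build_6in4("192.0.2.1", "198.51.100.2", "2001:db8::1", "2001:db8:1::1")
    print(decapsulate(pkt, "192.0.2.1", "2001:db8::/32")["src"])
    spoofed = build_6in4("192.0.2.1", "198.51.100.2", "2001:db9::1", "2001:db8:1::1")
    print("spoofed accepted:", accepted(spoofed, "192.0.2.1", "2001:db8::/32"))
```

The checks in decapsulate() are the ones that matter on a tunnel box: without the peer and inner-prefix checks, anyone who can reach the tunnel endpoint's IPv4 address can hand it arbitrary IPv6 packets that bypass whatever filtering sits on the IPv4 side.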
From todd at onenet.net Mon Dec 7 15:52:46 2009
From: todd at onenet.net (Linder, Todd)
Date: Mon, 7 Dec 2009 14:52:46 -0600
Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question..
In-Reply-To: <035801ca7779$b3437090$19ca51b0$@net>
References: <006b01ca7059$814ce160$83e6a420$@net> <"C829208A0A564991BDDD2B1A8D 525AA5"@flamdt01> <4B141341.3070903@fas.harvard.edu> <035801ca7779$b3437090$19ca51b0$@net>
Message-ID:

Hey Howard,

A Cisco Secure Access Control Server (typically referred to as Cisco ACS) can be used to hand off authentication to Windows Active Directory. Second, the Cisco ACS supports all EAP methods, PEAP-MSCHAPv2 being one of them, directly on the server with no need for handoff to Windows A/D. The nice thing about the Cisco ACS is that in addition to supporting RADIUS functionality, it will also support TACACS. In other words, it can do more than just support authentication for your wireless needs.

Another option is Free radius server which can be found at http://freeradius.org/. Free radius is an open source radius server software that supports multiple EAP methods and can also hand off authentication to Windows Active Directory.

I hope this information is helpful.

Todd Linder
From jasonleblanc at gmail.com Mon Dec 7 16:38:12 2009
From: jasonleblanc at gmail.com (Jason LeBlanc)
Date: Mon, 7 Dec 2009 14:38:12 -0700
Subject: [c-nsp] Cisco 7206VXR/NPE-G1 <--> Cisco WS-C6506 (R7000)
In-Reply-To:
References: ,
Message-ID: <3D0ED4EC-8980-4C3D-A359-A3885AA4F885@gmail.com>

We have a 7206 that is getting lots of input errors and overrun errors on the LAN side without CRC errors. On the WAN side we are getting all 3 but on a much smaller scale. Every couple of weeks the CPU goes through the roof but the box has never rebooted. Can anyone give me a detailed breakdown of what I should be looking for here?

The 7200 runs:
BGP for 200Mb/s provider MPLS circuit (not full BGP table)
OSPF
IP CEF
QoS

and you can see the two circuits below....
GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 000c.8651.a41b (bia 000c.8651.a41b)
  Description: /* MPLS Cloud 200Mb Circuit */
  Internet address is 192.168.0.1/30
  MTU 1500 bytes, BW 200000 Kbit, DLY 10 usec,
     reliability 255/255, txload 96/255, rxload 51/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 3w4d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 40680000 bits/sec, 24149 packets/sec
  5 minute output rate 75723000 bits/sec, 17103 packets/sec
     22332749957 packets input, 4830970628076 bytes, 0 no buffer
     Received 1469 broadcasts, 0 runts, 145 giants, 0 throttles
     2369 input errors, 145 CRC, 0 frame, 2079 overrun, 0 ignored
     0 watchdog, 1098953 multicast, 0 pause input
     0 input packets with dribble condition detected
     16281373526 packets output, 10005249755343 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

GigabitEthernet0/2 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 000c.8651.a41a (bia 000c.8651.a41a)
  Description: /* LAN --> 6506 G1/14 */
  Internet address is 10.1.1.2/30
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 10/255, rxload 19/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is force-up, media type is SX
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 4d07h
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 74788000 bits/sec, 17119 packets/sec
  5 minute output rate 40998000 bits/sec, 24119 packets/sec
     2828864945 packets input, 1765438465449 bytes, 0 no buffer
     Received 114406 broadcasts, 0 runts, 0 giants, 0 throttles
     74552 input errors, 0 CRC, 0 frame, 74552 overrun, 0 ignored
     0 watchdog, 114406 multicast, 0 pause input
     0 input packets with dribble condition detected
     3789379333 packets output, 884796178660 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Thanks in advance for your help!

Jason

From frnkblk at iname.com Mon Dec 7 16:52:49 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Mon, 7 Dec 2009 15:52:49 -0600
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
In-Reply-To: <20091207212942.GP163@greenie.muc.de>
References: <20091207212942.GP163@greenie.muc.de>
Message-ID:

Good to know in advance that the 2600 doesn't have a lot of horsepower for this kind of work.

What's a good IPv6-based speed test site I can test against? Maybe I'll have to resort to iperf, if it's IPv6 ready.

Frank
From synack at live.com Mon Dec 7 16:57:42 2009
From: synack at live.com (Darin Herteen)
Date: Mon, 7 Dec 2009 15:57:42 -0600
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
In-Reply-To:
References: , <20091207212942.GP163@greenie.muc.de>,
Message-ID:

I've been using the following for v6 traffic generation:

http://www.grid.unina.it/software/ITG/download.php
From dstorandt at teljet.com Mon Dec 7 17:41:09 2009
From: dstorandt at teljet.com (David Storandt)
Date: Mon, 7 Dec 2009 17:41:09 -0500
Subject: [c-nsp] Cisco 7206VXR/NPE-G1 <--> Cisco WS-C6506 (R7000)
Message-ID:

The CPU may be freaking out as the interfaces and routing protocols think the link is flapping while errors stack up quickly, causing a lot of SPF calculations or BGP table re-syncs. Once the errors die off the interfaces appear stable.
With both interfaces receiving the same garbled packets, it's unlikely a set of optics have gone bad and impacted both the transmitter and receivers. So it sounds like you have dirty patch interfaces or a mangled patch cable. Clean each with >95% isopropyl alcohol and lint-free wipes and/or replace the patch cable(s). If that doesn't clear it up, swap GBICs. Are you using newer 1300nm GBICs with older 62.5/125um patch cables?

-D

From nick at inex.ie Mon Dec 7 18:06:24 2009
From: nick at inex.ie (Nick Hilliard)
Date: Mon, 07 Dec 2009 23:06:24 +0000
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <20091207193232.GM163@greenie.muc.de>
References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> <1260182758.3216.14.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> <1260185422.3216.24.camel@Optiplex745> <20091207193232.GM163@greenie.muc.de>
Message-ID: <4B1D8A70.6050005@inex.ie>

On 07/12/2009 19:32, Gert Doering wrote:
> For router cli access (as opposed to "dial-in usage"), I can't see any
> reason to go for Radius, and lots of reasons to stick to TACACS.

This is exactly what was going through my mind. One of my preferred reasons for sticking with tacacs+ is that to access more advanced aaa functionality using radius, you still need to use tacacs+ av pairs. IOW, there's hackery going on which you can directly avoid if you just stick to tacacs+.
Nick

From cboyd at gizmopartners.com Mon Dec 7 17:37:32 2009
From: cboyd at gizmopartners.com (Chris Boyd)
Date: Mon, 7 Dec 2009 16:37:32 -0600
Subject: [c-nsp] Circuit emulation over IP
Message-ID:

Can't seem to find if Cisco has a card or box for this.

I'd like to pick up T-1s using something like a MWR2941 and backhaul those over an IP network, but have a virtual mux function at the other end that can drop the T-1s into a DS-3 or OC3.

Anyone know of a Cisco box that can do that?

Thanks!

--Chris

From philxor at gmail.com Mon Dec 7 19:46:29 2009
From: philxor at gmail.com (Phil Bedard)
Date: Mon, 7 Dec 2009 19:46:29 -0500
Subject: [c-nsp] Circuit emulation over IP
In-Reply-To:
References:
Message-ID: <44F026C2-0B2F-48D6-A712-FD0572212085@gmail.com>

Cisco 7600 with a CEoP SPA. They come in channelized T3 or OC3 varieties.

Phil
From bbasler at cisco.com Mon Dec 7 20:34:38 2009
From: bbasler at cisco.com (Ben Basler (bbasler))
Date: Mon, 7 Dec 2009 17:34:38 -0800
Subject: [c-nsp] VRF Limitations/OSPF Process Limitations on 3550/3560
In-Reply-To: <1260209276.23687.9.camel@localhost>
References: <1260209276.23687.9.camel@localhost>
Message-ID:

Mike,

Here's a nice summary:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-541238-00.html#wp9000264

As for limitations there are two things to consider:
- HW resources (you're hitting this for both platforms you mention)
- SW limits - there used to be a 28 process limit but this has gone a long time ago (for Catalyst 6500 this got lifted as of the 12.2(18)SXE release).
  http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/release/notes/OL_4164.html#wp2087620

Cheers,
Ben

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Monday, December 07, 2009 10:08 AM
> To: Mike Kiefer
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VRF Limitations/OSPF Process Limitations on 3550/3560
>
> On Mon, 2009-12-07 at 10:23 -0600, Mike Kiefer wrote:
> > Are there currently any limitations on running VRF lite with an OSPF
> > process per VRF on this hardware? I was told by a coworker that
> > 3550/3560's have an extremely low limit. Something like 4 or 5
> > vrfs/OSPF processes. This doesn't seem right.
>
> The 3550 can handle 7 VRFs. The 3560 can handle 26 VRFs.
>
> When trying to create #8 on a 3550 it logs this:
>
> %L3TCAM-3-TOO_MANY_VRF: The maximum number of VRFs allowed has been exceeded
>
> It will still create the VRF but not let you assign an RD and it won't
> work.
>
> On a 3560 running the CLI will not let you create more than 26 VRFs;
> attempting to create the 27th results in a CLI error:
>
> [...]
> Switch(config)#ip vrf test27
> % Can't create VRF test27
> Switch(config)#
>
> The limitation seems to lie in the TCAM programming.
>
> --
> Peter

From cboyd at gizmopartners.com Mon Dec 7 22:57:43 2009
From: cboyd at gizmopartners.com (Chris Boyd)
Date: Mon, 07 Dec 2009 21:57:43 -0600
Subject: [c-nsp] Circuit emulation over IP
In-Reply-To: <44F026C2-0B2F-48D6-A712-FD0572212085@gmail.com>
References: <44F026C2-0B2F-48D6-A712-FD0572212085@gmail.com>
Message-ID: <1260244663.6033.17.camel@butters>

On Mon, 2009-12-07 at 19:46 -0500, Phil Bedard wrote:
> Cisco 7600 with a CEoP SPA. They come in channelized T3 or OC3 varieties.

Thanks! I owe you a beer.
--Chris

From oboehmer at cisco.com Tue Dec 8 01:53:45 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 8 Dec 2009 07:53:45 +0100
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <4B1D8A70.6050005@inex.ie>
References: <1260179062.3216.0.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB22303861879@UKCWRX004.uk.int.atosorigin.com> <1260182758.3216.14.camel@Optiplex745> <61D4116B957C2843AACB49664C8AB223038618CE@UKCWRX004.uk.int.atosorigin.com> <1260185422.3216.24.camel@Optiplex745> <20091207193232.GM163@greenie.muc.de> <4B1D8A70.6050005@inex.ie>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FD33F4B@XMB-AMS-103.cisco.com>

>
> On 07/12/2009 19:32, Gert Doering wrote:
> > For router cli access (as opposed to "dial-in usage"), I can't see any
> > reason to go for Radius, and lots of reasons to stick to TACACS.
>
> This is exactly what was going through my mind. One of my preferred
> reasons for sticking with tacacs+ is that to access more advanced aaa
> functionality using radius, you still need to use tacacs+ av pairs.

hmm, this doesn't sound right. If your specific AAA need is supported by Radius (for example network authorization), any "Tacacs" av-pair should be supported within the Radius reply (using Cisco-avpair attribute). Do you have a specific example in mind?

oli

From gert at greenie.muc.de Tue Dec 8 02:28:58 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 8 Dec 2009 08:28:58 +0100
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
In-Reply-To:
References: <20091207212942.GP163@greenie.muc.de>
Message-ID: <20091208072858.GQ163@greenie.muc.de>

Hi,

On Mon, Dec 07, 2009 at 03:52:49PM -0600, Frank Bulk - iName.com wrote:
> Good to know in advance that the 2600 doesn't have a lot of horsepower for
> this kind of work.
>
> What's a good IPv6-based speed test site I can test against? Maybe I'll
> have to resort to iperf, if it's IPv6 ready.
I don't know about speed test sites, but a number of WWW and FTP servers
are IPv6-enabled already - www.isc.org, ftp.isc.org, for example. So you
can just use FTP to check download speed IPv4 vs. download speed IPv6.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Tue Dec 8 05:38:12 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 08 Dec 2009 10:38:12 +0000
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260179062.3216.0.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745>
Message-ID: <4B1E2C94.4010900@imperial.ac.uk>

> So the question is : any idea about how to get IOS to log enable
> commands into syslog ? or how to use Radius accounting for commands ?
> What are the possibilities without Tacacs+ ?

Slim. Use Tacacs+

From masood at nexlinx.net.pk Tue Dec 8 06:03:02 2009
From: masood at nexlinx.net.pk (masood at nexlinx.net.pk)
Date: Tue, 8 Dec 2009 16:03:02 +0500 (PKT)
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <4B1E2C94.4010900@imperial.ac.uk>
References: <1260179062.3216.0.camel@Optiplex745> <4B1E2C94.4010900@imperial.ac.uk>
Message-ID: <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk>

if you insist on logging commands on the router itself, then vendor J is
the way to go..which can log everything on the box itself.. :)

Why don't you use Tacacs+ for Cisco? If you can't afford to go commercial
software like Cisco ACS, you can use Tacacs+ open source product. A normal
Unix machine running Tacacs+ would serve the purpose.

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

>> So the question is : any idea about how to get IOS to log enable
>> commands into syslog ?
>> or how to use Radius accounting for commands ?
>> What are the possibilities without Tacacs+ ?
>
> Slim. Use Tacacs+
>

From hntourneur at autempspourmoi.be Tue Dec 8 06:14:58 2009
From: hntourneur at autempspourmoi.be (Henry-Nicolas Tourneur)
Date: Tue, 08 Dec 2009 12:14:58 +0100
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk>
References: <1260179062.3216.0.camel@Optiplex745> <4B1E2C94.4010900@imperial.ac.uk> <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <1260270898.30062.10.camel@Optiplex745>

I'm not willing to use Tacacs+ because I'm setting up a new server
environment and I don't want to need to manually compile tac-plus and get
broken dependencies after an upgrade.

Using tac-plus from APT would be far easier; unfortunately, it's not
available any more. And we are not interested in purchasing a Cisco ACS
product just for doing what tac-plus does.

On Tuesday 08 December 2009 at 16:03 +0500, masood at nexlinx.net.pk wrote:
> if you insist on logging commands on the router itself, then vendor J is
> the way to go..which can log everything on the box itself.. :)
>
> Why don't you use Tacacs+ for Cisco? If you can't afford to go commercial
> software like Cisco ACS, you can use Tacacs+ open source product. A normal
> Unix machine running Tacacs+ would serve the purpose.
>
> Regards,
> Masood
> Blog: http://weblogs.com.pk/jahil/
>
> >> So the question is : any idea about how to get IOS to log enable
> >> commands into syslog ? or how to use Radius accounting for commands ?
> >> What are the possibilities without Tacacs+ ?
> >
> > Slim.
> > Use Tacacs+
> >
>

From A.L.M.Buxey at lboro.ac.uk Tue Dec 8 06:28:28 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Tue, 8 Dec 2009 11:28:28 +0000
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk>
References: <1260179062.3216.0.camel@Optiplex745> <4B1E2C94.4010900@imperial.ac.uk> <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk>
Message-ID: <20091208112828.GB3350@lboro.ac.uk>

Hi,

> Why don't you use Tacacs+ for Cisco? If you can't afford to go commercial
> software like Cisco ACS, you can use Tacacs+ open source product. A normal
> Unix machine running Tacacs+ would serve the purpose.

basic route is Shrubbery tac_plus - very easy to configure and run.

alan

From p.mayers at imperial.ac.uk Tue Dec 8 06:28:49 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 08 Dec 2009 11:28:49 +0000
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260270898.30062.10.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745> <4B1E2C94.4010900@imperial.ac.uk> <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk> <1260270898.30062.10.camel@Optiplex745>
Message-ID: <4B1E3871.3040409@imperial.ac.uk>

Henry-Nicolas Tourneur wrote:
> I'm not willing to use Tacacs+ because I'm setting-up a new server
> environment and I don't want
> to need to manually compile tac-plus and get broken dependencies after
> an upgrade.

Statically compile it?

>
> Using tac-plus from the APT would be far more easier, unfortunately,
> it's not available any more.
> And, we are not interested in purchasing a Cisco ACS product just for
> doing what tac-plus does.
Cisco IOS *DOES NOT SUPPORT* radius for per-command authorization so a
radius server will not do what you want. Tacacs is your only option.

From mtinka at globaltransit.net Tue Dec 8 10:54:50 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 8 Dec 2009 23:54:50 +0800
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260270898.30062.10.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745> <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk> <1260270898.30062.10.camel@Optiplex745>
Message-ID: <200912082354.51497.mtinka@globaltransit.net>

On Tuesday 08 December 2009 07:14:58 pm Henry-Nicolas Tourneur wrote:

> I'm not willing to use Tacacs+ because I'm setting-up a
> new server environment and I don't want
> to need to manually compile tac-plus and get broken
> dependencies after an upgrade.

This is why I love FreeBSD (although I realize this could start a war of
the UNIX'es - not my intention, so please don't :-)).

Compiling and upgrading TACACS+ from the FreeBSD ports has always been a
breeze. All dependencies taken care of.

I'm sure it's just as easy for other UNIX/Linux distributions.

Cheers,

Mark.

From david.freedman at uk.clara.net Tue Dec 8 11:21:25 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 08 Dec 2009 16:21:25 +0000
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <4B1D60D0.2070509@forthnet.gr>
References: <1260179062.3216.0.camel@Optiplex745> <4B1D60D0.2070509@forthnet.gr>
Message-ID:

Tassos Chatzithomaoglou wrote:
> In case you're interested for another radius server, Radiator (you have
> to pay for it) supports a lot of tacacs functionality too.
>

Must say Radiator++, written in Perl and source made available, what it
may lack in performance is more than made up for in functionality and as
such can act as a tacacs<->radius gateway or even tacacs<->tacacs gateway
if you so desire (all extensively user configurable)

Dave.

From frogmanclay at gmail.com Tue Dec 8 12:59:20 2009
From: frogmanclay at gmail.com (Clay Hoy)
Date: Tue, 8 Dec 2009 11:59:20 -0600
Subject: [c-nsp] ASA - Easy VPN server - # of SAs
Message-ID:

I am looking at an asa5580-20 and it shows the SSL limit at 10k and the
VPN peer limit at 10k. However, when using both you can not go over a
combined total of 10k connections. That is per the datasheet:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Now, I am going to be using it as an Easy VPN server. Knowing the ASA only
supports legacy Easy VPN and each routed subnet on the remote side uses an
SA, is the real limit 10k SAs? That is how I read it, but I can't seem to
get a straight answer from anyone at Cisco.

If I have 2000 remote sites, with 5 routed subnets each, am I at the limit
of the box?

I know I can cluster these boxes, but I need to know that I am going to
have to up front in order to request the proper budget and do all the
right testing in the lab.

Also, does anyone know of any serious problems using the ASA55xx series as
an Easy VPN server?

Thank you everyone for your time,

Clay

From panocisco77 at gmail.com Tue Dec 8 14:02:43 2009
From: panocisco77 at gmail.com (Renelson Panosky)
Date: Tue, 8 Dec 2009 14:02:43 -0500
Subject: [c-nsp] bpduguard and trunks?
In-Reply-To: <4B17CB62.1020203@thingy.com>
References: <4B17CB62.1020203@thingy.com>
Message-ID: <16e2ac180912081102w1920289fra734e322568cd89@mail.gmail.com>

I had a similar problem and yes BPDUGUARD affects trunk ports. I think you
have to disable bpduguard on both sides and make sure you're running RSTP
mode.
On Thu, Dec 3, 2009 at 9:29 AM, Howard Jones wrote:
> I've just run into an odd problem, and was wondering if anyone else
> could clarify this for me.
>
> [c1]---[Sw1]----------[Sw2]---[c2]
>
> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
> between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
> passed along the sw1-sw2 trunk to c2.
>
> The port facing c1 has bpduguard enabled. Halfway through adding vlans,
> Sw2 complains about inconsistent BPDUs, and the root bridge mac address
> is that of c1. It shuts down the trunk port, which is kind of annoying.
>
> Does bpduguard only affect access ports and not trunks? That's the only
> explanation I can see for what is going on. The manual doesn't exactly
> say either way: "At the interface level, you enable BPDU guard on any
> interface by using the spanning-tree bpduguard enable interface
> configuration command without also enabling the Port Fast feature.". Sw1
> also has 'no spanning-tree vlan 1-4090' - will that help or hinder, here?
>
> I think the real answer is to stop using switches to ship stuff between
> sites like this, but that is a battle for another day.
>
> Thanks in advance for any illumination...
>
> Howie
>

From SPfister at dps.k12.oh.us Tue Dec 8 15:11:54 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 08 Dec 2009 15:11:54 -0500
Subject: [c-nsp] Need some help on figuring out bandwidth management
Message-ID: <4B1E6CB9.9E6F.00B8.0@dps.k12.oh.us>

I've got a remote site connected to the central site for Internet access
via 2 T1s to an ATM network. Voice has been allocated 800k of this
bandwidth, and the rest is data.
Network usage at this particular site has been growing within the past
couple of months and at times bandwidth has been maxed out. I need some way
to make sure bandwidth is allocated fairly. I'd like to be able to add more
capacity, but that's not going to be possible right now.

One of the first things I thought of was unicast storm-control. If I went
this route, I'm not sure what parameters to use. Right now, some ports are
set to an upper limit of 5%, and some are set to 5k pps (the default value,
I believe). This was all set up before I started here, and I've never
really given it much thought until this project came along. It looks like
the upstream connection for that site rarely gets over 450 pps to the
central site.

Questions:

- Is unicast storm-control a good option here, or should I look at others?
- If I do use it, can someone point me to where I can find some help on the
  best settings to use in this particular environment?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From jared at puck.nether.net Tue Dec 8 15:47:15 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 8 Dec 2009 15:47:15 -0500
Subject: [c-nsp] Looking for GPON experience
Message-ID: <152C3AB4-BE71-4FA2-BB10-8E9606760E54@puck.nether.net>

I'm looking at building a small GPON network and am looking for feedback
for those that have built similar solutions. Vendors, ease of use both for
ONT and related information is of use to me.

Here's hoping someone here has experience with it they are willing to
share. Please direct follow-ups to me and I can summarize if there is
interest.
	- Jared

From justin at justinshore.com Tue Dec 8 18:20:22 2009
From: justin at justinshore.com (Justin Shore)
Date: Tue, 08 Dec 2009 17:20:22 -0600
Subject: [c-nsp] Cisco logging commands
In-Reply-To: <1260270898.30062.10.camel@Optiplex745>
References: <1260179062.3216.0.camel@Optiplex745> <4B1E2C94.4010900@imperial.ac.uk> <13460.196.46.241.57.1260270182.squirrel@nexmail1.nexlinx.net.pk> <1260270898.30062.10.camel@Optiplex745>
Message-ID: <4B1EDF36.5050507@justinshore.com>

Henry-Nicolas Tourneur wrote:
> I'm not willing to use Tacacs+ because I'm setting-up a new server
> environment and I don't want
> to need to manually compile tac-plus and get broken dependencies after
> an upgrade.

I've been using OSS tacacs+ daemons for nearly a decade and have yet to run
into a situation where it suddenly broke due to a dependency issue created
when I upgraded something else. This is coming from a person that compiles
nearly everything on his servers from source including core libraries
glibc, OpenSSL, etc. Static linking is the simple answer if that's your
concern anyway just like with any other OSS tool.

> Using tac-plus from the APT would be far more easier, unfortunately,
> it's not available any more.
> And, we are not interested in purchasing a Cisco ACS product just for
> doing what tac-plus does.

I vote for the Shrubbery.net version. Worked perfectly for me for many
years.

Also, here's some AAA config you'll need for tacacs to log ANYTHING that
gets typed on the CLI in ANY privilege level, including typos:

aaa accounting delay-start
! NETACC is one named accounting method list, reused below for exec,
! connection and every privilege level 0-15 so no command level is missed
aaa accounting exec NETACC
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 1 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 2 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 3 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 4 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 5 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 6 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 7 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 8 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 9 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 10 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 11 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 12 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 13 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 14 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting commands 15 NETACC
 action-type stop-only
 group tacacs+
!
aaa accounting connection NETACC
 action-type stop-only
 group tacacs+
!
! the method lists only take effect on lines they are applied to
line vty 0 15
 accounting connection NETACC
 accounting commands 0 NETACC
 accounting commands 1 NETACC
 accounting commands 2 NETACC
 accounting commands 3 NETACC
 accounting commands 4 NETACC
 accounting commands 5 NETACC
 accounting commands 6 NETACC
 accounting commands 7 NETACC
 accounting commands 8 NETACC
 accounting commands 9 NETACC
 accounting commands 10 NETACC
 accounting commands 11 NETACC
 accounting commands 12 NETACC
 accounting commands 13 NETACC
 accounting commands 14 NETACC
 accounting commands 15 NETACC
 accounting exec NETACC

The syntax is new beginning with 12.4(24)T or thereabouts but the gist of
it is the same. Just rewrite the 'aaa accounting commands' lines if you're
using an older IOS rev. Couple that with your normal tacacs config and
you'll log every single thing typed on the VTYs. Don't forget your other
lines though.

Justin

From alenwong+cisconsp at gmail.com Tue Dec 8 23:22:31 2009
From: alenwong+cisconsp at gmail.com (Alen)
Date: Wed, 9 Dec 2009 12:22:31 +0800
Subject: [c-nsp] Checking GBIC vendor name, part no. and serial no.
	on Cisco 2950
Message-ID: <763cba560912082022na904177ye9a7df552939242d@mail.gmail.com>

Hi,

We are currently checking on the vendor name, part no and serial no. of the
GBICs being used in production switches.

For switches like 4948 and 4503, we can use "show idprom int g1/1" to
display the above wanted information.

But such a command does not seem to exist in Catalyst 2950. Any thoughts
on this?

Thanks.

Alen

From asad747 at cyber.net.pk Wed Dec 9 01:08:21 2009
From: asad747 at cyber.net.pk (Asad Ul-Islam)
Date: Wed, 09 Dec 2009 11:08:21 +0500
Subject: [c-nsp] QoS on Metro Ethernet!
Message-ID: <001501ca7896$027cc7c0$07765740$@net.pk>

Dear friends,

I am running Metro Ethernet based network (Multi Vendor) providing various
services including ELANE & ELINE. I would like to monitor QoS on network
per customer EVC. Can someone tell me how can I achieve that?? Which
parameters should be monitored? Please list down some products
(Commercial/Free) which monitor QoS at this level (Specially for
ELINE/ELANE) and can also provide SLA reports.

Best Regards,

Asad.

From uvh at siemens.com Wed Dec 9 07:33:47 2009
From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342))
Date: Wed, 9 Dec 2009 13:33:47 +0100
Subject: [c-nsp] Cisco Pagent IOS
Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net>

Dear Friends

Does anybody know whether Cisco Pagent TG IOS is available to the public
through your account manager - has anyone worked with it or can recommend
another alternative Colasoft TG..?

Med venlig hilsen / Best Regards

Ulrich Vestergaard B.
Hansen
Network Engineer

Please consider the environment before printing this e-mail

From rdobbins at arbor.net Wed Dec 9 07:48:31 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Wed, 9 Dec 2009 12:48:31 +0000
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net>
References: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net>
Message-ID: <8426DA48-B179-4865-A88E-4E460BD29555@arbor.net>

On Dec 9, 2009, at 7:33 PM, Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote:

> Does anybody know whether Cisco Pagent TG IOS is available to the public
> through your account manager

No, it isn't.

> - has anyone worked with it or can recommend another alternative

There are lots of commercial and open-source packet-generation tools
available, which can be found by making use of Your Search Engine of
Choice.

-----------------------------------------------------------------------
Roland Dobbins  //

	Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

From david.freedman at uk.clara.net Wed Dec 9 08:01:21 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 09 Dec 2009 13:01:21 +0000
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net>
References: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net>
Message-ID:

Contact your SE, most of them (I believe) have access to the internal form
to submit to get it released to you (which you used to get sent a link to
the special-file-access portal)

There is also a big document to read about the TG commands and how to use
them.

Dave.

Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote:
> Dear Friends
>
> Does anybody know whether Cisco Pagent TG IOS is available to the public
> through your account manager - has anyone worked with it or can
> recommend another alternative Colasoft TG..?
>
>
> Med venlig hilsen / Best Regards
>
> Ulrich Vestergaard B. Hansen
> Network Engineer
>
> Please consider the environment before printing this e-mail
>
>
>
>

From uvh at siemens.com Wed Dec 9 09:07:33 2009
From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342))
Date: Wed, 9 Dec 2009 15:07:33 +0100
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <8426DA48-B179-4865-A88E-4E460BD29555@arbor.net>
References: <5FD7A7EC774B114092B1603D69E42C9B02F5778F@BDKB1EEA.ww007.siemens.net> <8426DA48-B179-4865-A88E-4E460BD29555@arbor.net>
Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02F5784E@BDKB1EEA.ww007.siemens.net>

Roland,

As it is with Search Engines - there are both 'good' and 'bad' engines
available, I'm just looking for recommendations on TGN software :o)

// Ulrich

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Dobbins, Roland
Sent: 9 December 2009 13:49
To: Cisco-nsp
Subject: Re: [c-nsp] Cisco Pagent IOS

On Dec 9, 2009, at 7:33 PM, Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote:

> Does anybody know whether Cisco Pagent TG IOS is available to the public
> through your account manager

No, it isn't.

> - has anyone worked with it or can recommend another alternative

There are lots of commercial and open-source packet-generation tools
available, which can be found by making use of Your Search Engine of
Choice.

-----------------------------------------------------------------------
Roland Dobbins  //

	Injustice is relatively easy to bear; what stings is justice.

                        -- H.L.
Mencken

From rens at autempspourmoi.be Wed Dec 9 09:53:49 2009
From: rens at autempspourmoi.be (Rens)
Date: Wed, 9 Dec 2009 15:53:49 +0100
Subject: [c-nsp] SMARTnet question
Message-ID: <6C247E774EEB4C27A5BCF24A93266343@EU.corp.clearwire.com>

Hi all,

I was wondering what the difference is between some SMARTnet options.

For example if I want to buy an ASR1002-Fixed with IP base software:

If I only want the software only updates I only have to buy the CON-SW for
the software? CON-SW-SASR1R1

Do I also have to buy the CON-SW-ASR1002 option? I don't see the point for
it.

Regards,

Rens

From ex_art at mail.ru Wed Dec 9 09:59:48 2009
From: ex_art at mail.ru (Teslenko)
Date: Wed, 09 Dec 2009 16:59:48 +0200
Subject: [c-nsp] Problem with dscp packets marking on 76th platform.
In-Reply-To:
References: <4B0D1075.50601@mail.ru> <4B0D5293.7090604@mail.ru>
Message-ID: <4B1FBB64.5030800@mail.ru>

We resolved this problem when we changed MPLS DiffServ mode from Short Pipe
to Uniform mode. It will work if we apply the next command in global
configuration mode:

#mls mpls qos input uniform-mode

Thomas Habets wrote:
> On Thu, 26 Nov 2009, selamat pagi wrote:
>> When you did your first test, CE-PE1-P-PE2 where there still vrf's
>> configured. That would explain why you did not see DSCP-values, you
>> would
>> have seen EXP-values. You still would have 1 label (vpn-label).
>
> No, I had multiple P routers in a row where I matched on EXP and saw
> this. And I think this was also an issue outgoing from the egress PE
> when there is no label (only DSCP) and I matched on DSCP.
>
> Really, the show-policy-map-interface counters don't work unless you
> set something in the matching class on 6500/7600.
>
> Yes. Really.
>
>> To prove this, could you change your policy to match EXP 4 instead of
>> DSCP
>> 39 ?
>
> That's what I did. Since as you say, only the outer label is popped by
> PHP.
>
> Like I said: sniff the traffic if you think things aren't being tagged.
> They may well be tagged properly. Also you can try traceroute through
> the network with a traceroute that understands EXP in the TTL expired
> messages (where the traceroute probes ought to be tagged). Doesn't
> work all that well if you have no-propagate-ttl though.
>
> ---------
> typedef struct me_s {
>   char name[]      = { "Thomas Habets" };
>   char email[]     = { "thomas at habets.pp.se" };
>   char kernel[]    = { "Linux" };
>   char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
>   char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
>   char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
>
>

From mh+cisco-nsp at zugschlus.de Wed Dec 9 10:20:08 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 9 Dec 2009 16:20:08 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
Message-ID: <20091209152008.GG20617@torres.zugschlus.de>

Hi,

at a number of customer sites, we run a VPN service for mobile users.
Since we usually are not in charge of the firewall that is in place
there, we have the following construction


  Internet
     |
 ----------         ------------
 |Firewall|---------|VPN Router|
 ----------         ------------
     |
 internal network

The VPN router is usually an 1841, and the mobile users have the
"standard" Cisco VPN client for IPSEC (the one with the nice .pcf
files and which is currently shipping as version 5.0.04.0300). This
works just fine, and we would really like to stay with this setup for
some time.

Unfortunately, Cisco seems to have decided to not ship the "standard"
VPN client for 64 bit Windows variants, which are increasingly often
used out in the wild. They refer to the AnyConnect VPN Client which,
to my "knowledge", can only connect to an ASA and not to an IOS device.
Can anybody here tell me whether there will be a possibility available
to connect from 64 bit Windows to an IOS device? Any hints will be
appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From jonvoip at gmail.com Wed Dec 9 11:20:27 2009
From: jonvoip at gmail.com (Jonathan Charles)
Date: Wed, 9 Dec 2009 10:20:27 -0600
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209152008.GG20617@torres.zugschlus.de>
References: <20091209152008.GG20617@torres.zugschlus.de>
Message-ID: <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>

The short answer is... no.

Cisco said they will never release a 64-bit version of their VPN Client.

However, Anyconnect has a 64-bit variant; this, however, requires a
separate license for the ASA...

There is a third-party VPN client for 64-bit that works fine:

http://www.ncp-e.com/en.html



Jonathan

On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber wrote:
> Hi,
>
> at a number of customer sites, we run a VPN service for mobile users.
> Since we usually are not in charge of the firewall that is in place
> there, we have the following construction
>
>
>   Internet
>      |
>  ----------         ------------
>  |Firewall|---------|VPN Router|
>  ----------         ------------
>      |
>  internal network
>
> The VPN router is usually an 1841, and the mobile users have the
> "standard" Cisco VPN client for IPSEC (the one with the nice .pcf
> files and which is currently shipping as version 5.0.04.0300). This
> works just fine, and we would really like to stay with this setup for
> some time.
>
> Unfortunately, Cisco seems to have decided to not ship the "standard"
> VPN client for 64 bit Windows variants, which are increasingly often
> used out in the wild.
> They refer to the AnyConnect VPN Client which,
> to my "knowledge", can only connect to an ASA and not to an IOS device.
>
> Can anybody here tell me whether there will be a possibility available
> to connect from 64 bit Windows to an IOS device? Any hints will be
> appreciated.
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
> Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>

From moua0100 at umn.edu Wed Dec 9 11:34:22 2009
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 09 Dec 2009 10:34:22 -0600
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
Message-ID: <4B1FD18E.5000501@umn.edu>

this one is free: www.shrewsoft.com

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Jonathan Charles wrote:
> The short answer is... no.
>
> Cisco said they will never release a 64-bit version of their VPN Client.
>
> However, Anyconnect has a 64-bit variant, however, this requires a
> separate license for the ASA...
>
> There is a third-party VPN client for 64-bit that works fine:
>
> http://www.ncp-e.com/en.html
>
>
>
> Jonathan
>
> On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber wrote:
>
>> Hi,
>>
>> at a number of customer sites, we run a VPN service for mobile users.
>> Since we usually are not in charge of the firewall that is in place
>> there, we have the following construction
>>
>>
>>   Internet
>>      |
>>  ----------         ------------
>>  |Firewall|---------|VPN Router|
>>  ----------         ------------
>>      |
>>  internal network
>>
>> The VPN router is usually an 1841, and the mobile users have the
>> "standard" Cisco VPN client for IPSEC (the one with the nice .pcf
>> files and which is currently shipping as version 5.0.04.0300). This
>> works just fine, and we would really like to stay with this setup for
>> some time.
>>
>> Unfortunately, Cisco seems to have decided to not ship the "standard"
>> VPN client for 64 bit Windows variants, which are increasingly often
>> used out in the wild. They refer to the AnyConnect VPN Client which,
>> to my "knowledge", can only connect to an ASA and not to an IOS device.
>>
>> Can anybody here tell me whether there will be a possibility available
>> to connect from 64 bit Windows to an IOS device? Any hints will be
>> appreciated.
>>
>> Greetings
>> Marc
>>
>> --
>> -----------------------------------------------------------------------------
>> Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
>> Mannheim, Germany  |  lose things."
>>                     Winona Ryder | Fon: *49 621 72739834
>> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>>

From cnsp at shreddedmail.com Wed Dec 9 11:41:12 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Wed, 9 Dec 2009 08:41:12 -0800
Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF)
In-Reply-To: <007401ca5c04$655786e0$300694a0$@com>
References: <007401ca5c04$655786e0$300694a0$@com>
Message-ID:

FWIW, disabling fast-failover worked fine with no apparent downside.

On Mon, Nov 2, 2009 at 1:34 PM, David Prall wrote:
> Turn on PIC-Core
> cef table output-chain build favor convergence-speed ! please be wary of
> platform specific caveats
>
> ip routing protocol purge interface ! purges interface routes and not
> routes that followed the interface, this will leave the BGP routes
> untouched.
>
> This is the only thing I could find discussing it:
>
> http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/dffsrv.html#wp1191135
>
> It is available on other platforms as well.
>
> David
>
> --
> http://dcp.dcptech.com
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Ernst
> > Sent: Monday, November 02, 2009 4:04 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] eBGP multihop, link failure, and multi-path IGP (OSPF)
> >
> > We have some eBGP neighbors that have their peering session reset in the
> > case of link failure (root-cause analysis and problem resolution as a
> > separate subject). The peers are connected via loopback interfaces and
> > multi-path OSPF.
> >
> > bgp fast-external-failover is supposed to be used for directly connected
> > eBGP peers, but it seems like a link failure on a pair of redundant
> > (layer-3) links is also causing the peer to go down:
> >
> > Nov 1 11:33:12 10.56.205.1 %OSPF-5-ADJCHG: Process 1, Nbr a.b.c.d on FastEthernet8/0/0 from EXSTART to DOWN, Neighbor Down: Interface down or detached
> > Nov 1 11:33:12 10.56.205.1 %BGP-5-ADJCHANGE: neighbor w.x.y.z Down Interface flap
> >
> > The destination to the peer is still in the FIB, and the peer comes back up
> > almost immediately (in this case, about 15 seconds).
> >
> > I'm considering disabling fast-external-failover, but want to better
> > understand the event. The eBGP peer is not "directly connected" on the
> > interface. It is reachable via a loopback peering IP with multi-path OSPF.
> > Is this expected behavior (any link with a route to the destination going
> > down will cause the session to go down)?
> >
> >
> > Any gotchas with disabling fast-failover?
> >
> > Thanks,

From NMaio at guesswho.com Wed Dec 9 12:11:30 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Wed, 9 Dec 2009 12:11:30 -0500
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <4B1FD18E.5000501@umn.edu>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com> <4B1FD18E.5000501@umn.edu>
Message-ID: <2AA600764E54964491083B1E0EC81A302F87724360@EXCLUS.nationala-1advertising.com>

Does anyone know of a way, or if it is possible, to have the Shrew client
send its client type and version? I use client access rules, so I would
like to restrict this to specific versions. Currently it doesn't send
anything.

Thanks,
Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
Sent: Wednesday, December 09, 2009 11:34 AM
To: Jonathan Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows

this one is free: www.shrewsoft.com

Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Jonathan Charles wrote:
> The short answer is... no.
>
> Cisco said they will never release a 64-bit version of their VPN Client.
>
> However, Anyconnect has a 64-bit variant, however, this requires a
> separate license for the ASA...
>
> There is a third-party VPN client for 64-bit that works fine:
>
> http://www.ncp-e.com/en.html
>
>
>
> Jonathan
>
> On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber wrote:
>
>> Hi,
>>
>> at a number of customer sites, we run a VPN service for mobile users.
>> Since we usually are not in charge of the firewall that is in place
>> there, we have the following construction
>>
>>
>>           Internet
>>               |
>>  ----------         ------------
>>  |Firewall|---------|VPN Router|
>>  ----------         ------------
>>               |
>>       internal network
>>
>> The VPN router is usually an 1841, and the mobile users have the
>> "standard" Cisco VPN client for IPSEC (the one with the nice .pcf
>> files and which is currently shipping as version 5.0.04.0300). This
>> works just fine, and we would really like to stay with this setup for
>> some time.
>>
>> Unfortunately, Cisco seems to have decided to not ship the "standard"
>> VPN client for 64 bit Windows variants, which are increasingly often
>> used out in the wild. They refer to the AnyConnect VPN Client which,
>> to my "knowledge", can only connect to an ASA and not to an IOS device.
>>
>> Can anybody here tell me whether there will be a possibility available
>> to connect from 64 bit Windows to an IOS device? Any hints will be
>> appreciated.
>>
>> Greetings
>> Marc
>>
>> --
>> -----------------------------------------------------------------------------
>> Marc Haber         | "I don't trust Computers. They | Mail address in header
>> Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
>> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>>

From Bryan at bryanfields.net Wed Dec 9 11:44:02 2009
From: Bryan at bryanfields.net (Bryan Fields)
Date: Wed, 09 Dec 2009 11:44:02 -0500
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
Message-ID: <4B1FD3D2.3070607@bryanfields.net>

Jonathan Charles wrote:
> The short answer is... no.
>
> Cisco said they will never release a 64-bit version of their VPN Client.

So how does the cisco solution work on new systems going forward?

--
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net

From gulerozgur at yahoo.co.uk Wed Dec 9 12:30:23 2009
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Wed, 9 Dec 2009 17:30:23 +0000 (GMT)
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
Message-ID: <521357.1535.qm@web25508.mail.ukl.yahoo.com>

NCP Client triggered the below in our case. Make sure your local pool does
not leak IPs.
CSCtd63032 Bug Details
IOS EzVPN server leaking local IP pool
Symptom: IOS EzVPN server leaks local pool addresses under some conditions
with some 3rd party VPN clients

Make sure your local pool does not leak IPs.

Thanks,
Ozgur

--- On Wed, 9/12/09, Jonathan Charles wrote:
> From: Jonathan Charles
> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
> To: "Marc Haber"
> Cc: cisco-nsp at puck.nether.net
> Date: Wednesday, 9 December, 2009, 16:20
>
> The short answer is... no.
>
> Cisco said they will never release a 64-bit version of their VPN Client.
>
> However, Anyconnect has a 64-bit variant, however, this requires a
> separate license for the ASA...
>
> There is a third-party VPN client for 64-bit that works fine:
>
> http://www.ncp-e.com/en.html
>
>
>
> Jonathan
>
> On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber wrote:
> > Hi,
> >
> > at a number of customer sites, we run a VPN service for mobile users.
> > Since we usually are not in charge of the firewall that is in place
> > there, we have the following construction
> >
> >
> >           Internet
> >               |
> >  ----------         ------------
> >  |Firewall|---------|VPN Router|
> >  ----------         ------------
> >               |
> >       internal network
> >
> > The VPN router is usually an 1841, and the mobile users have the
> > "standard" Cisco VPN client for IPSEC (the one with the nice .pcf
> > files and which is currently shipping as version 5.0.04.0300). This
> > works just fine, and we would really like to stay with this setup for
> > some time.
> >
> > Unfortunately, Cisco seems to have decided to not ship the "standard"
> > VPN client for 64 bit Windows variants, which are increasingly often
> > used out in the wild. They refer to the AnyConnect VPN Client which,
> > to my "knowledge", can only connect to an ASA and not to an IOS device.
> >
> > Can anybody here tell me whether there will be a possibility available
> > to connect from 64 bit Windows to an IOS device?
> > Any hints will be appreciated.
> >
> > Greetings
> > Marc
> >
> > --
> > -----------------------------------------------------------------------------
> > Marc Haber         | "I don't trust Computers. They | Mail address in header
> > Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
> > Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
>

From gsgranados at comcast.net Wed Dec 9 12:43:22 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 9 Dec 2009 09:43:22 -0800
Subject: [c-nsp] Cisco VPN and 64 bit Windows
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com> <4B1FD3D2.3070607@bryanfields.net>
Message-ID: <001301ca78f7$20705b50$2608120a@am.thmulti.com>

Really, the best solution here is to run a 3rd party VPN client. This is
the best plan unless you want to migrate to anyconnect. We use VPNC with
Linux and the built in Mac VPN support, and there are several decent free
64 bit windows options.

----- Original Message -----
From: "Bryan Fields"
To:
Sent: Wednesday, December 09, 2009 8:44 AM
Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows

> Jonathan Charles wrote:
>> The short answer is... no.
>>
>> Cisco said they will never release a 64-bit version of their VPN Client.
>
> So how does the cisco solution work on new systems going forward?
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> 727-214-2508 - Fax
> http://bryanfields.net

From mh+cisco-nsp at zugschlus.de Wed Dec 9 12:54:18 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 9 Dec 2009 18:54:18 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com>
Message-ID: <20091209175418.GI20617@torres.zugschlus.de>

Hi,

On Wed, Dec 09, 2009 at 10:20:27AM -0600, Jonathan Charles wrote:
> The short answer is... no.

So, IPSEC with a dedicated out-of-browser software is dead?

> However, Anyconnect has a 64-bit variant, however, this requires a
> separate license for the ASA...

I don't have ASAs, and I don't want them.

> There is a third-party VPN client for 64-bit that works fine:
>
> http://www.ncp-e.com/en.html

Very very expensive. I am not sure whether the clients will shell out
that kind of money.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From gert at greenie.muc.de Wed Dec 9 13:17:36 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 9 Dec 2009 19:17:36 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <4B1FD3D2.3070607@bryanfields.net>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com> <4B1FD3D2.3070607@bryanfields.net>
Message-ID: <20091209181736.GI163@greenie.muc.de>

Hi,

On Wed, Dec 09, 2009 at 11:44:02AM -0500, Bryan Fields wrote:
> Jonathan Charles wrote:
> > The short answer is... no.
> >
> > Cisco said they will never release a 64-bit version of their VPN Client.
>
> So how does the cisco solution work on new systems going forward?

"Give money to Cisco and buy new boxes".

Does that surprise anyone?

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From James.LITTLEFIELD at 3ds.com Wed Dec 9 13:32:27 2009
From: James.LITTLEFIELD at 3ds.com (LITTLEFIELD James)
Date: Wed, 9 Dec 2009 13:32:27 -0500
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209181736.GI163@greenie.muc.de>
References: <20091209152008.GG20617@torres.zugschlus.de> <5d093f9a0912090820r3fcb910ds99d5eab7f16b98dd@mail.gmail.com> <4B1FD3D2.3070607@bryanfields.net> <20091209181736.GI163@greenie.muc.de>
Message-ID: <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
> Sent: Wednesday, December 09, 2009 1:18 PM
> To: Bryan Fields
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
>
> Hi,
>
> On Wed, Dec 09, 2009 at 11:44:02AM -0500, Bryan Fields wrote:
> > Jonathan Charles wrote:
> > > The short answer is... no.
> > >
> > > Cisco said they will never release a 64-bit version of their VPN Client.
> >
> > So how does the cisco solution work on new systems going forward?
>
> "Give money to Cisco and buy new boxes".
>
> Does that surprise anyone?

Which is why we opted to migrate all of our VPN to Juniper :-)

Best regards,
Jim LITTLEFIELD
Information Technology
Office: +1 401 276 4457
James.LITTLEFIELD at 3ds.com

From bms314 at gmail.com Wed Dec 9 13:39:26 2009
From: bms314 at gmail.com (Brian Schultz)
Date: Wed, 9 Dec 2009 12:39:26 -0600
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209152008.GG20617@torres.zugschlus.de>
References: <20091209152008.GG20617@torres.zugschlus.de>
Message-ID: <7aaaf7f0912091039t388a787cyc1af72f291d3579c@mail.gmail.com>

Have you looked into IOS SSL VPN? AnyConnect will work on IOS and supports
64 bit OS.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html

Brian

On Wed, Dec 9, 2009 at 9:20 AM, Marc Haber wrote:
> Hi,
>
> at a number of customer sites, we run a VPN service for mobile users.
> Since we usually are not in charge of the firewall that is in place
> there, we have the following construction
>
>
>           Internet
>               |
>  ----------         ------------
>  |Firewall|---------|VPN Router|
>  ----------         ------------
>               |
>       internal network
>
> The VPN router is usually an 1841, and the mobile users have the
> "standard" Cisco VPN client for IPSEC (the one with the nice .pcf
> files and which is currently shipping as version 5.0.04.0300). This
> works just fine, and we would really like to stay with this setup for
> some time.
>
> Unfortunately, Cisco seems to have decided to not ship the "standard"
> VPN client for 64 bit Windows variants, which are increasingly often
> used out in the wild. They refer to the AnyConnect VPN Client which,
> to my "knowledge", can only connect to an ASA and not to an IOS device.
>
> Can anybody here tell me whether there will be a possibility available
> to connect from 64 bit Windows to an IOS device? Any hints will be
> appreciated.
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber         | "I don't trust Computers. They | Mail address in header
> Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
> Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From gkg at gmx.de Wed Dec 9 13:24:04 2009
From: gkg at gmx.de (Garry)
Date: Wed, 09 Dec 2009 19:24:04 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209152008.GG20617@torres.zugschlus.de>
References: <20091209152008.GG20617@torres.zugschlus.de>
Message-ID: <4B1FEB44.7050903@gmx.de>

On 09.12.2009 16:20, Marc Haber wrote:
> Unfortunately, Cisco seems to have decided to not ship the "standard"
> VPN client for 64 bit Windows variants, which are increasingly often
> used out in the wild. They refer to the AnyConnect VPN Client which,
> to my "knowledge", can only connect to an ASA and not to an IOS device.
>

I just checked with our Cisco distributor, who after a week was finally
able to inform me that there are in fact SSL VPN licenses for IOS routers
like the 1841 ... e.g. article ID "FL-WEBVPN-10-K9" ... haven't tried it
out yet, though ...

-garry

From me at falz.net Wed Dec 9 13:59:10 2009
From: me at falz.net (Chris Wopat)
Date: Wed, 9 Dec 2009 12:59:10 -0600
Subject: [c-nsp] Cisco VPN and 64 bit Windows
Message-ID:

Anyconnect Essentials was mentioned a few months ago on this thread. It
will let you use SSLVPN with Anyconnect so you can have client VPNs. A 250
user license is only about $100. The downfall is that it requires an ASA
requiring 8.2.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

--Chris

From mh+cisco-nsp at zugschlus.de Wed Dec 9 14:16:40 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 9 Dec 2009 20:16:40 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <001301ca78f7$20705b50$2608120a@am.thmulti.com>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com>
Message-ID: <20091209191640.GK20617@torres.zugschlus.de>

Hi,

On Wed, Dec 09, 2009 at 09:43:22AM -0800, Scott Granados wrote:
> This is the best plan unless you want to migrate to anyconnect.

What are the (dis)advantages of anyconnect?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

From jsahala at gmail.com Wed Dec 9 15:07:14 2009
From: jsahala at gmail.com (joshua sahala)
Date: Wed, 9 Dec 2009 13:07:14 -0700
Subject: [c-nsp] 6500 (Sup7203-bxl / 6724-SFP) Input queue drops
In-Reply-To:
References: <4B1C48D4.9080905@poggs.co.uk> <4B1D0AAD.50406@imperial.ac.uk>
Message-ID: <4b8f66d70912091207j39a4adb4td5c2ea9287dd51c3@mail.gmail.com>

drew,

It may or may not be related, but... check the output of 'sh counter int
[delta]' and look at the qos[1-21][In|Out]lost counters. I was
experiencing various drops due to the default interface (qos) buffer
allocation: basically, all of my traffic was hitting the 76xx swouter in
the q0 buffer and overrunning it (there were no drops in any of the other
qos queues because no traffic was ever hitting them). I ended up having to
rewrite the buffer mapping to allocate everything to q0, and the random
discards stopped (at least the ones caused by this issue).
hth,

/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools.
- Douglas Adams -

From gert at greenie.muc.de Wed Dec 9 15:16:35 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 9 Dec 2009 21:16:35 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209191640.GK20617@torres.zugschlus.de>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de>
Message-ID: <20091209201635.GL163@greenie.muc.de>

Hi,

On Wed, Dec 09, 2009 at 08:16:40PM +0100, Marc Haber wrote:
> On Wed, Dec 09, 2009 at 09:43:22AM -0800, Scott Granados wrote:
> > This is the best plan unless you want to migrate to anyconnect.
>
> What are the (dis)advantages of anyconnect?

Extra license cost, vendor lock-in, no open standard.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Dec 9 15:17:45 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 9 Dec 2009 21:17:45 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds>
References: <20091209181736.GI163@greenie.muc.de> <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds>
Message-ID: <20091209201745.GM163@greenie.muc.de>

Hi,

On Wed, Dec 09, 2009 at 01:32:27PM -0500, LITTLEFIELD James wrote:
> Which is why we opted to migrate all of our VPN to Juniper :-)

Not that they are willing to ship an IPSEC VPN client for 64 bit
windows... "But you can buy our SSL VPN appliance!!!" (which isn't even
a proper Junos box).
gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From sandreas at cisco.com Wed Dec 9 15:21:36 2009
From: sandreas at cisco.com (sandreas)
Date: Wed, 09 Dec 2009 21:21:36 +0100
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To:
Message-ID:

Hi Ulrich

This is from the Cisco Internal FAQ on Pagent

Customer Use of Pagent:

> Pagent has been made available to a very limited number of customers. The
> Pagent group does not have the bandwidth to support customers so all support
> has to be provided by a local support rep; a SE or equivalent Cisco employee.
> Before getting access to the Pagent images, the customer is required to sign a
> pre-release software license agreement.
>
> Pagent documentation has been written for use by Cisco employees only and was
> not intended for outside use. Pagent documentation is not to be given to
> customers. All Pagent training, answering customer questions, obtaining images
> and license keys is the responsibility of the local support rep.
>
> If you need to support Pagent for a customer, start by emailing pagent-support
> to get a copy of the pre-release software license agreement that needs to be
> signed by the customer.

From your name you sound Danish; if so, send me an email and we can
discuss if pagent is the right tool for you.
If you are not Danish, let me know and I will find an SE in your local
country that can assist (well, I will try to).

Best regards
Soren

> From:
> Reply-To:
> Date: Wed, 09 Dec 2009 07:50:45 -0500
> To:
> Subject: cisco-nsp Digest, Vol 85, Issue 25
>
> Send cisco-nsp mailing list submissions to
>         cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
>         cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
>         cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
>    1. ASA - Easy VPN server - # of SAs (Clay Hoy)
>    2. Re: bpduguard and trunks? (Renelson Panosky)
>    3. Need some help on figuring out bandwidth management (Steven Pfister)
>    4. Looking for GPON experience (Jared Mauch)
>    5. Re: Cisco logging commands (Justin Shore)
>    6. Checking GBIC vendor name, part no. and serial no. on Cisco 2950 (Alen)
>    7. QoS on Metro Ethernet! (Asad Ul-Islam)
>    8. Cisco Pagent IOS (Hansen, Ulrich Vestergaard B. (E R WP EN 342))
>    9. Re: Cisco Pagent IOS (Dobbins, Roland)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 8 Dec 2009 11:59:20 -0600
> From: Clay Hoy
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA - Easy VPN server - # of SAs
> Message-ID:
> Content-Type: text/plain; charset=ISO-8859-1
>
> I am looking at an asa5580-20 and it shows the SSL limit at 10k and the VPN
> peer limit at 10k. However, when using both you can not go over a combined
> total of 10k connections. That is per the datasheet:
> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html
>
> Now, I am going to be using it as an Easy VPN server.
> Knowing the ASA only supports legacy Easy VPN and each routed subnet on the
> remote side uses an SA, is the real limit 10k SAs? That is how I read it,
> but I can't seem to get a straight answer from anyone at Cisco. If I have
> 2000 remote sites, with 5 routed subnets each, am I at the limit of the box?
> I know I can cluster these boxes, but I need to know that I am going to have
> to up front in order to request the proper budget and do all the right
> testing in the lab.
>
> Also, does anyone know of any serious problems using the ASA55xx series as an
> Easy VPN server?
>
> Thank you everyone for your time,
> Clay
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 8 Dec 2009 14:02:43 -0500
> From: Renelson Panosky
> To: Howard Jones
> Cc: "cisco-nsp at puck.nether.net"
> Subject: Re: [c-nsp] bpduguard and trunks?
> Message-ID: <16e2ac180912081102w1920289fra734e322568cd89 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I had a similar problem, and yes, BPDUGUARD affects trunk ports. I think you
> have to disable bpduguard on both sides and make sure you're running rpst
> mode.
>
> On Thu, Dec 3, 2009 at 9:29 AM, Howard Jones wrote:
>
>> I've just run into an odd problem, and was wondering if anyone else
>> could clarify this for me.
>>
>> [c1]---[Sw1]----------[Sw2]---[c2]
>>
>> c1 and c2 are client devices. Sw1 and Sw2 are 3750Gs with a trunk
>> between them. c1 has a trunk to Sw1. One of the vlans in that trunk is
>> passed along the sw1-sw2 trunk to c2.
>>
>> The port facing c1 has bpduguard enabled. Halfway through adding vlans,
>> Sw2 complains about inconsistent BPDUs, and the root bridge mac address
>> is that of c1. It shuts down the trunk port, which is kind of annoying.
>>
>> Does bpduguard only affect access ports and not trunks? That's the only
>> explanation I can see for what is going on.
>> The manual doesn't exactly say either way: "At the interface level, you
>> enable BPDU guard on any interface by using the spanning-tree bpduguard
>> enable interface configuration command without also enabling the Port
>> Fast feature." Sw1 also has '|no spanning-tree vlan 1-4090|' - will that
>> help or hinder, here?
>>
>> I think the real answer is to stop using switches to ship stuff between
>> sites like this, but that is a battle for another day.
>>
>> Thanks in advance for any illumination...
>>
>> Howie
>>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 08 Dec 2009 15:11:54 -0500
> From: "Steven Pfister"
> To:
> Subject: [c-nsp] Need some help on figuring out bandwidth management
> Message-ID: <4B1E6CB9.9E6F.00B8.0 at dps.k12.oh.us>
> Content-Type: text/plain; charset=US-ASCII
>
> I've got a remote site connected to the central site for Internet access via
> 2 T1s to an ATM network. Voice has been allocated 800k of this bandwidth, and
> the rest is data. Network usage at this particular site has been growing
> within the past couple of months and at times bandwidth has been maxed out. I
> need some way to make sure bandwidth is allocated fairly. I'd like to be able
> to add more capacity, but that's not going to be possible right now.
>
> One of the first things I thought of was unicast storm-control. If I went
> this route, I'm not sure what parameters to use. Right now, some ports are
> set to an upper limit of 5%, and some are set to 5k pps (the default value,
> I believe). This was all set up before I started here, and I've never really
> given it much thought until this project came along. It looks like the
> upstream connection for that site rarely gets over 450 pps to the central
> site.
>
> Questions:
> - Is unicast storm-control a good option here, or should I look at others?
> - If I do use it, can someone point me to where I can find some help on the
>   best settings to use in this particular environment?
>
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 8 Dec 2009 15:47:15 -0500
> From: Jared Mauch
> To: "cisco-nsp at puck.nether.net List"
> Subject: [c-nsp] Looking for GPON experience
> Message-ID: <152C3AB4-BE71-4FA2-BB10-8E9606760E54 at puck.nether.net>
> Content-Type: text/plain; charset=us-ascii
>
> I'm looking at building a small GPON network and am looking for feedback from
> those that have built similar solutions.
>
> Vendors, ease of use both for ONT and related information is of use to me.
>
> Here's hoping someone here has experience with it they are willing to share.
>
> Please direct follow-ups to me and I can summarize if there is interest.
>
> - Jared
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 08 Dec 2009 17:20:22 -0600
> From: Justin Shore
> To: Henry-Nicolas Tourneur
> Cc: "cisco-nsp at puck.nether.net"
> Subject: Re: [c-nsp] Cisco logging commands
> Message-ID: <4B1EDF36.5050507 at justinshore.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Henry-Nicolas Tourneur wrote:
>> I'm not willing to use Tacacs+ because I'm setting-up a new server
>> environment and I don't want to need to manually compile tac-plus and
>> get broken dependencies after an upgrade.
>
> I've been using OSS tacacs+ daemons for nearly a decade and have yet to
> run into a situation where it suddenly broke due to a dependency issue
> created when I upgraded something else.
> This is coming from a person that compiles nearly everything on his
> servers from source, including core libraries glibc, OpenSSL, etc. Static
> linking is the simple answer if that's your concern anyway, just like
> with any other OSS tool.
>
>> Using tac-plus from the APT would be far easier; unfortunately, it's not
>> available any more. And, we are not interested in purchasing a Cisco ACS
>> product just for doing what tac-plus does.
>
> I vote for the Shrubbery.net version. Worked perfectly for me for many
> years.
>
> Also, here's some AAA config you'll need for tacacs to log ANYTHING that
> gets typed on the CLI in ANY privilege level, including typos:
>
> aaa accounting delay-start
> aaa accounting exec NETACC
>  action-type start-stop
>  group tacacs+
> !
> aaa accounting commands 0 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 1 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 2 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 3 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 4 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 5 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 6 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 7 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 8 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 9 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 10 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 11 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 12 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 13 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 14 NETACC
>  action-type stop-only
>  group tacacs+
> !
> aaa accounting commands 15 NETACC > action-type stop-only > group tacacs+ > ! > aaa accounting connection NETACC > action-type stop-only > group tacacs+ > ! > line vty 0 15 > accounting connection NETACC > accounting commands 0 NETACC > accounting commands 1 NETACC > accounting commands 2 NETACC > accounting commands 3 NETACC > accounting commands 4 NETACC > accounting commands 5 NETACC > accounting commands 6 NETACC > accounting commands 7 NETACC > accounting commands 8 NETACC > accounting commands 9 NETACC > accounting commands 10 NETACC > accounting commands 11 NETACC > accounting commands 12 NETACC > accounting commands 13 NETACC > accounting commands 14 NETACC > accounting commands 15 NETACC > accounting exec NETACC > > > The syntax is new beginning with 12.4(24)T or thereabouts but the gist > of it is the same. Just rewrite the 'aaa accounting commands' lines if > you're using an older IOS rev. Couple that with your normal tacacs > config and you'll log every single thing typed on the VTYs. Don't > forget your other lines though. > > Justin > > > > ------------------------------ > > Message: 6 > Date: Wed, 9 Dec 2009 12:22:31 +0800 > From: Alen > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Checking GBIC vendor name, part no. and serial no. on > Cisco 2950 > Message-ID: > <763cba560912082022na904177ye9a7df552939242d at mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi, > > We are currently checking on the vendor name, part no and serial no. of the > GBICs being used in production switches, For switches like 4948 and 4503, we > can use "show idprom int g1/1" to display the above wanted information. But > such command seems does not exist in catalyst 2950. > > Any thoughts on this? > > Thanks. > > Alen > > > ------------------------------ > > Message: 7 > Date: Wed, 09 Dec 2009 11:08:21 +0500 > From: Asad Ul-Islam > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] QoS on Metro Ethernet! 
> Message-ID: <001501ca7896$027cc7c0$07765740$@net.pk>
> Content-Type: text/plain; charset=US-ASCII
>
> Dear friends,
>
> I am running a Metro Ethernet based network (multi-vendor) providing various services including ELAN & ELINE. I would like to monitor QoS on the network per customer EVC. Can someone tell me how I can achieve that? Which parameters should be monitored?
>
> Please list some products (commercial/free) which monitor QoS at this level (especially for ELINE/ELAN) and can also provide SLA reports.
>
> Best Regards,
>
> Asad.
>
> ------------------------------
>
> Message: 8
> Date: Wed, 9 Dec 2009 13:33:47 +0100
> From: "Hansen, Ulrich Vestergaard B. (E R WP EN 342)"
> To:
> Subject: [c-nsp] Cisco Pagent IOS
> Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02F5778F at BDKB1EEA.ww007.siemens.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Dear Friends
>
> Does anybody know whether Cisco Pagent TG IOS is available to the public through your account manager - has anyone worked with it or can recommend another alternative, Colasoft TG..?
>
> Med venlig hilsen / Best Regards
>
> Ulrich Vestergaard B. Hansen
> Network Engineer
>
> ------------------------------
>
> Message: 9
> Date: Wed, 9 Dec 2009 12:48:31 +0000
> From: "Dobbins, Roland"
> To: Cisco-nsp
> Subject: Re: [c-nsp] Cisco Pagent IOS
> Message-ID: <8426DA48-B179-4865-A88E-4E460BD29555 at arbor.net>
> Content-Type: text/plain; charset="us-ascii"
>
> On Dec 9, 2009, at 7:33 PM, Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote:
>
>> Does anybody know whether Cisco Pagent TG IOS is available to the public through your account manager
>
> No, it isn't.
>
>> - has anyone worked with it or can recommend another alternative
>
> There are lots of commercial and open-source packet-generation tools available, which can be found by making use of Your Search Engine of Choice.
>
> -----------------------------------------------------------------------
> Roland Dobbins //
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 85, Issue 25
> *****************************************

From mh+cisco-nsp at zugschlus.de Wed Dec 9 15:36:53 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 9 Dec 2009 21:36:53 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209201635.GL163@greenie.muc.de>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de> <20091209201635.GL163@greenie.muc.de>
Message-ID: <20091209203653.GM20617@torres.zugschlus.de>

On Wed, Dec 09, 2009 at 09:16:35PM +0100, Gert Doering wrote:
> On Wed, Dec 09, 2009 at 08:16:40PM +0100, Marc Haber wrote:
> > On Wed, Dec 09, 2009 at 09:43:22AM -0800, Scott Granados wrote:
> > > This is the best plan unless you want to migrate to anyconnect.
> >
> > What are the (dis)advantages of anyconnect?
>
> Extra license cost, vendor lock-in, no open standard.

As if Cisco's IPSEC was particularly interoperable. Any alternatives?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things."
Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From sethm at rollernet.us Wed Dec 9 15:39:18 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 09 Dec 2009 12:39:18 -0800
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209203653.GM20617@torres.zugschlus.de>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de> <20091209201635.GL163@greenie.muc.de> <20091209203653.GM20617@torres.zugschlus.de>
Message-ID: <4B200AF6.6010606@rollernet.us>

Marc Haber wrote:
> On Wed, Dec 09, 2009 at 09:16:35PM +0100, Gert Doering wrote:
>> On Wed, Dec 09, 2009 at 08:16:40PM +0100, Marc Haber wrote:
>>> On Wed, Dec 09, 2009 at 09:43:22AM -0800, Scott Granados wrote:
>>>> This is the best plan unless you want to migrate to anyconnect.
>>> What are the (dis)advantages of anyconnect?
>> Extra license cost, vendor lock-in, no open standard.
>
> As if Cisco's IPSEC was particularly interoperable. Any alternatives?
>

Well, there's always the "don't use Cisco" option. I think all of the Cisco options have already been covered.

~Seth

From gert at greenie.muc.de Wed Dec 9 15:47:54 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 9 Dec 2009 21:47:54 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209203653.GM20617@torres.zugschlus.de>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de> <20091209201635.GL163@greenie.muc.de> <20091209203653.GM20617@torres.zugschlus.de>
Message-ID: <20091209204754.GO163@greenie.muc.de>

Hi,

On Wed, Dec 09, 2009 at 09:36:53PM +0100, Marc Haber wrote:
> As if Cisco's IPSEC was particularly interoperable.

Now that's the basic problem with IPSEC. IPSEC as it is is not really suited for road-warrior auto-conf type setups, and as such, vendors had to improve it...
> Any alternatives?

OpenVPN. Also sucks, especially on Windows, but regarding portability and configuration magic, I'm a big fan of it :-)

(Linksys WRT54GL + OpenWRT makes a really nice OpenVPN server... but yes, this is not easy to roll out in a commercial environment)

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From mh+cisco-nsp at zugschlus.de Wed Dec 9 15:55:01 2009
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Wed, 9 Dec 2009 21:55:01 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds>
References: <20091209181736.GI163@greenie.muc.de> <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds>
Message-ID: <20091209205501.GN20617@torres.zugschlus.de>

Hi,

On Wed, Dec 09, 2009 at 01:32:27PM -0500, LITTLEFIELD James wrote:
> Which is why we opted to migrate all of our VPN to Juniper :-)

We migrated from Netscreen to Cisco a few years ago after the XP SP2 disaster of the Juniper NSR Client. Additionally, the VPN connections with the Cisco gear are _much_ more stable than Netscreen ever was. This is sad, as I really like the Netscreen stuff[1], but true.

Greetings
Marc

[1] Juniper is making it really hard to sell and support Netscreens for a small shop in the last months, so we might ditch them for Firewalls as well

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things."
Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From gsgranados at comcast.net Wed Dec 9 15:58:06 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 9 Dec 2009 12:58:06 -0800
Subject: [c-nsp] Cisco VPN and 64 bit Windows
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de> <20091209201635.GL163@greenie.muc.de> <20091209203653.GM20617@torres.zugschlus.de>
Message-ID: <020c01ca7912$542a9710$2608120a@am.thmulti.com>

You can also have accessibility concerns if you use some of the SSL VPN offerings. If you have low vision users it's something to consider.

----- Original Message -----
From: "Marc Haber"
To:
Sent: Wednesday, December 09, 2009 12:36 PM
Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows

> On Wed, Dec 09, 2009 at 09:16:35PM +0100, Gert Doering wrote:
>> On Wed, Dec 09, 2009 at 08:16:40PM +0100, Marc Haber wrote:
>> > On Wed, Dec 09, 2009 at 09:43:22AM -0800, Scott Granados wrote:
>> > > This is the best plan unless you want to migrate to anyconnect.
>> >
>> > What are the (dis)advantages of anyconnect?
>>
>> Extra license cost, vendor lock-in, no open standard.
>
> As if Cisco's IPSEC was particularly interoperable. Any alternatives?
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber | "I don't trust Computers. They | Mailadresse im Header
> Mannheim, Germany | lose things."
> Winona Ryder | Fon: *49 621 72739834
> Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From benny+usenet at amorsen.dk Wed Dec 9 15:54:45 2009
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 09 Dec 2009 21:54:45 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209201745.GM163@greenie.muc.de> (Gert Doering's message of "Wed, 9 Dec 2009 21:17:45 +0100")
References: <20091209181736.GI163@greenie.muc.de> <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds> <20091209201745.GM163@greenie.muc.de>
Message-ID:

Gert Doering writes:

> Not that they are willing to ship an IPSEC VPN client for 64 bit windows...

There are vendors other than C and J, and one of them recently lowered the price for its basic PC client software (available for 64-bit Windows as well) to 0...

/Benny

From gsgranados at comcast.net Wed Dec 9 18:37:19 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 9 Dec 2009 15:37:19 -0800
Subject: [c-nsp] Cisco VPN Client 5.x certificate import question
Message-ID: <001601ca7928$90bf0150$2608120a@am.thmulti.com>

Hi All,

I'm trying to configure certificate based authentication using ASA 5520 hardware and the 5.x VPN client. I select import, point to the file and click ok which gives me the successfully installed message. Next, I restart the client, select the certificates tab and show certs and I see my cert as option 4. However, when I try to create the connection I do not see the cert appear in the list. When I click on the cert in the show certs display and select verify I get an error 32 and when I try to connect I receive an error 31 although it does look like it imported. Have I missed a step?
I'm using the example documentation at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I also am using a Microsoft CA that we're testing internally. What am I missing? Any pointers would be appreciated.

Thanks
Scott

From rdobbins at arbor.net Wed Dec 9 20:50:35 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 10 Dec 2009 01:50:35 +0000
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To:
References:
Message-ID: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net>

On Dec 10, 2009, at 3:21 AM, sandreas wrote:

> Customer Use of Pagent :

If this is true (which I'm unsure it is), it's quite a change in policy.

Plus, there are far better packet-generation tools out there, anyways, both commercial and open source.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From rintrum at gmail.com Wed Dec 9 21:02:11 2009
From: rintrum at gmail.com (Rin)
Date: Thu, 10 Dec 2009 09:02:11 +0700
Subject: [c-nsp] Cisco 10008 %IDMGR-3-INVALID_ID: bad id in id_get
Message-ID: <003501ca793c$d4f42850$7edc78f0$@com>

Hi group,

I am currently facing a problem on a Cisco 10008 with the following logging output:

Dec 9 02:03:56.669: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x5514A038)
-Traceback= 40796DA0 407972E4 407B1090 40710290 41ECB96C 414DDAF0 41EE5770 41EE59A8 41ECFC68 41ECFFE4 41ED01BC
Dec 9 02:03:57.341: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0xD4AA415C)
-Traceback= 40796DA0 407972E4 407B1090 40710290 41ECB96C 414DDAF0 41EE5770 41EE59A8 41ECFC68 41ECFFE4 41ED01BC
Dec 9 02:03:57.353: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x5514A038)
-Traceback= 40796DA0 407972E4 407B1090 40710290 41ECB96C 414DDAF0 41EE5770 41EE59A8 41ECFC68 41ECFFE4 41ED01BC

This causes high CPU utilization on the device:

BRAS#sho process cpu
CPU utilization for five seconds: 92%/80%; one minute: 77%; five minutes: 75%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   1         440      8825     49  0.00%  0.00%  0.00%   0 Chunk Manager
   2      410708   2921477    140  0.07%  0.01%  0.00%   0 Load Meter
   3           0         3      0  0.00%  0.00%  0.00%   0 OBFL Cfg Dispatc
   4     3912208  67345954     58  0.00%  0.01%  0.00%   0 C10K Card Event
   5           0        51      0  0.00%  0.00%  0.00%   0 Retransmission o
   6           0         2      0  0.00%  0.00%  0.00%   0 IPC ISSU Dispatc
   7    41321232   3022609  13670  0.00%  0.53%  0.63%   0 Check heaps
   8        1204      6488    185  0.00%  0.00%  0.00%   0 Pool Manager
   9           0         2      0  0.00%  0.00%  0.00%   0 Timers
  10           0         2      0  0.00%  0.00%  0.00%   0 Serial Backgroun
  11        4388   2911625      1  0.00%  0.00%  0.00%   0 ALARM_TRIGGER_SC

It seems that this problem is bug CSCsl28246 with IOS 12.2(33)SB, but the workaround from Cisco is not clear to me:

CSCsl28246
Symptoms: Not able to bring up more than 32768 TC Sessions and Out of IDs AAA trace back message is displayed.
Conditions: This symptom occurs under TC sessions.
Impact: Traceback preventing scale of ISG PPP Traffic Class. Scalability issue.
Trigger: While running ISG sessions with PPPoL2TP LAC/LNS on Cisco 10000, unable to bring up more than 32768 TC sessions because of the following Out of IDs AAA trace back message:
Nov 13 11:00:56.696 EST: %IDMGR-3-INVALID_ID: bad id in id_get (Out of IDs!)
AAA is allocating only 1024*32 = 32768 IDs. Not able to bring up any more sessions because of accounting flow id allocation failure.
Workaround: Increase the number to number of sessions/flows required on the platform.

Can anyone elaborate more on this workaround? Thanks a lot.

FYI, I'm running IOS c10k3-p11-mz.122-33.SB2.bin on this platform.
Rin

From ianh at ianh.net.au Wed Dec 9 23:13:31 2009
From: ianh at ianh.net.au (Ian Henderson)
Date: Thu, 10 Dec 2009 12:13:31 +0800 (WST)
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <20091209191640.GK20617@torres.zugschlus.de>
References: <4B1FD3D2.3070607@bryanfields.net> <001301ca78f7$20705b50$2608120a@am.thmulti.com> <20091209191640.GK20617@torres.zugschlus.de>
Message-ID:

On Wed, 9 Dec 2009, Marc Haber wrote:

> What are the (dis)advantages of anyconnect?

- It works in more places than IPSec - mostly hotels with dodgy firewalls.
- It's easier to configure for the user. Send them to a URL, enter username and password, client downloads, installs, configures itself.
- I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple only just got around to including IPSec under Snow Leopard, and have had it on the iPhone for ages. But getting the Apples of the world to include Cisco SSL? By then we'll have yet another VPN technology. The Windows client is a bit better.
- Modifying VPN filter lists using the IPSec client on the ASA was instant. Anyconnect/SSL requires a reconnect for access-list changes to apply.

Rgds,
- I.

From aivars at ml.lv Thu Dec 10 01:41:03 2009
From: aivars at ml.lv (Aivars)
Date: Thu, 10 Dec 2009 08:41:03 +0200
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To:
References: <20091209181736.GI163@greenie.muc.de> <1CDE4CAD0B3D5A40827FFD8275E50F86A2C7C6@CORP-CLT-EXB01.ds> <20091209201745.GM163@greenie.muc.de>
Message-ID: <1496939047.20091210084103@ml.lv>

I was just wondering what kind of VPN software people use for Windows Mobile to connect to Cisco. I know Anyconnect is one option. But what about IPSEC?

Aivars

> Gert Doering writes:
>> Not that they are willing to ship an IPSEC VPN client for 64 bit windows...

> There are vendors other than C and J, and one of them recently lowered the price for its basic PC client software (available for 64-bit Windows as well) to 0...
> /Benny

From mefystofel at gmail.com Thu Dec 10 03:54:08 2009
From: mefystofel at gmail.com (Roman Serbski)
Date: Thu, 10 Dec 2009 09:54:08 +0100
Subject: [c-nsp] Catalyst 6509 and 802.1p
Message-ID:

Hi list-

Appreciate your guidance on the following question. We have two Catalyst 6509 interconnected over fiber with a number of VLANs shared between the two switches. I set up another VLAN with two ports in total (one port on each switch) and would like to give the highest priority to traffic traversing between the two ports. I searched archives for mls-qos and policy map but it seems that most responses are related to 35xx switches. Could someone advise me on documentation I should read in order to implement 802.1p on 65xx Catalyst switches?

Thank you for your time.

From uvh at siemens.com Thu Dec 10 04:01:22 2009
From: uvh at siemens.com (Hansen, Ulrich Vestergaard B. (E R WP EN 342))
Date: Thu, 10 Dec 2009 10:01:22 +0100
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net>
References: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net>
Message-ID: <5FD7A7EC774B114092B1603D69E42C9B02F8A627@BDKB1EEA.ww007.siemens.net>

Can you recommend some good ones?

Freeware/Opensource is no requirement.

Testing req:

Http sessions
Tcp sessions
Udp streams
Multicast
Voice (QoS)
Utilization test
Failover response times (should be done in hw)

Ulrich

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Dobbins, Roland
Sent: 10 December 2009 02:51
To: Cisco-nsp
Subject: Re: [c-nsp] Cisco Pagent IOS

On Dec 10, 2009, at 3:21 AM, sandreas wrote:

> Customer Use of Pagent :

If this is true (which I'm unsure it is), it's quite a change in policy.
Plus, there are far better packet-generation tools out there, anyways, both commercial and open source.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From p.mayers at imperial.ac.uk Thu Dec 10 06:03:12 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 10 Dec 2009 11:03:12 +0000
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <5FD7A7EC774B114092B1603D69E42C9B02F8A627@BDKB1EEA.ww007.siemens.net>
References: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net> <5FD7A7EC774B114092B1603D69E42C9B02F8A627@BDKB1EEA.ww007.siemens.net>
Message-ID: <4B20D570.9090607@imperial.ac.uk>

Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote:
> Can you recommend some good ones?
>
> Freeware/Opensource is no requirement.
>
> Testing req:
>
> Http sessions
> Tcp sessions
> Udp streams
> Multicast
> Voice (QoS)

I mostly have used open source tools in the past; a brief rundown...

iperf is a nice simple tool; it does TCP and UDP including multicast, and the UDP can be made to report jitter & loss in e.g. 1 second intervals.

rude and crude are pretty good for very low-level UDP testing, including programmable traffic profiles. Don't be fooled by the fact they haven't been updated in years - the problem is fundamentally no different:

http://rude.sourceforge.net/

There are about a zillion HTTP tools, but something simple like "ab" might suffice.

If you're interested in multicast, "dbeacon" can be left running indefinitely and generates nice web pages & delay, jitter & loss stats including nice RRD graphs - e.g.

http://external.net.ic.ac.uk/matrix

I've successfully used iperf to load a link, then wireshark to capture the VoIP traffic (SIP, RTP & RTCP) and dump out the RTCP stats. It's also gained an RTP analyzer in the meantime, but I've never had cause to use that.

The linux kernel has an in-built packet generator:

http://www.mjmwired.net/kernel/Documentation/networking/pktgen.txt

Google lists loads more e.g.

http://www.grid.unina.it/software/ITG/sdescr.php

...as well as commercial (and very pricey) products like Smartbits and so forth. It's a big field.

From kajtzu at a51.org Thu Dec 10 07:03:12 2009
From: kajtzu at a51.org (Kaj Niemi)
Date: Thu, 10 Dec 2009 04:03:12 -0800
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To:
Message-ID:

Hi,

Agreed. The Cisco IPSec Client on OS X is notorious for causing kernel panics. ;-(

Kaj

> From: Ian Henderson
> Date: Wed, 9 Dec 2009 20:13:31 -0800
> To: Marc Haber
> Cc:
> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
>
> - I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple only just got around to including IPSec under Snow Leopard, and have had it on the iPhone for ages. But getting the Apples of the world to include Cisco SSL? By then we'll have yet another VPN technology. The Windows client is a bit better.
From avayner at cisco.com Thu Dec 10 07:24:58 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 10 Dec 2009 13:24:58 +0100
Subject: [c-nsp] Catalyst 6509 and 802.1p
In-Reply-To:
References:
Message-ID:

This is the document:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html

As you most likely want to apply a policy for a specific VLAN on a trunk, you should look at:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1726124

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roman Serbski
Sent: Thursday, December 10, 2009 10:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Catalyst 6509 and 802.1p

Hi list-

Appreciate your guidance on the following question. We have two Catalyst 6509 interconnected over fiber with a number of VLANs shared between the two switches. I set up another VLAN with two ports in total (one port on each switch) and would like to give the highest priority to traffic traversing between the two ports. I searched archives for mls-qos and policy map but it seems that most responses are related to 35xx switches. Could someone advise me on documentation I should read in order to implement 802.1p on 65xx Catalyst switches?

Thank you for your time.

From zisko.nsp at gmail.com Thu Dec 10 09:52:32 2009
From: zisko.nsp at gmail.com (Zisko)
Date: Thu, 10 Dec 2009 15:52:32 +0100
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To:
References:
Message-ID: <81ab0f960912100652x38af36bevbb5129a437435e2a@mail.gmail.com>

What about the built-in VPN client from Windows? Connecting to a Cisco ASA should be possible? Any experiences, someone?
From ATolstykh at integrysgroup.com Thu Dec 10 10:04:07 2009
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Thu, 10 Dec 2009 09:04:07 -0600
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To:
References:
Message-ID: <3F3802329EC1534FBCEAB6DDC0BD807C01E67551@DOB-BXVS3.integrysgroup.net>

Never had one in the last two years (10.5 through 10.6.2), connected pretty much constantly.

TIA,
Andrew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kaj Niemi
Sent: Thursday, December 10, 2009 6:03 AM
To: Ian Henderson; Marc Haber
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows

Hi,

Agreed. The Cisco IPSec Client on OS X is notorious for causing kernel panics. ;-(

Kaj

> From: Ian Henderson
> Date: Wed, 9 Dec 2009 20:13:31 -0800
> To: Marc Haber
> Cc:
> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
>
> - I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple only just got around to including IPSec under Snow Leopard, and have had it on the iPhone for ages. But getting the Apples of the world to include Cisco SSL? By then we'll have yet another VPN technology. The Windows client is a bit better.

From pc50000 at gmail.com Thu Dec 10 11:35:59 2009
From: pc50000 at gmail.com (P C)
Date: Thu, 10 Dec 2009 09:35:59 -0700
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <81ab0f960912100652x38af36bevbb5129a437435e2a@mail.gmail.com>
References: <81ab0f960912100652x38af36bevbb5129a437435e2a@mail.gmail.com>
Message-ID: <47b527130912100835g3069ab41h54e49956d6269fd4@mail.gmail.com>

Yes (at least Cisco ASA, not sure about IOS) will work fine with the built-in Windows client (particularly useful for Windows Mobile devices without being extorted for an SSL VPN license, and then a mobile license on top of it!). The only issue is without using certs, there's no tunnel-group targeting/switching available.
Not a big deal, just use the "defaultRAgroup" or whatever it was called.

Be aware of the strange crypto algorithms Windows supports. The Windows AES implementation is a different algorithm than the Cisco device supports, so it's usually easiest just to use 3des than try to get normal aes-128 or 256 installed and working on the windows box.

As for the 64 bit realm, VPNC works fine.
http://hdc.tamu.edu/reference/documentation/?section_id=892

It can also completely disobey many of your group-policy features on split-tunneling and password storage :).

Anyconnect does work on IOS now, but it's still a bit buggy for my liking, will likely require a memory/flash upgrade on many 18xx, and currently does NOT support DTLS (or whatever the UDP-encapsulated SSL vpn technology is called) on IOS platforms. Due to the lack of hardware acceleration capability of some of these tasks on this platform and the heavy dependence on Cisco platforms for hardware acceleration of common tasks due to slow CPU architectures, I don't know if it ever will. If you're not doing voice, this doesn't matter to you. TCP encapsulating voice over SSL is terrible though.

With ASA on the other hand, Anyconnect is full-featured and works great!

Personally, I think Cisco did drop the ball here by not having a "64 bit" vpn solution on IOS until just recently... But I'm sure it was for "Business reasons"...

On Thu, Dec 10, 2009 at 7:52 AM, Zisko wrote:
> What about the built-in VPN client from Windows? Connecting to a Cisco ASA should be possible? Any experiences, someone?
From kajtzu at a51.org Thu Dec 10 15:53:36 2009
From: kajtzu at a51.org (Kaj Niemi)
Date: Thu, 10 Dec 2009 12:53:36 -0800
Subject: [c-nsp] Cisco VPN and 64 bit Windows
In-Reply-To: <3F3802329EC1534FBCEAB6DDC0BD807C01E67551@DOB-BXVS3.integrysgroup.net>
Message-ID:

My experiences are quite the opposite, pretty much a crash once every two weeks on MacBook Pros for the last 4 years.

Kaj

> From: "Tolstykh, Andrew"
> Date: Thu, 10 Dec 2009 07:04:07 -0800
> To: Kaj Niemi , Ian Henderson , Marc Haber
> Cc:
> Subject: RE: [c-nsp] Cisco VPN and 64 bit Windows
>
> Never had one in the last two years (10.5 through 10.6.2), connected pretty much constantly.
>
> TIA,
> Andrew
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kaj Niemi
> Sent: Thursday, December 10, 2009 6:03 AM
> To: Ian Henderson; Marc Haber
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
>
> Hi,
>
> Agreed. The Cisco IPSec Client on OS X is notorious for causing kernel panics. ;-(
>
> Kaj
>
>> From: Ian Henderson
>> Date: Wed, 9 Dec 2009 20:13:31 -0800
>> To: Marc Haber
>> Cc:
>> Subject: Re: [c-nsp] Cisco VPN and 64 bit Windows
>>
>> - I'm not 100% keen on the Mac client. It's clunky and obtrusive. Apple only just got around to including IPSec under Snow Leopard, and have had it on the iPhone for ages. But getting the Apples of the world to include Cisco SSL? By then we'll have yet another VPN technology. The Windows client is a bit better.
From yuribank at gmail.com Thu Dec 10 23:48:27 2009
From: yuribank at gmail.com (Yuri Bank)
Date: Thu, 10 Dec 2009 20:48:27 -0800
Subject: [c-nsp] DSL signals vs DOCSIS
Message-ID: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com>

Why can't DSL signals pass through fiber optics, yet we have HFC networks that obviously have no issues going from copper to fiber? The modulation techniques DOCSIS and DSL use are similar, so what prevents this from working with DSL? Is it that the RF is too weak and the conversion process messes up the signal?

From dmitry at dmitry.net Fri Dec 11 02:41:44 2009
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 11 Dec 2009 09:41:44 +0200
Subject: [c-nsp] DSL signals vs DOCSIS
In-Reply-To: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com>
References: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com>
Message-ID: <20091211074144.GF9397@f17.dmitry.net>

Hello!

On Thu, Dec 10, 2009 at 08:48:27PM -0800, Yuri Bank wrote:
> Why can't DSL signals pass through fiber optics, yet we have HFC networks that obviously have no issues going from copper to fiber?
> The modulation techniques DOCSIS and DSL use are similar, so what prevents this from working with DSL? Is it that the RF is too weak and the conversion process messes up the signal?

It is because of the very different frequency ranges:

DSL: 0.02-1.1 MHz for both upstream and downstream
DOCSIS: 16-30 MHz for upstream, 50-800 MHz for downstream

--
Dmitry Kiselev

From david.roy at orange-ftgroup.com Fri Dec 11 05:31:57 2009
From: david.roy at orange-ftgroup.com (david.roy at orange-ftgroup.com)
Date: Fri, 11 Dec 2009 11:31:57 +0100
Subject: [c-nsp] Default DSCP/EXP mapping
Message-ID: <17542_1260527518_4B221F9E_17542_532190_1_69C922E192C3A54C988E52730CCD9F9902FDF5DF@PUEXCBE0.nanterre.francetelecom.fr>

Hi all,

On a 7600 router, what is the default DSCP / EXP mapping when there is no QoS configured (no mls qos)?
Thank you

Regards

David Roy
Orange France - RBCI IP Technical Assistance Center
Tel. +33(0)299876472 Mob. +33(0)685522213
Email. david.roy at orange-ftgroup.com

From zoe-nsp at complicity.co.uk Fri Dec 11 05:19:40 2009
From: zoe-nsp at complicity.co.uk (Zoe O'Connell)
Date: Fri, 11 Dec 2009 10:19:40 +0000
Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
Message-ID: <4B221CBC.6020009@complicity.co.uk>

Hi,

As a result of issues at an exchange point over the last few days, a number of us (ISPs) have noticed an issue with BGP sessions sitting in the "Idle" state, because the other end is shut down.

Basically, it appears that on Sup720s at least, once you reach a critical number of sessions in Idle (More than 5, less than 20) the CPU usage increases to 30%, all down to the BGP Router process. 30ish sessions down and it's up to 50% - we've had ours up to 70% as a result of this, although I don't know how many sessions were down at that point. This behaviour has been confirmed on 12.2(33)SRC4 and 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on CRS-1s. Has anyone seen this before and know if it's a known issue with a BugID associated?

A workaround is to apply "neigh x.x.x.x transport connection passive" but this clearly isn't optimal.
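A small script to find the sessions Zoe describes and to generate the one-sided workaround, added here as an example; it is not from the list and not Cisco's code. It parses a constructed "show ip bgp summary" (the addresses, AS numbers and counters below are made up), skips peers that are "Idle (Admin)" because of a local "neighbor shutdown" (the router is not retrying those), and only emits config once the number of stuck sessions crosses a threshold. "transport connection-mode passive" is the full IOS keyword that the post abbreviates; the "remove" mode deletes the neighbor statements instead, so the BGP process has nothing left to retry.

```python
import ipaddress
import re

# Constructed sample of "show ip bgp summary" output: addresses, AS numbers
# and counters are made up and are not from the thread.
SAMPLE_SUMMARY = """\
BGP router identifier 192.0.2.1, local AS number 64496
BGP table version is 100, main routing table version 100

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.10      4 64500   12345   12340      100    0    0 1w2d          250
192.0.2.11      4 64501       0       0        1    0    0 never    Idle
192.0.2.12      4 64502       0       0        1    0    0 02:11:05 Active
192.0.2.13      4 64503     999    1000      100    0    0 00:05:12       10
192.0.2.14      4 64504       0       0        1    0    0 never    Idle (Admin)
192.0.2.15      4 64505       0       0        1    0    0 never    Idle
"""

# Every FSM state other than Established: the far end is not answering.
NOT_ESTABLISHED = {"Idle", "Active", "Connect", "OpenSent", "OpenConfirm"}


def local_as(text):
    """Local AS number from the summary banner, or None if absent."""
    m = re.search(r"local AS number (\d+)", text)
    return int(m.group(1)) if m else None


def parse_bgp_summary(text):
    """One dict per neighbor line: address, remote AS, uptime and state.

    An Established session shows the received-prefix count in the last
    column, so a purely numeric value is mapped to the state 'Established'.
    """
    neighbors = []
    for line in text.splitlines():
        fields = line.split(None, 9)
        if len(fields) < 10:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # banner, column header or blank line
        last = fields[9].strip()
        neighbors.append({
            "neighbor": str(addr),
            "remote_as": int(fields[2]),
            "uptime": fields[8],
            "state": "Established" if last.isdigit() else last,
        })
    return neighbors


def stuck_neighbors(neighbors):
    """Neighbors the BGP process keeps retrying because the peer is down.

    'Idle (Admin)' is excluded: that is a local 'neighbor shutdown', the
    router is not trying to connect, so it is not part of the problem.
    """
    return [n for n in neighbors
            if n["state"].split(" ")[0] in NOT_ESTABLISHED
            and "(Admin)" not in n["state"]]


def remediation_config(text, threshold=5, mode="passive"):
    """IOS config lines for the stuck sessions once there are `threshold` or more.

    mode='passive': 'transport connection-mode passive' (the long form of the
    abbreviated command in the post) makes this router stop initiating TCP
    connects and wait for the peer. Apply it on one side only: if both ends
    are passive the session can never come up.
    mode='remove': delete the neighbor statements instead.
    """
    stuck = stuck_neighbors(parse_bgp_summary(text))
    if len(stuck) < threshold:
        return []
    lines = [f"router bgp {local_as(text)}"]
    for n in stuck:
        if mode == "passive":
            lines.append(f" neighbor {n['neighbor']} transport connection-mode passive")
        elif mode == "remove":
            lines.append(f" no neighbor {n['neighbor']} remote-as {n['remote_as']}")
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return lines


if __name__ == "__main__":
    for n in stuck_neighbors(parse_bgp_summary(SAMPLE_SUMMARY)):
        print(f"{n['neighbor']:16} AS{n['remote_as']:<6} {n['state']:8} down since {n['uptime']}")
    print("\n".join(remediation_config(SAMPLE_SUMMARY, threshold=3)))
```

Feed it the output of the real command instead of SAMPLE_SUMMARY and check the generated lines before pasting them in; the script has no view of the far end, so it cannot tell whether the peer has already gone passive on its side.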
From Daniel.Holme at kcom.com Fri Dec 11 06:52:21 2009
From: Daniel.Holme at kcom.com (Daniel Holme)
Date: Fri, 11 Dec 2009 11:52:21 -0000
Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
In-Reply-To: <4B221CBC.6020009@complicity.co.uk>
References: <4B221CBC.6020009@complicity.co.uk>
Message-ID: <343531E7E6E6104AA786C757DAAC5B3B0C80C3CD@KOSI.kcom.com>

Yes I've experienced this on a 7600 running 12.2(33)SRC3.

I have experienced it a number of times too, one of which was the XP issue you mention.

You don't want too many people configuring passive sessions as having that on both ends is equally as bad as shutting down the session.

--Dan

> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Zoe O'Connell > Sent: 11 December 2009 10:20 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU > > Hi, > > As a result of issues at an exchange point over the last few days, a > number of us (ISPs) have noticed an issue with BGP sessions sitting in > the "Idle" state, because the other end is shut down. > > Basically, it appears that on Sup720s at least, once you reach a > critical number of sessions in Idle (More than 5, less than 20) the CPU > usage increases to 30%, all down to the BGP Router process. 30ish > sessions down and it's up to 50% - we've had ours up to 70% as a result > of this, although I don't know how many sessions were down at that > point. This behaviour has been confirmed on 12.2(33)SRC4 and > 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on > CRS-1s. Has anyone seen this before and know if it's a known issue with > a BugID associated? > > A workaround is to apply "neigh x.x.x.x transport connection passive" > but this clearly isn't optimal.
From asturluismi at gmail.com Fri Dec 11 07:40:37 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 11 Dec 2009 13:40:37 +0100
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <4B20D570.9090607@imperial.ac.uk>
References: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net> <5FD7A7EC774B114092B1603D69E42C9B02F8A627@BDKB1EEA.ww007.siemens.net> <4B20D570.9090607@imperial.ac.uk>
Message-ID: <1260535237.22332.0.camel@hal9000>

Not Found
The requested URL /matrix was not found on this server.
Apache/2.2.3 (Red Hat) Server at external.net.ic.ac.uk Port 80

On Thu, 10-12-2009 at 11:03 +0000, Phil Mayers wrote:
> Hansen, Ulrich Vestergaard B. (E R WP EN 342) wrote: > > Can you recommend some good ones? > > > > Freeware/Opensource is no requirement. > > > > Testing req: > > > > Http sessions > > Tcp sessions > > Udp strams > > Multicast > > Voice (QoS) > > I mostly have used open source tools in the past; a brief rundown... > > iperf is a nice simple tool; it does TCP and UDP including multicast, > and the UDP can be made to report jitter & loss in e.g. 1 second intervals. > > rude and crude are pretty good for very low-level UDP testing, including > programmable traffic profiles. Don't be fooled by the fact they haven't > been updated in years - the problem is fundamentally no different: > > http://rude.sourceforge.net/ > > There are about a zillion HTTP tools, but something simple like "ab" > might suffice. > > If you're interested in multicast, "dbeacon" can be left running > indefinitely and generates nice web pages & delay, jitter & loss stats > including nice RRD graphs - e.g. http://external.net.ic.ac.uk/matrix > > I've successfully used iperf to load a link, then wireshark to > capture the VoIP traffic (SIP, RTP & RTCP) and dump out the RTCP stats. > It's also gained an RTP analyzer in the meantime, but I've never had > cause to use that.
> > The linux kernel has an in-built packet generator: > > http://www.mjmwired.net/kernel/Documentation/networking/pktgen.txt > > Google lists loads more e.g. > > http://www.grid.unina.it/software/ITG/sdescr.php > > > ...as well as commercial (and very pricey) products like Smartbits and > so forth. > > It's a big field.

From p.mayers at imperial.ac.uk Fri Dec 11 07:42:44 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 11 Dec 2009 12:42:44 +0000
Subject: [c-nsp] Cisco Pagent IOS
In-Reply-To: <1260535237.22332.0.camel@hal9000>
References: <416061BD-C028-4EE5-A581-665330CB2CB5@arbor.net> <5FD7A7EC774B114092B1603D69E42C9B02F8A627@BDKB1EEA.ww007.siemens.net> <4B20D570.9090607@imperial.ac.uk> <1260535237.22332.0.camel@hal9000>
Message-ID: <4B223E44.3040101@imperial.ac.uk>

luismi wrote:
> Not Found > The requested URL /matrix was not found on this server.

Bah. Stupid apache... http://external.net.ic.ac.uk/matrix/

It's really nothing special, just an example of a running dbeacon install. The dbeacon homepage is here: http://fivebits.net/proj/dbeacon/

From yuribank at gmail.com Fri Dec 11 07:46:24 2009
From: yuribank at gmail.com (Yuri Bank)
Date: Fri, 11 Dec 2009 04:46:24 -0800
Subject: [c-nsp] DSL signals vs DOCSIS
In-Reply-To: <20091211074144.GF9397@f17.dmitry.net>
References: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com> <20091211074144.GF9397@f17.dmitry.net>
Message-ID: <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>

I understand that they use different frequency ranges, but why can't the DSL frequencies be converted and sent over fiber somewhere between the CPE and the DSLAM ?

On Thu, Dec 10, 2009 at 11:41 PM, Dmitry Kiselev wrote:
> Hello!
> > On Thu, Dec 10, 2009 at 08:48:27PM -0800, Yuri Bank wrote: > > > Why can't DSL signals pass through fiber optics, yet we have HFC networks > > that obviously have no issues going from copper to fiber. > > The modulation techniques DOCSIS and DSL use are similar, so what > prevents > > this from working with DSL? Is it that the RF is too weak and the > conversion > > process messes up the signal? > > It is because of very different frequency ranges: > DSL 0.02-1.1 MHz for both up and downstreams > DOCSIS 16-30 MHz for upstream > 50-800 MHz for downstream > > -- > Dmitry Kiselev

From swmike at swm.pp.se Fri Dec 11 07:55:40 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 11 Dec 2009 13:55:40 +0100 (CET)
Subject: [c-nsp] DSL signals vs DOCSIS
In-Reply-To: <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
References: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com> <20091211074144.GF9397@f17.dmitry.net> <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
Message-ID:

On Fri, 11 Dec 2009, Yuri Bank wrote:
> I understand that they use different frequency ranges, but why can't the DSL > frequencies be converted and sent over fiber somewhere between the CPE and > the DSLAM ?

Why would you want to run DSL when you have fiber?

-- Mikael Abrahamsson email: swmike at swm.pp.se

From asturluismi at gmail.com Fri Dec 11 07:57:27 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 11 Dec 2009 13:57:27 +0100
Subject: [c-nsp] "ip verify header drop-tiny-fragment" command
Message-ID: <1260536247.22332.6.camel@hal9000>

Hi all,

Can anyone tell me the impact of configuring "ip verify header drop-tiny-fragment" in a router running 12.2src5?

The router is running several VRFs, and I don't know if this command applies to all VRFs.

Nor have I found documentation on how I can see that the command is doing what is expected, or if it has dependencies...

Any idea?
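The thread does not say what that IOS command implements, so the following is an added example of the classic "tiny fragment" check from RFC 1858 that the command name suggests, written in Python as a reference model; it is not Cisco's code and makes no claim about the 7200's behaviour or about VRFs. The packets are constructed inline, the IP checksum is left at zero because the check never looks at it, and TMIN = 16 is an assumed minimum (enough transport bytes to cover the ports and the TCP flags octet at offset 13). Such a model is one way to decide what traffic to send at the router to see whether the feature is doing anything.

```python
import struct

TCP = 6
UDP = 17
# Assumed minimum number of transport-header bytes a first fragment must carry
# (after RFC 1858): covers source/destination ports, sequence numbers and the
# flags octet at TCP offset 13, which is what a stateless ACL filters on.
TMIN = 16


def ipv4_packet(proto, payload, more_fragments=False, frag_offset=0,
                src="198.51.100.7", dst="192.0.2.25"):
    """Build a minimal IPv4 packet (IHL 5, no options) around `payload`.

    frag_offset is in 8-byte units as on the wire. The header checksum is
    left as zero: the filter below does not validate it.
    """
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def fragment_fields(packet):
    """Return (protocol, more_fragments, frag_offset, transport_len)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    proto = packet[9]
    transport_len = min(total_len, len(packet)) - ihl
    return proto, bool(flags_frag & 0x2000), flags_frag & 0x1FFF, transport_len


def tiny_fragment_verdict(packet):
    """'drop' for fragments that could smuggle a TCP header past a filter.

    Rule 1 (RFC 1858 direct check): a TCP datagram whose fragment offset is 0
    must carry at least TMIN bytes of transport data, otherwise the ports
    and flags a stateless ACL matches on are not in the fragment the ACL sees.
    Rule 2 (RFC 1858 indirect check): a TCP fragment with offset 1 (bytes
    8..15 of the transport header) would overwrite the flags of the first
    fragment on reassembly, so it is dropped regardless of its size.
    Non-TCP traffic is passed untouched.
    """
    proto, _more, offset, transport_len = fragment_fields(packet)
    if proto != TCP:
        return "pass"
    if offset == 0 and transport_len < TMIN:
        return "drop"
    if offset == 1:
        return "drop"
    return "pass"


# Constructed test traffic (not captured from any network).
SAMPLES = {
    "unfragmented_syn": ipv4_packet(TCP, b"\x00" * 20),
    "tiny_first_fragment": ipv4_packet(TCP, b"\x00" * 8, more_fragments=True),
    "overlapping_offset_1": ipv4_packet(TCP, b"\x00" * 16, more_fragments=True, frag_offset=1),
    "first_fragment_ok": ipv4_packet(TCP, b"\x00" * 24, more_fragments=True),
    "later_fragment": ipv4_packet(TCP, b"\x00" * 32, frag_offset=4),
    "tiny_udp_fragment": ipv4_packet(UDP, b"\x00" * 8, more_fragments=True),
}


def classify(samples):
    """Map each sample name to its verdict."""
    return {name: tiny_fragment_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:24} {verdict}")
```

Rule 1 deliberately follows the RFC and applies to unfragmented TCP packets too: a TCP packet with fewer than TMIN transport bytes is malformed whether or not the MF bit is set.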
From asturluismi at gmail.com Fri Dec 11 08:23:25 2009
From: asturluismi at gmail.com (luismi)
Date: Fri, 11 Dec 2009 14:23:25 +0100
Subject: [c-nsp] "ip verify header drop-tiny-fragment" command
In-Reply-To: <1260536247.22332.6.camel@hal9000>
References: <1260536247.22332.6.camel@hal9000>
Message-ID: <1260537805.22332.8.camel@hal9000>

It is 7200 :]

On Fri, 11-12-2009 at 13:57 +0100, luismi wrote:
> Hi all, > > Can anyone tell me the impact of configuring "ip verify header > drop-tiny-fragment" in a router running 12.2src5? > > The router is running several VRFs, and I don't know if this command applies > to all VRFs. > > Nor have I found documentation on how I can see that the command is doing > what is expected, or if it has dependencies... > > Any idea?

From avayner at cisco.com Fri Dec 11 08:59:44 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 11 Dec 2009 14:59:44 +0100
Subject: [c-nsp] DSL signals vs DOCSIS
In-Reply-To: <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
References: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com><20091211074144.GF9397@f17.dmitry.net> <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
Message-ID:

Yuri,

If you have fiber between the CPE and the "DSLAM", then you do not need DSL... You just deliver FTTH (Fiber to the Home).

If you have fiber for only part of the way, then you deploy a mini-DSLAM (which is what is being done in many places), and then use the fiber for upstream connectivity for the mini-DSLAM.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Yuri Bank
Sent: Friday, December 11, 2009 14:46
To: Yuri Bank; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DSL signals vs DOCSIS

I understand that they use different frequency ranges, but why can't the DSL frequencies be converted and sent over fiber somewhere between the CPE and the DSLAM ?
On Thu, Dec 10, 2009 at 11:41 PM, Dmitry Kiselev wrote:
> Hello! > > On Thu, Dec 10, 2009 at 08:48:27PM -0800, Yuri Bank wrote: > > > Why can't DSL signals pass through fiber optics, yet we have HFC networks > > that obviously have no issues going from copper to fiber. > > The modulation techniques DOCSIS and DSL use are similar, so what > prevents > > this from working with DSL? Is it that the RF is too weak and the > conversion > > process messes up the signal? > > It is because of very different frequency ranges: > DSL 0.02-1.1 MHz for both up and downstreams > DOCSIS 16-30 MHz for upstream > 50-800 MHz for downstream > > -- > Dmitry Kiselev

From rbf+cisco-nsp at panix.com Fri Dec 11 10:07:25 2009
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Fri, 11 Dec 2009 09:07:25 -0600
Subject: [c-nsp] DSL signals vs DOCSIS
In-Reply-To: <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
References: <2e38d2400912102048t5f0c672co508fec41cc78e81e@mail.gmail.com> <20091211074144.GF9397@f17.dmitry.net> <2e38d2400912110446t333b11a0r10357517b23504f1@mail.gmail.com>
Message-ID: <20091211150725.GA20202@panix.com>

On Fri, Dec 11, 2009 at 04:46:24AM -0800, Yuri Bank wrote:
> I understand that they use different frequency ranges, but why can't the DSL > frequencies be converted and sent over fiber somewhere between the CPE and > the DSLAM ?

They could be. Do you think installing devices to do that at the point where the fiber meets the copper would be cheaper or better than installing small DSLAMs at the point where the fiber meets the copper? If so, why?
-- Brett

From nbautista at cts.ucla.edu Fri Dec 11 10:44:56 2009
From: nbautista at cts.ucla.edu (Bautista, Noel)
Date: Fri, 11 Dec 2009 07:44:56 -0800
Subject: [c-nsp] IOS Upgrade to SXI3
Message-ID:

We're contemplating upgrading our SUP 720 3BXL from 12.2(18)SXF15a native IOS to 12.2(33)SXI3 modular IOS but I read from the release notes that the "Install" command has been deprecated. On Cisco's Safe Harbor IOS Release, they have tested and recommend upgrading to modular 12.2(33)SXI3. There's no explanation on why they deprecated the "install" command and I'm waiting for our Cisco SE response. I'd appreciate any feedback from those people who have upgraded to SXI3, in modular or otherwise.

Thanks,

Noel

From Michael.Robson at manchester.ac.uk Fri Dec 11 10:52:09 2009
From: Michael.Robson at manchester.ac.uk (Michael Robson)
Date: Fri, 11 Dec 2009 15:52:09 +0000
Subject: [c-nsp] IPV6
Message-ID:

It's been a while since I worked with IPV6 and I am now once again plunging myself into this feckless world and was wondering if a couple of holes had now been plugged. What is the accepted way in IPV6 land to dish out IPV6 DNS server addresses (am I correct in saying that if you make use of NDP, you would still have to manually configure DNS servers)? The other hole, as was, is the lack of IPV6 helper address functionality on Cisco routers (well 6500s at least): if I were to go down the route of using DHCP for IPV6, how could I use a central server without this helper functionality?

Ta.

Michael
--

From Ian.Mackinnon at atosorigin.com Fri Dec 11 10:52:54 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Fri, 11 Dec 2009 15:52:54 +0000
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To:
References:
Message-ID: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>

Hi Noel,

From what I remember of recent discussions on here, modular is to be avoided.
It has no benefit (there have not been any patches) and is not used as much so not tested by real life use.

Ian

> -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Bautista, Noel > Sent: 11 December 2009 15:45 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] IOS Upgrade to SXI3 > > We're contemplating upgrading our SUP 720 3BXL from 12.2(18)SXF15a > native IOS to 12.2(33)SXI3 modular IOS but I read from the release notes > that the "Install" command has been deprecated. On Cisco's Safe Harbor > IOS Release, they have tested and recommend upgrading to modular > 12.2(33)SXI3. There's no explanation on why they deprecated the > "install" command and I'm waiting for our Cisco SE response. I'd > appreciate any feedback from those people who have upgraded to SXI3, in > modular or otherwise. > > Thanks, > > Noel
From synack at live.com Fri Dec 11 11:03:32 2009
From: synack at live.com (Darin Herteen)
Date: Fri, 11 Dec 2009 10:03:32 -0600
Subject: [c-nsp] IPV6
In-Reply-To:
References:
Message-ID:

Well you can use Stateless DHCP for handing out DNS, SIP, NTP, etc., and there is the following command for DHCP relay services under the interface config:

ipv6 dhcp relay destination X:X:X:X::X

> From: Michael.Robson at manchester.ac.uk > Date: Fri, 11 Dec 2009 15:52:09 +0000 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] IPV6 > > It's been a while since I worked with IPV6 and I am now once again plunging myself into this feckless world and was wondering if a couple of holes had now been plugged. What is the accepted way in IPV6 land to dish out IPV6 DNS server addresses (am I correct in saying that if you make use of NDP, you would still have to manually configure DNS servers)? The other hole, as was, is the lack of IPV6 helper address functionality on Cisco routers (well 6500s at least): if I were to go down the route of using DHCP for IPV6, how could I use a central server without this helper functionality? > > Ta. > > > Michael > --
From gert at greenie.muc.de Fri Dec 11 11:06:50 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 11 Dec 2009 17:06:50 +0100
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>
References: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <20091211160650.GG163@greenie.muc.de>

Hi

On Fri, Dec 11, 2009 at 03:52:54PM +0000, Mackinnon, Ian wrote:
> From what I remember of recent discussions on here, modular is to be > avoided. > It has no benefit (there have not been any patches) and is not used as > much so not tested by real life use.

Well, in theory it should at least have the benefit of proper memory protection between processes, and thus, less likely to crash the whole box if a process does stupid things.

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From chrisjscott at gmail.com Fri Dec 11 11:10:56 2009
From: chrisjscott at gmail.com (Chris Scott)
Date: Fri, 11 Dec 2009 16:10:56 +0000
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To:
References:
Message-ID: <9fcc08fd0912110810l79902404g6d107c6525b0f21f@mail.gmail.com>

2009/12/11 Bautista, Noel :
> I'd appreciate any feedback from those people who have upgraded to SXI3, in modular or otherwise.

Death of a Sup720-3B prompted me to jump from SXD3 to SXI3 on the replacement. Took my config and retained desired function with no issues. Running EIGRP to my distribution, OSPF with some very HA servers, FWSM on 3.2(13) and one VRF-Lite instance to separate the L3 across the FWSM. Will be running BGP in the VRF in the new year.
We're a Campus network and are seldom bitten by bugs as our change delta is small by comparison to SPs that turn up and down customers regularly.

I'll 2nd Ian in saying that the collective wisdom of this list has made me disregard modular IOS as a production-ready technology.

Cheers
-- Chris

From Ian.Mackinnon at atosorigin.com Fri Dec 11 11:12:59 2009
From: Ian.Mackinnon at atosorigin.com (Mackinnon, Ian)
Date: Fri, 11 Dec 2009 16:12:59 +0000
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <20091211160650.GG163@greenie.muc.de>
References: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com> <20091211160650.GG163@greenie.muc.de>
Message-ID: <61D4116B957C2843AACB49664C8AB223038C36F8@UKCWRX004.uk.int.atosorigin.com>

> -----Original Message----- > From: Gert Doering [mailto:gert at greenie.muc.de] > Sent: 11 December 2009 16:07 > To: Mackinnon, Ian > Cc: Bautista, Noel; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] IOS Upgrade to SXI3 > > Hi > > On Fri, Dec 11, 2009 at 03:52:54PM +0000, Mackinnon, Ian wrote: > > From what I remember of recent discussions on here, modular is to be > > avoided. > > It has no benefit (there have not been any patches) and is not used > as > > much so not tested by real life use. > > Well, in theory it should at least have the benefit of proper memory > protection between processes, and thus, less likely to crash the whole > box if a process does stupid things. >

Interesting, so given the email earlier today by somebody experiencing BGP problems at a well known IX with lots of sessions where the other end is shut down, would this have still been an issue?

It's been a while since I looked at modular, but is there not a large "IOS" process that is most things in one place anyway?

Ian
From drew.weaver at thenap.com Fri Dec 11 11:22:19 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 11 Dec 2009 11:22:19 -0500
Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL
Message-ID:

Howdy all,

Last night I had an interesting encounter on one of my 6509s /w SUP7203-BXL.

This switch has 3x iBGP sessions with full internet tables and is also running OSPF.

Two of the three iBGP sessions randomly dropped with:

%BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes,

I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired and then re-established, and then failed again, and re-established, and failed again, and so-on, and so-on.
I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire.

I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized.

This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug.

Does anyone have any tips on both how I can avoid the hold timer issue altogether and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes?

A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster, I don't know if that's true or not, has anyone else found that?

thanks,
-Drew

From nilesh5555in at yahoo.com Fri Dec 11 10:25:45 2009
From: nilesh5555in at yahoo.com (Nilesh Sawant)
Date: Fri, 11 Dec 2009 07:25:45 -0800 (PST)
Subject: [c-nsp] 3560g PoE issue
In-Reply-To: <20091211150725.GA20202@panix.com>
Message-ID: <818538.99529.qm@web52105.mail.re2.yahoo.com>

Hi,

I am observing a problem with the 48-port 3560G in our LAN infrastructure. We have Alcatel IP phones which are connected to 3560G switches. Sometimes these IP phones are not getting powered up; after restarting the switch the IP phones get powered up. As per Cisco theory it delivers an average of 7.7 W on all 48 ports or 15.4 W on 24 ports. I tried shut / no shut after the IP phones power down, and also tried to allocate 10-14 W of power on that particular interface, but no use.

What could be the issue ?
Regards,
Nilesh

From mhuff at ox.com Fri Dec 11 11:35:34 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 11 Dec 2009 11:35:34 -0500
Subject: [c-nsp] EIGRP route knob tuning
Message-ID: <483E6B0272B0284BA86D7596C40D29F9DA83F32DB9@PUR-EXCH07.ox.com>

Anyone know what Cisco's plans are for the metrics in EIGRP? 10GE has the bandwidth set at max and the delay set to minimum, so how are they going to handle 40GB and 100GB? Is there any whitepapers posted?

I ran into this a while back while looking at our core routing. The SVI on a 6500 is set to a bandwidth equal to a gig-e interface, so we had some inefficient routing given that we had 10GE layer 3 connections to our distribution. Some routes were heading to the distribution and back rather than across the Layer 2 trunk because the Layer 2 trunk SVI had lower bandwidth. Adjusting the SVI to the max (same as a 10GB interface) fixed the problem. What happens when 100GB uplinks appear?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From gert at greenie.muc.de Fri Dec 11 11:40:20 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 11 Dec 2009 17:40:20 +0100
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <61D4116B957C2843AACB49664C8AB223038C36F8@UKCWRX004.uk.int.atosorigin.com>
References: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com> <20091211160650.GG163@greenie.muc.de> <61D4116B957C2843AACB49664C8AB223038C36F8@UKCWRX004.uk.int.atosorigin.com>
Message-ID: <20091211164020.GH163@greenie.muc.de>

Hi,

On Fri, Dec 11, 2009 at 04:12:59PM +0000, Mackinnon, Ian wrote:
> > Well, in theory it should at least have the benefit of proper memory > > protection between processes, and thus, less likely to crash the whole > > box if a process does stupid things.
> > > Interesting, so given the email earlier today by somebody experiencing > BGP problems at a well known IX with lots of sessions where the other > end is shut down, would this have still been an issue?

I'm not really sure what is happening there - but I doubt that modular would help much with "a process is burning CPU needlessly".

> It's been a while since I looked at modular, but is there not a large > "IOS" process that is most things in one place anyway?

I'm not exactly sure how it works. There's different kinds of processes, some of them having "sub-processes". The one that has BGP in it is "iprouting.iosproc". All the "old IOS stuff" seems to be "ios-base".

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Fri Dec 11 11:41:16 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 11 Dec 2009 16:41:16 +0000
Subject: [c-nsp] IPV6
In-Reply-To:
References:
Message-ID: <4B22762C.4050008@imperial.ac.uk>

Michael Robson wrote:
> It's been a while since I worked with IPV6 and I am now once again > plunging myself into this feckless world and was wondering if a > couple of holes had now been plugged. What is the accepted way in > IPV6 land to dish out IPV6 DNS server addresses (am I correct in > saying that if you make use of NDP, you would still have to manually > configure DNS servers)? The other hole, as was, is the lack of IPV6

There are 4 methods:

* Don't use IPv6 DNS - use IPv4 DNS servers (via DHCPv4 or other).
I believe this is pretty common

* Static config of IPv6 DNS servers, possibly using an anycast address (I seem to recall there are products which try a well-known DNSv6 address, but I can't remember what products, and what address)

* Advertisement in RA packets - RFC 5006. I think support for this on IOS is pretty thin - I'm fairly sure 6500s don't support it and don't have it roadmapped (sigh)

* DHCPv6

> help address functionality on Cisco routers (well 6500s at least): if > I were to go down the route of using DHCP for IPV6, how could I use a > central server without this helper functionality?

6500s running SXI have gained the DHCPv6 relay support. Sadly, it doesn't interoperate with 6vPE (which we use) so I've only tested it lightly, but it more or less worked.

Of course, many clients don't support DHCPv6 (e.g. WinXP) so you may still need a solution for those.

From mohacsi at niif.hu Fri Dec 11 11:06:23 2009
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Fri, 11 Dec 2009 17:06:23 +0100 (CET)
Subject: [c-nsp] IPV6
In-Reply-To:
References:
Message-ID:

On Fri, 11 Dec 2009, Michael Robson wrote:
> It's been a while since I worked with IPV6 and I am now once again > plunging myself into this feckless world and was wondering if a couple > of holes had now been plugged. What is the accepted way in IPV6 land to > dish out IPV6 DNS server addresses (am I correct in saying that if you > make use of NDP, you would still have to manually configure DNS > servers)?

Use DHCPv6 or if your clients are supporting you can distribute DNS information via RAs. Support for adding DNS info to RA is not implemented on cisco routers yet.

> The other hole, as was, is the lack of IPV6 help address > functionality on Cisco routers (well 6500s at least): if I were to go > down the route of using DHCP for IPV6, how could I use a central server > without this helper functionality?
No DHCPv6 helper functionality, but DHCPv6 relay functionality; however, I
don't know the implementation status on various Cisco boxes.

Regards,
Janos Mohacsi

From will at collier-byrd.net  Fri Dec 11 10:21:22 2009
From: will at collier-byrd.net (Byrd, William)
Date: Fri, 11 Dec 2009 10:21:22 -0500
Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
In-Reply-To: <343531E7E6E6104AA786C757DAAC5B3B0C80C3CD@KOSI.kcom.com>
References: <4B221CBC.6020009@complicity.co.uk>
	<343531E7E6E6104AA786C757DAAC5B3B0C80C3CD@KOSI.kcom.com>
Message-ID: <1ebb7fa90912110721t7039899cna4d9bc143a49f134@mail.gmail.com>

Yes, SRC3 has a known bug related to memory leaks on idle/active BGP peers:

CSCsy58115 Bug Details
Continuous BGP mem increase with non established neighbors

Symptom: In a router running BGP the BGP Router process may hold increased
amounts of memory over time without freeing any memory. This may also be
seen from the output of "show proc mem sort" and in the output of
"show ip bgp sum" or "show ip bgp vpnv4 all sum" and looking at the number
of BGP attributes which may be increasing over time in relation to the BGP
prefixes and paths which may remain roughly the same.

Conditions: Some BGP neighbors are not in established state and exchanging
prefixes. The issue is observed on all platforms running 12.2(31)SB14
12.2(33)SB1b 12.2(33)SB2 12.2(33.05.14)SRB 12.2(33.02.09)SRC 12.2(33)SRC3
12.4(20)T2 12.4(22)T1 12.2(33)SXI or later releases.

Workaround: Remove the configuration lines related to the inactive
neighbors (neighbors in Idle or Active states).

On Fri, Dec 11, 2009 at 6:52 AM, Daniel Holme wrote:
> Yes I've experienced this on a 7600 running 12.2(33)SRC3.
>
> I have experienced it a number of times too, one of which was the XP
> issue you mention.
>
> You don't want too many people configuring passive sessions as having
> that on both ends is equally as bad as shutting down the session.
>
> --Dan
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Zoe O'Connell
> > Sent: 11 December 2009 10:20
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
> >
> > Hi,
> >
> > As a result of issues at an exchange point over the last few days, a
> > number of us (ISPs) have noticed an issue with BGP sessions sitting in
> > the "Idle" state, because the other end is shut down.
> >
> > Basically, it appears that on Sup720s at least, once you reach a
> > critical number of sessions in Idle (More than 5, less than 20) the CPU
> > usage increases to 30%, all down to the BGP Router process. 30ish
> > sessions down and it's up to 50% - we've had ours up to 70% as a result
> > of this, although I don't know how many sessions were down at that
> > point. This behaviour has been confirmed on 12.2(33)SRC4 and
> > 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on
> > CRS-1s. Has anyone seen this before and know if it's a known issue with
> > a BugID associated?
> >
> > A workaround is to apply "neigh x.x.x.x transport connection passive"
> > but this clearly isn't optimal.

From William.Murphy at uth.tmc.edu  Fri Dec 11 12:42:20 2009
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Fri, 11 Dec 2009 11:42:20 -0600
Subject: [c-nsp] EIGRP route knob tuning
In-Reply-To: <483E6B0272B0284BA86D7596C40D29F9DA83F32DB9@PUR-EXCH07.ox.com>
References: <483E6B0272B0284BA86D7596C40D29F9DA83F32DB9@PUR-EXCH07.ox.com>

We encountered the same thing as we deployed 10G links. It was definitely
an EIGRP learning experience. We found docs out there that describe
changing K values to ignore bandwidth and then manipulate delay in order
to achieve optimal routing. When you do this the protocol is supposed to
be more OSPF-like in the sense that the only value factoring into the
equation is a cumulative cost of sorts. This sounded scary to me so we
opted for your solution.
We set the edge SVIs to maximum bandwidth so they would never be
considered in the minimum bandwidth calculation, and then we make sure the
SVIs on our L2 trunks are set to the same BW as the underlying link, 1G or
10G...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Huff
Sent: Friday, December 11, 2009 10:36 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] EIGRP route knob tuning

Anyone know what Cisco's plans are for the metrics in EIGRP? 10GE has the
bandwidth set at max and the delay set to minimum, so how are they going to
handle 40GB and 100GB? Are there any whitepapers posted?

I ran into this a while ago looking at our core routing. The SVI on a 6500
is set to a bandwidth equal to a gig-e interface, so we had some inefficient
routing given that we had 10GE layer 3 connections to our distribution. Some
routes were heading to the distribution and back rather than across the
Layer 2 trunk because the Layer 2 trunk SVI had lower bandwidth. Adjusting
the SVI to the max (same as a 10GB interface) fixed the problem. What
happens when 100GB uplinks appear?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From ibrahim.abozaid at gmail.com  Fri Dec 11 12:49:41 2009
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Fri, 11 Dec 2009 19:49:41 +0200
Subject: [c-nsp] MPLS T.E Autoroute problem

Hi All

I have strange behaviour with MPLS T.E with autoroute

Topology

R4 (AS100)
|
|
R1-------R2-------R3-------R5 -----> (AS 200)
|-----Tun13---------|

AS 200 runs OSPF (single area) and Tunnel13 on R1 is between R1-Lo0 and
R3-Lo0 and, as shown, R5 is reachable from R3.

The problem is that when enabling autoroute, in the LFIB R5-Lo0 is reachable
over the tunnel with an untagged label and R3-Lo0 has a Pop label, so any
VPN traffic sourced on R4 and destined to a CE connected to R5 will be
routed to R1, which removes ALL labels and forwards it out the tunnel, and
it will be dropped on R3 and never reaches its destination.

By disabling autoroute R5 is still reachable via R3 BUT the LFIB has a label
assigned other than untag and traffic flows seamlessly.

Enabling MPLS over the tunnel didn't fix the problem.

Is there any feature or command I can use so routes reachable over the
tunnel and behind the tunnel tail-end can have a label other than untag?

Configuration

R1
===
mpls label protocol ldp
mpls traffic-eng tunnels
mpls ldp router-id Loopback0
mpls label range 100 199
!
interface Loopback0
 ip address 20.1.1.1 255.255.255.255
!
interface Tunnel13
 ip unnumbered Loopback0
 tunnel destination 20.1.3.3
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 0 0
 tunnel mpls traffic-eng bandwidth 1000
 tunnel mpls traffic-eng path-option 1 dynamic
 no routing dynamic
!
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 20.1.12.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 10000 10000
!
interface Serial2/0
 ip address 20.1.14.1 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 20.1.14.4 104 broadcast
 no frame-relay inverse-arp
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 router-id 20.1.1.1
 log-adjacency-changes
 redistribute bgp 200 subnets route-map bgp-to-ospf
 network 20.1.1.1 0.0.0.0 area 0
 network 20.1.12.1 0.0.0.0 area 0
!
router bgp 200
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 20.1.3.3 remote-as 200
 neighbor 20.1.3.3 update-source Loopback0
 neighbor 20.1.14.4 remote-as 100
 !
 address-family ipv4
  neighbor 20.1.14.4 activate
  neighbor 20.1.14.4 send-community both
  neighbor 20.1.14.4 send-label
  no auto-summary
  no synchronization
  network 20.1.1.1 mask 255.255.255.255
  network 20.1.2.2 mask 255.255.255.255
  network 20.1.3.3 mask 255.255.255.255
  network 20.1.5.5 mask 255.255.255.255
 exit-address-family
 !
 address-family vpnv4
  neighbor 20.1.3.3 activate
  neighbor 20.1.3.3 send-community extended
 exit-address-family
!

R2
===
mpls label protocol ldp
mpls traffic-eng tunnels
mpls ldp router-id Loopback0
mpls label range 200 299
!
interface Loopback0
 ip address 20.1.2.2 255.255.255.255
!
interface FastEthernet0/0.12
 encapsulation dot1Q 12
 ip address 20.1.12.2 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 10000 10000
!
interface Serial2/1
 ip address 20.1.23.2 255.255.255.0
 encapsulation ppp
 mpls ip
 mpls traffic-eng tunnels
 ip rsvp bandwidth 10000 10000
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 router-id 20.1.2.2
 log-adjacency-changes
 summary-address 217.1.0.0 255.255.252.0
 redistribute bgp 200 subnets route-map bgp-to-ospf
 network 20.1.2.2 0.0.0.0 area 0
 network 20.1.12.2 0.0.0.0 area 0
 network 20.1.23.2 0.0.0.0 area 0
!

R3
===
mpls label protocol ldp
mpls traffic-eng tunnels
mpls ldp router-id Loopback0
mpls label range 300 399
!
interface Loopback0
 ip address 20.1.3.3 255.255.255.255
!
interface Ethernet1/1
 ip address 20.1.35.3 255.255.255.0
 full-duplex
 tag-switching ip
!
interface Serial2/2
 ip address 20.1.23.3 255.255.255.0
 encapsulation ppp
 mpls traffic-eng tunnels
 tag-switching ip
 serial restart-delay 0
 no dce-terminal-timing-enable
 ip rsvp bandwidth 10000 10000
!
router ospf 1
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng area 0
 router-id 20.1.3.3
 log-adjacency-changes
 network 20.1.3.3 0.0.0.0 area 0
 network 20.1.13.3 0.0.0.0 area 0
 network 20.1.23.3 0.0.0.0 area 0
 network 20.1.35.3 0.0.0.0 area 0
!
router bgp 200
 no bgp default route-target filter
 bgp log-neighbor-changes
 neighbor 20.1.1.1 remote-as 200
 neighbor 20.1.1.1 update-source Loopback0
 neighbor 20.1.5.5 remote-as 200
 neighbor 20.1.5.5 update-source Loopback0
 !
 address-family vpnv4
  neighbor 20.1.1.1 activate
  neighbor 20.1.1.1 send-community extended
  neighbor 20.1.1.1 route-reflector-client
  neighbor 20.1.5.5 activate
  neighbor 20.1.5.5 send-community extended
  neighbor 20.1.5.5 route-reflector-client
 exit-address-family
!

R5
===
mpls label protocol ldp
mpls traffic-eng tunnels
mpls ldp router-id Loopback0
mpls label range 500 599
!
interface Loopback0
 ip address 20.1.5.5 255.255.255.255
!
interface Ethernet1/0
 ip address 20.1.35.5 255.255.255.0
 full-duplex
 tag-switching ip
!
router ospf 1
 router-id 20.1.5.5
 log-adjacency-changes
 network 20.1.5.5 0.0.0.0 area 0
 network 20.1.35.5 0.0.0.0 area 0
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 neighbor 20.1.3.3 remote-as 200
 neighbor 20.1.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 20.1.3.3 activate
  neighbor 20.1.3.3 send-community extended
 exit-address-family

show commands when autoroute enabled

R1#sh mpls forwarding-table 20.1.5.5
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
115    Untagged[T] 20.1.5.5/32       0          Tu13       point2point

[T]     Forwarding through a TSP tunnel.
        View additional tagging info with the 'detail' option
R1#
R1#sh mpls forwarding-table 20.1.3.3
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
101    Pop tag [T] 20.1.3.3/32       2226       Tu13       point2point

[T]     Forwarding through a TSP tunnel.
        View additional tagging info with the 'detail' option

By disabling autoroute and using a static route to R3-Lo0 instead:

R1#sh ip route 20.1.3.3
Routing entry for 20.1.3.3/32
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via ospf 1
  Advertised by ospf 1
                bgp 200
  Routing Descriptor Blocks:
  * directly connected, via Tunnel13
      Route metric is 0, traffic share count is 1

R1#sh ip route 20.1.5.5
Routing entry for 20.1.5.5/32
  Known via "ospf 1", distance 110, metric 76, type intra area
  Advertised by bgp 200
  Last update from 20.1.12.2 on FastEthernet0/0.12, 00:00:50 ago
  Routing Descriptor Blocks:
  * 20.1.12.2, from 20.1.5.5, 00:00:50 ago, via FastEthernet0/0.12
      Route metric is 76, traffic share count is 1

R1#
R1#sh mpls forwarding-table 20.1.3.3
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
101    Pop tag [T] 20.1.3.3/32       62         Tu13       point2point

[T]     Forwarding through a TSP tunnel.
        View additional tagging info with the 'detail' option
R1#sh mpls forwarding-table 20.1.5.5
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
115    211         20.1.5.5/32       0          Fa0/0.12   20.1.12.2

best regards
--Ibrahim

From tdurack at gmail.com  Fri Dec 11 13:04:16 2009
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 11 Dec 2009 13:04:16 -0500
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <20091211164020.GH163@greenie.muc.de>
References: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>
	<20091211160650.GG163@greenie.muc.de>
	<61D4116B957C2843AACB49664C8AB223038C36F8@UKCWRX004.uk.int.atosorigin.com>
	<20091211164020.GH163@greenie.muc.de>
Message-ID: <9e246b4d0912111004x28d1935ehb74317f0c02960c2@mail.gmail.com>

On Fri, Dec 11, 2009 at 11:40 AM, Gert Doering wrote:
> Hi,
>
> On Fri, Dec 11, 2009 at 04:12:59PM +0000, Mackinnon, Ian wrote:
>> > Well, in theory it should at least have the benefit of proper memory
>> > protection between processes, and thus, less likely to crash the whole
>> > box if a process does stupid things.
>> >
>> Interesting, so given the email earlier today by somebody experiencing
>> BGP problems at a well known IX with lots of sessions where the other
>> end is shut down, would this have still been an issue?
>
> I'm not really sure what is happening there - but I doubt that modular
> would help much with "a process is burning CPU needlessly".
>
>> It's been a while since I looked at modular, but is there not a large
>> "IOS" process that is most things in one place anyway?
>
> I'm not exactly sure how it works. There are different kinds of processes,
> some of them having "sub-processes".
>
> The one that has BGP in it is "iprouting.iosproc". All the "old IOS stuff"
> seems to be "ios-base".

We've been running 12.2SX Modular IOS on a set of SUP720s for over a year.
It hasn't done us any good. Still suffer from memory/cpu issues.
Modular will burn at least an extra 10% cpu, and won't give any observable
benefits. With the removal of install/patching in SXI3, we have decided to
move back to monolithic.

Cisco doesn't appear to have the engineering resources and/or will-power to
move IOS into the 20th Century (pre-emptive multitasking with memory and
process containment.) It is more beneficial for them to sell you new
products with "better" versions of IOS.

Tim:>

From mhuff at ox.com  Fri Dec 11 13:21:17 2009
From: mhuff at ox.com (Matthew Huff)
Date: Fri, 11 Dec 2009 13:21:17 -0500
Subject: [c-nsp] EIGRP route knob tuning
References: <483E6B0272B0284BA86D7596C40D29F9DA83F32DB9@PUR-EXCH07.ox.com>
Message-ID: <483E6B0272B0284BA86D7596C40D29F9DA83F32DBB@PUR-EXCH07.ox.com>

It makes perfect sense, but was quite a shock when it dawned on me what was
happening. I made about the same changes you described and everything works
fine now. However, it won't work at all when 40GB/100GB interfaces begin
shipping. Or even if you wanted to make the bandwidth correct on aggregated
10gb trunks. I assume Cisco will have to come up with some new EIGRP version
that's backward compatible which will encapsulate the old metrics within a
new larger field. Anyone hear anything about this yet from Cisco?

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139

From nbautista at cts.ucla.edu  Fri Dec 11 13:37:33 2009
From: nbautista at cts.ucla.edu (Bautista, Noel)
Date: Fri, 11 Dec 2009 10:37:33 -0800
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>
References: <61D4116B957C2843AACB49664C8AB223038C36DD@UKCWRX004.uk.int.atosorigin.com>

We normally try to use Safe Harbor Recommended IOS and for quite some time
Cisco has recommended upgrading to a modular release. We first tried the
modular in 12.2(18)SXF7 but we backed out because of numerous problems. A
Cisco SE mentioned in his presentation that at some point Cisco will only be
releasing modular IOS. Safe Harbor seems to indicate this direction since
they stopped testing Native IOS and recommend Modular IOS as shown from the
link below. Which is why I'm looking at modular SXI3, but the "install"
command has been deprecated. Now, it seems that Cisco is going away from
Modular??

I've been testing Native IOS 12.2(33)SXI3 in our lab network running OSPF and
BGP in v4 and v6 and so far it seems stable.

Thanks,
Noel

Safe Harbor Release
http://www.cisco.com/en/US/customer/solutions/ns340/ns414/ns504/networking_solutions_products_genericcontent0900aecd80694a2a.html

-----Original Message-----
From: Mackinnon, Ian [mailto:Ian.Mackinnon at atosorigin.com]
Sent: Friday, December 11, 2009 7:53 AM
To: Bautista, Noel; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IOS Upgrade to SXI3

Hi Noel,

From what I remember of recent discussions on here, modular is to be
avoided. It has no benefit (there have not been any patches) and is not used
as much, so not tested by real life use.
Ian

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Bautista, Noel
> Sent: 11 December 2009 15:45
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IOS Upgrade to SXI3
>
> We're contemplating upgrading our SUP 720 3BXL from 12.2(18)SXF15a
> native IOS to 12.2(33)SXI3 modular IOS but I read from the release notes
> that the "Install" command has been deprecated. On Cisco's Safe Harbor
> IOS Release, they have tested and recommend upgrading to modular
> 12.2(33)SXI3. There's no explanation on why they deprecated the
> "install" command and I'm waiting for our Cisco SE response. I'd
> appreciate any feedback from those people who have upgraded to SXI3, in
> modular or otherwise.
>
> Thanks,
>
> Noel

From marco at networkgeek.de  Fri Dec 11 13:46:48 2009
From: marco at networkgeek.de (Marco Eulenfeld)
Date: Fri, 11 Dec 2009 19:46:48 +0100
Subject: [c-nsp] Idle sessions on 12.2(33)SR cause high CPU
In-Reply-To: <20091211112745.GK12335@alpha.dark-ice.net>
References: <4B221CBC.6020009@complicity.co.uk>
	<20091211112745.GK12335@alpha.dark-ice.net>
Message-ID: <20091211184648.GL12335@alpha.dark-ice.net>

Hi,

On Fri, Dec 11, 2009 at 10:19:40AM +0000, Zoe O'Connell wrote:
> critical number of sessions in Idle (More than 5, less than 20) the CPU

we even saw it with 2 IDLE sessions (after a reboot) where the CPU went to
50% permanently. only a shutdown of that IDLE session helped.

> point. This behaviour has been confirmed on 12.2(33)SRC4 and
> 12.2(33)SRD2, with other possible reports on SXF, SRC3, SRC5 and also on

12.2(33)SRA4 was/is on that box.

br
marco

From gsgranados at comcast.net  Fri Dec 11 16:12:22 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 11 Dec 2009 13:12:22 -0800
Subject: [c-nsp] ASA 5520, unable to find matching cert with digital key usage
Message-ID: <024201ca7aa6$a6fdef60$2608120a@am.thmulti.com>

Hi, I'm getting the following error and I've popped it in to do a search but
I'm not finding much and not understanding what I did find.

The background: I am using ASA 5520 hardware. I am trying to create a trust
point for certificate based authentication. I create the enrollment request
without issue, submit it to our CA server and receive the new cert.

I've generated the keys and everything happens error free until I go to
import the new cert.
I first authenticate the trust point with the CA cert, which seems to be
error free, but when I do a

#crypto ca import "trust-point-name" certificate

and paste the cert I receive the "can't find certificate with digital key
usage" error. When googling all it says is to set key options but doesn't
explain what that means or what options. What am I missing? Any pointers
would be greatly appreciated.

Thank you
Scott

From amrozek at cisco.com  Fri Dec 11 18:24:51 2009
From: amrozek at cisco.com (Andy Mrozek (amrozek))
Date: Fri, 11 Dec 2009 15:24:51 -0800
Subject: [c-nsp] ASA 5520, unable to find matching cert with digital key usage
In-Reply-To: <024201ca7aa6$a6fdef60$2608120a@am.thmulti.com>
References: <024201ca7aa6$a6fdef60$2608120a@am.thmulti.com>

Scott,

Does your trustpoint have the key you generated the CSR with defined as
follows:

crypto ca trustpoint samplecompany
 enrollment terminal
 fqdn asa.samplecompany.com
 subject-name CN=asa,O=sample.com,C=US,St=California,L=SanFran
 keypair mykeypairname
 ignore-ipsec-keyusage
 ignore-ssl-keyusage
 crl configure

From gsgranados at comcast.net  Fri Dec 11 18:37:26 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Fri, 11 Dec 2009 15:37:26 -0800
Subject: [c-nsp] ASA 5520, unable to find matching cert with digital key usage
References: <024201ca7aa6$a6fdef60$2608120a@am.thmulti.com>
	<8441E7947FF142C089D0B95E8A382056@AMROZEK>
Message-ID: <000b01ca7aba$eafe98e0$2608120a@am.thmulti.com>

Hi, I only have the items as far as keypair=name.key. I used the
configuring ASA with Microsoft CA and digital certs example on the Cisco
site. It didn't list any of the other options.

I did figure out this error though; the problem was with the CA server. It
was injecting my username in instead of the fqdn and the data I provided in
the request. Now I'm struggling with a group 1 configured for group 2 error,
but I think I understand what that is.

Thanks for the response
Scott

From mumetahh at yahoo.co.id  Fri Dec 11 22:05:25 2009
From: mumetahh at yahoo.co.id (==N==)
Date: Sat, 12 Dec 2009 11:05:25 +0800 (SGT)
Subject: [c-nsp] vlan access-map
Message-ID: <180700.95946.qm@web76302.mail.sg1.yahoo.com>

Dear All,

Currently I need to make a lab for my BSMSN; since I use dynamips with a
C3640, the switch commands are limited. I need your opinion. Does anyone
know: vlan access-map under c3640 in dynamips/dynagen?

Thanks for help

Regards,
-Suryantofang-
" Fly Higher - Run Faster "
http://suryantofang.wordpress.com

From jay at west.net  Fri Dec 11 22:53:45 2009
From: jay at west.net (Jay Hennigan)
Date: Fri, 11 Dec 2009 19:53:45 -0800
Subject: [c-nsp] 3560g PoE issue
In-Reply-To: <818538.99529.qm@web52105.mail.re2.yahoo.com>
References: <818538.99529.qm@web52105.mail.re2.yahoo.com>
Message-ID: <4B2313C9.8060206@west.net>

Nilesh Sawant wrote:
> Hi,
>
> I am observing a problem with a 48-port 3560G in our LAN infrastructure.
> We have Alcatel IP phones which are connected to 3560G switches. Sometimes
> these IP phones are not getting powered up; after restarting the switch
> the IP phones get powered up. As per Cisco theory it delivers an average
> 7.7 W on all 48 ports or 15.4 W on 24 ports.
>
> I tried shut, no shut after the IP phones get powered down, and also tried
> to allocate 10-14 W of power on that particular interface, but no use.
>
> What could be the issue?

Not sure about Alcatel, but we have seen a similar issue with some Polycom
phones.
The Polycom phones have the capability of adding "sidecar" units with additional display and buttons for DSS/BLF and the like. Even with no sidecars installed, the phones default to having the sidecar power enabled and as such request the full 15.4 watts from the switch. The Cisco switch will detect the requested power as 15.4 and deny power to additional phones once the aggregate power limit is reached based on this calculation.

A configuration setting on the phone allows one to disable sidecar power and once this is done the phone requests a more reasonable six watts. In this mode all ports can be used.

Keep in mind that TTBOMK power calculations in the switch are done by layer 2 messages indicating desired power from the connected device and not by an ammeter in the switch measuring actual power consumption.

Check your Alcatel phones and see if they are capable of powering accessories that you aren't using. If so and you can disable this capability the phones may then negotiate with the switch to deliver less power and allow the use of more/all ports.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From nilesh5555in at yahoo.com Sat Dec 12 02:12:22 2009
From: nilesh5555in at yahoo.com (Nilesh Sawant)
Date: Fri, 11 Dec 2009 23:12:22 -0800 (PST)
Subject: [c-nsp] 3560g PoE issue
In-Reply-To: <6F51B50ECF32084788B9B3A8469A71B52917D5421C@EXCHCLUSTER1-02.win.slac.stanford.edu>
Message-ID: <763480.15689.qm@web52104.mail.re2.yahoo.com>

Hi Gary,

As I have seen in the sh power inline output, a few Alcatel IP phones are class 0 while others are class 2. Is this creating the problem?

Also, as per my observation all phones are working, but suddenly after an hour or a day a few phones get powered off while others keep working. After restarting the switch, all IP phones start working again.
Output of "sh power inline" is below:

Sales>sh power inline
Available:370.0(w)  Used:224.0(w)  Remaining:146.0(w)

Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi0/1     auto   off        0.0     n/a                 n/a   15.4
Gi0/2     auto   on         7.0     Ieee PD             2     15.4
Gi0/3     auto   off        0.0     n/a                 n/a   15.4
Gi0/4     auto   on         7.0     Ieee PD             2     15.4
Gi0/5     auto   off        0.0     n/a                 n/a   15.4
Gi0/6     auto   on         7.0     Ieee PD             2     15.4
Gi0/7     auto   off        0.0     n/a                 n/a   15.4
Gi0/8     auto   on         7.0     Ieee PD             2     15.4
Gi0/9     auto   off        0.0     n/a                 n/a   15.4
Gi0/10    auto   on         7.0     Ieee PD             2     15.4
Gi0/11    auto   on         7.0     Ieee PD             2     15.4
Gi0/12    auto   on         7.0     Ieee PD             2     15.4
Gi0/13    auto   off        0.0     n/a                 n/a   15.4
Gi0/14    auto   on         15.4    Ieee PD             0     15.4
Gi0/15    auto   on         15.4    Ieee PD             0     15.4
Gi0/16    auto   off        0.0     n/a                 n/a   15.4
Gi0/17    auto   on         7.0     Ieee PD             2     15.4
Gi0/18    auto   off        0.0     n/a                 n/a   15.4
Gi0/19    auto   off        0.0     n/a                 n/a   15.4
Gi0/20    auto   on         7.0     Ieee PD             2     15.4
Gi0/21    auto   off        0.0     n/a                 n/a   15.4
Gi0/22    auto   off        0.0     n/a                 n/a   15.4
Gi0/23    auto   on         7.0     Ieee PD             2     15.4
Gi0/24    auto   off        0.0     n/a                 n/a   15.4
Gi0/25    auto   off        0.0     n/a                 n/a   15.4
Gi0/26    auto   off        0.0     n/a                 n/a   15.4
Gi0/27    auto   on         7.0     Ieee PD             2     15.4
Gi0/28    auto   off        0.0     n/a                 n/a   15.4
Gi0/29    auto   off        0.0     n/a                 n/a   15.4
Gi0/30    auto   on         7.0     Ieee PD             2     15.4
Gi0/31    auto   on         7.0     Ieee PD             2     15.4
Gi0/32    auto   off        0.0     n/a                 n/a   15.4
Gi0/33    auto   off        0.0     n/a                 n/a   15.4
Gi0/34    auto   on         15.4    Ieee PD             0     15.4
Gi0/35    auto   on         7.0     Ieee PD             2     15.4
Gi0/36    auto   on         7.0     Ieee PD             2     15.4
Gi0/37    auto   on         15.4    Ieee PD             0     15.4
Gi0/38    auto   on         7.0     Ieee PD             2     15.4
Gi0/39    auto   on         7.0     Ieee PD             2     15.4
Gi0/40    auto   off        0.0     n/a                 n/a   15.4
Gi0/41    auto   off        0.0     n/a                 n/a   15.4
Gi0/42    auto   on         7.0     Ieee PD             2     15.4
Gi0/43    auto   on         7.0     Ieee PD             2     15.4
Gi0/44    auto   on         15.4    Ieee PD             0     15.4
Gi0/45    auto   off        0.0     n/a                 n/a   15.4
Gi0/46    auto   on         7.0     Ieee PD             2     15.4
Gi0/47    auto   off        0.0     n/a                 n/a   15.4
Gi0/48    auto   on         7.0     Ieee PD             2     15.4

--- On Sat, 12/12/09, Buhrmaster, Gary wrote:

> From: Buhrmaster, Gary
> Subject: RE: [c-nsp] 3560g PoE issue
> To: "'Nilesh Sawant'"
> Date: Saturday, December 12, 2009, 5:12 AM
>
> > What could be the issue ?
>
> If all of the devices on that switch are class 3, you are only
> going to get 24 active PoE ports. If all the phones are
> class 3, any phone connected after the first 24 will fail to
> power on (and if some are class 2, and some class 3, you will
> get something between 24 and 48). Some Alcatel phones (the
> new, nicer ones) are class 3.

From oboehmer at cisco.com Sat Dec 12 03:43:57 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 12 Dec 2009 09:43:57 +0100
Subject: [c-nsp] MPLS T.E Autoroute problem
In-Reply-To:
References:
Message-ID: <6E4D2678AC543844917CA081C9D6B33FD8BA8B@XMB-AMS-103.cisco.com>

> I have strange behaviour with MPLS T.E with autoroute
>
> Topology
>
> R4 (AS100)
> |
> |
> R1-------R2-------R3-------R5 -----> (AS 200)
> |-----Tun13---------|
>
> both AS200 runs OSPF (single area) and Tunnel13 on R1 is between R1-Lo0 and
> R3-Lo0 and as shown R5 is reachable from R3
>
> the problem is when enabling autoroute
>
> and in LFIB, R5-Lo0 is reachable over the tunnel with untagged label and
> R3-Lo0 has Pop label so any VPN traffic sourced on R4 and destined to CE
> connected to R5 will be routed to R1 which removes ALL labels and forwards
> it out the tunnel and it will be dropped on R3 and never reaches its
> destination
>
> by disabling autoroute
>
> R5 is still reachable via R3 BUT LFIB has label assigned other than untag
> and traffic flows seamlessly
>
> enabling MPLS over the tunnel didn't fix the problem
>
> is there any feature or command I can use so routes reachable over tunnel
> and behind tunnel tailend can have a label other than untag ?
well, first of all you absolutely need LDP/MPLS enabled on the tunnel, otherwise R1 (head) has no information about R3's label advertised to reach R5. So please enable LDP on the tunnel and check the LDP adjacency between R1 and R3, as well as the label bindings. You should see a label for R5's lo0 on R1. Haven't looked at it in a while, but you might need "mpls ldp discovery targeted-hello accept" on R3 for R1's directed request to be accepted.

BTW: When you disable autoroute, R1 will NOT reach R5 via the tunnel, it will use the LDP-built LSP across R2, as seen by

> R1#sh mpls forwarding-table 20.1.5.5
> Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
> tag    tag or VC   or Tunnel Id      switched   interface
> 115    211         20.1.5.5/32       0          Fa0/0.12   20.1.12.2

no [T] in the output.

oli

From arla at rn.dk Sat Dec 12 09:15:19 2009
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sat, 12 Dec 2009 15:15:19 +0100
Subject: [c-nsp] tacacs+ restrictions
Message-ID: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk>

Hi all.

I know it's a bit off topic, but anyway.
I'm trying to get tacacs+ to restrict access and commands for users.
I can't seem to get it right. Whatever I do, I either get no configuration commands rejected or all get rejected.
I would like to make a user that can only change the vlan tag under interface configuration.
This is what I tried to configure:

user = at {
    default service = deny
    login = cleartext "gt"
    enable = cleartext "go"
    name = "testing"
    service = exec {
        priv-lvl = 1
        idletime = 10
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal.interface
        permit interface.vlan*
        deny .*
    }
}

Has any of you tried to do something similar? Any input would be appreciated very much. Or does someone know where I can seek help?
/Arne

From ewitkop at gmail.com Sat Dec 12 10:52:08 2009
From: ewitkop at gmail.com (Erik Witkop)
Date: Sat, 12 Dec 2009 10:52:08 -0500
Subject: [c-nsp] tacacs+ restrictions
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk>
Message-ID:

I think your problem is that 'configure' is not a priv 1 level command. Debug tacacs will show you what is happening. Change the user to priv 15 and see what you get.

On Dec 12, 2009 9:24 AM, "Arne Larsen / Region Nordjylland" wrote:

> Hi all.
>
> I know it's a bit off topic, but anyway.
> I'm trying to get tacacs+ to restrict access and commands for users.
> I can't seem to get it right. Whatever I do, I either get no configuration commands rejected or all get rejected.
> I would like to make a user that can only change the vlan tag under interface configuration.
> This is what I tried to configure:
>
> user = at {
>     default service = deny
>     login = cleartext "gt"
>     enable = cleartext "go"
>     name = "testing"
>     service = exec {
>         priv-lvl = 1
>         idletime = 10
>     }
>     cmd = show {
>         permit .*
>     }
>     cmd = configure {
>         permit terminal.interface
>         permit interface.vlan*
>         deny .*
>     }
> }
>
> Has any of you tried to do something similar? Any input would be appreciated very much. Or does someone know where I can seek help?
>
> /Arne

From peter at rathlev.dk Sat Dec 12 10:59:16 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 12 Dec 2009 16:59:16 +0100
Subject: [c-nsp] tacacs+ restrictions
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk>
Message-ID: <1260633556.16468.4.camel@localhost>

On Sat, 2009-12-12 at 15:15 +0100, Arne Larsen wrote:
> Hi all.
>
> I know it's a bit off topic, but anyway.
> I'm trying to get tacacs+ to restrict access and commands for users.
> I can't seem to get it right. Whatever I do, I either get no
> configuration commands rejected or all get rejected.
> I would like to make a user that can only change the vlan tag under
> interface configuration. This is what I tried to configure..
> [...]
>
> Has any of you tried to do something similar? Any input would be
> appreciated very much.
> Or does someone know where I can seek help?

We have an "operator" group with limited access to some datacenter switches, configured like this:

acl = access-sw-only {
    permit = ^10\.77\.24[456]\.
}

group = operator {
    default service = deny
    login = PAM
    service = exec {
        priv-lvl = 15
    }

    #### Exec level commands ####
    cmd = show {
        permit "."
    }
    cmd = exit {
        permit "$"
    }
    cmd = quit {
        permit "$"
    }
    cmd = write {
        permit "terminal $"
        permit "memory $"
    }

    #### Configure commands ####
    cmd = configure {
        permit "^terminal $"
    }
    #--- Allow the exec level commands from configure mode ---#
    cmd = do {
        permit "^show .*"
    }
    #--- Allow entering interfaces ---#
    cmd = interface {
        #--- Disallow configuring uplinks ---#
        deny "^GigabitEthernet [12]/0/2[34] $"
        #--- Allow configuring physical interfaces ---#
        permit "^(Gigabit|Fast)Ethernet.*"
    }
    #--- Allow a range of specific interface conf commands ---#
    cmd = switchport {
        permit "^access vlan [128][0-9][0-9] $"
        permit "^mode access $"
    }
    cmd = description {
        permit "."
    }
    cmd = shutdown {
        permit "^$"
    }
    cmd = spanning-tree {
        permit "^portfast $"
        permit "^bpduguard enable $"
    }
    cmd = mls {
        permit "^qos cos 3 $"
        permit "^qos cos override $"
    }
    #--- Allow creation and naming of VLANs 100-299 + 800-899 ---#
    cmd = vlan {
        permit "^[128][0-9][0-9] $"
    }
    cmd = name {
        permit "."
    }
    #--- Allow unshutting interfaces, and clearing descriptions ---#
    cmd = no {
        permit "^shutdown $"
        permit "^description .*"
    }
    acl = access-sw-only
}

You can enable debugging for the tac_plus daemon to see exactly what the device asks to have accepted/rejected.

--
Peter

From thilak.t at gmail.com Sat Dec 12 14:44:39 2009
From: thilak.t at gmail.com (Thilak T)
Date: Sat, 12 Dec 2009 11:44:39 -0800
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
Message-ID: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>

Hello Forum,

How important or significant is it to schedule reloads of Data Center/Campus switches with uptime over 1 year? What is the logic/reason behind this advice from Cisco?

From gtb at slac.stanford.edu Sat Dec 12 15:13:23 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Sat, 12 Dec 2009 12:13:23 -0800
Subject: [c-nsp] 3560g PoE issue
In-Reply-To: <763480.15689.qm@web52104.mail.re2.yahoo.com>
References: <6F51B50ECF32084788B9B3A8469A71B52917D5421C@EXCHCLUSTER1-02.win.slac.stanford.edu> <763480.15689.qm@web52104.mail.re2.yahoo.com>
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52918E23003@EXCHCLUSTER1-02.win.slac.stanford.edu>

> As I have seen in the sh power inline output, a few Alcatel IP phones are class 0
> while others are class 2. Is this creating the problem?

Note that all of your class '0' (unrecognized?) devices are being allocated 15.4 watts. That reduces the number of other devices you can use. When your failures occur, look at the total power allocated and I suspect you will find you are simply out of allocatable power. The power supply of that switch is not capable of providing a full 15.4 watts to every port at the same time.
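The tacacs+ thread above turns on how tac_plus matches the `cmd = ... { permit/deny <regex> }` rules against what the switch sends. The following is an added example (not code from the thread or from tac_plus) that replays Arne's rules and the relevant part of Peter's "operator" group against a sample session; it assumes tac_plus semantics as I understand them: the device sends the command name plus its arguments, each argument is followed by a space in the matched string (which is why Peter's patterns end in `" $"`), rules are tried in order with first match winning, no match denies, and a command with no `cmd =` block is denied under `default service = deny`. It also assumes IOS sends an interface name and its number as separate arguments, as Peter's `^GigabitEthernet [12]/0/2[34] $` pattern expects.

```python
import re
from typing import Dict, List, Tuple

# ("permit" | "deny", regex) pairs, in the order they appear in the config.
Rule = Tuple[str, str]
Policy = Dict[str, List[Rule]]   # command name -> ordered rules

# Arne's rules as posted (unanchored, unquoted patterns).
ARNE: Policy = {
    "show": [("permit", ".*")],
    "configure": [("permit", "terminal.interface"),
                  ("permit", "interface.vlan*"),
                  ("deny", ".*")],
}

# The part of Peter's "operator" group exercised by the sample session.
OPERATOR: Policy = {
    "show": [("permit", ".")],
    "write": [("permit", "terminal $"), ("permit", "memory $")],
    "configure": [("permit", "^terminal $")],
    "interface": [("deny", "^GigabitEthernet [12]/0/2[34] $"),
                  ("permit", "^(Gigabit|Fast)Ethernet.*")],
    "switchport": [("permit", "^access vlan [128][0-9][0-9] $"),
                   ("permit", "^mode access $")],
    "vlan": [("permit", "^[128][0-9][0-9] $")],
    "no": [("permit", "^shutdown $"), ("permit", "^description .*")],
}


def tacacs_args(command: str) -> Tuple[str, str]:
    """Split a command line into (name, argstring).

    Assumption: tac_plus matches against the arguments only, joined so that
    every argument is followed by one space ("configure terminal" -> "terminal ").
    """
    parts = command.split()
    return parts[0], "".join(arg + " " for arg in parts[1:])


def authorize(policy: Policy, command: str) -> bool:
    """First-match evaluation of the cmd block; missing block or no match = deny."""
    name, argstr = tacacs_args(command)
    rules = policy.get(name)
    if rules is None:
        return False                      # default service = deny
    for action, pattern in rules:
        if re.search(pattern, argstr):    # tac_plus regexes are unanchored unless ^/$ given
            return action == "permit"
    return False                          # fell through every rule


# Constructed session: what an operator would type on one of the switches.
SESSION = [
    "show running-config",
    "configure terminal",
    "interface GigabitEthernet 1/0/5",
    "interface GigabitEthernet 1/0/24",   # uplink, denied by Peter's first rule
    "switchport access vlan 150",
    "switchport access vlan 350",         # outside the 100-299/800-899 ranges
    "no shutdown",
    "vlan 150",
    "write erase",                        # not in the write allow-list
]


def evaluate(policy: Policy) -> List[Tuple[str, bool]]:
    return [(cmd, authorize(policy, cmd)) for cmd in SESSION]


if __name__ == "__main__":
    for label, policy in (("Arne", ARNE), ("operator", OPERATOR)):
        print(f"--- {label} ---")
        for cmd, ok in evaluate(policy):
            print(f"{'PERMIT' if ok else 'DENY  '}  {cmd}")
```

Under Arne's rules "configure terminal" sends the argument string "terminal ", which neither "terminal.interface" nor "interface.vlan*" matches, so the trailing `deny .*` wins and every configuration attempt is rejected at the door; the anchored, per-command rules in the operator group are what make the intended subset of commands work.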
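Gary's point in the PoE thread is that the switch budgets by what the phones request (class 0 reserves the full 15.4 W), not by what they draw. This added example (not from the thread or from Cisco) parses a constructed excerpt of the `sh power inline` rows posted above, sums the allocation per class, reports how many more devices the 370 W budget admits, and models the effect of capping class-0 ports with `power inline consumption` as Tim suggested; the cap is only a correct model when the real draw of those phones is known.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed excerpt (12 of the 48 rows, same layout) of the "sh power inline"
# output posted in the thread; 370 W is the Available figure shown on the switch.
SHOW_POWER_INLINE = """\
Gi0/1     auto   off        0.0     n/a                 n/a   15.4
Gi0/2     auto   on         7.0     Ieee PD             2     15.4
Gi0/4     auto   on         7.0     Ieee PD             2     15.4
Gi0/6     auto   on         7.0     Ieee PD             2     15.4
Gi0/8     auto   on         7.0     Ieee PD             2     15.4
Gi0/10    auto   on         7.0     Ieee PD             2     15.4
Gi0/13    auto   off        0.0     n/a                 n/a   15.4
Gi0/14    auto   on         15.4    Ieee PD             0     15.4
Gi0/15    auto   on         15.4    Ieee PD             0     15.4
Gi0/34    auto   on         15.4    Ieee PD             0     15.4
Gi0/37    auto   on         15.4    Ieee PD             0     15.4
Gi0/44    auto   on         15.4    Ieee PD             0     15.4
"""
BUDGET_W = 370.0

# Interface Admin Oper Power Device Class Max; Device may contain a space ("Ieee PD").
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+(?P<power>[\d.]+)\s+"
    r"(?P<dev>.+?)\s+(?P<cls>\S+)\s+(?P<max>[\d.]+)\s*$"
)


@dataclass
class Port:
    name: str
    oper: str            # "on" / "off"
    allocated_w: float   # what the switch has reserved for this port
    pd_class: str        # "0".."4" or "n/a"


def parse_power_inline(text: str) -> List[Port]:
    """Parse the per-port rows; header and separator lines are skipped."""
    ports: List[Port] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(Port(m["intf"], m["oper"], float(m["power"]), m["cls"]))
    return ports


def allocation_by_class(ports: Sequence[Port]) -> Dict[str, float]:
    """Watts reserved per PD class; class 0 (unclassified PD) gets the full 15.4 W."""
    totals: Dict[str, float] = {}
    for p in ports:
        if p.oper == "on":
            totals[p.pd_class] = round(totals.get(p.pd_class, 0.0) + p.allocated_w, 1)
    return totals


def remaining_w(ports: Sequence[Port], budget: float = BUDGET_W) -> float:
    return round(budget - sum(p.allocated_w for p in ports if p.oper == "on"), 1)


def more_devices_fit(ports: Sequence[Port], per_device_w: float,
                     budget: float = BUDGET_W) -> int:
    """How many additional PDs requesting per_device_w the budget still admits."""
    return int(remaining_w(ports, budget) // per_device_w)


def with_consumption_cap(ports: Sequence[Port], cap_w: float,
                         classes: Sequence[str] = ("0",)) -> List[Port]:
    """Model 'power inline consumption <mW>' applied to ports of the given classes.

    This only mirrors what the switch will reserve; it is safe only if the phones
    on those ports really draw no more than cap_w.
    """
    return [
        Port(p.name, p.oper,
             min(p.allocated_w, cap_w) if p.pd_class in classes else p.allocated_w,
             p.pd_class)
        for p in ports
    ]


if __name__ == "__main__":
    ports = parse_power_inline(SHOW_POWER_INLINE)
    print("allocation by class:", allocation_by_class(ports))
    print("remaining W:", remaining_w(ports))
    print("more class-0 phones that fit:", more_devices_fit(ports, 15.4))
    print("more class-2 phones that fit:", more_devices_fit(ports, 7.0))
    capped = with_consumption_cap(ports, 7.7)          # 7700 mW on class-0 ports
    print("remaining W with class-0 ports capped at 7.7 W:", remaining_w(capped))
```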
From jackson.tim at gmail.com Sat Dec 12 15:31:22 2009
From: jackson.tim at gmail.com (Tim Jackson)
Date: Sat, 12 Dec 2009 14:31:22 -0600
Subject: [c-nsp] 3560g PoE issue
In-Reply-To: <6F51B50ECF32084788B9B3A8469A71B52918E23003@EXCHCLUSTER1-02.win.slac.stanford.edu>
References: <6F51B50ECF32084788B9B3A8469A71B52917D5421C@EXCHCLUSTER1-02.win.slac.stanford.edu> <763480.15689.qm@web52104.mail.re2.yahoo.com> <6F51B50ECF32084788B9B3A8469A71B52918E23003@EXCHCLUSTER1-02.win.slac.stanford.edu>
Message-ID: <4407932e0912121231r717ac464j77cc5007a0d38b24@mail.gmail.com>

Also, if you *KNOW* that those phones are not using 15.4 watts you can set up the power consumption on each port:

int range gi0/1 - 48
 power inline consumption 7700

--
Tim

On Sat, Dec 12, 2009 at 2:13 PM, Buhrmaster, Gary wrote:
>> As I have seen in the sh power inline output, a few Alcatel IP phones are class 0
>> while others are class 2. Is this creating the problem?
>
> Note that all of your class '0' (unrecognized?) devices are
> being allocated 15.4 watts. That reduces the number of
> other devices you can use. When your failures occur, look
> at the total power allocated and I suspect you will find
> you are simply out of allocatable power. The power supply
> of that switch is not capable of providing a full 15.4 watts
> to every port at the same time.
From jared at puck.nether.net Sat Dec 12 15:34:58 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Sat, 12 Dec 2009 15:34:58 -0500
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID: <3B9A639F-D1C8-4B70-90FD-39B96D63375F@puck.nether.net>

On Dec 12, 2009, at 2:44 PM, Thilak T wrote:

> Hello Forum,
>
> How important or significant is it to schedule reloads of Data Center/Campus
> switches with uptime over 1 year? What is the logic/reason behind this
> advice from Cisco?

Really? This is official advice? Do you have a url/cite?

Honestly, there are a few things I would say about this:

1) You likely need to reload 1-2x a year to cover PSIRT related items
   www.cisco.com/go/psirt

2) If you are doing anything other than layer-2 switching, you may need to watch for memory fragmentation or other issues. Since it's unlikely you are running modular, having a large block of memory free is more important. You are stuck in the 80's and early 90's with technology similar to LOADHI and HIMEM.SYS still.

3) Maintaining your devices is important, just like your car, house, etc. You may want to upgrade to the latest rebuild of your current train, eg: SXI3, SXF16, etc.

The PSIRT reason alone is good enough for me, not sure about your environment. You also don't want to get too far away from the latest code; it will make it harder to get support as Cisco will not easily support older software. The "shut up and reload", "shut up and upgrade" is lower cost than actually getting a clued engineer to diagnose your problem.
For these reasons, I suggest tracking the latest code; it will help save you some trouble if something major comes up, like a real attack against your devices. You don't want to be jumping from SXE to SXI just to get [useful] support.

- Jared

From gert at greenie.muc.de Sat Dec 12 16:00:01 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 12 Dec 2009 22:00:01 +0100
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID: <20091212210001.GU163@greenie.muc.de>

Hi,

On Sat, Dec 12, 2009 at 11:44:39AM -0800, Thilak T wrote:
> How important or significant is it to schedule reloads of Data Center/Campus
> switches with uptime over 1 year? What is the logic/reason behind this
> advice from Cisco?

We never reload anything, unless a *specific* reason exists - e.g. "software update unavoidable" or "device misbehaving and we can't find any non-reload way to mitigate".

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From tvarriale at comcast.net Sat Dec 12 20:11:17 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Sat, 12 Dec 2009 19:11:17 -0600
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID:

Assuming you are on a stable release for your feature requirements, that's not a reason to reload.
tv

----- Original Message -----
From: "Thilak T"
To:
Sent: Saturday, December 12, 2009 1:44 PM
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary

> Hello Forum,
>
> How important or significant is it to schedule reloads of Data Center/Campus
> switches with uptime over 1 year? What is the logic/reason behind this
> advice from Cisco?

From peter.hicks at poggs.co.uk Sat Dec 12 20:32:38 2009
From: peter.hicks at poggs.co.uk (Peter Hicks)
Date: Sun, 13 Dec 2009 01:32:38 +0000
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID: <4B244436.5000903@poggs.co.uk>

Thilak T wrote:
> How important or significant is it to schedule reloads of Data Center/Campus
> switches with uptime over 1 year? What is the logic/reason behind this
> advice from Cisco?

I've had switches and routers up for anything between 2 and 5 years with absolutely no problems. If an upgrade is required, we carry out an upgrade. If not, we don't reboot kit unless it's part of scheduled work - e.g. moving racks.

Where did you hear this advice from Cisco?
Peter

From lukasz at bromirski.net Sat Dec 12 20:45:08 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 13 Dec 2009 02:45:08 +0100
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID: <4B244724.8060002@bromirski.net>

On 2009-12-12 20:44, Thilak T wrote:
> Hello Forum,
>
> How important or significant is it to schedule reloads of Data Center/Campus
> switches with uptime over 1 year? What is the logic/reason behind this
> advice from Cisco?

There is no such advice. There is a sort of "urban legend", but in reality a misquoted Cisco document for one of the customers: if, under specific circumstances, the devices working as a pair were to be kept on the same revision of software that was known to be buggy (but the customer accepted it), the switches were to be rebooted before the agreed amount of memory was lost by a dead process. It was later quoted as official advice from Cisco that specific Catalyst models or specific router models (depending on what version of the legend you've heard) were meant to be rebooted after X days of operation.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From lukasz at bromirski.net Sat Dec 12 20:48:00 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sun, 13 Dec 2009 02:48:00 +0100
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <4B244436.5000903@poggs.co.uk>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com> <4B244436.5000903@poggs.co.uk>
Message-ID: <4B2447D0.4000608@bromirski.net>

On 2009-12-13 02:32, Peter Hicks wrote:
> Thilak T wrote:
>
>> How important or significant is it to schedule reloads of Data Center
>> /Campus
>> switches with uptime over 1 year?
>> What is the logic/reason behind this
>> advice from Cisco?

...ah, and I've forgotten about the other instance I saw it - another case, where the device was working as an edge BGP-peering device, and was constantly allocating/deallocating memory. IOS doesn't defragment free space, so it was an assumption that after X days of operation within this specific environment the customer may choose to reboot the device to defragment the memory - if I remember correctly it was just about the one year quoted.

--
"Everything will be okay in the end. | Łukasz Bromirski
If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From mtinka at globaltransit.net Sat Dec 12 22:20:21 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 13 Dec 2009 11:20:21 +0800
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <20091212210001.GU163@greenie.muc.de>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com> <20091212210001.GU163@greenie.muc.de>
Message-ID: <200912131120.26291.mtinka@globaltransit.net>

On Sunday 13 December 2009 05:00:01 am Gert Doering wrote:

> We never reload anything, unless a *specific* reason
> exists - e.g. "software update unavoidable" or "device
> misbehaving and we can't find any non-reload way to
> mitigate".

Same here.

In most cases, for us, reasons for reload will be driven by software upgrades. These software upgrades would be driven by needing to support:

* new hardware, e.g., newer line cards, newer optical modules, etc.

* fixing terrible bugs for features that we have turned on (if a bug exists for a feature we haven't enabled or don't plan to enable, and the bug doesn't "play" when the affected feature is disabled, we don't upgrade).

* introducing new features, although for this, we'd normally prefer to wait at least for another 2 or 3 rebuilds of the code base following the initial release of the feature, just to work out any issues that could have arisen from early deployment of the feature.
Apart from that, we're happy. For instance, we run SXI2a on our 6500's, and that's fine with us, even though SXI3 is out. With just Layer 2 Ethernet switching going on, we don't need much else, unless of course SXI5 fixes something really terrible in a core function.

However, we've seen a number of upgrades in the past year going on for IOS 12.2(33)SRC due to bugs, as well as JUNOS 9.x due to bugs also. But this seems to be stabilizing now, on both fronts.

One reason where I'll see most (if not all) service providers needing to upgrade code is to introduce 4-byte ASN support. Yes, you could work around it by supporting AS23456, but if you're looking to keep the NOC folk happy, we may not be able to run away from moving some or all of our boxes to later code just for this.

Cheers,

Mark.

From rdobbins at arbor.net Sat Dec 12 23:14:42 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Sun, 13 Dec 2009 04:14:42 +0000
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To:
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com>
Message-ID: <9CBED2BA-D964-4202-AC5B-1C09ED4D5A1A@arbor.net>

> What is the logic/reason behind this advice from Cisco.

It's just pure nonsense. Any Cisco personnel who spout this are grossly mistaken, and lack actual operational experience.

I tried to get the deeply flawed Cisco document which 'recommends' this illogical and operationally unsound practice destroyed and repudiated several times, but because of internal politics, I wasn't able to get it killed; some egos and even promotions were tied up in producing the document in question (the factual accuracy of the document didn't matter, just the fact that it was 'finished' according to the planned production schedule).
-----------------------------------------------------------------------
Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken

From yuribank at gmail.com Sun Dec 13 04:57:58 2009
From: yuribank at gmail.com (Yuri Bank)
Date: Sun, 13 Dec 2009 01:57:58 -0800
Subject: [c-nsp] vlan access-map
In-Reply-To: <180700.95946.qm@web76302.mail.sg1.yahoo.com>
References: <180700.95946.qm@web76302.mail.sg1.yahoo.com>
Message-ID: <2e38d2400912130157wc52444cp79a49ead9820d932@mail.gmail.com>

A 3640 with the NM-16ESW is pretty limited for vlan features. I would look into getting a Catalyst 3550, which supports pretty much all the features needed for the BCMSN (except private-vlans). They go for about $200 on ebay.

-yuri

On Fri, Dec 11, 2009 at 7:05 PM, ==N== wrote:
> Dear All,
>
> Currently I need to make a lab for my BCMSN; since I use dynamips with a C3640,
> the switch commands are limited. I need your opinion.
> Does anyone know if vlan access-map works under the c3640 in dynamips/dynagen?
>
> Thanks for help
>
> Regards,
>
> -Suryantofang-
>
> " Fly Higher - Run Faster "
> http://suryantofang.wordpress.com
From jckdaniels12 at gmail.com Sun Dec 13 10:36:33 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Sun, 13 Dec 2009 21:06:33 +0530
Subject: [c-nsp] Application issue over ISP
Message-ID: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com>

Hi Guys,

I have a scenario -

CE -------ISP1
|
|
|
ISP2

Users behind CE connect to a remote application. Now the issue is, if the ISP1 link or ISP1 goes down, I have less than 4 sec for the application to go via the other link so that users are not impacted. So can there be any solution for traffic to converge before 2 request timeouts, so that my application users are not impacted?

Regards

From mtinka at globaltransit.net Sun Dec 13 10:54:50 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 13 Dec 2009 23:54:50 +0800
Subject: [c-nsp] Application issue over ISP
In-Reply-To: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com>
References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com>
Message-ID: <200912132354.55058.mtinka@globaltransit.net>

On Sunday 13 December 2009 11:36:33 pm jack daniels wrote:

> Users behind CE connect to a remote application.
> Now the issue is, if the ISP1 link or ISP1 goes down, I have
> less than 4 sec for the application to go via the other link so
> that users are not impacted. So can there be any solution
> for traffic to converge before 2 request timeouts, so
> that my application users are not impacted?

Just to clarify, are you running BGP with either ISP (using your own address space)?

Cheers,

Mark.
From v.jones at networkingunlimited.com Sun Dec 13 11:53:28 2009
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Sun, 13 Dec 2009 11:53:28 -0500
Subject: [c-nsp] Application issue over ISP
In-Reply-To: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com>
References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com>
Message-ID: <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul>

On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote:
> I have a scenario -
>
> CE -------ISP1
> |
> |
> |
> ISP2
>
> Users behind CE connect to a remote application.
> Now the issue is, if the ISP1 link or ISP1 goes down, I have less than 4 sec
> for the application to go via the other link so that users are not impacted.
> So can there be any solution for traffic to converge before 2 request
> timeouts, so that my application users are not impacted?

There are a wide variety of solutions, but whether or not they will work for you depends very much on both the specifics of the application and how you connect to your ISPs. Classic dual-homed BGP is not one of the solutions given your timeout requirements. "Ping based routing" may do the job if your user application can tolerate changing public IP addresses. If you have a presence at both ends of the public internet connection, you could also look at tunnel based solutions.

--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From eninja at gmail.com Sun Dec 13 15:01:48 2009
From: eninja at gmail.com (e ninja)
Date: Sun, 13 Dec 2009 12:01:48 -0800
Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary
In-Reply-To: <20091212210001.GU163@greenie.muc.de>
References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com> <20091212210001.GU163@greenie.muc.de>
Message-ID:

Totally concur. If it's not broken, don't fix it. *All* new bugs are introduced into software inadvertently while fixing existing bugs or implementing new features.
/eninja

On Sat, Dec 12, 2009 at 1:00 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Dec 12, 2009 at 11:44:39AM -0800, Thilak T wrote:
> > How important or significant is it to schedule reloads of Data Center/Campus
> > switches with uptime over 1 year? What is the logic/reason behind this
> > advice from Cisco?
>
> We never reload anything, unless a *specific* reason exists - e.g. "software
> update unavoidable" or "device misbehaving and we can't find any non-reload
> way to mitigate".
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From jckdaniels12 at gmail.com Mon Dec 14 01:02:39 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 14 Dec 2009 11:32:39 +0530
Subject: [c-nsp] Application issue over ISP
In-Reply-To: <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul>
References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul>
Message-ID: <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com>

Hi,

I can run any protocol, but can't run a tunnel as the other side is a client who can't make changes.

On Sun, Dec 13, 2009 at 10:23 PM, Vincent C Jones <v.jones at networkingunlimited.com> wrote:

> On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote:
> > I have a scenario -
> >
> > CE -------ISP1
> > |
> > |
> > |
> > ISP2
> >
> > Users behind CE connect to a remote application.
> > Now the issue is, if the ISP1 link or ISP1 goes down, I have less than 4 sec
> > for the application to go via the other link so that users are not impacted.
> > So can there be any solution for traffic to converge before 2 request > > timeouts , so that my application users are not impacted. > > There are a wide variety of solutions, but whether or not they will work > for you depends very much on both the specifics of the application and > how you connect to your ISPs. Classic dual-homed BGP is not one of the > solutions given your timeout requirements. "Ping based routing" may do > the job if your user application can tolerate changing public IP > addresses. If you have a presence at both ends of the public internet > connection, you could also look at tunnel based solutions. > > -- > Vincent C. Jones > Networking Unlimited, Inc. > Phone: +1 201 568-7810 > V.Jones at NetworkingUnlimited.com > > > From nalcomis at gmail.com Mon Dec 14 05:57:48 2009 From: nalcomis at gmail.com (Erik Fairbanks) Date: Mon, 14 Dec 2009 19:57:48 +0900 Subject: [c-nsp] Application issue over ISP In-Reply-To: <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> Message-ID: <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> Out of curiosity, what is ping based routing? 02 PM, jack daniels wrote: > Hi , > > I can run any protocol , cant run tunnel as other side is client who cant > make changes > > > > > On Sun, Dec 13, 2009 at 10:23 PM, Vincent C Jones < > v.jones at networkingunlimited.com> wrote: > > > On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote: > > > I have a scenario - > > > > > > CE -------ISP1 > > > | > > > | > > > | > > > ISP2 > > > > > > users behind CE connect to remote application , > > > Now issue is if ISP1 LINK or ISP1 goes down I have times less than 4 > sec > > > for application to go via other link so that users are not imacted. 
> > > So can there be any solution for traffic to converge before 2 request > > > timeouts , so that my application users are not impacted. > > > > There are a wide variety of solutions, but whether or not they will work > > for you depends very much on both the specifics of the application and > > how you connect to your ISPs. Classic dual-homed BGP is not one of the > > solutions given your timeout requirements. "Ping based routing" may do > > the job if your user application can tolerate changing public IP > > addresses. If you have a presence at both ends of the public internet > > connection, you could also look at tunnel based solutions. > > > > -- > > Vincent C. Jones > > Networking Unlimited, Inc. > > Phone: +1 201 568-7810 > > V.Jones at NetworkingUnlimited.com > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter at rathlev.dk Mon Dec 14 06:44:44 2009 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 14 Dec 2009 12:44:44 +0100 Subject: [c-nsp] Application issue over ISP In-Reply-To: <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> Message-ID: <1260791084.11066.6.camel@localhost> On Mon, 2009-12-14 at 19:57 +0900, Erik Fairbanks wrote: > On Sun, 2009-12-13 at 11:53 -0500, Vincent C Jones wrote: > > "Ping based routing" may do the job if your user application can > > tolerate changing public IP addresses. > > Out of curiosity, what is ping based routing? I think Vincent means static routing with RTR/IP SLA tracking to invalidate a route if the next hop is unreachable. 
Cisco calls it "Reliable Static Routing Backup Using Object Tracking". http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html -- Peter From masood at nexlinx.net.pk Mon Dec 14 06:52:00 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Mon, 14 Dec 2009 16:52:00 +0500 (PKT) Subject: [c-nsp] Application issue over ISP In-Reply-To: <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> Message-ID: <41250.196.46.241.57.1260791520.squirrel@nexmail1.nexlinx.net.pk> have a look at the following URL.. http://www.ciscoblog.com/archives/2008/08/dynamic_failove.html Kind Regards, Masood Blogs: http://weblogs.com.pk/jahil/ > Out of curiosity, what is ping based routing? > > 02 PM, jack daniels wrote: > >> Hi , >> >> I can run any protocol , cant run tunnel as other side is client who >> cant >> make changes >> >> >> >> >> On Sun, Dec 13, 2009 at 10:23 PM, Vincent C Jones < >> v.jones at networkingunlimited.com> wrote: >> >> > On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote: >> > > I have a scenario - >> > > >> > > CE -------ISP1 >> > > | >> > > | >> > > | >> > > ISP2 >> > > >> > > users behind CE connect to remote application , >> > > Now issue is if ISP1 LINK or ISP1 goes down I have times less than 4 >> sec >> > > for application to go via other link so that users are not imacted. >> > > So can there be any solution for traffic to converge before 2 >> request >> > > timeouts , so that my application users are not impacted. >> > >> > There are a wide variety of solutions, but whether or not they will >> work >> > for you depends very much on both the specifics of the application and >> > how you connect to your ISPs. 
Classic dual-homed BGP is not one of the
>> > solutions given your timeout requirements. "Ping based routing" may do
>> > the job if your user application can tolerate changing public IP
>> > addresses. If you have a presence at both ends of the public internet
>> > connection, you could also look at tunnel based solutions.
>> >
>> > --
>> > Vincent C. Jones
>> > Networking Unlimited, Inc.
>> > Phone: +1 201 568-7810
>> > V.Jones at NetworkingUnlimited.com
>> >
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sami.joseph at gmail.com Mon Dec 14 06:57:01 2009
From: sami.joseph at gmail.com (Sami Joseph)
Date: Mon, 14 Dec 2009 13:57:01 +0200
Subject: [c-nsp] OT : Are we forced to have bad communication skills because of what we do
Message-ID: <9da37ec40912140357i54edfc6dl5ef54ac01880dc31@mail.gmail.com>

Sorry if this is really off topic, but you guys would know if it's not only me
seeing this.

I've spent years working with machines (routers, switches, servers) and I
want to ask you guys if it's a must to feel a change in how I communicate with
people around me (face to face conversations)?

Did anyone experience something and reach out for professional help? I
want to know if too many computers will really affect me?

If yes, what should be done about this?
thanks, Sam From nalcomis at gmail.com Mon Dec 14 07:07:02 2009 From: nalcomis at gmail.com (Erik Fairbanks) Date: Mon, 14 Dec 2009 21:07:02 +0900 Subject: [c-nsp] Application issue over ISP In-Reply-To: <41250.196.46.241.57.1260791520.squirrel@nexmail1.nexlinx.net.pk> References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> <41250.196.46.241.57.1260791520.squirrel@nexmail1.nexlinx.net.pk> Message-ID: <3133f8630912140407v5fd876c1u9192ac7cf99d2531@mail.gmail.com> Gotcha. I am familiar with using SLA to track a route, but there is still the issue of convergence within the ISPs. We implemented a similar configuration in my environment using AS prepend on the least favored link, but it takes several minutes to converge "globally." Thanks for the link. On Mon, Dec 14, 2009 at 8:52 PM, wrote: > have a look at the following URL.. > > http://www.ciscoblog.com/archives/2008/08/dynamic_failove.html > > Kind Regards, > Masood > Blogs: http://weblogs.com.pk/jahil/ > > > > Out of curiosity, what is ping based routing? > > > > 02 PM, jack daniels wrote: > > > >> Hi , > >> > >> I can run any protocol , cant run tunnel as other side is client who > >> cant > >> make changes > >> > >> > >> > >> > >> On Sun, Dec 13, 2009 at 10:23 PM, Vincent C Jones < > >> v.jones at networkingunlimited.com> wrote: > >> > >> > On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote: > >> > > I have a scenario - > >> > > > >> > > CE -------ISP1 > >> > > | > >> > > | > >> > > | > >> > > ISP2 > >> > > > >> > > users behind CE connect to remote application , > >> > > Now issue is if ISP1 LINK or ISP1 goes down I have times less than 4 > >> sec > >> > > for application to go via other link so that users are not imacted. 
> >> > > So can there be any solution for traffic to converge before 2 > >> request > >> > > timeouts , so that my application users are not impacted. > >> > > >> > There are a wide variety of solutions, but whether or not they will > >> work > >> > for you depends very much on both the specifics of the application and > >> > how you connect to your ISPs. Classic dual-homed BGP is not one of the > >> > solutions given your timeout requirements. "Ping based routing" may do > >> > the job if your user application can tolerate changing public IP > >> > addresses. If you have a presence at both ends of the public internet > >> > connection, you could also look at tunnel based solutions. > >> > > >> > -- > >> > Vincent C. Jones > >> > Networking Unlimited, Inc. > >> > Phone: +1 201 568-7810 > >> > V.Jones at NetworkingUnlimited.com > >> > > >> > > >> > > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > From nalcomis at gmail.com Mon Dec 14 07:11:23 2009 From: nalcomis at gmail.com (Erik Fairbanks) Date: Mon, 14 Dec 2009 21:11:23 +0900 Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary In-Reply-To: References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com> <20091212210001.GU163@greenie.muc.de> Message-ID: <3133f8630912140411p4ebd3a76i5b4c2f7314aca6a9@mail.gmail.com> Similar to how a light bulb doesn't break until it is turned off and turned back on :) On Mon, Dec 14, 2009 at 5:01 AM, e ninja wrote: > Totally concur. If it's not broken, don't fix it. 
> > *All* new bugs are introduced into software inadvertently while fixing > existing bugs or implementing new features. > > /eninja > > > > On Sat, Dec 12, 2009 at 1:00 PM, Gert Doering wrote: > > > Hi, > > > > On Sat, Dec 12, 2009 at 11:44:39AM -0800, Thilak T wrote: > > > How important or significant is to schedule reloads of Data Center > > /Campus > > > switches with uptime over 1 year ? What is the logic/reason behind this > > > advice from Cisco. > > > > We never reload anything, unless a *specific* reason exists - e.g. > > "software > > update unavoidable" or "device misbehaving and we can't find any > non-reload > > way to mitigate". > > > > gert > > -- > > USENET is *not* the non-clickable part of WWW! > > // > > www.muc.de/~gert/ < > http://www.muc.de/%7Egert/> > > Gert Doering - Munich, Germany > > gert at greenie.muc.de > > fax: +49-89-35655025 > > gert at net.informatik.tu-muenchen.de > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From masood at nexlinx.net.pk Mon Dec 14 07:17:39 2009 From: masood at nexlinx.net.pk (masood at nexlinx.net.pk) Date: Mon, 14 Dec 2009 17:17:39 +0500 (PKT) Subject: [c-nsp] Application issue over ISP In-Reply-To: <3133f8630912140407v5fd876c1u9192ac7cf99d2531@mail.gmail.com> References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> <41250.196.46.241.57.1260791520.squirrel@nexmail1.nexlinx.net.pk> 
<3133f8630912140407v5fd876c1u9192ac7cf99d2531@mail.gmail.com>
Message-ID: <40743.196.46.241.57.1260793059.squirrel@nexmail1.nexlinx.net.pk>

Ivan has this similar article with a working example applicable in real life:

http://www.nil.com/ipcorner/SmallSiteMultiHoming/

Please read this article properly. Might help you :)

If the above article does not work for you, could you please be more specific
about the issue, like what is causing the delay and what is the precise
topology of the logical network (protocols, media and transmission)?

Kind Regards,
Masood
Blogs: http://weblogs.com.pk/jahil/

> Gotcha. I am familiar with using SLA to track a route, but there is still
> the issue of convergence within the ISPs. We implemented a similar
> configuration in my environment using AS prepend on the least favored link,
> but it takes several minutes to converge "globally."
>
> Thanks for the link.
>
> On Mon, Dec 14, 2009 at 8:52 PM, wrote:
>
>> have a look at the following URL..
>>
>> http://www.ciscoblog.com/archives/2008/08/dynamic_failove.html
>>
>> Kind Regards,
>> Masood
>> Blogs: http://weblogs.com.pk/jahil/
>>
>> > Out of curiosity, what is ping based routing?
>> >
>> > 02 PM, jack daniels wrote:
>> >
>> >> Hi,
>> >>
>> >> I can run any protocol, can't run a tunnel as the other side is a client who
>> >> can't make changes
>> >>
>> >> On Sun, Dec 13, 2009 at 10:23 PM, Vincent C Jones <
>> >> v.jones at networkingunlimited.com> wrote:
>> >>
>> >> > On Sun, 2009-12-13 at 21:06 +0530, jack daniels wrote:
>> >> > > I have a scenario -
>> >> > >
>> >> > > CE -------ISP1
>> >> > > |
>> >> > > |
>> >> > > |
>> >> > > ISP2
>> >> > >
>> >> > > users behind CE connect to remote application,
>> >> > > Now issue is if ISP1 LINK or ISP1 goes down I have times less than 4 sec
>> >> > > for application to go via other link so that users are not impacted.
>> >> > > So can there be any solution for traffic to converge before 2 request
>> >> > > timeouts, so that my application users are not impacted.
>> >> >
>> >> > There are a wide variety of solutions, but whether or not they will work
>> >> > for you depends very much on both the specifics of the application and
>> >> > how you connect to your ISPs. Classic dual-homed BGP is not one of the
>> >> > solutions given your timeout requirements. "Ping based routing" may do
>> >> > the job if your user application can tolerate changing public IP
>> >> > addresses. If you have a presence at both ends of the public internet
>> >> > connection, you could also look at tunnel based solutions.
>> >> >
>> >> > --
>> >> > Vincent C. Jones
>> >> > Networking Unlimited, Inc.
>> >> > Phone: +1 201 568-7810
>> >> > V.Jones at NetworkingUnlimited.com
>> >> >
>> >> _______________________________________________
>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>>
>

From jckdaniels12 at gmail.com Mon Dec 14 08:04:50 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Mon, 14 Dec 2009 18:34:50 +0530
Subject: [c-nsp] Design issue for customer with dual MPLS links
Message-ID: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>

Hi Guys,

This is a particular design issue I'm facing with a customer where I have a lot
of constraints.

Topology

  MPLS CLOUD (ISP1)                  MPLS CLOUD (ISP2)
         |                                  |
         |                                  |
         |                                  |
        CE1                                CE2
         |                                  |
         |---------PIX525 (CLUSTER)---------|
                          |
                          |
                          |
           LAN (6509 catalyst switch - running HSRP)

Issue - I want to go out via ISP1 and come back via ISP1 ......Backup is CE2

When traffic reaches the PIX cluster how will it decide whether ISP1 is UP and
traffic is not blackholed......How will the PIX cluster decide to FWD traffic to
ISP2?

Now for this solution, constraints are -

1) I can't run HSRP on CE1 and CE2
2) Can't run dynamic routing on PIX
3) IP SLA also can't be used on PIX cluster

Regards

From p.mayers at imperial.ac.uk Mon Dec 14 08:33:34 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 14 Dec 2009 13:33:34 +0000
Subject: [c-nsp] Design issue for customer with dual MPLS links
In-Reply-To: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
References: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
Message-ID: <4B263EAE.6010903@imperial.ac.uk>

jack daniels wrote:
> Hi Guys,
>
> This is a particular design issue I'm facing with a customer where I have a lot
> of constraints.
>
> Topology
>

The diagram is a bit mangled, at least for me...

>
> MPLS CLOUD (ISP1)
> MPLS CLOUD (ISP2)
> |
> |
> |
> |
> |
> |
> CE1
> CE2
> |
> |
> |--------------------------------PIX525
> (CLUSTER)---------------------------------
> |
> |
> |
> LAN ( 6509 catalyst switch - running
> HSRP)
>
>
> Issue - I want to go out via ISP1 and come back via ISP1 ......Backup is
> CE2
>
> When traffic reaches PIX cluster how will it decide whether ISP1 is UP and
> traffic is not blackholed......How will PIX cluster decide to FWD traffic to
> ISP2.
>
> Now for this solution, constraints are -
>
> 1) I can't run HSRP on CE1 and CE2
> 2) Can't run dynamic routing on PIX
> 3) IP SLA also can't be used on PIX cluster

Oh good. An easy question.

Seriously - go back to the customer and re-negotiate the constraints.
Failing that - use something like EEM on CE1 to drop the physical link from CE1->PIX if the internet goes away, and on the PIX, have two static default routes - a low-cost one pointing to CE1 and a high-cost pointing to CE2. This assumes the link from CE1->PIX is an actual physical link. It obviously won't work if it goes via a layer2 switch. But HSRP or routing are the "best" ways to solve this. From avayner at cisco.com Mon Dec 14 08:35:10 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Mon, 14 Dec 2009 14:35:10 +0100 Subject: [c-nsp] Design issue for customer with dual MPLS links In-Reply-To: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com> References: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com> Message-ID: Jack, I think you should take a look at PfR (used to be called OER): http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Transpo rt_diversity/Transport_Diversity_PfR.html http://www.cisco.com/en/US/products/ps8787/products_ios_protocol_option_ home.html http://www.cisco.com/en/US/docs/ios/oer/configuration/guide/15_0/oer_15_ 0_book.html Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jack daniels Sent: Monday, December 14, 2009 15:05 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Design issue for customer with dual MPLS links Hi Guys, This is a paticular design issue I'm facing with customer where I have a lot of constrainits . Topology MPLS CLOUD (ISP1) MPLS CLOUD (ISP2) | | | | | | CE1 CE2 | | |--------------------------------PIX525 (CLUSTER)--------------------------------- | | | LAN ( 6509 catalyst switch - runnning HSRP) Issue - I want to go out via ISP1 and come back via ISP1 ......Backup is CE2 When traffic reaches PIX cluster how will it decide whether ISP1 is UP and traffic is not blackholed......How will PIX cluster decide to FWD traffic to ISP2. 
Now for this solution, constraints are -

1) I can't run HSRP on CE1 and CE2
2) Can't run dynamic routing on PIX
3) IP SLA also can't be used on PIX cluster

Regards
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From david.freedman at uk.clara.net Mon Dec 14 08:42:32 2009
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 14 Dec 2009 13:42:32 +0000
Subject: [c-nsp] Design issue for customer with dual MPLS links
In-Reply-To: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
References: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
Message-ID:

jack daniels wrote:
> Hi Guys,
>
> This is a particular design issue I'm facing with a customer where I have a lot
> of constraints.
>
> Topology
>
>
> MPLS CLOUD (ISP1)
> MPLS CLOUD (ISP2)
> |
> |
> |
> |
> |
> |
> CE1
> CE2
> |
> |
> |--------------------------------PIX525
> (CLUSTER)---------------------------------
> |
> |
> |
> LAN ( 6509 catalyst switch - running
> HSRP)
>
>
> Issue - I want to go out via ISP1 and come back via ISP1 ......Backup is
> CE2
>
> When traffic reaches PIX cluster how will it decide whether ISP1 is UP and
> traffic is not blackholed......How will PIX cluster decide to FWD traffic to
> ISP2.
>
> Now for this solution, constraints are -
>
> 1) I can't run HSRP on CE1 and CE2

Do you manage CE1/2? If not, how about getting the two ISPs to co-operate and
do HSRP/VRRP between each other? This situation is not impossible and I know of
many examples (at least in Europe) where this takes place.

> 2) Can't run dynamic routing on PIX

PIX does RIP and I think some BGP now, no? Even so, if you don't manage CE1/2
you would have to get both managing parties to enable this.

> 3) IP SLA also can't be used on PIX cluster

Are the pix in L2 or L3 mode?
if in L2 could you not do IPSLA from the 6509 such to decide which CE for
egress?

If the pix are in L3 I suppose you could subdivide them into contexts for
ISP1/2 and have each of these statically tied to CE1/2 and then use IPSLA on
6509 to fail between these? (yes, it would be messy and painful managing both
sets of rules)

Dave.

> > Regards
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From livio.zanol.puppim at gmail.com Mon Dec 14 10:05:58 2009
From: livio.zanol.puppim at gmail.com (Livio Zanol Puppim)
Date: Mon, 14 Dec 2009 13:05:58 -0200
Subject: [c-nsp] tacacs+ restrictions
In-Reply-To: <1260633556.16468.4.camel@localhost>
References: <8D68760F464FFD40A01BF2FB374E4A2802156A9AEF3A@SRVEXC02.aas.its.nja.dk> <1260633556.16468.4.camel@localhost>
Message-ID:

Have you added "aaa authorization config-commands" to the configuration at
the router?

2009/12/12 Peter Rathlev
> On Sat, 2009-12-12 at 15:15 +0100, Arne Larsen wrote:
> > Hi all.
> >
> > I know it's a bit off topic, but anyway.
> > I'm trying to get tacacs+ to restrict access and commands for users.
> > I can't seem to get it right. Whatever I do, I either get no
> > configuration commands rejected or all get rejected.
> > I would like to make a user that only can change vlan tag under
> > interfaces configuration. This is what I tried to configure..
> >
> [...]
> >
> > Have anyone of you tried to do something similar, any input would be
> > appreciated very much.
> > Or does someone know where I can seek help.
>
> We have an "operator" group with limited access to some datacenter
> switches, configured like this:
>
> acl = access-sw-only {
>     permit = ^10\.77\.24[456]\.
> }
>
> group = operator {
>     default service = deny
>     login = PAM
>     service = exec {
>         priv-lvl = 15
>     }
>     #### Exec level commands ####
>     cmd = show {
>         permit "."
>     }
>     cmd = exit {
>         permit "$"
>     }
>     cmd = quit {
>         permit "$"
>     }
>     cmd = write {
>         permit "terminal $"
>         permit "memory $"
>     }
>     #### Configure commands ####
>     cmd = configure {
>         permit "^terminal $"
>     }
>     #--- Allow the exec level commands from configure mode ---#
>     cmd = do {
>         permit "^show .*"
>     }
>     #--- Allow entering interfaces ---#
>     cmd = interface {
>         #--- Disallow configuring uplinks ---#
>         deny "^GigabitEthernet [12]/0/2[34] $"
>         #--- Allow configuring physical interfaces ---#
>         permit "^(Gigabit|Fast)Ethernet.*"
>     }
>     #--- Allow a range of specific interface conf commands ---#
>     cmd = switchport {
>         permit "^access vlan [128][0-9][0-9] $"
>         permit "^mode access $"
>     }
>     cmd = description {
>         permit "."
>     }
>     cmd = shutdown {
>         permit "^$"
>     }
>     cmd = spanning-tree {
>         permit "^portfast $"
>         permit "^bpduguard enable $"
>     }
>     cmd = mls {
>         permit "^qos cos 3 $"
>         permit "^qos cos override $"
>     }
>     #--- Allow creation and naming of VLANs 100-299 + 800-899 ---#
>     cmd = vlan {
>         permit "^[128][0-9][0-9] $"
>     }
>     cmd = name {
>         permit "."
>     }
>     #--- Allow unshutting interfaces, and clearing descriptions ---#
>     cmd = no {
>         permit "^shutdown $"
>         permit "^description .*"
>     }
>     acl = access-sw-only
> }
>
> You can enable debugging for the tac_plus daemon to see exactly what the
> device asks to have accepted/rejected.
>
> --
> Peter
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
[]'s
Lívio Zanol Puppim

From v.jones at networkingunlimited.com Mon Dec 14 10:29:48 2009
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Mon, 14 Dec 2009 10:29:48 -0500
Subject: [c-nsp] Design issue for customer with dual MPLS links
In-Reply-To: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
References: <8bb137f40912140504r75a5da15k4487e5f3d9cf1e44@mail.gmail.com>
Message-ID: <1260804588.5287.31.camel@X61.NetworkingUnlimited.nul>

On Mon, 2009-12-14 at 18:34 +0530, jack daniels wrote:
> Hi Guys,
>
> This is a particular design issue I'm facing with a customer where I have a lot
> of constraints.
>
> Topology
>
>
> MPLS CLOUD (ISP1)
> MPLS CLOUD (ISP2)
> |
> |
> |
> |
> |
> |
> CE1
> CE2
> |
> |
> |--------------------------------PIX525
> (CLUSTER)---------------------------------
> |
> |
> |
> LAN ( 6509 catalyst switch - running
> HSRP)
>
>
> Issue - I want to go out via ISP1 and come back via ISP1 ......Backup is
> CE2
>
> When traffic reaches PIX cluster how will it decide whether ISP1 is UP and
> traffic is not blackholed......How will PIX cluster decide to FWD traffic to
> ISP2.
>
> Now for this solution, constraints are -
>
> 1) I can't run HSRP on CE1 and CE2
> 2) Can't run dynamic routing on PIX
> 3) IP SLA also can't be used on PIX cluster
>
> Regards

Just checking... is this a second design problem you are presenting or a
followup to your earlier post "[c-nsp] Application issue over ISP"?

In either case, both are missing critical information required to provide
useful feedback...

1 - Any use of NAT? Any failover in place today?
2 - Constraints on far end (can you put any hardware/software there)?
3 - Constraints on application(s) (e.g. independent transactions, maintenance
of TCP connection state, failover time allowed, end to end response time,
bandwidth constraints, etc.)?
4 - Budget? (Can you throw additional hardware at the problem?)
5 - Timeframe to deployment? (Do you have time to learn all the ways redundancy
doesn't work, in particular distinguishing between what "should work" and what
"does work"?)

Also keep in mind that you are posting this to the cisco-nsp mailing list -- a
"list for people using cisco in a NSP (Network service provider) environment"
(quoted from the sign-up page), yet you are looking for a solution which
explicitly does not involve your ISPs, the very people who are most likely to
read this list. A mailing list or other forum targeted at end users of Cisco,
such as those at supportforums.cisco.com, might get you quicker, more relevant
results.

Good luck and have fun!

--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From v.jones at networkingunlimited.com Mon Dec 14 10:49:55 2009
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Mon, 14 Dec 2009 10:49:55 -0500
Subject: [c-nsp] Application issue over ISP
In-Reply-To: <1260791084.11066.6.camel@localhost>
References: <8bb137f40912130736n222424cfu55b88ceebd428594@mail.gmail.com> <1260723208.5287.6.camel@X61.NetworkingUnlimited.nul> <8bb137f40912132202m55194f1j49e3a23b7b929ca5@mail.gmail.com> <3133f8630912140257s604e8c05x9353ffc388e78a15@mail.gmail.com> <1260791084.11066.6.camel@localhost>
Message-ID: <1260805795.5287.48.camel@X61.NetworkingUnlimited.nul>

On Mon, 2009-12-14 at 12:44 +0100, Peter Rathlev wrote:
> On Mon, 2009-12-14 at 19:57 +0900, Erik Fairbanks wrote:
> > On Sun, 2009-12-13 at 11:53 -0500, Vincent C Jones wrote:
> > > "Ping based routing" may do the job if your user application can
> > > tolerate changing public IP addresses.
> >
> > Out of curiosity, what is ping based routing?
> > I think Vincent means static routing with RTR/IP SLA tracking to > invalidate a route if the next hop is unreachable. Cisco calls it > "Reliable Static Routing Backup Using Object Tracking". > > http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html Correct. It has been marketed under a variety of names over the years by Cisco and others. DISCLAIMER: I have not had a client with a need for this in years, but I recommend testing carefully before putting any solution into production. The last time I took serious look at using ping based routing (back when Cisco had it under the "Response Time Recorder" umbrella) I found wide variations in reliability and robustness between implementations, including between releases from the same vendor, and we gave up on the idea. -- Dr. Vincent C. Jones, PE Networking Unlimited, Inc. Phone: +1 201 568-7810 V.Jones at NetworkingUnlimited.com From trejrco at gmail.com Mon Dec 14 10:55:47 2009 From: trejrco at gmail.com (TJ) Date: Mon, 14 Dec 2009 10:55:47 -0500 Subject: [c-nsp] IPV6 In-Reply-To: <4B22762C.4050008@imperial.ac.uk> References: <4B22762C.4050008@imperial.ac.uk> Message-ID: <00f401ca7cd5$e93edd90$bbbc98b0$@com> Just minor added comments ... > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Phil Mayers > Sent: Friday, December 11, 2009 11:41 > > Michael Robson wrote: > > It's been a while since I worked with IPV6 and I am now once again > > plunging myself into this feckless world and was wondering if a > > couple of holes had now been plugged. What is the accepted way in > > IPV6 land to dish out IPV6 DNS server addresses (am I correct in > > saying that if you make use of NDP, you would still have to manually > > configure DNS servers)? The other hole, as was, is the lack of IPV6 > > There are 4 methods: > > * Don't use IPv6 DNS - use IPv4 DNS servers (via DHCPv4 or other). 
I > believe this is pretty common This is how WinXP does it, both IPv4 and IPv6 (A and AAAA) queries being sent over IPv4. I like to call it "cheating" :). > * Static config of IPv6 DNS servers, possibly using an anycast address > (I seem to recall there are products which try a well-known DNSv6 > address, but I can't remember what products, and what address) If you are thinking of the fec0:0:0:ffff::1 (and ::2 and ::3) style addresses those died along with Site-Local Addressing. (But you will still see those entries in every IPv6-enabled Win* platform ... ) (Automagic DNS --> http://tools.ietf.org/html/draft-ietf-ipv6-dns-discovery-07 SLAs deprecated --> http://tools.ietf.org/html/rfc3879 ) > * Advertisment in RA packets - RFC 5006. I think support for this on > IOS is pretty thin - I'm fairly sure 6500s don't support it and don't > have it roadmapped (sigh) Also waiting for client-side support. (sigh+=1) > * DHCPv6 > > > help address functionality on Cisco routers (well 6500s at least): if > > I were to go down the route of using DHCP for IPV6, how could I use a > > central server without this helper functionality? > > 6500s running SXI have gained the DHCPv6 relay support. Sadly, it > doesn't interoperate with 6vPE (which we use) so I've only tested it > lightly, but it more or less worked. > > Of course, many clients don't support DHCPv6 (e.g. WinXP) so you may > still need a solution for those. ... baby steps ... tiny, agonizingly slow, sometimes wobbly baby steps. 
/TJ From gsgranados at comcast.net Mon Dec 14 11:01:11 2009 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 14 Dec 2009 08:01:11 -0800 Subject: [c-nsp] OT : Are we forced to have bad communication skills becauseof what we do References: <9da37ec40912140357i54edfc6dl5ef54ac01880dc31@mail.gmail.com> Message-ID: <007501ca7cd6$aee8ac10$29ca0046@am.thmulti.com> I think the phrase is "go out side and play" ;) ----- Original Message ----- From: "Sami Joseph" To: "Cisco-nsp" Sent: Monday, December 14, 2009 3:57 AM Subject: [c-nsp] OT : Are we forced to have bad communication skills becauseof what we do > Sorry if this is really off topic but you guys would know if its not only > me > seeing this. > > I've spend years working with Machines (routers, switches, servers) and i > want to ask you guys if its a must to feel change in how i communicate > with > people around me (face to face conversations)? > > Did anyone experience something and reached out for professional help? i > want to know if too many computers will really affect me? > > IF yes, what should be done about this? > > thanks, > Sam > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rdobbins at arbor.net Mon Dec 14 11:06:08 2009 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 14 Dec 2009 16:06:08 +0000 Subject: [c-nsp] OT : Are we forced to have bad communication skills becauseof what we do In-Reply-To: <007501ca7cd6$aee8ac10$29ca0046@am.thmulti.com> References: <9da37ec40912140357i54edfc6dl5ef54ac01880dc31@mail.gmail.com> <007501ca7cd6$aee8ac10$29ca0046@am.thmulti.com> Message-ID: On Dec 14, 2009, at 11:01 PM, Scott Granados wrote: > I think the phrase is "go out side and play" Or, "Don't feed the trolls." 
;> ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From aptgetd at gmail.com Mon Dec 14 15:42:50 2009 From: aptgetd at gmail.com (sky vader) Date: Mon, 14 Dec 2009 12:42:50 -0800 Subject: [c-nsp] 12.4 IOS recommendation for 7206 Message-ID: <4B26A34A.8010802@gmail.com> Hi - Any recommendation for a stable enterprise IOS supporting following feature set. The role of this box is edge device, two ds3 feeds, bri (isdn) for backup, supporting, * voice * mpls * qos * ipsec 3des * ssh * netflow / ipsla * bgp / ospf * no memory leaks :-) Any personal experience from the trenches would be appreciated. regards, sky From dale.shaw+cisco-nsp at gmail.com Mon Dec 14 16:03:43 2009 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Tue, 15 Dec 2009 08:03:43 +1100 Subject: [c-nsp] 12.4 IOS recommendation for 7206 In-Reply-To: <4B26A34A.8010802@gmail.com> References: <4B26A34A.8010802@gmail.com> Message-ID: <3329cbb40912141303g6aa2ebaeqfae6f12101550150@mail.gmail.com> Hi, On Tue, Dec 15, 2009 at 7:42 AM, sky vader wrote: > > Any recommendation for a stable enterprise IOS [for 7200] > supporting following feature set. [...] There was a thread on this in the last week or so. I'm personally happy with 12.4(15)T - we run it on 12 or so 7200s (NPE-400s, NPE-G1s and NPE-G2s) and it's pretty solid. We don't run MPLS, BGP or OSPF on them (we're an EIGRP shop), but all your other boxes are ticked. cheers, Dale From thilak.t at gmail.com Mon Dec 14 20:45:43 2009 From: thilak.t at gmail.com (Thilak T) Date: Mon, 14 Dec 2009 17:45:43 -0800 Subject: [c-nsp] Is annual reloads of Cisco 6500 necessary In-Reply-To: <20091212210001.GU163@greenie.muc.de> References: <1d11fbf80912121144h471a9ed4s46cb675b69d3ba3d@mail.gmail.com> <20091212210001.GU163@greenie.muc.de> Message-ID: <1d11fbf80912141745t4d67dback8414f66b89ced76e@mail.gmail.com> Thanks all of you folks . 
I neither read any official documents suggesting reloads if there is not code upgrade or maintenance activity. However few customers does this "annual device reloads" . Was trying to figure what is the need for it. On Sat, Dec 12, 2009 at 1:00 PM, Gert Doering wrote: > Hi, > > On Sat, Dec 12, 2009 at 11:44:39AM -0800, Thilak T wrote: > > How important or significant is to schedule reloads of Data Center > /Campus > > switches with uptime over 1 year ? What is the logic/reason behind this > > advice from Cisco. > > We never reload anything, unless a *specific* reason exists - e.g. > "software > update unavoidable" or "device misbehaving and we can't find any non-reload > way to mitigate". > > gert > -- > USENET is *not* the non-clickable part of WWW! > // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > From dwinkworth at att.net Mon Dec 14 19:49:11 2009 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 14 Dec 2009 16:49:11 -0800 (PST) Subject: [c-nsp] 12.4 IOS recommendation for 7206 In-Reply-To: <3329cbb40912141303g6aa2ebaeqfae6f12101550150@mail.gmail.com> References: <4B26A34A.8010802@gmail.com> <3329cbb40912141303g6aa2ebaeqfae6f12101550150@mail.gmail.com> Message-ID: <299413.80594.qm@web180003.mail.gq1.yahoo.com> Agreed on the 12.4(15)T train. Pick the latest release of this. No new features have been introduced in this "train" since T7 or T8 I believe. Going forward, all releases will be bug-fix only. As I understand it. ________________________________ From: Dale Shaw To: aptgetd at gmail.com Cc: cisco-nsp at puck.nether.net Sent: Mon, December 14, 2009 3:03:43 PM Subject: Re: [c-nsp] 12.4 IOS recommendation for 7206 Hi, On Tue, Dec 15, 2009 at 7:42 AM, sky vader wrote: > > Any recommendation for a stable enterprise IOS [for 7200] > supporting following feature set. [...] There was a thread on this in the last week or so. 
I'm personally happy with 12.4(15)T - we run it on 12 or so 7200s (NPE-400s, NPE-G1s and NPE-G2s) and it's pretty solid. We don't run MPLS, BGP or OSPF on them (we're an EIGRP shop), but all your other boxes are ticked. cheers, Dale _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From David at Hughes.com.au Mon Dec 14 20:59:26 2009 From: David at Hughes.com.au (David Hughes) Date: Tue, 15 Dec 2009 11:59:26 +1000 Subject: [c-nsp] Port channel bug in SXI3 Message-ID: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au> Hi Since moving to SXI3 we've seen issues with port channels. Problems such as the physical interfaces and port channel config getting out of sync. A "sh run int" on a member of the Po will say it's shutdown but a "sh run int" on the Po itself shows it's up (and a "sh int" does too). It's not impacting on the operation of the box but it's confusing the hell out of some of the engineers having to work on them. We are seeing this on 2 pairs of 6500's with Sup720-3B's. We are working with TAC on this but thought I'd ping the list to see if anyone else has seen this problem. Thanks David ... From bitkraft at gmail.com Mon Dec 14 21:00:05 2009 From: bitkraft at gmail.com (Brian Spade) Date: Mon, 14 Dec 2009 18:00:05 -0800 Subject: [c-nsp] 6509 OIR logging for transceivers Message-ID: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com> Hi, I am doing some testing and can't seem to get the Catalyst 6509 to log an insertion or removal of a SFP. Is this supported? I have 'logging buffered 20000' configured but don't get a log when I insert/remove an SFP on a SUP-720-3B. 
Thanks, /bs From dave.kruger at mtnbusiness.co.za Tue Dec 15 03:27:45 2009 From: dave.kruger at mtnbusiness.co.za (Dave Kruger) Date: Tue, 15 Dec 2009 10:27:45 +0200 Subject: [c-nsp] BGP Hold time expired/ospf dropping 6500 Sup720-3BXL In-Reply-To: References: Message-ID: <4B274881.6030209@mtnbusiness.co.za> Drew Weaver wrote: > Howdy all, > > Last night I had an interesting encounter on one of my 6509s /w SUP7203-BXL. > > This switch has 3x iBGP sessions with full internet tables and is also running OSPF. > > Two of the three iBGP sessions randomly dropped with: > > %BGP-3-NOTIFICATION: sent to neighbor x.x.x.3 4/0 (hold time expired) 0 bytes, I also noticed that during this period OSPF dropped with Neighbor Down: Dead timer expired > > > and then re-established, and then failed again, and re-established, and failed again, and so-on, and so-on. > > I checked the physical interfaces between this 6500 and the two GSR 12000s it peers with and there were no errors, there was also no obvious spike in traffic that would account for latency that might cause the hold timers to expire. I remember when this system first came online it took a really long time for it to download the full internet tables from the upstream GSRs and also during that time there was a lot of CPU time being eaten up, I am wondering if maybe the first session failing caused sort of a 'performance' domino effect which then caused everything else to fail, the issue eventually corrected itself and stabilized. > > This particular box is running 12.2(18)SXF17 so I am less likely to believe it is a software bug. > > Does anyone have any tips on both how I can avoid the hold timer issue altogether I dont think your issue is bgp and it's hold time - if ospf session drops then so will BGP session. Are you sure your upstream GSR's did not fail-over? 
If so NSF might help you http://www.cisco.com/en/US/partner/docs/ios/iproute/configuration/guide/irp_bgp_adv_features_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056241 If you have unstable IGP, try to figure out why, if you cant, dampen. If that doesnt help, disable next-hop address tracking http://www.cisco.com/en/US/partner/docs/ios/iproute/configuration/guide/irp_bgp_adv_features_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056441 Regards Dave > and also how I can make it so that if a session does go down and re-establish it doesn't totally nail the CPU while it's trying to re-establish/download the routes? A long time ago I also read that increasing the MTU on both ends of a circuit can make BGP tables download faster, I don't know if that's true or not, has anyone else found that? > > thanks, > -Drew > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pslund at gmail.com Tue Dec 15 06:46:24 2009 From: pslund at gmail.com (=?ISO-8859-1?Q?P=E4r_=C5slund?=) Date: Tue, 15 Dec 2009 12:46:24 +0100 Subject: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module. Message-ID: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com> Hi, I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a site-to-site tunnel. Last night, I got the tunnel up. But after applying a acl to the 6500, the tunnel went down and stayed down. Removing configuration just to get the tunnel up again and continue trying to get the interesting traffic through as intended, the tunnel never comes up. The remote device is a ASA 5505, where I haven't touched anything since this failure started. From what I can get out of all this, looking at logs and crypto statistics. The traffic never gets to the module in slot 8. 
show crypto sessions - nothing
show crypto isakmp sa - nothing
show crypto ipsec sa - nothing

I can still use packet-tracer on the asa as I could before and the
flow is created, but nothing ends up in the 6500 logs. debug crypto
isakmp and debug crypto ipsec are both enabled without anything being
logged. Any ideas are most welcome. Guess I have missed something
obvious but right now I just can't figure out what it is.

This is the configuration from the 6500.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address no-xauth
!
crypto isakmp client configuration group GROUP1
 key
 dns 172.16.9.2
 domain i.company.com
 pool vpn
 acl 101
crypto isakmp profile ikepro
  match identity group GROUP1
  client authentication list userlist
  isakmp authorization list grouplist
  client configuration address respond
  client configuration group GROUP1
crypto isakmp profile site-to-site
  keyring default
  match identity address 255.255.255.255
  keepalive 60 retry 5
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto ipsec profile ipsecpro
 set transform-set 3dessha
!
!
crypto dynamic-map dynmap 10
 set transform-set 3dessha
 set isakmp-profile ikepro
crypto dynamic-map dynmap 15
 set peer 76.238.146.205
 set transform-set 3dessha
 set isakmp-profile site-to-site
crypto dynamic-map dynmap 20
 set transform-set 3dessha
 set isakmp-profile ikepro
!
!
crypto map vpnmap engine slot 8
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

and then on VLAN 8 where the traffic is supposed to come in:

interface Vlan8
 ip address 255.255.255.248
 ip nat outside
 standby 8 ip
 standby 8 priority 115
 standby 8 preempt
 standby 8 name
 crypto map vpnmap redundancy
end

Best regards,
.pelle

From r.tahina at moov.mg Tue Dec 15 07:19:41 2009
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Tue, 15 Dec 2009 15:19:41 +0300
Subject: [c-nsp] 7200 for BGP
Message-ID: <7.0.1.0.2.20091215151213.02223318@moov.mg>

Hi all,

I use the 3 7200 to connect to upstreams

Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K bytes of memory.
Max CPU usage: 28%

Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
Max CPU usage: 75%

Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K bytes of memory.
Max CPU usage: 45%

BGP is used with upstreams but I don't receive full BGP table.

Do these boxes have enough resources to handle the full BGP table?

Regards.

From pavel.skovajsa at gmail.com Tue Dec 15 07:20:25 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Dec 2009 13:20:25 +0100
Subject: [c-nsp] 6509 OIR logging for transceivers
In-Reply-To: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com>
References: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com>
Message-ID: <323aca890912150420x3b6036c9m27d801699823825a@mail.gmail.com>

Hi Brian,

I have never seen any event (OIR or any other kind) generated when
plugging/unplugging the SFPs on any Cisco switches. The way I check this
is with the usual 'show int status' or simply 'show int x/y' after making
the physical change.

Of course if the interface is up, then you will get the normal
LINEPROTO-5-UPDOWN and LINK-3-UPDOWN messages provided you have the
'logging event link-status' command under interface config. This is
specific to 6500 though, all other switch models log LINK UP/DOWN by
default.
-pavel skovajsa

On Tue, Dec 15, 2009 at 3:00 AM, Brian Spade wrote:
> Hi,
>
> I am doing some testing and can't seem to get the Catalyst 6509 to log an
> insertion or removal of a SFP. Is this supported? I have 'logging
> buffered 20000' configured but don't get a log when I insert/remove an
> SFP on a SUP-720-3B.
>
> Thanks,
> /bs

From ler762 at gmail.com Tue Dec 15 07:30:11 2009
From: ler762 at gmail.com (Lee)
Date: Tue, 15 Dec 2009 07:30:11 -0500
Subject: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
In-Reply-To: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com>
References: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com>
Message-ID:

Do you have the inside and outside vlan for your ipsec traffic configured
with a crypto connect? eg

interface Vlan7
 description outside:encrypted traffic
 no ip address
 crypto engine subslot 8/0
 crypto connect vlan8
!
interface Vlan8
 description inside:cleartext traffic
 ip address xxx
 crypto map xxx
 crypto engine subslot 8/0

Regards,
Lee

On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund wrote:
> Hi,
>
> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a
> site-to-site tunnel.
>
> Last night, I got the tunnel up. But after applying an acl to the 6500,
> the tunnel went down and stayed down. Removing configuration just to
> get the tunnel up again and continue trying to get the interesting
> traffic through as intended, the tunnel never comes up. The remote
> device is an ASA 5505, where I haven't touched anything since this
> failure started. From what I can get out of all this, looking at logs
> and crypto statistics, the traffic never gets to the module in slot 8.
>
> show crypto sessions - nothing
> show crypto isakmp sa - nothing
> show crypto ipsec sa - nothing
>
> I can still use packet-tracer on the asa as I could before and the
> flow is created, but nothing ends up in the 6500 logs. debug crypto
> isakmp and debug crypto ipsec are both enabled without anything being
> logged. Any ideas are most welcome. Guess I have missed something
> obvious but right now I just can't figure out what it is.
>
> This is the configuration from the 6500.
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key address no-xauth
> !
> crypto isakmp client configuration group GROUP1
>  key
>  dns 172.16.9.2
>  domain i.company.com
>  pool vpn
>  acl 101
> crypto isakmp profile ikepro
>   match identity group GROUP1
>   client authentication list userlist
>   isakmp authorization list grouplist
>   client configuration address respond
>   client configuration group GROUP1
> crypto isakmp profile site-to-site
>   keyring default
>   match identity address 255.255.255.255
>   keepalive 60 retry 5
> !
> !
> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
> !
> crypto ipsec profile ipsecpro
>  set transform-set 3dessha
> !
> !
> crypto dynamic-map dynmap 10
>  set transform-set 3dessha
>  set isakmp-profile ikepro
> crypto dynamic-map dynmap 15
>  set peer 76.238.146.205
>  set transform-set 3dessha
>  set isakmp-profile site-to-site
> crypto dynamic-map dynmap 20
>  set transform-set 3dessha
>  set isakmp-profile ikepro
> !
> !
> crypto map vpnmap engine slot 8
> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>
>
> and then on VLAN 8 where the traffic is supposed to come in:
> interface Vlan8
>  ip address 255.255.255.248
>  ip nat outside
>  standby 8 ip
>  standby 8 priority 115
>  standby 8 preempt
>  standby 8 name
>  crypto map vpnmap redundancy
> end
>
> Best regards,
> .pelle

From pavel.skovajsa at gmail.com Tue Dec 15 07:38:49 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Dec 2009 13:38:49 +0100
Subject: [c-nsp] 7200 for BGP
In-Reply-To: <7.0.1.0.2.20091215151213.02223318@moov.mg>
References: <7.0.1.0.2.20091215151213.02223318@moov.mg>
Message-ID: <323aca890912150438p29bc1dcfq2a6129801dae0563@mail.gmail.com>

hi R.

The G2 will certainly handle it, but I would look into the reason for
having 75%, that sounds really bad.

For the G1 and NPE400, I'd say you definitely need more memory - 512 MB
or 1G to be fine.

This is what Cisco says:

The amount of memory required to store BGP routes depends on many
factors, such as the router, the number of alternate paths available,
route dampening, community, the number of maximum paths configured, BGP
attributes, and VPN configurations. Without knowledge of these parameters
it is difficult to calculate the amount of memory required to store a
certain number of BGP routes. Cisco typically recommends a minimum of 512
MB of RAM in the router to store a complete global BGP routing table from
one BGP peer. However, it is important to understand ways to reduce
memory consumption and achieve optimal routing without the need to
receive the complete Internet routing table.
See this document for the details about the memory consumption -
http://www.cisco.com/en/US/customer/tech/tk365/technologies_tech_note09186a0080094a83.shtml

The rule of thumb is 1k of prefixes = 1M of RAM, but this is too generic
and a little conservative.

On Tue, Dec 15, 2009 at 1:19 PM, RAZAFINDRATSIFA Rivo Tahina
<r.tahina at moov.mg> wrote:
> Hi all,
>
> I use the 3 7200 to connect to upstreams
>
> Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K bytes of
> memory.
>
> Max CPU usage: 28%
>
> Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of
> memory.
> Max CPU usage: 75%
>
> Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K bytes of
> memory.
> Max CPU usage: 45%
>
> BGP is used with upstreams but I don't receive full BGP table.
>
> Do these boxes have enough resources to handle the full BGP table?
>
> Regards.

From jackson.tim at gmail.com Tue Dec 15 07:38:53 2009
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 15 Dec 2009 06:38:53 -0600
Subject: [c-nsp] 6509 OIR logging for transceivers
In-Reply-To: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com>
References: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com>
Message-ID: <4407932e0912150438v13ba2757n53a46c576565e6c5@mail.gmail.com>

We use rancid and the "show inventory raw" command 2x an hour to log
approx when an SFP was inserted/removed... Best way I've found to do
it... It also nabs your serial numbers.

--
Tim

On Mon, Dec 14, 2009 at 8:00 PM, Brian Spade wrote:
> Hi,
>
> I am doing some testing and can't seem to get the Catalyst 6509 to log an
> insertion or removal of a SFP. Is this supported? I have 'logging buffered
> 20000' configured but don't get a log when I insert/remove an SFP on a
> SUP-720-3B.
>
> Thanks,
> /bs

From cayers at ena.com Tue Dec 15 07:58:43 2009
From: cayers at ena.com (Cory Ayers)
Date: Tue, 15 Dec 2009 06:58:43 -0600
Subject: [c-nsp] 7200 for BGP
In-Reply-To: <7.0.1.0.2.20091215151213.02223318@moov.mg>
References: <7.0.1.0.2.20091215151213.02223318@moov.mg>
Message-ID:

> I use the 3 7200 to connect to upstreams
>
> Cisco 7206VXR (NPE-G1) processor (revision B) with 229376K/32768K
> bytes of memory.
>
> Max CPU usage: 28%
>
> Cisco 7204VXR (NPE-G2) processor (revision A) with 917504K/65536K
> bytes of memory.
> Max CPU usage: 75%
>
> Cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K
> bytes of memory.
> Max CPU usage: 45%
>
> BGP is used with upstreams but I don't receive full BGP table.
>
> Do these boxes have enough resources to handle the full BGP table?

Definitely not with 256M RAM nowadays... Here is a 7200 with 256M RAM and
iomem set to 32. It's doing _nothing_ but holding BGP (even CEF is
disabled) and even that required filtering some networks.

7200bgp#show ver | i memory|image
System image file is "disk0:c7200-ik9s-mz.124-12c.bin"
Cisco 7206VXR (NPE300) processor (revision D) with 262144K/32768K bytes of memory.

7200bgp#show ip bgp summ | b ^N
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.3.55       4 65500  531667    9430  1238583    0    0 6d13h      297067

7200bgp#show ip cef
%CEF not running

7200bgp#show mem summ
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   6412F210   183306880   182614184      692696      688748      252588
      I/O   20000000    33554432     3220256    30334176    26702384    26239804
Transient   6F000000    16777216       17436    16759780    16694224    16752696

Filter applied to make it fit in memory but get as close to full memory
utilization:

ip prefix-list dropnets seq 5 permit 128.0.0.0/4 le 32
!
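Tim Jackson's rancid approach above (collect 'show inventory raw' periodically and diff the snapshots) as an added, stand-alone Python example that is not from the thread or from rancid: it parses the two-line NAME/PID entries and reports inserted, removed and swapped transceivers by serial number, so a module quietly exchanged for another one shows up as well as a removal. The two snapshots are constructed, and the regexes assume the standard two-line 'show inventory' layout.

```python
"""Detect SFP insertion/removal on a switch that logs no OIR event for
transceivers, by diffing periodic 'show inventory' snapshots.
Added example; the snapshots below are constructed, not real output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# 'show inventory' prints two lines per item, separated by a blank line:
#   NAME: "<name>", DESCR: "<description>"
#   PID: <product id>   , VID: <hw version>, SN: <serial>
NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
PID_RE = re.compile(
    r'^PID:\s*(?P<pid>[^,]*?)\s*,\s*VID:\s*(?P<vid>[^,]*?)\s*,\s*SN:\s*(?P<sn>.*?)\s*$'
)


@dataclass(frozen=True)
class Item:
    name: str
    descr: str
    pid: str
    vid: str
    sn: str


@dataclass(frozen=True)
class Change:
    kind: str             # "inserted", "removed" or "replaced"
    name: str             # inventory NAME, e.g. "GigabitEthernet5/2"
    pid: str
    old_sn: Optional[str]
    new_sn: Optional[str]


def parse_inventory(text: str) -> Dict[str, Item]:
    """Return {NAME: Item} for every complete NAME/PID pair in the output."""
    items: Dict[str, Item] = {}
    lines = [ln.strip() for ln in text.splitlines()]
    for i in range(len(lines) - 1):
        m = NAME_RE.match(lines[i])
        if not m:
            continue
        p = PID_RE.match(lines[i + 1])
        if not p:
            continue  # truncated or paginated output: ignore the half entry
        items[m["name"]] = Item(m["name"], m["descr"], p["pid"], p["vid"], p["sn"])
    return items


def diff_inventory(before: Dict[str, Item], after: Dict[str, Item]) -> List[Change]:
    """Compare two snapshots; a new serial on the same port counts as a swap."""
    changes: List[Change] = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            changes.append(Change("inserted", name, new.pid, None, new.sn))
        elif new is None:
            changes.append(Change("removed", name, old.pid, old.sn, None))
        elif (old.pid, old.sn) != (new.pid, new.sn):
            changes.append(Change("replaced", name, new.pid, old.sn, new.sn))
    return changes


def format_change(c: Change) -> str:
    """One line per event, standing in for the OIR message the box never logs."""
    return f"TRANSCEIVER {c.kind.upper()}: {c.name} pid={c.pid} sn={c.old_sn}->{c.new_sn}"


# Constructed snapshot at t0: three populated SFP ports.
SNAPSHOT_T0 = """
NAME: "GigabitEthernet5/1", DESCR: "1000BaseSX"
PID: GLC-SX-MM         ,                     VID: V01, SN: SFP00000001

NAME: "GigabitEthernet5/2", DESCR: "1000BaseLX"
PID: GLC-LH-SM         ,                     VID: V01, SN: SFP00000002

NAME: "GigabitEthernet5/4", DESCR: "1000BaseT"
PID: GLC-T             ,                     VID:    , SN: SFP00000004
"""
# Constructed snapshot 30 minutes later: 5/2 swapped for another LX module
# (same PID, different serial), 5/3 inserted, 5/4 pulled.
SNAPSHOT_T1 = """
NAME: "GigabitEthernet5/1", DESCR: "1000BaseSX"
PID: GLC-SX-MM         ,                     VID: V01, SN: SFP00000001

NAME: "GigabitEthernet5/2", DESCR: "1000BaseLX"
PID: GLC-LH-SM         ,                     VID: V01, SN: SFP00000009

NAME: "GigabitEthernet5/3", DESCR: "1000BaseSX"
PID: GLC-SX-MM         ,                     VID: V01, SN: SFP00000003
"""


def main():
    before = parse_inventory(SNAPSHOT_T0)
    after = parse_inventory(SNAPSHOT_T1)
    for change in diff_inventory(before, after):
        print(format_change(change))


if __name__ == "__main__":
    main()
```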
route-map rs65500-in deny 5
 match ip address prefix-list dropnets
!
route-map rs65500-in permit 10

HTH,
Cory

From pslund at gmail.com Tue Dec 15 08:45:56 2009
From: pslund at gmail.com (Pär Åslund)
Date: Tue, 15 Dec 2009 14:45:56 +0100
Subject: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
In-Reply-To:
References: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com>
Message-ID: <89b664f30912150545i1f873db7ib8213d42b3931f58@mail.gmail.com>

Hi Lee,

No, I don't have it configured with crypto connect. From what I read
so far, I don't need that for site-to-site ipsec?

The asa in the remote office can ping the remote peer ip configured on
the 6500. Just seems like bad magic for me right now that for some
reason the traffic doesn't seem to reach the IPSEC module.

Extra, forgot to show the configuration of the interfaces on module 8
- WS-SVC-IPSEC-1

Current configuration : 243 bytes
!
interface GigabitEthernet8/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

interface GigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

Best regards,
.pelle

On Tue, Dec 15, 2009 at 1:30 PM, Lee wrote:
> Do you have the inside and outside vlan for your ipsec traffic configured
> with a crypto connect? eg
>
> interface Vlan7
>  description outside:encrypted traffic
>  no ip address
>  crypto engine subslot 8/0
>  crypto connect vlan8
> !
> interface Vlan8
>  description inside:cleartext traffic
>  ip address xxx
>  crypto map xxx
>  crypto engine subslot 8/0
>
> Regards,
> Lee
>
>
> On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund wrote:
>>
>> Hi,
>>
>> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a
>> site-to-site tunnel.
>>
>> Last night, I got the tunnel up. But after applying an acl to the 6500,
>> the tunnel went down and stayed down. Removing configuration just to
>> get the tunnel up again and continue trying to get the interesting
>> traffic through as intended, the tunnel never comes up. The remote
>> device is an ASA 5505, where I haven't touched anything since this
>> failure started. From what I can get out of all this, looking at logs
>> and crypto statistics, the traffic never gets to the module in slot 8.
>>
>> show crypto sessions - nothing
>> show crypto isakmp sa - nothing
>> show crypto ipsec sa - nothing
>>
>> I can still use packet-tracer on the asa as I could before and the
>> flow is created, but nothing ends up in the 6500 logs. debug crypto
>> isakmp and debug crypto ipsec are both enabled without anything being
>> logged. Any ideas are most welcome. Guess I have missed something
>> obvious but right now I just can't figure out what it is.
>>
>> This is the configuration from the 6500.
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> crypto isakmp key address no-xauth
>> !
>> crypto isakmp client configuration group GROUP1
>>  key
>>  dns 172.16.9.2
>>  domain i.company.com
>>  pool vpn
>>  acl 101
>> crypto isakmp profile ikepro
>>   match identity group GROUP1
>>   client authentication list userlist
>>   isakmp authorization list grouplist
>>   client configuration address respond
>>   client configuration group GROUP1
>> crypto isakmp profile site-to-site
>>   keyring default
>>   match identity address 255.255.255.255
>>   keepalive 60 retry 5
>> !
>> !
>> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
>> !
>> crypto ipsec profile ipsecpro
>>  set transform-set 3dessha
>> !
>> !
>> crypto dynamic-map dynmap 10
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> crypto dynamic-map dynmap 15
>>  set peer 76.238.146.205
>>  set transform-set 3dessha
>>  set isakmp-profile site-to-site
>> crypto dynamic-map dynmap 20
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> !
>> !
>> crypto map vpnmap engine slot 8
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>>
>>
>> and then on VLAN 8 where the traffic is supposed to come in:
>> interface Vlan8
>>  ip address 255.255.255.248
>>  ip nat outside
>>  standby 8 ip
>>  standby 8 priority 115
>>  standby 8 preempt
>>  standby 8 name
>>  crypto map vpnmap redundancy
>> end
>>
>> Best regards,
>> .pelle
>

From tomas at soitron.com Tue Dec 15 08:46:35 2009
From: tomas at soitron.com (Daniska, Tomas)
Date: Tue, 15 Dec 2009 14:46:35 +0100
Subject: [c-nsp] VSS/12.2(33)SXI2a High interrupt load on SP
Message-ID: <6B43981C32F8464CB24CEE209DA32BD30295CC39@kenya.tronet.as>

Hi,

wonder if anyone came to this...

XXXXXXXXXX-sp#sh proc cpu
CPU utilization for five seconds: 100%/88%; one minute: 100%; five minutes: 100%

and it has lasted for a week or two already. It's in ios-base, TID 6

XXXXXXXXXX-sp#sh proc cpu det 12311
CPU utilization for five seconds: 99%/82%; one minute: 100%; five minutes: 100%
PID/TID  5Sec   1Min   5Min   Process         Prio  STATE      CPU
12311    96.2%  97.2%  97.0%  ios-base                         37d06h
         0.0%   1.9%   2.8%   [dead threads]
      1  0.0%   0.6%   0.7%                   10    Receive    45.837
      2  0.1%   0.0%   0.0%                   5     Ready      36m47s
      4  0.0%   0.3%   0.8%                   10    Receive    8.353
      5  0.0%   0.0%   0.0%                   11    Nanosleep  5m54s
      6  77.7%  84.2%  84.7%                  21    Intr       20d22h

I cannot come to any source of this, no log messages indicating an event
that would cause this.
The only thing I have noticed is that the IBC port on the SP is seeing an
unusually high number of inband interrupts:

XXXXXXXXXX-sp#sh clock
14:31:51.917 GMT Tue Dec 15 2009
XXXXXXXXXX-sp#sh ibc | i inter
3699589169 inband interrupts
1194856 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)
XXXXXXXXXX-sp#sh clock
14:32:04.201 GMT Tue Dec 15 2009
XXXXXXXXXX-sp#sh ibc | i inter
3700120842 inband interrupts
1195039 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)
XXXXXXXXXX-sp#

which gives >40k interrupts per second constantly - no wonder the SP CPU
is that busy. This, however, does not seem to be related to IBC traffic:

XXXXXXXXXX-sp#sh ibc load 30
Interface information:
        Interface IBC0/0/0(idb 0x60011A70)
        Hardware is Mistral IBC (revision 5)
        0 minute rx rate 359000 bits/sec, 213 packets/sec
        0 minute tx rate 490000 bits/sec, 466 packets/sec

and the RP does not seem to be sending much traffic over IBC either:

XXXXXXXXXX#sh ibc load 30
Interface information:
        Interface IBC0/0(idb 0x60011A70)
        Hardware is Mistral IBC (revision 5)
        0 minute rx rate 2276000 bits/sec, 523 packets/sec
        0 minute tx rate 100000 bits/sec, 137 packets/sec

Does anyone have any hints before I proceed to TAC? Getting the SR queued
is complicated for me with this customer as they have support bought via
a different organization and it takes three human hops to open a ticket.
Through India... aww

thx!

--
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

All generalizations are false, including this one. -- Mark Twain

From ler762 at gmail.com Tue Dec 15 10:20:09 2009
From: ler762 at gmail.com (Lee)
Date: Tue, 15 Dec 2009 10:20:09 -0500
Subject: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
In-Reply-To: <89b664f30912150545i1f873db7ib8213d42b3931f58@mail.gmail.com>
References: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com>
 <89b664f30912150545i1f873db7ib8213d42b3931f58@mail.gmail.com>
Message-ID:

On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund wrote:
> Hi Lee,
>
> No, I don't have it configured with crypto connect. From what I read
> so far, I don't need that for site-to-site ipsec?

All the docs I read talked about the "bump in the wire" encryption.
Somehow or other you have to get the traffic going thru the ipsec card &
the only way I know of is to use the 'crypto connect' command or the
much-discouraged-in-the-docs "switchport trunk allowed vlan add NNN" on
the ipsec card ports. But I never did dynamic crypto maps, so maybe they
do some extra magic?

> The asa in the remote office can ping the remote peer ip configured on
> the 6500. Just seems like bad magic for me right now that for some
> reason the traffic doesn't seem to reach the IPSEC module.

A fun thing about the 6500 ipsec card is that traffic not matching the
crypto map goes through unaltered whereas a real router would drop the
traffic. If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip
address is 192.168.1.2 it wouldn't surprise me that the asa can ping the
6500.

Another fun thing about the 6500 ipsec card is that routing happens only
on the cleartext traffic. By the time the traffic comes out of the ipsec
card all the routing decisions have been made :( For example, say you're
putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel
endpoint is 192.168.1.1. If the route for 10.10.10.0/24 is out vlan10 and
the route for 192.168.1.1 is out vlan 8 it ain't gonna work. I ended up
adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a
work-around.

Then again, I haven't had anything to do with a 6500 ipsec card for over
a year so maybe they've fixed some of the weirdness that I had to deal
with.
> Extra, forgot to show the configuration of the interfaces on module 8
> - WS-SVC-IPSEC-1
>
> Current configuration : 243 bytes
> !
> interface GigabitEthernet8/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 8
>  switchport mode trunk
>  mtu 4500
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> end
>
> interface GigabitEthernet8/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan none
>  switchport mode trunk
>  mtu 4500
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> end
>

What I ended up with was

interface GigabitEthernet8/0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 550,551,702
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!
interface GigabitEthernet8/0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 551,703
 switchport mode trunk
 mtu 9216
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
!

Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong.. but it did work. We moved all our ipsec tunnels over to asrs a while back, so nothing I need to do about it now :)

Regards,
Lee

> Best regards,
> .pelle
>
> On Tue, Dec 15, 2009 at 1:30 PM, Lee wrote:
> > Do you have the inside and outside vlan for your ipsec traffic configured
> > with a crypto connect? eg
> >
> > interface Vlan7
> >  description outside:encrypted traffic
> >  no ip address
> >  crypto engine subslot 8/0
> >  crypto connect vlan8
> > !
> > interface Vlan8
> >  description inside:cleartext traffic
> >  ip address xxx
> >  crypto map xxx
> >  crypto engine subslot 8/0
> >
> > Regards,
> > Lee
> >
> >
> > On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund wrote:
> >>
> >> Hi,
> >>
> >> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a
> >> site-to-site tunnel.
> >>
> >> Last night, I got the tunnel up. But after applying an acl to the 6500,
> >> the tunnel went down and stayed down. Removing configuration just to
> >> get the tunnel up again and continue trying to get the interesting
> >> traffic through as intended, the tunnel never comes up. The remote
> >> device is an ASA 5505, where I haven't touched anything since this
> >> failure started. From what I can get out of all this, looking at logs
> >> and crypto statistics, the traffic never gets to the module in slot 8.
> >>
> >> show crypto sessions - nothing
> >> show crypto isakmp sa - nothing
> >> show crypto ipsec sa - nothing
> >>
> >> I can still use packet-tracer on the asa as I could before and the
> >> flow is created, but nothing ends up in the 6500 logs. debug crypto
> >> isakmp and debug crypto ipsec are both enabled without anything being
> >> logged. Any ideas are most welcome. Guess I have missed something
> >> obvious but right now I just can't figure out what it is.
> >>
> >> This is the configuration from the 6500.
> >>
> >> crypto isakmp policy 1
> >>  encr 3des
> >>  authentication pre-share
> >>  group 2
> >> crypto isakmp key address no-xauth
> >> !
> >> crypto isakmp client configuration group GROUP1
> >>  key
> >>  dns 172.16.9.2
> >>  domain i.company.com
> >>  pool vpn
> >>  acl 101
> >> crypto isakmp profile ikepro
> >>  match identity group GROUP1
> >>  client authentication list userlist
> >>  isakmp authorization list grouplist
> >>  client configuration address respond
> >>  client configuration group GROUP1
> >> crypto isakmp profile site-to-site
> >>  keyring default
> >>  match identity address 255.255.255.255
> >>  keepalive 60 retry 5
> >> !
> >> !
> >> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
> >> !
> >> crypto ipsec profile ipsecpro
> >>  set transform-set 3dessha
> >> !
> >> !
> >> crypto dynamic-map dynmap 10
> >>  set transform-set 3dessha
> >>  set isakmp-profile ikepro
> >> crypto dynamic-map dynmap 15
> >>  set peer 76.238.146.205
> >>  set transform-set 3dessha
> >>  set isakmp-profile site-to-site
> >> crypto dynamic-map dynmap 20
> >>  set transform-set 3dessha
> >>  set isakmp-profile ikepro
> >> !
> >> !
> >> crypto map vpnmap engine slot 8
> >> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
> >>
> >>
> >> and then on VLAN 8 where the traffic is supposed to come in:
> >> interface Vlan8
> >>  ip address 255.255.255.248
> >>  ip nat outside
> >>  standby 8 ip
> >>  standby 8 priority 115
> >>  standby 8 preempt
> >>  standby 8 name
> >>  crypto map vpnmap redundancy
> >> end
> >>
> >> Best regards,
> >> .pelle
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>

From JShao at dtcc.com Tue Dec 15 10:01:52 2009
From: JShao at dtcc.com (Jay Shao)
Date: Tue, 15 Dec 2009 10:01:52 -0500
Subject: [c-nsp] Jay Shao is out of the office.
Message-ID:

I will be out of the office starting 12/15/2009 and will not return until 12/16/2009.

I will respond to your message when I return.
Please contact with NETTCP at DTCC.COM for any production issues
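Tomas's SP CPU check in the IBC thread above (two "sh ibc | i inter" samples bracketed by "sh clock", then dividing the counter delta by the elapsed time) is easy to get wrong by hand, so here it is scripted. This is an added example, not code from the original post or from Cisco: it parses a constructed capture made of the exact lines Tomas posted, assumes the IOS "sh clock" timestamp format shown there, treats the interrupt counters as 32-bit (an assumption based on their magnitude) so a wrap between samples is corrected rather than reported as a negative rate, and uses 40k/s as an alarm threshold only because that is the figure Tomas called out; it goes slightly beyond the post by computing the rate for every counter it finds, not just inband interrupts.

```python
import re
from datetime import datetime

# Constructed sample: the two samples Tomas posted, pasted as one capture.
SAMPLE_CAPTURE = """\
XXXXXXXXXX-sp#sh clock
14:31:51.917 GMT Tue Dec 15 2009
XXXXXXXXXX-sp#sh ibc | i inter
3699589169 inband interrupts
1194856 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)
XXXXXXXXXX-sp#sh clock
14:32:04.201 GMT Tue Dec 15 2009
XXXXXXXXXX-sp#sh ibc | i inter
3700120842 inband interrupts
1195039 total tx interrupts set
mistral tx interrupt inconsisteny occured 0 times
0 total packets dropped on throttled interfaces (0 low, 0 medium, 0 high)
XXXXXXXXXX-sp#
"""

# "14:31:51.917 GMT Tue Dec 15 2009": time, zone, weekday, then month day year.
CLOCK_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) \S+ \w{3} (\w{3} \d{1,2} \d{4})$")
# The two cumulative counters from "sh ibc | i inter" that we rate.
COUNTER_RE = re.compile(r"^(\d+) (inband interrupts|total tx interrupts set)$")


def parse_samples(capture):
    """Return [(timestamp, {counter_name: value}), ...], one entry per sh clock / sh ibc pair."""
    samples = []
    current = None
    for raw in capture.splitlines():
        line = raw.strip()
        m = CLOCK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S.%f")
            current = {}
            samples.append((ts, current))
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(2)] = int(m.group(1))
    return samples


def interrupt_rates(capture, counter_bits=32):
    """Per-second rate of each counter between consecutive samples.

    Returns [(elapsed_seconds, {counter_name: rate}), ...]. A counter that
    wrapped between samples (assumed 32-bit) is corrected by adding 2**counter_bits.
    """
    samples = parse_samples(capture)
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        seconds = (t1 - t0).total_seconds()
        if seconds <= 0:
            raise ValueError("samples are not in increasing time order")
        per_sec = {}
        for name in c0.keys() & c1.keys():
            delta = c1[name] - c0[name]
            if delta < 0:                      # counter wrapped between the samples
                delta += 1 << counter_bits
            per_sec[name] = delta / seconds
        rates.append((seconds, per_sec))
    return rates


def inband_interrupt_alarm(capture, threshold=40000.0):
    """True if any interval's inband interrupt rate exceeds the (assumed) threshold."""
    return any(r.get("inband interrupts", 0.0) > threshold for _, r in interrupt_rates(capture))


if __name__ == "__main__":
    for seconds, per_sec in interrupt_rates(SAMPLE_CAPTURE):
        for name, rate in sorted(per_sec.items()):
            print(f"{name}: {rate:.0f}/s over {seconds:.3f} s")
    print("alarm:", inband_interrupt_alarm(SAMPLE_CAPTURE))
```

Run against the posted sample it reports roughly 43k inband interrupts per second over the 12.284 s between the two "sh clock" readings, which is the ">40k" Tomas eyeballed; the tx interrupt counter moves at only about 15/s, confirming that the load is on the receive side, consistent with his observation that the "sh ibc load" packet rates do not explain it.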
From Grzegorz at Janoszka.pl Tue Dec 15 10:47:56 2009
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Tue, 15 Dec 2009 16:47:56 +0100
Subject: [c-nsp] IPv6 nd ra suppress broken on SXI3?
Message-ID: <4B27AFAC.7090305@Janoszka.pl>

We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon after the upgrade one of our customers complained that he started to see RA messages. From the beginning on his interface we have "ipv6 nd ra suppress", I added "ipv6 nd ra mtu suppress", but the customer says he still sees that. Has anyone seen broken ra suppression on SXI3?

--
Grzegorz Janoszka

From achatz at forthnet.gr Tue Dec 15 11:49:43 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 15 Dec 2009 18:49:43 +0200
Subject: [c-nsp] 7600/RSP720 + SIP-400
Message-ID: <4B27BE27.6060101@forthnet.gr>

Can someone with a SIP-400 module execute the "sh platform hardware capacity system" command and send me the output? I would prefer people with 7600/RSP720.

--
Tassos

From phil.bartlett at comtek.co.uk Tue Dec 15 11:11:35 2009
From: phil.bartlett at comtek.co.uk (Phil Bartlett)
Date: Tue, 15 Dec 2009 16:11:35 -0000
Subject: [c-nsp] Password Recovery for CISCO IGX
Message-ID: <048801ca7da1$46571800$d3054800$@bartlett@comtek.co.uk>

Hi

Does anyone know of a way to recover/reset the password on a Cisco IGX. I have found nothing when searching Cisco.com. Any assistance is greatly appreciated.

Rgds
Phil Bartlett
Comtek Network Systems (UK) Ltd
===========================
DDI: +44 1244 283 054
Switchboard: +44 8454 501 626
Fax: +44 8454 501 627
SIP/VOIP: sip:3054 at comtek.co.uk
AOL:
philatcomtek
Number One For Networking Spares, Repairs & Rentals

From hank at efes.iucc.ac.il Tue Dec 15 12:07:41 2009
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Tue, 15 Dec 2009 19:07:41 +0200
Subject: [c-nsp] 7600/RSP720 + SIP-400
In-Reply-To: <4B27BE27.6060101@forthnet.gr>
Message-ID: <5.1.0.14.2.20091215190701.056245d0@efes.iucc.ac.il>

At 18:49 15/12/2009 +0200, Tassos Chatzithomaoglou wrote:
>Can someone with a SIP-400 module execute the "sh platform hardware
>capacity system" command and send me the output?
>I would prefer people with 7600/RSP720.

Not a RSP720 but close:

petach-tikva-gp#sh platform hardware capacity system
System Resources
  PFC operating mode: PFC3BXL
  Supervisor redundancy mode: administratively sso, operationally sso
  Switching resources:
    Module  Part number        Series      CEF mode
     1      WS-X6582-2PA       CEF256      CEF
     2      WS-X6582-2PA       CEF256      CEF
     3      WS-X6582-2PA       CEF256      CEF
     4      WS-X6582-2PA       CEF256      CEF
     7      WS-SUP720-3BXL     supervisor  CEF
     9      WS-X6748-GE-TX     CEF720      dCEF
    10      WS-X6704-10GE      CEF720      CEF
    11      7600-SIP-400       CEF256      CEF

-Hank

>--
>Tassos
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Tue Dec 15 13:19:07 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 15 Dec 2009 12:19:07 -0600
Subject: [c-nsp] Loopback/VLAN question
Message-ID:

I have several uniquely numbered 802.1q tagged links coming into a Cisco 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the same group of subnets for each VLAN and I tried using loopbacks but it doesn't work. Any ideas on what I'm doing wrong?
interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end

From tony at lava.net Tue Dec 15 13:30:00 2009
From: tony at lava.net (Antonio Querubin)
Date: Tue, 15 Dec 2009 08:30:00 -1000 (HST)
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
> I have several uniquely numbered 802.1q tagged links coming into a Cisco
> 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the
> same group of subnets for each VLAN and I tried using loopbacks but it
> doesn't work. Any ideas on what I'm doing wrong?

Use BVI's, not loopbacks.

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From peter at rathlev.dk Tue Dec 15 13:54:27 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Dec 2009 19:54:27 +0100
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID: <1260903267.5015.2.camel@localhost>

On Tue, 2009-12-15 at 08:30 -1000, Antonio Querubin wrote:
> On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
> > I have several uniquely numbered 802.1q tagged links coming into a
> > Cisco 7609-S (12.2(33)SRB3) on a single physical port.
> > I would like
> > to use the same group of subnets for each VLAN and I tried using
> > loopbacks but it doesn't work. Any ideas on what I'm doing wrong?
>
> Use BVI's, not loopbacks.

I don't think using BVIs on a L3 switch will do much good; if it would work (can they do anything but "fallback bridging"?) it would probably be very bad performance wise.

As for the original question, I wouldn't have thought a PFC3B could do such a thing, but one can never know. I suppose it _has_ to work like that?

--
Peter

From avayner at cisco.com Tue Dec 15 14:32:12 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 15 Dec 2009 20:32:12 +0100
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

Frank,

Can you please explain what you want to achieve? I think this should be done in a different way.

Also, what HW do you have?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the same group of subnets for each VLAN and I tried using loopbacks but it doesn't work. Any ideas on what I'm doing wrong?
interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Tue Dec 15 14:42:47 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 15 Dec 2009 13:42:47 -0600
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

It's my understanding that BVIs on the 7600-platform only bridge non-IP traffic, so that wouldn't work.

Frank

-----Original Message-----
From: Antonio Querubin [mailto:tony at lava.net]
Sent: Tuesday, December 15, 2009 12:30 PM
To: Frank Bulk - iName.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Loopback/VLAN question

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
> I have several uniquely numbered 802.1q tagged links coming into a Cisco
> 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the
> same group of subnets for each VLAN and I tried using loopbacks but it
> doesn't work. Any ideas on what I'm doing wrong?

Use BVI's, not loopbacks.
Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony at lava.net

From frnkblk at iname.com Tue Dec 15 14:55:40 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 15 Dec 2009 13:55:40 -0600
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

I have 5 remote sites where I'm doing FTTH and transporting the traffic over third-party transport gear to our HQ. Each site-HQ link is a separate VLAN and uniquely numbered. My preference is to burn up only one port on the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear by trunking the traffic between the two boxes. But I don't want to have a separate IP address pool (with associated static IP /24 and web filter /24) for each remote site. I would like each remote site to use the same address pool. So I'm looking for something like IRB.

SiteA   SiteB   SiteC   SiteD   SiteE
  |       |       |       |       |
VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
  |       |       |       |       |
=====================================
                  | 802.1q tagged (1 thru 5)
               7609-S
                  |
             DHCP server

I could use the transport gear's VLAN-translation and drop off each site into their own physical port on the 7609-S but have it be the same VLAN, but that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote site. That would have the benefit of reducing the L3-broadcast traffic.

Frank

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what you want to achieve? I think this should be done in a different way.

Also, what HW do you have?
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the same group of subnets for each VLAN and I tried using loopbacks but it doesn't work. Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From bitkraft at gmail.com Tue Dec 15 14:56:58 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Tue, 15 Dec 2009 11:56:58 -0800
Subject: [c-nsp] 6509 OIR logging for transceivers
In-Reply-To: <4407932e0912150438v13ba2757n53a46c576565e6c5@mail.gmail.com>
References: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com> <4407932e0912150438v13ba2757n53a46c576565e6c5@mail.gmail.com>
Message-ID:
<505b616c0912151156s94bfed4kdd3013a776ddafb9@mail.gmail.com>

Thanks Pavel and Tim for the quick answer. I must be losing my mind... I thought I saw this logged before.

/bs

From avayner at cisco.com Tue Dec 15 15:13:30 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 15 Dec 2009 21:13:30 +0100
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

Frank,

The right way to solve it would be to use the ES20 (or more actually the more recent ES+) modules. This would allow you to create a separate EVC/EFP (service-instance) per site, using whatever VLAN IDs (even reusing them, or using QinQ) and then bridge-domain them all to the same central global bridge VLAN, which would be the Layer 3 service endpoint (for DHCP).

"Use the right tools for the job"

Anyway, with your setup, if this is not becoming a big service (which would then make sense to invest in new HW), then maybe you should just break them into separate L3 domains.

Another option is to use the MetroE model of uPE and nPE, where a uPE is used for some parts of the service. This could be a L2 switch (CPE? ME3400-2CS) to do the VLAN translation...

Hope this helps.

Arie

-----Original Message-----
From: Frank Bulk - iName.com [mailto:frnkblk at iname.com]
Sent: Tuesday, December 15, 2009 21:56
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

I have 5 remote sites where I'm doing FTTH and transporting the traffic over third-party transport gear to our HQ. Each site-HQ link is a separate VLAN and uniquely numbered. My preference is to burn up only one port on the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear by trunking the traffic between the two boxes. But I don't want to have a separate IP address pool (with associated static IP /24 and web filter /24) for each remote site. I would like each remote site to use the same address pool. So I'm looking for something like IRB.
SiteA   SiteB   SiteC   SiteD   SiteE
  |       |       |       |       |
VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
  |       |       |       |       |
=====================================
                  | 802.1q tagged (1 thru 5)
               7609-S
                  |
             DHCP server

I could use the transport gear's VLAN-translation and drop off each site into their own physical port on the 7609-S but have it be the same VLAN, but that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote site. That would have the benefit of reducing the L3-broadcast traffic.

Frank

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what you want to achieve? I think this should be done in a different way.

Also, what HW do you have?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the same group of subnets for each VLAN and I tried using loopbacks but it doesn't work. Any ideas on what I'm doing wrong?
interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From achatz at forthnet.gr Tue Dec 15 15:23:11 2009
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 15 Dec 2009 22:23:11 +0200
Subject: [c-nsp] 6509 OIR logging for transceivers
In-Reply-To: <505b616c0912151156s94bfed4kdd3013a776ddafb9@mail.gmail.com>
References: <505b616c0912141800s60e3c54dj991ef411cf87549e@mail.gmail.com> <4407932e0912150438v13ba2757n53a46c576565e6c5@mail.gmail.com> <505b616c0912151156s94bfed4kdd3013a776ddafb9@mail.gmail.com>
Message-ID: <4B27F02F.6070701@forthnet.gr>

7600 & SRD3 offer it:

%TRANSCEIVER-DFC1-6-INSERTED: transceiver module inserted in GigabitEthernet1/8
%TRANSCEIVER-DFC1-6-REMOVED: Transceiver module removed from GigabitEthernet1/8

--
Tassos

Brian Spade wrote on 15/12/2009 21:56:
> Thanks Pavel and Tim for the quick answer. I must be losing my mind... I
> thought I saw this logged before.
>
> /bs
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lists.james.edwards at gmail.com Tue Dec 15 15:31:23 2009
From: lists.james.edwards at gmail.com (james edwards)
Date: Tue, 15 Dec 2009 13:31:23 -0700
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1
Message-ID:

I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when I boot:

! card type command needed for slot/vwic-slot 0/0,

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From notrevebr at gmail.com Tue Dec 15 15:49:15 2009
From: notrevebr at gmail.com (Everton Diniz)
Date: Tue, 15 Dec 2009 17:49:15 -0300
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1
In-Reply-To:
References:
Message-ID: <3cf174360912151249n31e8cf6eh98d1c88b1a5bfa4b@mail.gmail.com>

Hey James, did you try the card type command under global config?

card type {t1 | e1} subslot

http://www.cisco.com/en/US/docs/routers/access/1700/1721/software/feature/guide/t1e11721.html#wp64656

Regards,

On Tue, Dec 15, 2009 at 5:31 PM, james edwards wrote:
> I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM
> are detected:
>
> Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
> 2 FastEthernet interfaces
> 1 Gigabit Ethernet interface
> 1 Channelized (E1 or T1)/PRI port
> 1 ATM/Voice AIM
>
> The VWIC2-1MFT-T1/E1 came in a bundle with the AIM module.
> I get this when
> I boot:
>
> ! card type command needed for slot/vwic-slot 0/0,
>
> but the controllers command is not there to configure this card:
>
> yourname(config)#con?
> config-register  configuration  connect  control-plane
>
> What am I missing ?
>
> --
> James H. Edwards
> Senior Network Systems Administrator
> Judicial Information Division
> jedwards at nmcourts.gov
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From stephen.gerteisen at baesystems.com Tue Dec 15 15:52:09 2009
From: stephen.gerteisen at baesystems.com (Gerteisen, Stephen (US SSA) (Contractor))
Date: Tue, 15 Dec 2009 15:52:09 -0500
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1
In-Reply-To:
Message-ID: <814i7o$4d8mqf@dmzms99802.na.baesystems.com>

I believe the command you're looking for is...

Router(config)#card type t1 0 0

Steve M. Gerteisen
Senior Network Analyst
BAE Systems

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of james edwards
Sent: Tuesday, December 15, 2009 2:31 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when I boot:

! card type command needed for slot/vwic-slot 0/0,

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

--
James H.
Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frnkblk at iname.com Tue Dec 15 15:47:36 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 15 Dec 2009 14:47:36 -0600
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?
In-Reply-To:
References:
Message-ID:

The tunnel is up against HE's TunnelBroker service. The Cisco 2600 is reporting just 612 KB in use.

Frank

C2600#sh bgp summary
BGP router identifier a.b.c.d, local AS number 53347
BGP table version is 2299, main routing table version 2299
2269 network entries using 301777 bytes of memory
2269 path entries using 163368 bytes of memory
1749 BGP path attribute entries using 104940 bytes of memory
1706 BGP AS-PATH entries using 41812 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 611897 total bytes of memory
BGP activity 2271/2 prefixes, 2272/3 paths, scan interval 60 secs

Neighbor              V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:470:1F03:10C::1  4  6939    1923      26     2299    0    0 00:22:06     2269
C2600#

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Monday, December 07, 2009 2:58 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Does the entire BGP routing table for IPv6 fit on a Cisco 2600 with 64 MB of DRAM?

Does the entire BGP routing table for IPv6 (almost 2500 entries) fit on a Cisco 2600 with 64 MB of DRAM running 12.3(26)? I am planning to use this box for an IPv6-in-IPv4 tunneling appliance, but not sure if it can hold the whole table.
Regards,

Frank
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From tvarriale at comcast.net Tue Dec 15 16:10:40 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 15 Dec 2009 15:10:40 -0600
Subject: [c-nsp] EEM BGP
Message-ID: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01>

I've been having some issues with BGP peers dropping/flapping and tried to come up with a little EEM applet that would not only down a peer based on syslog entries but bring it back up.

The bringing down part is easy and tested to work great. But I'm having a hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see the shut/BGP peer down/another arbitrary message in the syslog.

Any ideas? EEM 2.2 and/or 3.0 are fine.

Thanks!
tv

From tim at tetro.net Tue Dec 15 15:42:25 2009
From: tim at tetro.net (Tim Utschig)
Date: Tue, 15 Dec 2009 12:42:25 -0800
Subject: [c-nsp] SSL cert for tools.cisco.com revoked?
Message-ID: <20091215204225.GA5205@tetro.net>

Apologies if this is off-topic...

Is anyone else seeing "Peer's Certificate has been revoked." while attempting to access tools.cisco.com? Currently using Firefox. I found a Windows PC, and it seems that MSIE care even after enabling CRL checking. I can only visit the site in Firefox if I disable OCSP.

I verified the problem using OpenSSL command line tools. Verisign OCSP server claims the certificate is revoked as of Dec 15 17:43:33 2009 GMT. Reason "unspecified". The certificate is valid from 2009-12-08 to 2010-12-08, so maybe there was some problem while updating the certificate and they had to throw it out and start over. Accidental disclosure or compromise of the private key?
$ openssl s_client -CApath /etc/ssl/certs -showcerts \
>   -connect tools.cisco.com:443 < /dev/null > tools-cisco-com.chain
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=Cisco Systems/OU=ATS/CN=tools.cisco.com
verify return:1
DONE

# put the three certs in the chain into separate files
$ cp tools-cisco-com.chain tools-cisco-com.chain.1
$ cp tools-cisco-com.chain tools-cisco-com.chain.2
$ cp tools-cisco-com.chain tools-cisco-com.chain.3
$ vim tools-cisco-com.chain.?

$ openssl ocsp -issuer tools-cisco-com.chain.2 \
>   -cert tools-cisco-com.chain.1 -url http://ocsp.verisign.com
WARNING: no nonce in response
Response Verify Failure
8966:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
tools-cisco-com.chain.1: revoked
        This Update: Dec 15 17:47:45 2009 GMT
        Next Update: Jan  8 04:59:50 2010 GMT
        Reason: unspecified
        Revocation Time: Dec 15 17:43:33 2009 GMT

--
 - Tim Utschig

From peter at rathlev.dk Tue Dec 15 16:29:48 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Dec 2009 22:29:48 +0100
Subject: [c-nsp] https://tools.cisco.com/ certificate revoked?
Message-ID: <1260912588.5567.10.camel@localhost>

Hi,

Am I the only one hit by the HTTPS certificate for tools.cisco.com having been revoked? FF 3.5 won't access the pages, instead returning "sec_error_revoked_certificate". I can connect with OpenSSL s_client manually.
-- 
Peter

From avayner at cisco.com Tue Dec 15 16:33:09 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 15 Dec 2009 22:33:09 +0100
Subject: [c-nsp] EEM BGP
In-Reply-To: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01>
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01>
Message-ID: 

Tony,

An easy trick is to insert a delay in your script that does the shut, and then after the delay to do the unshut.
As there is no "wait" action in older EEM codes, you can use a trick with a ping that would never be answered, and a long timeout value.

event manager applet delay
 event syslog pattern "xxx" maxrun 630
 action 1.0 cli command "ping 1.1.1.1 repeat 1 timeout 600"

Does it work for you?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, December 15, 2009 23:11
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] EEM BGP

I've been having some issues with BGP peers dropping/flapping and tried to come up with a little EEM applet that would not only down a peer based on syslog entries but bring it back up.

The bringing down part is easy and tested to work great. But I'm having a hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see the shut/BGP peer down/another arbitrary message in the syslog.

Any ideas? EEM 2.2 and/or 3.0 are fine. Thanks!

tv

From peter at rathlev.dk Tue Dec 15 16:38:41 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Dec 2009 22:38:41 +0100
Subject: [c-nsp] SSL cert for tools.cisco.com revoked?
In-Reply-To: <20091215204225.GA5205@tetro.net>
References: <20091215204225.GA5205@tetro.net>
Message-ID: <1260913121.5567.13.camel@localhost>

On Tue, 2009-12-15 at 12:42 -0800, Tim Utschig wrote:
> Apologies if this is off-topic...
> 
> Is anyone else seeing "Peer's Certificate has been revoked."
> while attempting to access tools.cisco.com?

Hadn't seen your message when I posted mine, but yes I see the exact same thing.

Thanks for the tip on disabling OCSP; I know it's technically a really bad idea ("don't do this at home") but I kinda needed to look up a bug. I'll change my password when the certificate mess is over and hope for the best. :-)

-- 
Peter

From thegameiam at yahoo.com Tue Dec 15 15:45:56 2009
From: thegameiam at yahoo.com (David Barak)
Date: Tue, 15 Dec 2009 12:45:56 -0800 (PST)
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1
In-Reply-To: 
References: 
Message-ID: <300886.96330.qm@web31815.mail.mud.yahoo.com>

you're missing the command

card type t1 0 0

Until you do that, the router doesn't know whether it's a T1 or an E1.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com

----- Original Message ----
From: james edwards
To: cisco-nsp at puck.nether.net
Sent: Tue, December 15, 2009 3:31:23 PM
Subject: [c-nsp] Controllers for a VWIC2-1MFT-T1/E1

I have a 2811 which I am trying to set up an ATM T-1 on. T-1 card and AIM are detected:

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Channelized (E1 or T1)/PRI port
1 ATM/Voice AIM

The VWIC2-1MFT-T1/E1 came in a bundle with the AIM module. I get this when I boot:

! card type command needed for slot/vwic-slot 0/0

but the controllers command is not there to configure this card:

yourname(config)#con?
config-register  configuration  connect  control-plane

What am I missing ?

-- 
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From tvarriale at comcast.net Tue Dec 15 16:54:22 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 15 Dec 2009 15:54:22 -0600
Subject: [c-nsp] https://tools.cisco.com/ certificate revoked?
References: <1260912588.5567.10.camel@localhost>
Message-ID: <30560F7C3A1A4481BAF6ED85DB26CB78@flamdt01>

I was getting that as well. Works now.

tv

----- Original Message ----- 
From: "Peter Rathlev"
To: "cisco-nsp"
Sent: Tuesday, December 15, 2009 3:29 PM
Subject: [c-nsp] https://tools.cisco.com/ certificate revoked?

> Hi,
> 
> Am I the only one hit by the HTTPS certificate for tools.cisco.com
> having been revoked? FF 3.5 won't access the pages, instead returning
> "sec_error_revoked_certificate". I can connect with OpenSSL s_client
> manually.
> 
> -- 
> Peter

From tvarriale at comcast.net Tue Dec 15 16:55:21 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 15 Dec 2009 15:55:21 -0600
Subject: [c-nsp] EEM BGP
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com>
Message-ID: 

No, I haven't as I couldn't figure out how to get that delay to work. Let me put this up in the lab and see what happens. Thanks!
tv

----- Original Message ----- 
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP

> Tony,
>
> Have you considered using EEM multiple event support:
>
> event manager applet t1
>  description Test applet to demonstrate event correlation
>  event tag e1 syslog pattern "syslog msg 1 pattern"
>  event tag e2 syslog pattern "syslog msg 2 pattern"
>  trigger delay 10.0
>   correlate event e1 or event e2
>  action 001 syslog msg "applet t1 triggered 10 seconds after either of syslog message 1 or 2 occur"
> !
>
> Thanks,
>
> Clyde Wildes
> Progrizon, Inc.
> www.progrizon.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Tuesday, December 15, 2009 1:11 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] EEM BGP
>
> I've been having some issues with BGP peers dropping/flapping and tried to come up with a little EEM applet that would not only down a peer based on syslog entries but bring it back up.
>
> The bringing down part is easy and tested to work great. But I'm having a hard time with the bringing up part.
>
> Essentially I want to say, after x minutes, no shut the peer if you see the shut/BGP peer down/another arbitrary message in the syslog.
>
> Any ideas? EEM 2.2 and/or 3.0 are fine. Thanks!
>
> tv

From tim at tetro.net Tue Dec 15 17:04:37 2009
From: tim at tetro.net (Tim Utschig)
Date: Tue, 15 Dec 2009 14:04:37 -0800
Subject: [c-nsp] SSL cert for tools.cisco.com revoked?
In-Reply-To: <20091215204225.GA5205@tetro.net>
References: <20091215204225.GA5205@tetro.net>
Message-ID: <20091215220437.GA5704@tetro.net>

On Tue, Dec 15, 2009 at 12:42:25PM -0800, Tim Utschig wrote:
> I found a Windows PC, and it seems that MSIE care even after
> enabling CRL checking.

Insert "doesn't" before "care". MSIE users will not notice this security issue. Even after checking the box "Check for server certificate revocation*" under Tools -> Internet Options -> Advanced, and rebooting, MSIE (7.0.5730.13 at least, I'm not interested in spending time checking other versions of a browser I avoid using) still doesn't bother checking Verisign's OCSP server.

-- 
   - Tim Utschig

From cwildes at progrizon.com Tue Dec 15 16:31:23 2009
From: cwildes at progrizon.com (Clyde Wildes)
Date: Tue, 15 Dec 2009 13:31:23 -0800
Subject: [c-nsp] EEM BGP
In-Reply-To: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01>
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01>
Message-ID: <00e501ca7dcd$f3680a50$da381ef0$@com>

Tony,

Have you considered using EEM multiple event support:

event manager applet t1
 description Test applet to demonstrate event correlation
 event tag e1 syslog pattern "syslog msg 1 pattern"
 event tag e2 syslog pattern "syslog msg 2 pattern"
 trigger delay 10.0
  correlate event e1 or event e2
 action 001 syslog msg "applet t1 triggered 10 seconds after either of syslog message 1 or 2 occur"
!

Thanks,

Clyde Wildes
Progrizon, Inc.
www.progrizon.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Tuesday, December 15, 2009 1:11 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] EEM BGP

I've been having some issues with BGP peers dropping/flapping and tried to come up with a little EEM applet that would not only down a peer based on syslog entries but bring it back up.

The bringing down part is easy and tested to work great.
But I'm having a hard time with the bringing up part.

Essentially I want to say, after x minutes, no shut the peer if you see the shut/BGP peer down/another arbitrary message in the syslog.

Any ideas? EEM 2.2 and/or 3.0 are fine. Thanks!

tv

From frnkblk at iname.com Tue Dec 15 18:27:20 2009
From: frnkblk at iname.com (Frank Bulk - iName.com)
Date: Tue, 15 Dec 2009 17:27:20 -0600
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To: 
References: 
Message-ID: 

Looks like I will be creating separate L3 domains. ARIN, here I come. =)

Thanks again to this group for this helpful information.

Frank

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tuesday, December 15, 2009 2:14 PM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

The right way to solve it would be to use the ES20 (or more actually the more recent ES+) modules. This would allow you to create a separate EVC/EFP (service-instance) per site, using whatever VLAN IDs (even reusing them, or using QinQ) and then bridge-domain them all to the same central global bridge VLAN, which would be the Layer 3 service endpoint (for DHCP).

"Use the right tools for the job"

Anyway, with your setup, if this is not becoming a big service (which would then make sense to invest in new HW), then maybe you should just break them into separate L3 domains.

Another option is to use the MetroE model of uPE and nPE, where a uPE is used for some parts of the service. This could be a L2 switch (CPE? ME3400-2CS) to do the VLAN translation...

Hope this helps.
Arie

-----Original Message-----
From: Frank Bulk - iName.com [mailto:frnkblk at iname.com]
Sent: Tuesday, December 15, 2009 21:56
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

I have 5 remote sites where I'm doing FTTH and transporting the traffic over a third-party transport gear to our HQ. Each site-HQ link is a separate VLAN and uniquely numbered. My preference is to burn up only one port on the Cisco 7609-S (RSP720-3C with WS-X6748-DFC3C) and transport gear by trunking the traffic between the two boxes. But I don't want to have a separate IP address pool (with associated static IP /24 and web filter /24) for each remote site. I would like each remote site to use the same address pool. So I'm looking for something like IRB.

SiteA   SiteB   SiteC   SiteD   SiteE
  |       |       |       |       |
VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
  |       |       |       |       |
=====================================
                  |
       802.1q tagged (1 thru 5)
                  |
                7609-S
                  |
              DHCP server

I could use the transport gear's VLAN-translation and drop off each site into their own physical port on the 7609-S but have it be the same VLAN, but that's burning more ports on both boxes than what I would like.

But perhaps I have to use separate IP address pools for each remote site. That would have the benefit of reducing the L3-broadcast traffic.

Frank

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Tuesday, December 15, 2009 1:32 PM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Loopback/VLAN question

Frank,

Can you please explain what you want to achieve? I think this should be done in a different way.

Also, what HW do you have?
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iName.com
Sent: Tuesday, December 15, 2009 20:19
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Loopback/VLAN question

I have several uniquely numbered 802.1q tagged links coming into a Cisco 7609-S (12.2(33)SRB3) on a single physical port. I would like to use the same group of subnets for each VLAN and I tried using loopbacks but it doesn't work. Any ideas on what I'm doing wrong?

interface Loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip address a.b.c.1 255.255.255.0
 ip address a.b.d.1 255.255.255.0 secondary
 ip address a.b.e.1 255.255.255.0 secondary
 ip helper-address w.x.y.z
 arp timeout 300

interface Vlan10
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface Vlan11
 ip unnumbered loopback 2
 ip dhcp relay information trusted
 ip dhcp relay information option-insert none
 ip dhcp relay information policy-action keep
 ip helper-address w.x.y.z

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10, 11
 switchport mode trunk
end

From c.spurgeon at mail.utexas.edu Tue Dec 15 18:51:18 2009
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Tue, 15 Dec 2009 17:51:18 -0600
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: 
References: 
Message-ID: <20091215235118.GA13356@argus.gw.utexas.edu>

On Fri, Dec 11, 2009 at 07:44:33AM -0800, Bautista, Noel wrote:
> We're contemplating on upgrading our SUP 720 3BXL from
> 12.2(18)SXF15a native IOS to 12.2(33)SXI3 modular IOS but I read
> from the releasenotes that the "Install" command has been
> deprecated. On Cisco's Safe Harbor IOS Release, they have tested
> and recommend upgrading to modular 12.2(33)SXI3. There's no
> explanation on why they deprecated the "install" command and I'm
> waiting for our Cisco SE response. I'd appreciate any feedback from
> those people who have upgraded to SXI3, in modular or otherwise.

We upgraded three core routers to monolithic 12.2(33)SXI3 on Sunday, Dec 13. One of the upgraded routers started throwing SNMP input queue errors after several hours of runtime. All three routers are polled by the same servers asking for the same OIDs, but only one of the upgraded routers has thrown any SNMP errors:

"Dec 14 14:19:50: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full"

SNMP graphing stopped working coincident with these error msgs. In an attempt to clear the errors we applied these commands that were found when looking for info on this error:

snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded

Roughly coincident with applying those snmp config lines the SP CPU went to 100 percent load, where it has remained stuck ever since. RP CPU is running normally.

We have opened a TAC case, run a number of debugs, removed all SNMP commands, etc. But the SP CPU is still pegged and we haven't been able to find a smoking gun.
The biggest process load on the SP appears to be from an Async write process:

--------------------
NOCA9-sp#show proc cpu | exc 0.00
Load for five secs: 100%/13%; one minute: 99%; five minutes: 99%
Time source is hardware calendar, 10:46:59.677 CST Mon Dec 14 2009

CPU utilization for five seconds: 100%/13%; one minute: 99%; five minutes: 99%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  42       52936      2280      23217  0.63%  0.07%  0.01%   0 Per-minute Jobs
  93    51573408   1269609      40621 67.46% 65.15% 64.79%   0 Async write proc
 111     2197532   3855803        569  1.91%  1.88%  1.91%   0 slcp process
--------------------

We ran debug on SNMP packets and requests and found that the SNMP traffic consists of well-behaved SNMP queries from just our set of servers, polling only the MIB vars needed and there are no high quantities of requests.

Meanwhile, there are an insane number of VeryBig buffers on the RP and equally insane numbers of Medium buffers on the SP being created:

-------------------- RP --------------------
VeryBig buffers, 4520 bytes (total 1013, permanent 10, peak 1016 @ 14:51:06):
     12 in free list (0 min, 100 max allowed)
     584335 hits, 21308 misses, 15077 trims, 16080 created
     14417 failures (0 no memory)

-------------------- SP --------------------
Medium buffers, 256 bytes (total 30359, permanent 3000, peak 30359 @ 00:00:00):
     66 in free list (64 min, 3000 max allowed)
     1659825 hits, 9193 misses, 33 trims, 27392 created
     0 failures (0 no memory)

Other than this, we have not been able to find any other useful info.

Also, we have been seeing errors on a port-channel associated with one of the other routers that was upgraded to SXI3. There have been bursts of errors received on the upstream router from the upgraded router on the two 10GigE ints that make up the port channel. As far as we can tell these ints were running clean until SXI3 was loaded, but we're still investigating this issue.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

From swmike at swm.pp.se Wed Dec 16 01:59:32 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 16 Dec 2009 07:59:32 +0100 (CET)
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To: 
References: 
Message-ID: 

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:

> Looks like I will be creating separate L3 domains.

If you can live with knowing what part of the IP pool belongs in what vlan then you can (this works with static addresses (no dhcp) anyway) route the individual parts of the unnumbered subnets to the vlan interface in question. A static route to an interface means the ARP(s) will be done on that interface, so in conjunction with "local-proxy-arp" (which you seem to have missed in your conf?) you can do this:

int lo20
 ip addr 192.168.1.1 255.255.255.0
int vlan10
 ip unnumbered lo20
 ip local-proxy-arp
int vlan20
 ip unnumbered lo20
 ip local-proxy-arp
ip route 192.168.1.0 255.255.255.128 vlan10
ip route 192.168.1.128 255.255.255.128 vlan20

Now you've split this subnet into two vlans and there is still full communication between them. How this interacts with dhcp, I don't know. You should try your original conf with added "ip local-proxy-arp" anyway.
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From amr.ccie at gmail.com Wed Dec 16 03:01:24 2009
From: amr.ccie at gmail.com (Jason Alex)
Date: Wed, 16 Dec 2009 10:01:24 +0200
Subject: [c-nsp] 7600/RSP720 + SIP-400
In-Reply-To: <5.1.0.14.2.20091215190701.056245d0@efes.iucc.ac.il>
References: <4B27BE27.6060101@forthnet.gr> <5.1.0.14.2.20091215190701.056245d0@efes.iucc.ac.il>
Message-ID: 

HYG

RMS-7606-LB#sh platform hardware capacity system
System Resources
  PFC operating mode: PFC3C
  Supervisor redundancy mode: administratively sso, operationally sso
  Switching resources:
    Module  Part number    Series      CEF mode
      1     7600-SIP-400   CEF256      CEF
      2     WS-X6724-SFP   CEF720      dCEF
      3     WS-X6724-SFP   CEF720      dCEF
      5     RSP720-3C-GE   supervisor  CEF

Regards
Jason
CCIE#24775

On Tue, Dec 15, 2009 at 7:07 PM, Hank Nussbacher wrote:
> At 18:49 15/12/2009 +0200, Tassos Chatzithomaoglou wrote:
>
>> Can someone with a SIP-400 module execute the "sh platform hardware
>> capacity system" command and send me the output?
>> I would prefer people with 7600/RSP720.
>>
>
> Not a RSP720 but close:
>
> petach-tikva-gp#sh platform hardware capacity system
> System Resources
>   PFC operating mode: PFC3BXL
>   Supervisor redundancy mode: administratively sso, operationally sso
>   Switching resources:
>     Module  Part number      Series      CEF mode
>       1     WS-X6582-2PA     CEF256      CEF
>       2     WS-X6582-2PA     CEF256      CEF
>       3     WS-X6582-2PA     CEF256      CEF
>       4     WS-X6582-2PA     CEF256      CEF
>       7     WS-SUP720-3BXL   supervisor  CEF
>       9     WS-X6748-GE-TX   CEF720      dCEF
>      10     WS-X6704-10GE    CEF720      CEF
>      11     7600-SIP-400     CEF256      CEF
>
> -Hank
>
>> --
>> Tassos

From jckdaniels12 at gmail.com Wed Dec 16 04:14:20 2009
From: jckdaniels12 at gmail.com (jack daniels)
Date: Wed, 16 Dec 2009 14:44:20 +0530
Subject: [c-nsp] traffic re-route on FW
Message-ID: <8bb137f40912160114i6aefd2c0raf9609ccaba2c76e@mail.gmail.com>

Hi,

I have a topology

              MPLS                                INTERNET
               |                                     |
               |                                     |
              CE1                                   CE2
        (172.16.1.1/30)                        (172.16.2.1/30)
               |                                     |
               |                                     |
     |-----172.16.1.2/30 (FIREWALL CHECKPOINT) (172.16.2.2/30)-----|

MPLS is my primary link and when it's down I have an IPSEC TUNNEL from CHECKPOINT to remote peer (which is backup)..

I'm confused how FW will be aware that MPLS SP is down and route traffic to Internet IPSEC TUNNEL. <<<<<<<<<<<<<<<<<<<

I don't have license for dynamic routing on CHECKPOINT.

Thanks for help
Jack

From pslund at gmail.com Wed Dec 16 06:27:55 2009
From: pslund at gmail.com (Pär Åslund)
Date: Wed, 16 Dec 2009 12:27:55 +0100
Subject: [c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.
In-Reply-To: 
References: <89b664f30912150346g1e664373xb223fa864ffb6d41@mail.gmail.com> <89b664f30912150545i1f873db7ib8213d42b3931f58@mail.gmail.com>
Message-ID: <89b664f30912160327y21580a0ayce802cda00ec5933@mail.gmail.com>

Hi Lee,

You're right and I'm wrong. Have to use BITW. Thanks for the advice, back to reading more documentation for me.

Best regards,
.pelle

On Tue, Dec 15, 2009 at 4:20 PM, Lee wrote:
> On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund wrote:
>>
>> Hi Lee,
>>
>> No, I don't have it configured with crypto connect. From what I read
>> so far, I don't need that for site-to-site ipsec?
>
> All the docs I read talked about the "bump in the wire" encryption.  Somehow
> or other you have to get the traffic going thru the ipsec card & the only
> way I know of is to use the 'crypto connect' command or the
> much-discouraged-in-the-docs "switchport trunk allowed vlan add NNN" on the
> ipsec card ports.  But I never did dynamic crypto maps, so maybe they do
> some extra magic?
>
>> The asa in the remote office can ping the remote peer ip configured on
>> the 6500. Just seems like bad magic for me right now that for some
>> reason the traffic doesn't seem to reach the IPSEC module.
>
> A fun thing about the 6500 ipsec card is that traffic not matching the
> crypto map goes through unaltered whereas a real router would drop the
> traffic.  If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip
> address is 192.168.1.2 it wouldn't surprise me that the asa can ping the
> 6500.
>
> Another fun thing about the 6500 ipsec card is that routing happens only on
> the cleartext traffic.  By the time the traffic comes out of the ipsec card
> all the routing decisions have been made :(  For example, say you're
> putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel
> endpoint is 192.168.1.1.  If the route for 10.10.10.0/24 is out vlan10 and
> the route for 192.168.1.1 is out vlan 8 it ain't gonna work.  I ended up
> adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a
> work-around.
>
> Then again, I haven't had anything to do with a 6500 ipsec card for over a
> year so maybe they've fixed some of the weirdness that I had to deal with.
>
>> Extra, forgot to show the configuration of the interfaces on module 8
>> - WS-SVC-IPSEC-1
>>
>> Current configuration : 243 bytes
>> !
>> interface GigabitEthernet8/1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 8
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>>
>> interface GigabitEthernet8/2
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan none
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>
> What I ended up with was
>
> interface GigabitEthernet8/0/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 550,551,702
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
> interface GigabitEthernet8/0/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 551,703
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
>
> Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong.. but it did
> work.  We moved all our ipsec tunnels over to asrs a while back, so nothing
> I need to do about it now :)
>
> Regards,
> Lee
>
>> Best regards,
>> .pelle
>>
>> On Tue, Dec 15, 2009 at 1:30 PM, Lee wrote:
>> > Do you have the inside and outside vlan for your ipsec traffic configured
>> > with a crypto connect? eg
>> >
>> > interface Vlan7
>> >  description outside:encrypted traffic
>> >  no ip address
>> >  crypto engine subslot 8/0
>> >  crypto connect vlan8
>> > !
>> > interface Vlan8
>> >  description inside:cleartext traffic
>> >  ip address xxx
>> >  crypto map xxx
>> >  crypto engine subslot 8/0
>> >
>> > Regards,
>> > Lee
>> >
>> > On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund wrote:
>> >>
>> >> Hi,
>> >>
>> >> I have problems with a WS-SVC-IPSEC-1 where I'm trying to set up a
>> >> site-to-site tunnel.
>> >>
>> >> Last night, I got the tunnel up. But after applying an acl to the 6500,
>> >> the tunnel went down and stayed down. Removing configuration just to
>> >> get the tunnel up again and continue trying to get the interesting
>> >> traffic through as intended, the tunnel never comes up. The remote
>> >> device is a ASA 5505, where I haven't touched anything since this
>> >> failure started. From what I can get out of all this, looking at logs
>> >> and crypto statistics, the traffic never gets to the module in slot 8.
>> >>
>> >> show crypto sessions - nothing
>> >> show crypto isakmp sa - nothing
>> >> show crypto ipsec sa - nothing
>> >>
>> >> I can still use packet-tracer on the asa as I could before and the
>> >> flow is created, but nothing ends up in the 6500 logs. debug crypto
>> >> isakmp and debug crypto ipsec are both enabled without anything being
>> >> logged. Any ideas are most welcome. Guess I have missed something
>> >> obvious but right now I just can't figure out what it is.
>> >>
>> >> This is the configuration from the 6500.
>> >>
>> >> crypto isakmp policy 1
>> >>  encr 3des
>> >>  authentication pre-share
>> >>  group 2
>> >> crypto isakmp key address no-xauth
>> >> !
>> >> crypto isakmp client configuration group GROUP1
>> >>  key
>> >>  dns 172.16.9.2
>> >>  domain i.company.com
>> >>  pool vpn
>> >>  acl 101
>> >> crypto isakmp profile ikepro
>> >>   match identity group GROUP1
>> >>   client authentication list userlist
>> >>   isakmp authorization list grouplist
>> >>   client configuration address respond
>> >>   client configuration group GROUP1
>> >> crypto isakmp profile site-to-site
>> >>   keyring default
>> >>   match identity address 255.255.255.255
>> >>   keepalive 60 retry 5
>> >> !
>> >> !
>> >> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
>> >> !
>> >> crypto ipsec profile ipsecpro
>> >>  set transform-set 3dessha
>> >> !
>> >> !
>> >> crypto dynamic-map dynmap 10
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile ikepro
>> >> crypto dynamic-map dynmap 15
>> >>  set peer 76.238.146.205
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile site-to-site
>> >> crypto dynamic-map dynmap 20
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile ikepro
>> >> !
>> >> !
>> >> crypto map vpnmap engine slot 8
>> >> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>> >>
>> >> and then on VLAN 8 where the traffic is supposed to come in:
>> >>
>> >> interface Vlan8
>> >>  ip address 255.255.255.248
>> >>  ip nat outside
>> >>  standby 8 ip
>> >>  standby 8 priority 115
>> >>  standby 8 preempt
>> >>  standby 8 name
>> >>  crypto map vpnmap redundancy
>> >> end
>> >>
>> >> Best regards,
>> >> .pelle
>> >
>> >
>
>

From Dermot.Williams at imaginegroup.ie Wed Dec 16 06:14:29 2009
From: Dermot.Williams at imaginegroup.ie (Dermot Williams)
Date: Wed, 16 Dec 2009 11:14:29 -0000
Subject: [c-nsp] Weird L2TP Problem
Message-ID: <0B4E432C64EA8B45A001DD6E1F0E1D7204059A85@dubexc01.imagine.local>

Hi List,

We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had any major problems with it but today it stopped terminating sessions.
When I enabled terminal monitoring (with no additional debug) I started getting messages like this one:

%L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_session_get_l2x_cfg::241]
-traceback- (snip)
%L2TP-3-ILLEGAL: _____:_____: ERROR: no config
-traceback- (snip)

I tried clearing all L2TP tunnels and they immediately came back up with no sessions. Only a reload worked as far as letting subscribers back on normally.

Does anyone have any idea what these errors mean?

Thanks,

Dermot Williams
Imagine Communications Ltd.

From bacon at walleyesoftware.com Wed Dec 16 07:34:36 2009
From: bacon at walleyesoftware.com (Jeff Bacon)
Date: Wed, 16 Dec 2009 06:34:36 -0600
Subject: [c-nsp] ios upgrade to SXI3
In-Reply-To: 
References: 
Message-ID: <5A69C25361FED34F83ABF05F50475245072BCAF5@wally.walleyetrading.net>

> Cisco doesn't appear to have the engineering resources and/or
> will-power to move IOS into the 20th Century (pre-emptive multitasking
> with memory and process containment.) It is more beneficial for them
> to sell you new products with "better" versions of IOS.
>
> Tim:>

That's not really surprising. I'm not even sure it's a great idea to try, really. IOS is what it is, a coop-multitasking self-mem-managing embedded OS that operates under various sets of assumptions about how its world works (e.g. being able to scribble all over itself). There are God knows how many code branches managed by how many groups running on all manner of hardware, and some of that hardware uses multiple processors and dedicated ASICs. I'd argue that at least some of the hardware doesn't even have the resources to be running a pre-emptive virtual-memory OS. Somehow the idea that they are going to ease this into being a modular OS just doesn't fly.

Spend the effort on something useful, like making sense of the code base or quality control.
From thomas at habets.pp.se Wed Dec 16 07:50:20 2009
From: thomas at habets.pp.se (Thomas Habets)
Date: Wed, 16 Dec 2009 13:50:20 +0100 (CET)
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To: 
References: 
Message-ID: 

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:

> I have 5 remote sites where I'm doing FTTH and transporting the traffic over
> a third-party transport gear to our HQ. Each site-HQ link is a separate
> VLAN and uniquely numbered.

Have you considered re-tagging the VLANs on a cheaper device before the 7600 (which I assume you're sparing because of port cost) and re-tagging them to the same VLAN, with some private vlan conf on there to keep VLANs from talking to each other (assuming you want that)? Then the 7600 will just get all sites on one VLAN.

Re-tagging VLANs does take up a few ports on a cheap switch, but it may be cheaper than using up more ports in the 7600 and the 3rd party transport.

And I never said it wasn't ugly.

> SiteA   SiteB   SiteC   SiteD   SiteE
>   |       |       |       |       |
> VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
>   |       |       |       |       |
> =====================================
>                   |
>        802.1q tagged (1 thru 5)
>                   |
                  2960
                  |||||   <- untagged, one per VLAN
                  the same 2960
>                   |
>                 7609-S
>                   |
>               DHCP server

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From andreas.mueller at zdv.uni-tuebingen.de Wed Dec 16 08:32:07 2009
From: andreas.mueller at zdv.uni-tuebingen.de (Andreas Mueller)
Date: Wed, 16 Dec 2009 14:32:07 +0100
Subject: [c-nsp] NAT-Device with authentication ?
Message-ID: <4B28E157.7030500@zdv.uni-tuebingen.de>

Hello,

are there any (cisco)-NAT-devices which enable the NAT after the user has done some kind of authentication - which is checked against a radius-server or an active directory for example ?
What I need is like a captive portal connected to a NAT-device.

The scenario I try to have is: The user will get its IP-address from a private IP-range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.

thanks for hints && greetings,

Andreas

From lobotiger at gmail.com Wed Dec 16 08:45:20 2009
From: lobotiger at gmail.com (Lobo)
Date: Wed, 16 Dec 2009 08:45:20 -0500
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
Message-ID: <4B28E470.3010300@gmail.com>

We're doing some Catalyst testing to roll out QoS on our Ethernet network and have come up against a hurdle. On most of our backbone links in a MAN, the actual bandwidth between one C/O to another C/O is not always 100Mbps. There are times when the link is only capable of hitting say 80Mbps (we're a wireless isp) or less. Since we have to use a FE port for this type of connection, do the switches believe that they have 100Mbps of bandwidth to play with when putting packets into the appropriate queues?

I'm a bit confused as to how the switches work in this fashion. If I were using CAT5 cables or fiber this would be simple to understand as the bandwidth would be fixed. :)

This is an example of a configuration on a 3550-24 that I'm using:

interface FastEthernet0/x
 mls qos trust dscp
 wrr-queue bandwidth 40 35 25 1
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2
 wrr-queue cos-map 3 3 4 6 7
 wrr-queue cos-map 4 5
 priority-queue out
!

The switches that we use are 2950, 3550, 3750 and 6524s.

With MQC and "layer 3" QoS, I would know how to fix this by simply using the "bandwidth" command on the physical interface and basing my output policy-map to use "bandwidth percent" for each class. Layer 2 QoS doesn't seem to work this way though.

Any help would be appreciated. Thanks.
Jose From braaen at zcorum.com Wed Dec 16 08:56:08 2009 From: braaen at zcorum.com (Brian Raaen) Date: Wed, 16 Dec 2009 08:56:08 -0500 Subject: [c-nsp] NAT-Device with authentication ? In-Reply-To: <4B28E157.7030500@zdv.uni-tuebingen.de> References: <4B28E157.7030500@zdv.uni-tuebingen.de> Message-ID: <200912160856.08948.braaen@zcorum.com> Try searching for Document ID: 13890. It is about setting up auth-proxy with nat. If you can't find it I can send you a pdf I had downloaded. -- ---------------------- Brian Raaen Network Engineer braaen at zcorum.com On Wednesday 16 December 2009, Andreas Mueller wrote: > > Hello, > > are there any (cisco)-NAT-devices which enable the NAT after the user > has done some kind of authentication - which is checked against a > radius-server or an active directory for example ? What I need is like a > captive portal connected to a NAT-device. > The scenario I try to have is: The user will get its IP-address from a > private IP-range via DHCP after connecting his computer to the network.. > With this address he should be able to connect to services within his > internal network. But to connect to computers outside his network he > should authenticate himself. > > thanks for hints && greetings, > > Andreas > > From david.freedman at uk.clara.net Wed Dec 16 09:59:48 2009 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 16 Dec 2009 14:59:48 +0000 Subject: [c-nsp] NAT-Device with authentication ? In-Reply-To: <4B28E157.7030500@zdv.uni-tuebingen.de> References: <4B28E157.7030500@zdv.uni-tuebingen.de> Message-ID: did you look at VLAN segregation pre/post authentication with either 802.1x (integrated auth) or VMPS (external auth)? Dave. Andreas Mueller wrote: > > Hello, > > are there any (cisco)-NAT-devices which enable the NAT after the user > has done some kind of authentication - which is checked against a > radius-server or an active directory for example ? What I need is like a > captive portal connected to a NAT-device. 
> The scenario I try to have is: The user will get its IP-address from a
> private IP-range via DHCP after connecting his computer to the network..
> With this address he should be able to connect to services within his
> internal network. But to connect to computers outside his network he
> should authenticate himself.
>
> thanks for hints && greetings,
>
> Andreas
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dwbielawa at liberty.edu Wed Dec 16 10:04:04 2009
From: dwbielawa at liberty.edu (Bielawa, Daniel W. (NS))
Date: Wed, 16 Dec 2009 10:04:04 -0500
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
In-Reply-To: <4B28E470.3010300@gmail.com>
References: <4B28E470.3010300@gmail.com>
Message-ID: <00C0F7C1912DA04585B1ECA7A0CD3CC0040906E48E@LUEMS04VS.University.liberty.edu>

Hello,

We had the same issue on a couple of links. We solved it with the following command. The number on the end is a percentage of link speed in 1 percent increments. This was done on a 3750G running 12.2(44)SE6; this command might or might not work on other platforms.

srr-queue bandwidth limit (10-90)

Thank You

Daniel Bielawa
Network Engineer
Liberty University Network Services
Email: dwbielawa at liberty.edu
Phone: 434-592-7987

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lobo
Sent: Wednesday, December 16, 2009 8:45 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds

We're doing some Catalyst testing to roll out QoS on our Ethernet network and have come up against a hurdle. On most of our backbone links in a MAN, the actual bandwidth between one C/O to another C/O is not always 100Mbps.
There are times when the link is only capable of hitting say 80Mbps (we're a wireless isp) or less. Since we have to use a FE port for this type of connection, do the switches believe that they have 100Mbps of bandwidth to play with when putting packets into the appropriate queues?

I'm a bit confused as to how the switches work in this fashion. If I were using CAT5 cables or fiber this would be simple to understand as the bandwidth would be fixed. :)

This is an example of a configuration on a 3550-24 that I'm using:

interface FastEthernet0/x
 mls qos trust dscp
 wrr-queue bandwidth 40 35 25 1
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2
 wrr-queue cos-map 3 3 4 6 7
 wrr-queue cos-map 4 5
 priority-queue out
!

The switches that we use are 2950, 3550, 3750 and 6524s.

With MQC and "layer 3" QoS, I would know how to fix this by simply using the "bandwidth" command on the physical interface and basing my output policy-map to use "bandwidth percent" for each class. Layer 2 QoS doesn't seem to work this way though.

Any help would be appreciated. Thanks.

Jose
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From osmcruzl at gmail.com Wed Dec 16 10:46:54 2009
From: osmcruzl at gmail.com (osmcruzl at gmail.com)
Date: Wed, 16 Dec 2009 09:46:54 -0600
Subject: [c-nsp] Help !!
Message-ID:

Hi folks

I'm new here and searching for help because I have to prepare a good network topology in which I can establish a connection between 5 offices, but right now I don't have any idea about what kind of router and switch to use. The scenario is this:

main office with 30 PCs, 1 DNS server, 1 mail server and a DB server, and 5 branches with 20 PCs each, all offices with a different ISP and a static IP. Will it work?
I want to send and receive packets through a VPN tunnel, but I'd like to know what is the best equipment (models) including firewall, VPN security, and all features inside.

Please let me know; any help is welcome.

Thanks in advance, and sorry for my ignorance!

From wim.holemans at ua.ac.be Wed Dec 16 10:44:10 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Wed, 16 Dec 2009 16:44:10 +0100
Subject: [c-nsp] FWSM logging problem
Message-ID:

It seems our FWSM doesn't log all denied ACLs. I blocked an IP address on our FWSM and wanted to see whoever on campus is trying to access this address (Botnet C&C).

I added the following line in the ACL (even raised priority); you can see that the rule triggers when I tried to telnet the address:

access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 log critical interval 30 (hitcnt=9) 0x6e051e8c

There is however no corresponding syslog message on our syslog server or in the buffered logs on the FWSM.

These are our logging settings: already raised queue size, some messages moved to another log level so they don't get sent to our syslog server. ACL log messages are normally of ID 106100 level debugging; I can find several of them on the syslog server but not for the specific ACE.

logging enable
logging timestamp
logging emblem
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging queue 1024
logging host DA-rt x.x.x.x
logging message 305010 level debugging
logging message 305009 level debugging
logging message 302015 level debugging
logging message 302014 level debugging
logging message 302013 level debugging
logging message 302016 level debugging
logging message 302021 level debugging

Does anyone have a clue on how to get all syslog messages for the ACEs that have a log part?
Wim Holemans Netwerkdienst Universiteit Antwerpen From gsgranados at comcast.net Wed Dec 16 11:37:45 2009 From: gsgranados at comcast.net (Scott Granados) Date: Wed, 16 Dec 2009 08:37:45 -0800 Subject: [c-nsp] Help !! References: Message-ID: <002801ca7e6e$1e0707c0$2408120a@am.thmulti.com> This sounds like a good candidate for VPN. We personally use the ASA5520 for a concentrator in a similar application providing both LAN to LAN (branch office connectivity) and VPN Client access for mobile end users and their laptops. Depending on the pipe size and forwarding requirements / branch office sizes you could use Pixes in the field or even routers with VPN functionality and use an ASA as the central concentrator. Lots of ways to get from here to there might be a good time to talk to your Cisco Rep and sales engineer. ----- Original Message ----- From: To: Sent: Wednesday, December 16, 2009 7:46 AM Subject: [c-nsp] Help !! > Hi folks > > I'm new here and searching for help because i have to prepare a good > network > topology in which can stablish a connesction between 5 offices, but now i > dont have any idea about what kind of router and switch do i use. the > scenary is this > > main office with 30 pcs 1 dns server, 1 mail server and db server and 5 > branches with 20 pcs each one all office with different isp with a satatic > ip. is it work ? > > i want to send and receive packets trough a vpn tunnel but i'd like to > know > what is the best equipment (models) including firewall, vpn security, and > all features inside. > > please let me know it , any help is welcome > > > Thanks in advance and sorry by my ignorance ! 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mawhi at vestas.com Wed Dec 16 11:47:41 2009 From: mawhi at vestas.com (Matthew White) Date: Wed, 16 Dec 2009 08:47:41 -0800 Subject: [c-nsp] Help !! In-Reply-To: <002801ca7e6e$1e0707c0$2408120a@am.thmulti.com> References: <002801ca7e6e$1e0707c0$2408120a@am.thmulti.com> Message-ID: If you need branch to branch communications you might want to consider DMVPN (Dynamic Multipoint VPN). cf. http://www.cisco.com/en/US/products/ps6658/index.html -mtw > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados > Sent: Wednesday, December 16, 2009 8:38 AM > To: osmcruzl at gmail.com; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Help !! > > This sounds like a good candidate for VPN. > > We personally use the ASA5520 for a concentrator in a similar > application > providing both LAN to LAN (branch office connectivity) and > VPN Client access > for mobile end users and their laptops. Depending on the > pipe size and > forwarding requirements / branch office sizes you could use > Pixes in the > field or even routers with VPN functionality and use an ASA > as the central > concentrator. > > Lots of ways to get from here to there might be a good time > to talk to your > Cisco Rep and sales engineer. > > > ----- Original Message ----- > From: > To: > Sent: Wednesday, December 16, 2009 7:46 AM > Subject: [c-nsp] Help !! > > > > Hi folks > > > > I'm new here and searching for help because i have to > prepare a good > > network > > topology in which can stablish a connesction between 5 > offices, but now i > > dont have any idea about what kind of router and switch do > i use. 
the > > scenary is this > > > > main office with 30 pcs 1 dns server, 1 mail server and db > server and 5 > > branches with 20 pcs each one all office with different isp > with a satatic > > ip. is it work ? > > > > i want to send and receive packets trough a vpn tunnel but > i'd like to > > know > > what is the best equipment (models) including firewall, vpn > security, and > > all features inside. > > > > please let me know it , any help is welcome > > > > > > Thanks in advance and sorry by my ignorance ! > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From psirt at cisco.com Wed Dec 16 11:55:47 2009 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 16 Dec 2009 11:55:47 -0500 Subject: [c-nsp] Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities Message-ID: <200912161155.webex@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities Advisory ID: cisco-sa-20091216-webex http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml Revision 1.0 For Public Release 2009 December 16 1600 UTC (GMT) Summary ======= Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user. The Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. 
The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server. The WRF Player can also be manually installed for offline playback after downloading the application from www.webex.com.

If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.

Affected Products
=================

Vulnerable Products
- -------------------

The vulnerabilities disclosed in this advisory affect the Cisco WebEx WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are affected. Affected versions of the WRF Player are those prior to the "first fixed" versions, which are shown in the section "Software Versions and Fixes" of this advisory.

To check if a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support -> Downloads section. The version of the WebEx client build will be displayed on the right-hand side of the page under "About Support Center", for example "Client build: 27.11.0.3328".

There is no way to check if a manually installed version of the WRF Player is affected by these vulnerabilities. Therefore, Cisco recommends that users upgrade to the most current version of the player that is available from http://www.webex.com/downloadplayer.html.

Products Confirmed Not Vulnerable
- ---------------------------------

The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF) file format is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution that is managed by and maintained by Cisco WebEx. The WebEx Recording Format (WRF) is a file format that is used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The WRF Player is an application that is used to play back and edit WRF files (files with .wrf extensions). The WRF Player can be automatically installed when the user accesses a WRF file that is hosted on a WebEx server (stream playback mode). The WRF Player can also be manually installed after downloading the application from www.webex.com to play back WRF files locally (offline playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF Player. The vulnerabilities may lead to a crash of the WRF Player application, or in some cases, lead to remote code execution.

To exploit a vulnerability, a malicious WRF file would need to be opened by the WRF Player application. An attacker may be able to accomplish this by providing the malicious WRF file directly to users (for example, via e-mail), or by convincing users to visit a malicious website. The vulnerability cannot be triggered by users attending a WebEx meeting.

These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  * CVE-2009-2875
  * CVE-2009-2876
  * CVE-2009-2877
  * CVE-2009-2878
  * CVE-2009-2879
  * CVE-2009-2880

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score.
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all vulnerabilities in this advisory)

CVSS Base Score - 9.3
    Access Vector           - Network
    Access Complexity       - Medium
    Authentication          - None
    Confidentiality Impact  - Complete
    Integrity Impact        - Complete
    Availability Impact     - Complete

CVSS Temporal Score - 7.7
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of the vulnerabilities described in this document could result in a crash of the Cisco WebEx WRF Player application, and in some cases, allow a remote attacker to execute arbitrary code on the targeted system with the privileges of the user running the WRF Player application.

Software Versions and Fixes
===========================

The table below contains "First Fixed" information for the Cisco WebEx WRF Player that is automatically downloaded from a WebEx site when a WRF hosted on a WebEx site is accessed (stream playback mode). Fixes are cumulative within a major release so for example, if release 27.10.1 is fixed, then release 27.10.2 will have the fix too.
+------------------------------------------------------------+
| Platform  | Major Release 26.x  | Major Release 27.x       |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now   |
| Windows   | now except lockdown | for non-PSO and          |
|           | sites               | non-lockdown sites       |
|-----------+---------------------+--------------------------|
|           | 26.49.35; available | 27.11.8; available now   |
| Mac OS X  | early February 2010 | for non-PSO and          |
|           |                     | non-lockdown sites       |
|-----------+---------------------+--------------------------|
|           | 26.49.35; available | 27.11.8; available now   |
| Linux     | early February 2010 | for non-PSO and          |
|           |                     | non-lockdown sites       |
+------------------------------------------------------------+

PSO and lockdown sites running 27.x will receive the fixes for these vulnerabilities during the next emergency patching (EP) cycle. This advisory will be updated to indicate a specific timeline once one is available.

If the WRF Player was automatically installed, the WebEx WRF Player will be automatically upgraded to the latest, non-vulnerable version when users access a WRF file hosted on a WebEx server. If the WebEx WRF Player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com.

Workarounds
===========

There are no workarounds for the vulnerabilities disclosed in this advisory.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers that need additional information can contact WebEx Global Support Services and Technical Support. WebEx Global Support Services and Technical Support can be reached through the WebEx support site at http://support.webex.com/support/support-overview.html or by phone at +1-866-229-3239 or +1-408-435-7088.

Customers outside of the United States can reference the following link for local support numbers:

http://support.webex.com/support/phone-numbers.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Xiaopeng Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs advisory is available at http://www.fortiguard.com. Cisco would like to thank FortiGuard Labs for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-bulletins at lists.first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release   |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Dec 16, 2009                                Document ID: 110946

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----

From osmcruzl at gmail.com Wed Dec 16 12:17:12 2009
From: osmcruzl at gmail.com (osmcruzl at gmail.com)
Date: Wed, 16 Dec 2009 11:17:12 -0600
Subject: [c-nsp] Help !!
In-Reply-To: <1260980346.6332.21.camel@Andromeda>
References: <1260980346.6332.21.camel@Andromeda>
Message-ID:

Yup, our geographic area is relatively small, no more than 400 km around, and all the branches use a static IP address, and right now they aren't connected.

Please tell me more about it.

Thanks in advance.

On Wed, Dec 16, 2009 at 10:19 AM, Richard Golodner < rgolodner at infratection.com> wrote:

> On Wed, 2009-12-16 at 09:46 -0600, osmcruzl at gmail.com wrote:
> > please let me know it , any help is welcome
>
> If you can tell me how your offices are connected it will be a big help
> in designing a topology. For example Frame-Relay, MPLS, and how far are
> the office apart? Different countries or within the same geographic
> area?
> Richard
>

From tvarriale at comcast.net Wed Dec 16 12:30:34 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 16 Dec 2009 11:30:34 -0600
Subject: [c-nsp] FWSM logging problem
References:
Message-ID: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>

What code are you on? These types of items have been going on for a while in various iterations of code. There's been so many it's hard for me to keep them straight LOL! But, if you post your code I'll try and look up my notes.

In the end, you'll have to call TAC and they will tell you to upgrade to xyz. Try to get a bugid and make sure the recommended upgrade fixes your problem. I've had a couple logging issues that had no id and TAC just said upgrade.

As a side note, have you had the issue of traffic blowing by an ACE?
:) tv ----- Original Message ----- From: "Holemans Wim" To: Sent: Wednesday, December 16, 2009 9:44 AM Subject: [c-nsp] FWSM logging problem > It seems our FWSM doesn't log all denied ACLs. I blocked an IP address > on our FWSM and wanted to see whomever on campus is trying to access > this address (Botnet C&C). > > I added the following line in the ACL (even raised priority), you can > see that the rules triggers when I tried to telnet the address : > > access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 > log critical interval 30 (hitcnt=9) 0x6e051e8c > > > > There is however no corresponding syslog message on our syslog server or > in the buffered logs on the FWSM. > > These are our logging settings : already raised queue size, some > messages moved to another log level so they don't get send to our syslog > server. ACL log messages are normally of ID 106100 level debugging, I > can find several of them on the syslog server but not for the specifiec > ACE. > > > > > > logging enable > > logging timestamp > > logging emblem > > logging console debugging > > logging monitor debugging > > logging buffered debugging > > logging trap informational > > logging asdm informational > > logging queue 1024 > > logging host DA-rt x.x.x.x > > logging message 305010 level debugging > > logging message 305009 level debugging > > logging message 302015 level debugging > > logging message 302014 level debugging > > logging message 302013 level debugging > > logging message 302016 level debugging > > logging message 302021 level debugging > > > > Anyone has a clue on how to get all syslog messages for the ACE's that > have a log part ? 
> > > >
> > Wim Holemans
> > Netwerkdienst Universiteit Antwerpen
> >
> > _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From tvarriale at comcast.net Wed Dec 16 12:38:00 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 16 Dec 2009 11:38:00 -0600
Subject: [c-nsp] EEM BGP
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com>
Message-ID: <765B4353E6674BC59F02E05CCAE42F34@flamdt01>

Well, did a bunch of testing and I am still stuck. So here's the basic idea and config.

When the peer is actually shut, I log a message to syslog (info simplified and anonymized to protect innocent).

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"

This works great. Notice action 140.

To turn the peer back up, I would like to wait 60 seconds (probably 10 minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by EEM" in the syslog as this will tell me when I need to start my timer.

event manager applet BGPADJ_NOSHUT
 event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
 event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
 trigger delay 60
  correlate event bgpevent1 and event bgpevent2
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

This is the part that does not work.
For the correlation, I want to either look for event 1 and 2 or just 2. 1 and 2 is really just a self check.

The apparent problem is that EEM doesn't look at the messages that it injects into syslog. So, the trigger never happens. And as verification, I tried it with event1 or event2. While watching debug it picks up on event1.

Any ideas? Recommendations?

tv

----- Original Message -----
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP

From harbor235 at gmail.com Wed Dec 16 13:03:12 2009
From: harbor235 at gmail.com (harbor235)
Date: Wed, 16 Dec 2009 13:03:12 -0500
Subject: [c-nsp] NAT-Device with authentication ?
In-Reply-To:
References: <4B28E157.7030500@zdv.uni-tuebingen.de>
Message-ID: <836bf1f90912161003s1d32f063hb3751ad2b936fc28@mail.gmail.com>

The cisco ASA proxy authentication would authenticate you prior to being NAT'd; if that fails you are prevented from gaining external access. This can be accomplished for any application you wish. I am sure most if not all enterprise class firewalls have this feature.

Mike

On Wed, Dec 16, 2009 at 9:59 AM, David Freedman wrote:

> did you look at VLAN segregation pre/post authentication with either
> 802.1x (integrated auth) or VMPS (external auth)?
>
> Dave.
>
> Andreas Mueller wrote:
> >
> > Hello,
> >
> > are there any (cisco)-NAT-devices which enable the NAT after the user
> > has done some kind of authentication - which is checked against a
> > radius-server or an active directory for example ? What I need is like a
> > captive portal connected to a NAT-device.
> > The scenario I try to have is: The user will get its IP-address from a
> > private IP-range via DHCP after connecting his computer to the network..
> > With this address he should be able to connect to services within his
> > internal network. But to connect to computers outside his network he
> > should authenticate himself.
> >
> > thanks for hints && greetings,
> >
> > Andreas
> >

From NMaio at guesswho.com Wed Dec 16 13:03:35 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Wed, 16 Dec 2009 13:03:35 -0500
Subject: [c-nsp] FWSM logging problem
In-Reply-To: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>
Message-ID: <2AA600764E54964491083B1E0EC81A302F878B9699@EXCLUS.nationala-1advertising.com>

Tony,

> As a side note, have you had the issue of traffic blowing by an ACE? :)

What are you referring to here? I run both the FWSM and ACE module. We have had a plethora of problems with the ACE. The best is it just stops responding and passing traffic and it doesn't failover when that happens.

Nick

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 12:31 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

What code are you on?

These types of items have been going on for a while in various iterations of code. There's been so many it's hard for me to keep them straight LOL!

But, if you post your code I'll try and look up my notes. In the end, you'll have to call TAC and they will tell you to upgrade to xyz.

Try to get a bugid and make sure the recommended upgrade fixes your problem. I've had a couple logging issues that had no id and TAC just said upgrade.
As a side note, have you had the issue of traffic blowing by an ACE? :)

tv

----- Original Message -----
From: "Holemans Wim"
To:
Sent: Wednesday, December 16, 2009 9:44 AM
Subject: [c-nsp] FWSM logging problem

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> on our FWSM and wanted to see whoever on campus is trying to access
> this address (Botnet C&C).
>
> I added the following line in the ACL (even raised priority), you can
> see that the rule triggers when I tried to telnet the address:
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or
> in the buffered logs on the FWSM.
>
> These are our logging settings: already raised queue size, some
> messages moved to another log level so they don't get sent to our syslog
> server. ACL log messages are normally of ID 106100 level debugging, I
> can find several of them on the syslog server but not for the specific
> ACE.
>
> logging enable
> logging timestamp
> logging emblem
> logging console debugging
> logging monitor debugging
> logging buffered debugging
> logging trap informational
> logging asdm informational
> logging queue 1024
> logging host DA-rt x.x.x.x
> logging message 305010 level debugging
> logging message 305009 level debugging
> logging message 302015 level debugging
> logging message 302014 level debugging
> logging message 302013 level debugging
> logging message 302016 level debugging
> logging message 302021 level debugging
>
> Anyone has a clue on how to get all syslog messages for the ACEs that
> have a log part?
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen

From ecables at gmail.com Wed Dec 16 13:28:32 2009
From: ecables at gmail.com (Eric Cables)
Date: Wed, 16 Dec 2009 10:28:32 -0800
Subject: [c-nsp] FWSM logging problem
In-Reply-To: <2AA600764E54964491083B1E0EC81A302F878B9699@EXCLUS.nationala-1advertising.com>
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01> <2AA600764E54964491083B1E0EC81A302F878B9699@EXCLUS.nationala-1advertising.com>
Message-ID:

What does the output of 'show logging queue' look like? Are msgs being actively discarded? How large of a queue depth is too large -- 2048, 4096, 8192?

--
Eric Cables

On Wed, Dec 16, 2009 at 10:03 AM, wrote:
> Tony,
> > As a side note, have you had the issue of traffic blowing by an ACE? :)
> What are you referring to here? I run both the FWSM and ACE module. We have
> had a plethora of problems with the ACE. The best is it just stops
> responding and passing traffic and it doesn't failover when that happens.
> Nick
>
> [...]
From tvarriale at comcast.net Wed Dec 16 13:33:43 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 16 Dec 2009 12:33:43 -0600
Subject: [c-nsp] FWSM logging problem
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01> <2AA600764E54964491083B1E0EC81A302F878B9699@EXCLUS.nationala-1advertising.com>
Message-ID: <94FF7923B828409EB59BCCD14337190E@flamdt01>

Sorry...Access Control Entry in an ACL on FWSM.
What code are you running on 6500 and ACE that you are having these issues? I've seen that on the appliances in some early 2.x.

tv

----- Original Message -----
From:
To: ;
Sent: Wednesday, December 16, 2009 12:03 PM
Subject: RE: [c-nsp] FWSM logging problem

[...]
From v.jones at networkingunlimited.com Wed Dec 16 13:34:38 2009
From: v.jones at networkingunlimited.com (Vincent C Jones)
Date: Wed, 16 Dec 2009 13:34:38 -0500
Subject: [c-nsp] traffic re-route on FW
In-Reply-To: <8bb137f40912160114i6aefd2c0raf9609ccaba2c76e@mail.gmail.com>
References: <8bb137f40912160114i6aefd2c0raf9609ccaba2c76e@mail.gmail.com>
Message-ID: <1260988478.18237.17.camel@X61.NetworkingUnlimited.nul>

On Wed, 2009-12-16 at 14:44 +0530, jack daniels wrote:
> Hi,
>
> I have a topology
>
>            MPLS                              INTERNET
>             |                                    |
>             |                                    |
>            CE1                                  CE2
>       (172.16.1.1/30)                     (172.16.2.1/30)
>             |                                    |
>             |                                    |
> |-----172.16.1.2/30(FIREWALL CHECKPOINT)(172.16.2.2/30)-------------
>
> MPLS is my primary link and when its down I have a IPSEC TUNNEL from
> CHECKPOINT to remote peer (which is backup)..
> I'm confused how FW will be aware that MPLS SP is down and route traffic to
> Internet IPSEC TUNNEL.<<<<<<<<<<<<<<<<<<<
> I don't have license for dynamic routing on CHECKPOINT.
>
> Thanks for help
> Jack

The simple answer, since you have a presence at both ends for this application, is to put a cheap router at each end (inside the firewalls) and run a routing protocol to select which of two tunnels is used. One tunnel goes over the MPLS network, the other over your IPSec tunnel. An 1811 or SSG-5 will do the job if you're talking T1 speeds.
See the white paper "Redundant Routes in IPSec VPNs" on my web site at http://www.networkingunlimited.com/white009.html for some ideas. It won't provide a cookbook design for you, but it will walk you through the issues and some of the trade offs that you'll need to make.

Good luck and have fun!
--
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com

From ayourtch at cisco.com Wed Dec 16 13:54:33 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 16 Dec 2009 19:54:33 +0100 (CET)
Subject: [c-nsp] FWSM logging problem
In-Reply-To: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>
Message-ID:

On Wed, 16 Dec 2009, Tony Varriale wrote:

> Try to get a bugid and make sure the recommended upgrade fixes your problem.

That's indeed the proper thing to do. And please, after making sure - also let the case owner know, that it did fix the problem - it's a step sometimes overseen :-)

> I've had a couple logging issues that had no id and TAC just said upgrade.

shoot me the case#s unicast, if you still have them. The one I found in a quick search did mention the bug ids along with the pretty detailed explanations for each, but maybe there were some others where there was less info, that I could not find...

> As a side note, have you had the issue of traffic blowing by an ACE? :)

http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ?

There could be some other scenarios where by tweaking the object group one gets the ACL exploded so much that it does not fit into the network processors anymore - then the previously compiled version is being used - but generally you get a pretty prominent warning about that.

thanks,
andrew

> tv
> ----- Original Message -----
> From: "Holemans Wim"
> To:
> Sent: Wednesday, December 16, 2009 9:44 AM
> Subject: [c-nsp] FWSM logging problem
>
>> It seems our FWSM doesn't log all denied ACLs. [...]
>> Wim Holemans
>> Netwerkdienst Universiteit Antwerpen

From ayourtch at cisco.com Wed Dec 16 13:35:26 2009
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Wed, 16 Dec 2009 19:35:26 +0100 (CET)
Subject: [c-nsp] FWSM logging problem
In-Reply-To:
References:
Message-ID:

On Wed, 16 Dec 2009, Holemans Wim wrote:

> It seems our FWSM doesn't log all denied ACLs. I blocked an IP address
> on our FWSM and wanted to see whoever on campus is trying to access
> this address (Botnet C&C).
>
> I added the following line in the ACL (even raised priority), you can
> see that the rule triggers when I tried to telnet the address:
>
> access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4
> log critical interval 30 (hitcnt=9) 0x6e051e8c
>
> There is however no corresponding syslog message on our syslog server or
> in the buffered logs on the FWSM.

Any chances you'd have "%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit " somewhere?

Check on "show access-list" output:

FWSM(config)# sh access-list | inc flows
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1)

Here I've configured 1 flow. Once you reach the flow limit, the further logs are suppressed (AFAIK, with the logic being, that since the whole idea behind the "log" is to decrease the amount of logging messages, if we get a lot of hits, we are probably already under stress, so would not want to stress further by downgrading the logs to sending them per-packet).
If you have a lot of ACEs that are marked with "log" keyword, this might be what you see. Decreasing the interval should help to keep the # of logs under max.

> These are our logging settings: already raised queue size, some
> messages moved to another log level so they don't get sent to our syslog
> server. ACL log messages are normally of ID 106100 level debugging, I
> can find several of them on the syslog server but not for the specific
> ACE.

For the specific ACE, you can remove the "log" keyword. Bit counter-intuitive as this might seem, it would not stop the logging for the denied sessions - just the messages will be different ("firewall-style"):

%FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0]

instead of:

%FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0]

That 106023 will be sent one-message-per-hit. So I think it should precisely fit what you are looking for.

cheers,
andrew

From NMaio at guesswho.com Wed Dec 16 14:00:50 2009
From: NMaio at guesswho.com (NMaio at guesswho.com)
Date: Wed, 16 Dec 2009 14:00:50 -0500
Subject: [c-nsp] FWSM logging problem
In-Reply-To: <94FF7923B828409EB59BCCD14337190E@flamdt01>
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01> <2AA600764E54964491083B1E0EC81A302F878B9699@EXCLUS.nationala-1advertising.com> <94FF7923B828409EB59BCCD14337190E@flamdt01>
Message-ID: <2AA600764E54964491083B1E0EC81A302F878B9733@EXCLUS.nationala-1advertising.com>

Oops..sorry for the confusion. We are working with TAC and the BU directly with this. They are aware of the issue and acknowledge that it is happening across all code releases A2(1.x/2.x/3.x). Unfortunately when this happens you can't even run any diag commands. I have a plugin from TAC that dumps to the Linux shell of the blade but it looks like whatever process that runs away is dynamic and they don't know what it is yet.
They acknowledge we are not the only customer.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 1:34 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM logging problem

[...]
From tvarriale at comcast.net Wed Dec 16 14:14:55 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 16 Dec 2009 13:14:55 -0600
Subject: [c-nsp] FWSM logging problem
References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01>
Message-ID:

----- Original Message -----
From: "Andrew Yourtchenko"
To: "Tony Varriale"
Cc:
Sent: Wednesday, December 16, 2009 12:54 PM
Subject: Re: [c-nsp] FWSM logging problem

> That's indeed the proper thing to do. And please, after making sure - also
> let the case owner know, that it did fix the problem - it's a step
> sometimes overseen :-)

Yup sure is. :(

> shoot me the case#s unicast, if you still have them. The one I found in a
> quick search did mention the bug ids along with the pretty detailed
> explanations for each, but maybe there were some others where there was
> less info, that I could not find...

I haven't fielded one of these in a little while. Last one was earlier this year. I'll have to look.

> http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml ?
>
> There could be some other scenarios where by tweaking the object group one
> gets the ACL exploded so much that it does not fit into the network
> processors anymore - then the previously compiled version is being used -
> but generally you get a pretty prominent warning about that.

Nope...NP was fine. How we found it was the ACE not getting hits. So, we then added an ACE next below the one that was getting passed over and it would get hit. Obviously this actually added to the size :)

> thanks,
> andrew

No problem. :)

tv

From oboehmer at cisco.com Wed Dec 16 14:26:50 2009
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 16 Dec 2009 20:26:50 +0100
Subject: [c-nsp] Weird L2TP Problem
In-Reply-To: <0B4E432C64EA8B45A001DD6E1F0E1D7204059A85@dubexc01.imagine.local>
References: <0B4E432C64EA8B45A001DD6E1F0E1D7204059A85@dubexc01.imagine.local>
Message-ID: <6E4D2678AC543844917CA081C9D6B33FE334B1@XMB-AMS-103.cisco.com>

> We've a 7301 running IOS 12.3(4r)T4 acting as an LNS. We've never had
> any major problems with it but today it stopped terminating sessions.
> When I enabled terminal monitoring (with no additional debug) I started
> getting messages like this one:
>
> %L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_session_get_l2x_cfg::241]
> -traceback- (snip)
>
> %L2TP-3-ILLEGAL: _____:_____: ERROR: no config -traceback- (snip)

you might have hit CSCsi90461, fixed in 12.4(11)T4 and 12.4(15)T1 (among others).

oli

From felixnkansah at gmail.com Wed Dec 16 14:31:33 2009
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 16 Dec 2009 19:31:33 +0000
Subject: [c-nsp] Cisco IPS vs TippingPoint
Message-ID: <18dba4e50912161131s1418b108me741b574033e2d79@mail.gmail.com>

Hi All,

I would like to know how the TippingPoint IPS platform compares with the Cisco IPS in terms of functionality and effectiveness.

My experience is with the Cisco offering, but I have read some very good reviews about TippingPoint IPS and wanted to read your experience with it.
Thanks.
Felix

From gsgranados at comcast.net Wed Dec 16 14:53:11 2009
From: gsgranados at comcast.net (Scott Granados)
Date: Wed, 16 Dec 2009 11:53:11 -0800
Subject: [c-nsp] Cisco IPS vs TippingPoint
References: <18dba4e50912161131s1418b108me741b574033e2d79@mail.gmail.com>
Message-ID: <011801ca7e89$6b6968d0$2408120a@am.thmulti.com>

Anything is better than the Cisco IPS in our testing. The Tipping point is quite good as is the Juniper IDP (75, 250, 800, 8200 etc). I've used the tipping point and it was quite good and the reporting functionality was superior.

If you're interested in this space also check out Juniper, ISS, Source Fire, and don't shoot me but McAfee. In terms of actual threat detection the vendors all did fairly well with the exception of Cisco. The units we tested as well as other 3rd party tests you can find by googling show Cisco falls short by about 40% in terms of threats detected.

Get yourself some hands on demos of all these products if this is an area you're seriously interested in.

HTH
Scott

----- Original Message -----
From: "Felix Nkansah"
To:
Sent: Wednesday, December 16, 2009 11:31 AM
Subject: [c-nsp] Cisco IPS vs TippingPoint

> Hi All,
>
> I would like to know how the TippingPoint IPS platform compares with the
> Cisco IPS in terms of functionality and effectiveness.
>
> My experience is with the Cisco offering, but I have read some very good
> reviews about TippingPoint IPS and wanted to read your experience with it.
>
> Thanks.
> Felix

From peter at rathlev.dk Wed Dec 16 14:55:58 2009
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 16 Dec 2009 20:55:58 +0100
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
In-Reply-To: <4B28E470.3010300@gmail.com>
References: <4B28E470.3010300@gmail.com>
Message-ID: <1260993358.2244.39.camel@localhost>

On Wed, 2009-12-16 at 08:45 -0500, Lobo wrote:
[...]
> There are times when the link is only capable of hitting say 80Mbps
> (we're a wireless isp) or less.
>
> Since we have to use a FE port for this type of connection, do the
> switches believe that they have 100Mbps of bandwidth to play with when
> putting packets into the appropriate queues?

The interface will take packets from the output queue and send them as fast as it can, so as long as there are packets to be sent they will be sent at 100 mbps.

> I'm a bit confused as to how the switches work in this fashion. If I
> were using CAT5 cables or fiber this would be simple to understand as
> the bandwidth would be fixed. :)

The interesting things happen in the box that converts from 100 mbps to something less, i.e. the wireless bridge. Why is it sometimes less than 100 mbps? Is it simple loss because of varying signal quality? Does the wireless bridge compensate for this loss by retransmitting at layer 1, meaning a little RTT variance and some lost bandwidth? Or does it just drop and let the overlying protocols handle this? (In short: how do you measure it? TCP throughput is not a reliable measurement.)

About the switch: The WRR you configure (on a 3550) is "Weighted Round Robin"; it doesn't define anything relating to how much bandwidth there actually is, it just defines how many packets from each queue to serve to the interface tx ring in each turn.
The important bit though is IMHO that you use the priority queueing. This means that queue 4 (CoS 5) will _always_ be sent first. This should minimise loss when traffic crosses the wireless bridge.

> The switches that we use are 2950, 3550, 3750 and 6524s.
>
> With MQC and "layer 3" QoS, I would know how to fix this by simply using
> the "bandwidth" command on the physical interface and basing my output
> policy-map to use "bandwidth percent" for each class. Layer 2 QoS
> doesn't seem to work this way though.

On the 3750 you can use what Daniel mentioned: "srr-queue bandwidth limit". AFAIK this just uses a time divisioning on the interface and throws away unused timeslots. Bear in mind that if the wireless bridge has a very shallow queue this might not work very well.

This command isn't available on the 2950 or 3550. And even though a few (10GE) ports on the 6500/7600 platform support SRR, you can't cap the interface as such like this.

--
Peter

From scott at labyrinth.org Wed Dec 16 15:11:26 2009
From: scott at labyrinth.org (Scott Keoseyan)
Date: Wed, 16 Dec 2009 15:11:26 -0500
Subject: [c-nsp] Cisco IPS vs TippingPoint
In-Reply-To: <18dba4e50912161131s1418b108me741b574033e2d79@mail.gmail.com>
References: <18dba4e50912161131s1418b108me741b574033e2d79@mail.gmail.com>
Message-ID: <007401ca7e8b$f3ae22b0$db0a6810$@org>

Felix,

I'd take a look at the recent info from NSS Labs and some of the responses from TP if you're looking at evaluating them.
http://www.networkworld.com/news/2009/120709-ips-tests.html
http://nsslabs.blogspot.com/2009/12/tippingpoint-tests.html
http://tippingpointblog.com/2009/12/04/update-on-tippingpoint-third-party-product-testing/

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Wednesday, December 16, 2009 2:32 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco IPS vs TippingPoint

Hi All, I would like to know how the TippingPoint IPS platform compares with the Cisco IPS in terms of functionality and effectiveness. My experience is with the Cisco offering, but I have read some very good reviews about TippingPoint IPS and wanted to read your experience with it. Thanks. Felix

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From avayner at cisco.com Wed Dec 16 15:13:13 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 16 Dec 2009 21:13:13 +0100
Subject: [c-nsp] EEM BGP
In-Reply-To: <765B4353E6674BC59F02E05CCAE42F34@flamdt01>
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01><00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01>
Message-ID:

Tony, Why do you want to look for the Syslog event? It would happen anyway inside your original script, right?
Maybe try something like this:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600 maxrun 700
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 135 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 140 cli command "do ping 1.1.1.1 repeat 1 timeout 600"
 action 150 cli command "no neighbor 172.16.10.3 shutdown"
 action 155 syslog msg "Neighbor 172.16.10.3 no shutdown by EEM"

(we assume that 1.1.1.1 is not pingable. You can route it to null0 if you like)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 19:38
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] EEM BGP

Well, did a bunch of testing and I am still stuck. So here's the basic idea and config. When the peer is actually shut, I log a message to syslog (info simplified and anonymized to protect innocent).

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"

This works great. Notice action 140. To turn the peer back up, I would like to wait 60 seconds (probably 10 minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by EEM" in the syslog as this will tell me when I need to start my timer.

event manager applet BGPADJ_NOSHUT
 event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
 event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
 trigger delay 60
  correlate event bgpevent1 and event bgpevent2
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

This is the part that does not work. For the correlation, I want to either look for event 1 and 2 or just 2. 1 and 2 is really just a self check. The apparent problem is that EEM doesn't look at the messages that it injects into syslog. So, the trigger never happens. And as verification, I tried it with event1 or event2. While watching debug it picks up on event1. Any ideas? Recommendations?

tv

----- Original Message -----
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Tuesday, December 15, 2009 3:31 PM
Subject: RE: [c-nsp] EEM BGP

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mack.mcbride at viawest.com Wed Dec 16 16:10:13 2009
From: mack.mcbride at viawest.com (Mack McBride)
Date: Wed, 16 Dec 2009 13:10:13 -0800
Subject: [c-nsp] 7600 SIP-600 w/ SPA-10GE
Message-ID:

Does anyone have any experience with the SIP-600 for the 7600/6500 Platform? The PFC-3CXL/3BXL does not provide TCP flags in netflow data. We are interested in potentially using the SIP-600 with a 10GE SPA to work around the limitation of the PFCs on the non-NPU blade we currently use. Does anyone have any experience with this?

LR Mack McBride
Network Architect
ViaWest, Inc

*** Disclaimer: The above message is strictly my own opinion and does not reflect opinions or policies of my employer.

From cwildes at progrizon.com Wed Dec 16 17:06:12 2009
From: cwildes at progrizon.com (Clyde Wildes)
Date: Wed, 16 Dec 2009 14:06:12 -0800
Subject: [c-nsp] EEM BGP
In-Reply-To: <765B4353E6674BC59F02E05CCAE42F34@flamdt01>
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01>
Message-ID: <001e01ca7e9b$fab61cb0$f0225610$@com>

Tony,

Yes, EEM does not screen on the syslog messages that it emits. When we built the EEM syslog Event Detector the test team insisted that we implement it this way to prevent recursion. ;-)

You can always use an application specific event to trigger policy B from policy A. You could use a trigger statement to delay the running of policy B if desired. Use the following:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 150 publish-event sub-system 798 type 100 arg1 "shutdown"

event manager applet BGPADJ_NOSHUT
 event tag bgpevent2 application sub-system 798 type 100
 trigger delay 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

Thanks,
Clyde
Progrizon, Inc.
www.progrizon.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Wednesday, December 16, 2009 9:38 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] EEM BGP

Well, did a bunch of testing and I am still stuck. So here's the basic idea and config. When the peer is actually shut, I log a message to syslog (info simplified and anonymized to protect innocent).

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"

This works great. Notice action 140. To turn the peer back up, I would like to wait 60 seconds (probably 10 minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by EEM" in the syslog as this will tell me when I need to start my timer.

event manager applet BGPADJ_NOSHUT
 event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
 event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
 trigger delay 600
  correlate event bgpevent1 and event bgpevent2
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

This is the part that does not work. For the correlation, I want to either look for event 1 and 2 or just 2. 1 and 2 is really just a self check. The apparent problem is that EEM doesn't look at the messages that it injects into syslog. So, the trigger never happens. And as verification, I tried it with event1 or event2. While watching debug it picks up on event1. Any ideas? Recommendations?
tv ----- Original Message ----- From: "Clyde Wildes" To: "'Tony Varriale'" ; Sent: Tuesday, December 15, 2009 3:31 PM Subject: RE: [c-nsp] EEM BGP _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From berni at birkenwald.de Wed Dec 16 18:02:22 2009 From: berni at birkenwald.de (Bernhard Schmidt) Date: Wed, 16 Dec 2009 23:02:22 +0000 (UTC) Subject: [c-nsp] IPv6 nd ra suppress broken on SXI3? References: <4B27AFAC.7090305@Janoszka.pl> Message-ID: Grzegorz Janoszka wrote: > We recently upgraded one of our routers to 12.2(33)SXI3 (from SXF). Soon > after the upgrade one of our customers complained that he started to see > RA messages. From the beginning on his interface we have "ipv6 nd ra > suppress", I added "ipv6 nd ra mtu suppress", but the customer says he > still sees that. > Has anyone seen broken ra suppression on SXI3? I can confirm that for pretty much the whole SXI* series, IIRC even in SXH*. It seems to disable sending of unsolicited RAs, but it still answers to router solicitations. Bernhard From ayourtch at cisco.com Wed Dec 16 18:13:31 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Thu, 17 Dec 2009 00:13:31 +0100 (CET) Subject: [c-nsp] FWSM logging problem In-Reply-To: References: <69D440D7BA3B4935811822D9A8F83EA5@flamdt01> Message-ID: On Wed, 16 Dec 2009, Tony Varriale wrote: >> gets the ACL exploded so much that it does not fit into the network >> processors anymore - then the previously compiled version is being used - >> but generally you get a pretty prominent warning about that. > > Nope...NP was fine. How we found it was the ACE not getting hits. So, we > then added an ACE next below the one that was getting passed over and it > would get hit. Obviously this actually added to the size :) No, if you'd hit the size limitation you'd see a prominent warning. 
So got to be something different. If you get this to happen again, that'd be a case indeed. (And if it's something new that's something that we would need to replicate here in the lab, so the more context details you have around it, that might help this effort - the better). kind regards, andrew

From brett at looney.id.au Wed Dec 16 19:15:57 2009
From: brett at looney.id.au (Brett Looney)
Date: Thu, 17 Dec 2009 08:15:57 +0800
Subject: [c-nsp] NAT-Device with authentication ?
In-Reply-To: <4B28E157.7030500@zdv.uni-tuebingen.de>
References: <4B28E157.7030500@zdv.uni-tuebingen.de>
Message-ID: <02ba01ca7eae$218a9520$649fbf60$@id.au>

> are there any (cisco)-NAT-devices which enable the NAT after the user
> has done some kind of authentication - which is checked against a
> radius-server or an active directory for example ?

You're probably looking for the IOS auth-proxy feature. A configuration example is here:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

It works well - there is a limit on how big your HTML file can be - I've gotten around this where a customer wanted to display a large terms and conditions page by putting those in an IFRAME and serving it from an external web server. You can also specify hosts that can be reached without authentication by tweaking the access list. HTH. B.

From wim.holemans at ua.ac.be Thu Dec 17 03:37:00 2009
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Thu, 17 Dec 2009 09:37:00 +0100
Subject: [c-nsp] FWSM logging problem
In-Reply-To:
References:
Message-ID:

To answer all questions about versions etc. We are running 3.1(4), not the latest I know, but people here are 'allergic' to network downtime and with semester exams coming up, I won't be able to upgrade before February.
I removed the log option from the rule which should have given me 106023 messages in my logs but they don't show up ; the ACE is being hit however : access-list Internet-out line 24 extended deny ip any host x.x.x.x (hitcnt=13) 0x6e051e8c As far as I can tell, there is no queue problem : Logging Queue length limit : 1024 msg(s), 30947037 msg(s) discarded. Current 502 msg on queue, 512 msgs most on queue I raised the limit to 1024 yesterday and the number of discards stayed the same since then. There doesn't seem to be a caching problem either : fwcdep/fwcdep1# sh access-list | incl cache access-list cached ACL log flows: total 5, denied 3 (deny-flow-max 4096) I'll have to live with this until I can upgrade. Wim -----Original Message----- From: Andrew Yourtchenko [mailto:ayourtch at cisco.com] Sent: woensdag 16 december 2009 19:35 To: Holemans Wim Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] FWSM logging problem On Wed, 16 Dec 2009, Holemans Wim wrote: > It seems our FWSM doesn't log all denied ACLs. I blocked an IP address > on our FWSM and wanted to see whomever on campus is trying to access > this address (Botnet C&C). > > I added the following line in the ACL (even raised priority), you can > see that the rules triggers when I tried to telnet the address : > > access-list Internet-out line 24 extended deny ip any host X1.X2.X3.X4 > log critical interval 30 (hitcnt=9) 0x6e051e8c > > > > There is however no corresponding syslog message on our syslog server or > in the buffered logs on the FWSM. Any chances you'd have "%FWSM-1-106101: Number of cached deny-flows for ACL log has reached limit " somewhere ? Check on "show access-list" output: FWSM(config)# sh access-list | inc flows access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 1) Here I've configured 1 flow. 
Once you reach the flow limit, the further logs are suppressed (AFAIK, with the logic being, that since the whole idea behind the "log" is to decrease the amount of logging messages, if we get a lot of hits, we are probably already under stress, so would not want to stress further by downgrading the logs to sending them per-packet). If you have a lot of ACEs that are marked with "log" keyword, this might be what you see. Decreasing the interval should help to keep the # of logs under max. > > These are our logging settings : already raised queue size, some > messages moved to another log level so they don't get send to our syslog > server. ACL log messages are normally of ID 106100 level debugging, I > can find several of them on the syslog server but not for the specifiec > ACE. For the specific ACE, you can remove the "log" keyword. Bit counter-intuitive as this might seem, it would not stop the logging for the denied sessions - just the messages will be different ("firewall-style"): %FWSM-4-106023: Deny icmp src outside:X.1.1.1 dst inside:Y.1.1.1 (type 8, code 0) by access-group "foo" [0x17a38302, 0x0] instead of: %FWSM-6-106100: access-list foo denied icmp outside/X.1.1.1(0) -> inside/Y.1.1.3(8) hit-cnt 1 (first hit) [0xe6aea397, 0x0] That 106023 will be sent one-message-per-hit. So I think it should precisely fit what you are looking for. cheers, andrew From j.varaillon at cosmoline.com Thu Dec 17 05:22:46 2009 From: j.varaillon at cosmoline.com (Varaillon Jean Christophe) Date: Thu, 17 Dec 2009 12:22:46 +0200 Subject: [c-nsp] NEXUS Family - Success full experience in unified SAN/LAN? In-Reply-To: References: Message-ID: <003401ca7f02$e0d29640$a277c2c0$%varaillon@cosmoline.com> Hi, I would like to know if anyone is using NEXUS (7000/5000/2000) in unification of fiber channel and Ethernet in one network. Did it allow to save cost? Is it a major advantage towards traditional isolated equipment LAN/SAN? 
Were major issues brought up over simple things like LACP, QoS..? Was the local integrator able to push the Cisco TAC/Developers team as/if necessary?

Thank you,

Jean-Christophe VARAILLON
-------------------------
Data Network Engineer
Cosmoline - www.cosmoline.co
40th km Attiki Odos Rest Area Mesogea
190 02 Peania, Greece
my: phone +30 212 212 2211
my: cell +30 694 556 4826
my: fax2mail +30 212 212 9905
my: e-mail j.varaillon at cosmoline.com

IMPORTANT NOTICE: This email and any of its attachments are intended only for the recipient(s) named above and are confidential and/or contain trade secrets. Any unauthorized use, e.g. review, printing, copying or distribution by other persons, is prohibited and may constitute a criminal offence. If you have received this email in error, please notify the sender immediately and delete the original message.

From walter.keen at RainierConnect.net Thu Dec 17 06:01:29 2009
From: walter.keen at RainierConnect.net (Walter Keen)
Date: Thu, 17 Dec 2009 03:01:29 -0800
Subject: [c-nsp] SNMP check of ospf neighbors in SRD2a?
Message-ID: <4B2A0F89.2030600@rainierconnect.net>

It looks like we lost the ability to check OSPF neighbors via snmp in SRD?
See below. Host xx.xx.222.194 is running 12.2(33r)SRC3. Host xx.xx.208.1 was just upgraded to 12.2(33)SRD2a (and both checks below really are checking neighbors that ARE in a full state, verified from the CLI).

root at tnwx-mntr-1:/usr/lib/nagios/plugins# ./check_ospf.0.1.pl -H xx.xx.222.194 -C cacti -p xx.xx.205.3
OK - xx.xx.205.3 (Router ID 74.50.207.81) state is full(8)
root at tnwx-mntr-1:/usr/lib/nagios/plugins# ./check_ospf.0.1.pl -H xx.xx.208.1 -C cacti -p xx.xx.221.98
CRITICAL - xx.xx.221.98 is not in neighbor table.
root at tnwx-mntr-1:/usr/lib/nagios/plugins#

I've asked the TAC about this, does anyone here know if this is a known issue with SRD2a? (Hardware is a 7600 with a SUP720-3b) Worst case I'll schedule another day to downgrade to SRC3, but curious if anyone here knows about this.

From lobotiger at gmail.com Thu Dec 17 08:36:54 2009
From: lobotiger at gmail.com (Lobo)
Date: Thu, 17 Dec 2009 08:36:54 -0500
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
In-Reply-To: <00C0F7C1912DA04585B1ECA7A0CD3CC0040906E48E@LUEMS04VS.University.liberty.edu>
References: <4B28E470.3010300@gmail.com> <00C0F7C1912DA04585B1ECA7A0CD3CC0040906E48E@LUEMS04VS.University.liberty.edu>
Message-ID: <4B2A33F6.80309@gmail.com>

Wow thanks Daniel that did the trick on the 3750 platform! Here's a sample config in case anyone ever needs it:

interface FastEthernet1/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666-670
 switchport mode trunk
 load-interval 30
 srr-queue bandwidth share 1 25 35 40
 srr-queue bandwidth shape 10 0 0 0
 srr-queue bandwidth limit 80
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

Jose

On 12/16/2009 10:04 AM, Bielawa, Daniel W. (NS) wrote: > Hello, > We had the same issue on couple of links. We solved it with the following command. The number on the end is a percentage of link speed in 1 percent increments.
This was done on a 3750G running 12.2(44)SE6, this command might or might not work on other platforms. > > srr-queue bandwidth limit (10-90) > > Thank You > > Daniel Bielawa > Network Engineer > Liberty University Network Services > Email: dwbielawa at liberty.edu > Phone: 434-592-7987 > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lobo > Sent: Wednesday, December 16, 2009 8:45 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds > > We're doing some Catalyst testing to roll out QoS on our Ethernet > network and have come up against a hurdle. On most of our backbone > links in a MAN, the actual bandwidth between one C/O to another C/O is > not always 100Mbps. There are times when the link is only capable of > hitting say 80Mbps (we're a wireless isp) or less. > > Since we have to use a FE port for this type of connection, do the > switches believe that they have 100Mbps of bandwidth to play with when > putting packets into the appropriate queues? > > I'm a bit confused as to how the switches work in this fashion. If I > were using CAT5 cables or fiber this would be simple to understand as > the bandwidth would be fixed. :) > > This is an example of a configuration on a 3550-24 that I'm using: > > > interface FastEthernet0/x > mls qos trust dscp > wrr-queue bandwidth 40 35 25 1 > wrr-queue cos-map 1 0 1 > wrr-queue cos-map 2 2 > wrr-queue cos-map 3 3 4 6 7 > wrr-queue cos-map 4 5 > priority-queue out > ! > > The switches that we use are 2950, 3550, 3750 and 6524s. > > With MQC and "layer 3" QoS, I would know how to fix this by simply using > the "bandwidth" command on the physical interface and basing my output > policy-map to use "bandwidth percent" for each class. Layer 2 QoS > doesn't seem to work this way though. > > Any help would be appreciated. > > Thanks. 
> > Jose > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lobotiger at gmail.com Thu Dec 17 08:40:10 2009 From: lobotiger at gmail.com (Lobo) Date: Thu, 17 Dec 2009 08:40:10 -0500 Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds In-Reply-To: <1260993358.2244.39.camel@localhost> References: <4B28E470.3010300@gmail.com> <1260993358.2244.39.camel@localhost> Message-ID: <4B2A34BA.5050005@gmail.com> Hi Peter. The reason why the radio only works at less than 100M is because that's all the bandwidth it has. This is licensed based wireless technology for point to point shots between buildings. Bandwidths can be anywhere from 18M to 400M depending on which frequency you use and radio brand. For that 400M radio we use Gig interfaces so we would need to use the bandwidth limit command to make sure that it only operates at 40% vs 100%. So for the 2950s and 3550s it looks like we may not have much wiggle room. My recommendation might be to upgrade those all to 3750s. :) Thanks. Jose On 12/16/2009 2:55 PM, Peter Rathlev wrote: > On Wed, 2009-12-16 at 08:45 -0500, Lobo wrote: > [...] > >> There are times when the link is only capable of hitting say 80Mbps >> (we're a wireless isp) or less. >> >> Since we have to use a FE port for this type of connection, do the >> switches believe that they have 100Mbps of bandwidth to play with when >> putting packets into the appropriate queues? >> > The interface will take packets from the output queue and send them as > fast as it can, so as long as there are packets to be sent they will be > sent at 100 mbps. 
> > >> I'm a bit confused as to how the switches work in this fashion. If I >> were using CAT5 cables or fiber this would be simple to understand as >> the bandwidth would be fixed. :) >> > The interesting things happen in the box that converts from 100 mbps to > something less, i.e. the wireless bridge. Why is it sometimes less than > 100 mbps? Is it simple loss because of varying signal quality? Does the > wireless bridge compensate for this loss by retransmitting at layer 1, > meaning a little RTT variance and some lost bandwidth? Or does it just > drop and let the overlying protocols handle this? (In short: how do you > measure it? TCP throughput is not a reliable measurement.) > > About the switch: The WRR you configure (on a 3550) is "Weighted Round > Robin"; it doesn't define anything relating to how much bandwidth there > actually is, it just defines how many packets from each queue to serve > to the interface tx ring in each turn. > > The important bit though is IMHO that you use the priority queueing. > This means that queue 4 (CoS 5) will _always_ be sent first. This should > minimise loss when traffic crosses the wireless bridge. > > >> The switches that we use are 2950, 3550, 3750 and 6524s. >> >> With MQC and "layer 3" QoS, I would know how to fix this by simply using >> the "bandwidth" command on the physical interface and basing my output >> policy-map to use "bandwidth percent" for each class. Layer 2 QoS >> doesn't seem to work this way though. >> > On the 3750 you can use what Daniel mentioned: "srr-queue bandwidth > limit". AFAIK this just uses a time divisioning on the interface and > throws away unused timeslots. Bear in mind that if the wireless bridge > has a very shallow queue this might not work very well. > > This command isn't available on the 2950 or 3550. And even though a few > (10GE) ports one the 6500/7600 platform support SRR, you can't cap the > interface as such like this. 
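An added illustration for this thread (my own Python model, not Cisco code and not posted by anyone in the thread): it implements the scheduler Peter describes, three WRR queues with the weights and CoS map from Jose's 3550 config and a strict priority queue for CoS 5 ("priority-queue out"), and approximates the 3750's "srr-queue bandwidth limit 80" by idling 20% of the transmit slots. One packet per slot, equal packet sizes and unlimited queue depth are simplifying assumptions. Besides reproducing the 40/35/25 split, it shows the failure mode worth having on record when the port is configured with "mls qos trust dscp": the priority queue is served unconditionally, so whatever upstream device can mark packets CoS 5/EF can take the whole link and starve the WRR queues.

```python
"""Toy model of a Catalyst egress port: three WRR queues plus one strict
priority queue, with the weights and CoS map from the 3550 config in this
thread. Added illustration, not Cisco code; one packet per transmit slot and
unlimited queue depth are simplifying assumptions."""
from collections import deque

# "wrr-queue cos-map ..." lines from the 3550 config: CoS value -> egress queue
COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 3, 4: 3, 6: 3, 7: 3, 5: 4}
# "wrr-queue bandwidth 40 35 25 1": packets each queue may send per WRR round.
# Queue 4's weight no longer matters once "priority-queue out" makes it strict.
WRR_WEIGHTS = {1: 40, 2: 35, 3: 25}
PRIORITY_QUEUE = 4


class EgressPort:
    def __init__(self, weights=WRR_WEIGHTS, cos_map=COS_TO_QUEUE, pq=PRIORITY_QUEUE):
        self.weights, self.cos_map, self.pq = dict(weights), dict(cos_map), pq
        self.queues = {q: deque() for q in list(self.weights) + [pq]}
        self.order = sorted(self.weights)          # WRR visiting order
        self.idx, self.credit = 0, self.weights[self.order[0]]

    def offer(self, cos, count):
        """Queue `count` packets carrying CoS `cos`. With "mls qos trust dscp"
        the marking is believed as received, so the sender chooses the queue."""
        self.queues[self.cos_map[cos]].extend([cos] * count)

    def _next_wrr_queue(self):
        """Queue to serve next: the current queue while it has credit and
        packets, otherwise rotate (unused credit is thrown away: work-conserving)."""
        for _ in range(len(self.order)):
            q = self.order[self.idx]
            if self.credit > 0 and self.queues[q]:
                return q
            self.idx = (self.idx + 1) % len(self.order)
            self.credit = self.weights[self.order[self.idx]]
        q = self.order[self.idx]
        return q if self.queues[q] else None

    def transmit(self, slots, limit_pct=100):
        """Run `slots` one-packet transmit opportunities. limit_pct mimics the
        3750 "srr-queue bandwidth limit N": only N% of the slots are usable."""
        sent = {q: 0 for q in self.queues}
        for _ in range(slots * limit_pct // 100):
            if self.queues[self.pq]:             # strict priority: always served first
                self.queues[self.pq].popleft()
                sent[self.pq] += 1
                continue
            q = self._next_wrr_queue()
            if q is None:
                break                            # all queues drained
            self.queues[q].popleft()
            sent[q] += 1
            self.credit -= 1
        return sent


def normal_mix():
    """Three saturated WRR queues, no CoS 5: shares follow the 40/35/25 weights."""
    port = EgressPort()
    for cos in (0, 2, 3):
        port.offer(cos, 1000)
    return port.transmit(1000)                   # {1: 400, 2: 350, 3: 250, 4: 0}


def cos5_flood():
    """Same, plus 1000 packets marked CoS 5 by an upstream device we 'trust':
    the priority queue takes every slot and queues 1-3 send nothing."""
    port = EgressPort()
    for cos in (0, 2, 3, 5):
        port.offer(cos, 1000)
    return port.transmit(1000)                   # {1: 0, 2: 0, 3: 0, 4: 1000}


def rate_capped():
    """One busy queue behind "srr-queue bandwidth limit 80": 800 of 1000 slots used."""
    port = EgressPort()
    port.offer(0, 1000)
    return port.transmit(1000, limit_pct=80)     # {1: 800, 2: 0, 3: 0, 4: 0}


if __name__ == "__main__":
    for demo in (normal_mix, cos5_flood, rate_capped):
        print(demo.__name__, demo())
```

The cos5_flood case is the reason a trust boundary (or a policer on the priority class) belongs wherever the marking can be set by a device you do not control; the model idles slots rather than shaping to a byte rate, which is enough to show how "srr-queue bandwidth limit" holds the port under the radio's capacity without modelling the bridge's own queue.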
From md at bts.sk Thu Dec 17 09:31:27 2009
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 17 Dec 2009 15:31:27 +0100
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
In-Reply-To: <4B2A34BA.5050005@gmail.com>
References: <4B28E470.3010300@gmail.com> <1260993358.2244.39.camel@localhost> <4B2A34BA.5050005@gmail.com>
Message-ID: <20091217143127.GA61343@bts.sk>

On Thu, Dec 17, 2009 at 08:40:10AM -0500, Lobo wrote: > Hi Peter. The reason why the radio only works at less than 100M is > because that's all the bandwidth it has. This is licensed based > wireless technology for point to point shots between buildings. > Bandwidths can be anywhere from 18M to 400M depending on which frequency > you use and radio brand. For that 400M radio we use Gig interfaces so > we would need to use the bandwidth limit command to make sure that it > only operates at 40% vs 100%. > > So for the 2950s and 3550s it looks like we may not have much wiggle > room. My recommendation might be to upgrade those all to 3750s. :)

In fact a properly implemented sub-rate service should use ethernet flowcontrol to signal real available bandwidth to the switch. With flowcontrol working, no such tweaks are necessary. With kind regards, M.

From amr.ccie at gmail.com Thu Dec 17 11:11:08 2009
From: amr.ccie at gmail.com (Jason Alex)
Date: Thu, 17 Dec 2009 18:11:08 +0200
Subject: [c-nsp] PE Monitoring Tools
Message-ID:

Dear All, Kindly, I am working in a Service Provider environment. We have daily upgrades in the network and move customers from one PE to another PE. Is there any management tool that can check the status of the customer (VRF) before and after the migration of the customer to another PE? This can be useful in checking the customer's status after moving the configuration from one PE to another. Any advice?
Thanks In Advance Regards Jason CCIE#24775 From egeier at nowiressecurity.com Thu Dec 17 10:18:23 2009 From: egeier at nowiressecurity.com (Eric Geier) Date: Thu, 17 Dec 2009 10:18:23 -0500 Subject: [c-nsp] Cisco AIRONET WPA-Enterprise w/Windows question.. Message-ID: <000f01ca7f2c$2d98aef0$88ca0cd0$@com> If you use APs that support PEAP, you might consider using outsourced services, such as AuthenticateMyWiFi . You don't have to mess with setting up your own RADIUS server. Plus it works for multiple locations, unlike traditional servers. ------------------------ Eric Geier NoWiresSecurity, Founder and CEO www.nowiressecurity.com On Sat, Nov 28, 2009 at 01:35:02PM -0500, Howard Leadmon wrote: > I have a question hopefully someone can give me a pointer or shed some > light on.. > > > > I have both an Aironet 1242AG and now a 1252AG access point, which are > working fine. I have WPA2-Personal with a shared key setup and running > great as well. As it was my impression that Vista and Win7 both supported > Enterprise authentication, which I figured would be better and more secure > than using the personal shared key stuff. > > > > I have tried, and googled, and I for the life of me just can't seem to get > Enterprise auth going.. Does anyone have any docs on getting the Aironet > and Windows to play together, configs, or links to info that will help? > Just FYI, I am trying to use the radius server built into the AP, as I > figured that would be simple enough, hopefully doing that is ok.. > From lploteau at hotmail.com Thu Dec 17 12:41:24 2009 From: lploteau at hotmail.com (Laurent Ploteau) Date: Thu, 17 Dec 2009 17:41:24 +0000 Subject: [c-nsp] PBR on virtual-access interfaces with easy-vpn Message-ID: Hello, I am using easy-vpn on my routers. I want to be able to PBR inbound traffic (coming from the IPSec tunnel) to force it down a different path than the one in the routing table. 
I have applied PBR on the virtual-template, based on the different show commands I issued, it is taken into account. However, I do not see any hits on the route-map (even though I see them on the ACL). Does anyone know if PBR is supported on that kind of interface? Thank you Laurent _________________________________________________________________ Tchattez en direct en en vid?o avec vos amis ! http://www.windowslive.fr/messenger/ From ziliomarcelo at gmail.com Thu Dec 17 13:04:14 2009 From: ziliomarcelo at gmail.com (Marcelo Zilio) Date: Thu, 17 Dec 2009 16:04:14 -0200 Subject: [c-nsp] Serial link CTS=down link UP Message-ID: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com> Hi, Has anyone seen this in serial interfaces before? Link is UP and traffic is going through, however router shows CTS=down besides a lot CRCs/Input Errors. It doesn't make sense to me the parameter which should advise that the link is "ready to go" is DOWN while there is traffic on it. Users are complaining some application are slow. The router is a Cisco 2811 IOS 12.4(15)T10. 
Router#sh int s0/1/0
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 40/255, rxload 42/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE segmentation inactive
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface broadcasts 0
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:07:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: dual fifo
  Output queue: high size/max/dropped 0/256/0
  Output queue: 0/128 (size/max)
  30 second input rate 43000 bits/sec, 68 packets/sec
  30 second output rate 41000 bits/sec, 78 packets/sec
     34746 packets input, 2956769 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
     43237 packets output, 3308125 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  *CTS=down*

Thanks,

From mksmith at adhost.com Thu Dec 17 13:18:53 2009
From: mksmith at adhost.com (Michael K.
Smith - Adhost) Date: Thu, 17 Dec 2009 10:18:53 -0800 Subject: [c-nsp] Serial link CTS=down link UP In-Reply-To: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com> References: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com> Message-ID: <17838240D9A5544AAA5FF95F8D520316074E727A@ad-exh01.adhost.lan> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Marcelo Zilio > Sent: Thursday, December 17, 2009 10:04 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Serial link CTS=down link UP > > Hi, > > Has anyone seen this in serial interfaces before? > Link is UP and traffic is going through, however router shows CTS=down > besides a lot CRCs/Input Errors. > It doesn't make sense to me the parameter which should advise that the > link > is "ready to go" is DOWN while there is traffic on it. > Users are complaining some application are slow. > > The router is a Cisco 2811 IOS 12.4(15)T10. 
> > Router#sh int s0/1/0 > Serial0/1/0 is up, line protocol is up > Hardware is GT96K Serial > MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec, > reliability 255/255, txload 40/255, rxload 42/255 > Encapsulation FRAME-RELAY IETF, loopback not set > Keepalive set (10 sec) > CRC checking enabled > LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up > LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0 > LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE segmentation > inactive > FR SVC disabled, LAPF state down > Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface > broadcasts 0 > Last input 00:00:00, output 00:00:00, output hang never > Last clearing of "show interface" counters 00:07:55 > Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 > Queueing strategy: dual fifo > Output queue: high size/max/dropped 0/256/0 > Output queue: 0/128 (size/max) > 30 second input rate 43000 bits/sec, 68 packets/sec > 30 second output rate 41000 bits/sec, 78 packets/sec > 34746 packets input, 2956769 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 > abort > 43237 packets output, 3308125 bytes, 0 underruns > 0 output errors, 0 collisions, 0 interface resets > 0 unknown protocol drops > 0 output buffer failures, 0 output buffers swapped out > 0 carrier transitions > DCD=up DSR=up DTR=up RTS=up *CTS=down* > With all those errors I would say you have a physical layer problem or a clocking issue. Perhaps the CTS is flapping between up and down and you're catching it on the down. What happens if you debug the interface? Regards, Mike From ewitkop at gmail.com Thu Dec 17 13:22:17 2009 From: ewitkop at gmail.com (Erik Witkop) Date: Thu, 17 Dec 2009 13:22:17 -0500 Subject: [c-nsp] Serial link CTS=down link UP In-Reply-To: References: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com> Message-ID: Cts is clear to send. 
It sounds like you have a physical problem with the line.

On Dec 17, 2009 1:09 PM, "Marcelo Zilio" wrote:

Hi,

Has anyone seen this in serial interfaces before?
Link is UP and traffic is going through, however router shows CTS=down besides a lot CRCs/Input Errors.
It doesn't make sense to me the parameter which should advise that the link is "ready to go" is DOWN while there is traffic on it.
Users are complaining some application are slow.

The router is a Cisco 2811 IOS 12.4(15)T10.

Router#sh int s0/1/0
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 40/255, rxload 42/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE segmentation inactive
  FR SVC disabled, LAPF state down
  Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface broadcasts 0
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:07:55
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: dual fifo
  Output queue: high size/max/dropped 0/256/0
  Output queue: 0/128 (size/max)
  30 second input rate 43000 bits/sec, 68 packets/sec
  30 second output rate 41000 bits/sec, 78 packets/sec
     34746 packets input, 2956769 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
     43237 packets output, 3308125 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  *CTS=down*

Thanks,

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
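An added example for the CTS/CRC discussion in this thread (my own code, not posted by Marcelo, Mike or Erik): it parses the input-error counters and the modem-control leads out of a "show interfaces" block like the one above and turns them into the findings the replies point at (physical-layer or clocking trouble, and a CTS lead that is down while the line protocol is up). The sample block is constructed from the counters in the thread; the 0.1% error-ratio threshold and the finding codes are assumptions of this example, not Cisco guidance.

```python
"""Health check for a Cisco IOS serial interface from 'show interfaces' output.

Added example: parses the counters and modem-control leads (DCD/DSR/DTR/RTS/CTS)
and reports conditions an operator would chase as a physical-layer or clocking
problem. Thresholds and finding codes are this example's own assumptions.
"""
import re

# Constructed sample: the counters from the 'show int s0/1/0' posted in this
# thread, keeping the '*' emphasis that surrounds CTS in the mail.
SAMPLE_SHOW_INT = """\
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 40/255, rxload 42/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Last clearing of "show interface" counters 00:07:55
  30 second input rate 43000 bits/sec, 68 packets/sec
  30 second output rate 41000 bits/sec, 78 packets/sec
     34746 packets input, 2956769 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
     43237 packets output, 3308125 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  *CTS=down*
"""

# Constructed clean line for comparison (invented numbers, not from the thread).
CLEAN_SHOW_INT = """\
Serial0/1/1 is up, line protocol is up
  Hardware is GT96K Serial
     12000 packets input, 900000 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11500 packets output, 880000 bytes, 0 underruns
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
"""

STATE_RE = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (up|down)", re.M)
INPUT_RE = re.compile(r"(\d+) packets input, (\d+) bytes")
ERRORS_RE = re.compile(
    r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored, (\d+) abort")
CARRIER_RE = re.compile(r"(\d+) carrier transitions")
LEAD_RE = re.compile(r"(DCD|DSR|DTR|RTS|CTS)=(up|down)")
ERROR_FIELDS = ("input_errors", "crc", "frame", "overrun", "ignored", "abort")


def parse_show_interface(text):
    """Return the status, input counters and control leads as a dict."""
    m = STATE_RE.search(text)
    if m is None:
        raise ValueError("no 'X is up, line protocol is up' header found")
    stats = {"interface": m.group(1), "state": m.group(2), "protocol": m.group(3)}
    m = INPUT_RE.search(text)
    stats["packets_in"] = int(m.group(1)) if m else 0
    stats["bytes_in"] = int(m.group(2)) if m else 0
    m = ERRORS_RE.search(text)
    values = m.groups() if m else ("0",) * len(ERROR_FIELDS)
    for name, value in zip(ERROR_FIELDS, values):
        stats[name] = int(value)
    m = CARRIER_RE.search(text)
    stats["carrier_transitions"] = int(m.group(1)) if m else 0
    # findall gives (lead, state) pairs; '*CTS=down*' still matches as CTS=down.
    stats["leads"] = dict(LEAD_RE.findall(text))
    return stats


def assess_serial(stats, max_error_ratio=0.001):
    """Return (code, message) findings. A healthy synchronous line shows
    essentially zero CRC/frame/abort errors, so 0.1% of input packets is the
    assumed threshold for 'go look at the cable, CSU/DSU and clock source'."""
    findings = []
    if stats["packets_in"]:
        ratio = stats["input_errors"] / stats["packets_in"]
        if ratio > max_error_ratio:
            findings.append(("HIGH_ERROR_RATIO",
                             f"{ratio:.2%} of input packets had errors"))
    if stats["crc"] and stats["abort"]:
        findings.append(("CRC_ABORT",
                         "CRC and abort errors together: corrupted bits on the wire, "
                         "check clocking, cabling and the carrier circuit"))
    if stats["overrun"]:
        findings.append(("OVERRUN",
                         "overruns: received data arrived faster than the "
                         "interface hardware could hand it off"))
    leads = stats["leads"]
    if leads.get("CTS") == "down" and stats["protocol"] == "up":
        findings.append(("CTS_DOWN",
                         "CTS is down while line protocol is up: the DCE is not "
                         "asserting it, or the lead is not wired; confirm with the "
                         "provider rather than trusting the counters alone"))
    return findings


if __name__ == "__main__":
    for block in (SAMPLE_SHOW_INT, CLEAN_SHOW_INT):
        s = parse_show_interface(block)
        print(s["interface"], s["leads"])
        for code, msg in assess_serial(s) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run it against the thread's block and it reports all four findings; against the clean block it reports none. Note that "0 carrier transitions" with DCD up is why the line never flaps: the errors are in the data, not in the carrier, which is consistent with Mike's clocking suspicion.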
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From me at falz.net Thu Dec 17 13:56:29 2009
From: me at falz.net (Chris Wopat)
Date: Thu, 17 Dec 2009 12:56:29 -0600
Subject: [c-nsp] 12.2SB or 12.2SRC/SRD on 7200?
Message-ID:

I'm enabling MPLS on a network that contains 7200VXRs with NPE-400s that have PA-FE and IO-FE cards and are currently on 12.4 mainline. 12.4 mainline does not support MTU > 1500 for FE interfaces on this platform (CSCsc62963).

I've had one box running SB stable for about two months. I also tested 12.2SRC and 12.2SRD in dynamips and it is supported there as well.

I'm upgrading several other 7200s soon and am wondering if there's any specific reason not to just jump to the latest SRD. These routers will all be doing BGP, OSPF and MPLS/VRF and some will have IPv6.

I've done a quick comparison of 12.2SB and 12.2SRD in feature navigator and am seeing pretty much what I expected: more features.

Thoughts?

From SPfister at dps.k12.oh.us Thu Dec 17 13:41:42 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 17 Dec 2009 13:41:42 -0500
Subject: [c-nsp] IP accounting vs. NetFlow
Message-ID: <4B2A350E.9E6F.00B8.0@dps.k12.oh.us>

I'm trying to diagnose some bandwidth problems at one particular remote site. At the moment, I'm concentrating on one particular server (a Novell site server, looking at NCP packets... tcp port 524 outbound from that server to addresses outside of that remote site).

I turned on ip accounting for that server's address and let it run for about an hour and a half. I also had NetFlow enabled and exporting flows and checked the same interface ip accounting is running on. When I look at the top 10 conversations for both, I'm noticing something I don't understand. The destinations on both sides are pretty much the same, but each conversation on the netflow side is larger by a factor of roughly 8-10x than the corresponding conversation on the ip accounting side.
I've also done a packet capture with wireshark on a previous day for the same sort of traffic for the same server and interface. The size of the data was more similar to the ip accounting results. I'm wondering if I've misconfigured something on the NetFlow side. Can someone help me figure out what might be going on here?

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From SPfister at dps.k12.oh.us Thu Dec 17 15:02:58 2009
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 17 Dec 2009 15:02:58 -0500
Subject: [c-nsp] IP accounting vs. NetFlow
In-Reply-To:
References: <4B2A350E.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4B2A481A.9E6F.00B8.0@dps.k12.oh.us>

*ugh* I really, really need a vacation! I could have sworn the netflow side was set to bytes, but it wasn't... that was the difference. Thanks! Sorry... a little brain damage on my part...

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Gerry Boudreaux 12/17/2009 2:46 PM >>>
is one reporting bits and the other bytes? (Factor of 8)

On Dec 17, 2009, at 12:41 PM, Steven Pfister wrote:

> I'm trying to diagnose some bandwidth problems at one particular remote site. At the moment, I'm concentrating on one particular server (a Novell site server, looking at NCP packets...tcp port 524 outbound from that server to addresses outside of that remote site).
>
> I turned on ip accounting for that server's address and let it run for about an hour and a half. I also had NetFlow enabled and exporting flows and checked the same interface ip accounting is running on. When I look at the top 10 conversations for both, I'm noticing something I don't understand.
The destinations on both sides are pretty much the same, but each conversation on the netflow side is larger by a factor of roughly 8-10x than the corresponding conversation on the ip accounting side. > > I've also done a packet capture with wireshark on a previous day for the same sort of traffic for the same server and interface. The size of the data was more similar to the ip accounting results. I'm wondering if I've misconfigured something on the NetFlow side. Can someone help me figure out what might be going on here? > > > Steve Pfister > Technical Coordinator, > The Office of Information Technology > Dayton Public Schools > 115 S. Ludlow St. > Dayton, OH 45402 > > Office (937) 542-3149 > Cell (937) 673-6779 > Direct Connect: 137*131747*8 > Email spfister at dps.k12.oh.us > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Thu Dec 17 15:21:51 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 17 Dec 2009 14:21:51 -0600 Subject: [c-nsp] EEM BGP References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01> <001e01ca7e9b$fab61cb0$f0225610$@com> Message-ID: Clyde, Thanks so much for your help. This appears to work well. I did try and map this into a 12.4(15)T/EEM 2.2 and it appears to work. I'm just not sure how. 
Here's the 2.2 config:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 150 publish-event sub-system 798 type 100 arg1 "shutdown"

event manager applet BGPADJ_NOSHUT
 event timer countdown time 120
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

The event tag command isn't available in 2.2. I do not understand how the router knows to unshut. Is this functionally the same as the 3.0 config? Are there any better docs than the ones on cisco.com?

Thanks!

----- Original Message -----
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Wednesday, December 16, 2009 4:06 PM
Subject: RE: [c-nsp] EEM BGP

> Tony,
>
> Yes EEM does not screen on the syslog messages that it emits. When we built
> the EEM syslog Event Detector the test team insisted that we implement it
> this way to prevent recursion. ;-)
>
> You can always use an application specific event to trigger policy B from
> policy A. You could use a trigger statement to delay the running of policy B
> if desired.
>
> Use the following:
>
> event manager applet BGPADJ_SHUT
>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>  action 150 publish-event sub-system 798 type 100 arg1 "shutdown"
>
> event manager applet BGPADJ_NOSHUT
>  event tag bgpevent2 application sub-system 798 type 100
>  trigger delay 600
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>
> Thanks,
>
> Clyde
> Progrizon, Inc.
> www.progrizon.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Wednesday, December 16, 2009 9:38 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] EEM BGP
>
> Well, did a bunch of testing and I am still stuck. So here's the basic idea
> and config.
>
> When the peer is actually shut, I log a message to syslog (info simplified
> and anonymized to protect innocent).
>
> event manager applet BGPADJ_SHUT
>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>
> This works great. Notice action 140.
> > To turn the peer back up, I would like to wait 60 seconds (probably 10 > minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by > EEM" in the syslog as this will tell me when I need to start my timer. > > event manager applet BGPADJ_NOSHUT > event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 > Down" > event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM" > trigger delay 600 > correlate event bgpevent1 and event bgpevent2 > action 100 cli command "enable" > action 110 cli command "configure terminal" > action 120 cli command "router bgp 666" > action 130 cli command "no neighbor 172.16.10.3 shutdown" > action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM" > > This is the part that does not work. For the correlation, I want to > either > look for event 1 and 2 or just 2. 1 and 2 is really just a self check. > > The apparent problem is that EEM doesn't look at the messages that it > injects into syslog. So, the trigger never happens. And as verification, > I > > tried it with event1 or event2. While watching debug it picks up on > event1. > > Any ideas? Recommendations? 
>
> tv
>
> ----- Original Message -----
> From: "Clyde Wildes"
> To: "'Tony Varriale'" ;
> Sent: Tuesday, December 15, 2009 3:31 PM
> Subject: RE: [c-nsp] EEM BGP
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From cwildes at progrizon.com Thu Dec 17 16:04:28 2009
From: cwildes at progrizon.com (Clyde Wildes)
Date: Thu, 17 Dec 2009 13:04:28 -0800
Subject: [c-nsp] EEM BGP
In-Reply-To:
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01> <001e01ca7e9b$fab61cb0$f0225610$@com>
Message-ID: <00e501ca7f5c$85a3e530$90ebaf90$@com>

Tony,

"event timer countdown time 120" means that the applet BGPADJ_NOSHUT will run once, two minutes after it is added to the config.

For EEM v2.2, in place of "action 150 publish-event sub-system 798 type 100 arg1 "shutdown"" you could add policy B to the config. Policy B would then run once, 120 seconds after policy A runs. Policy B could remove itself from the config using:

event manager applet t1
 event timer countdown time 120
 action 000 syslog msg "Timer expired"
 action 001 cli command "enable"
 action 002 cli command "config t"
 action 003 cli command "no event manager applet t1"

Multiple event support was added to EEM in v2.4. For a complete list of what features were added in which EEM release visit our website at http://www.progrizon.com/forum/index.php?topic=3.0. For a list of IOS releases and which version of EEM they contain visit http://www.progrizon.com/forum/index.php?topic=8.0.

The only docs currently available for EEM are on the Cisco web site.

Thanks,

Clyde Wildes
Progrizon, Inc.
www.progrizon.com -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: Thursday, December 17, 2009 12:22 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] EEM BGP Clyde, Thanks so much for your help. This appears to work well. I did try and map this into a 12.4(15)T/EEM 2.2 and it appears to work. I'm just not sure how. Here's the 2.2 config: event manager applet BGPADJ_SHUT event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600 action 100 cli command "enable" action 110 cli command "configure terminal" action 120 cli command "router bgp 666" action 130 cli command "neighbor 172.16.10.3 shutdown" action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM" action 150 publish-event sub-system 798 type 100 arg1 "shutdown" event manager applet BGPADJ_NOSHUT event timer countdown time 120 action 100 cli command "enable" action 110 cli command "configure terminal" action 120 cli command "router bgp 666" action 130 cli command "no neighbor 172.16.10.3 shutdown" action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM" The event tag command isn't available in 2.2. I do not understand how the router knows to unshut. Is this functionally the same as the 3.0 config? Are there any better docs than the ones on cisco.com? Thanks! ----- Original Message ----- From: "Clyde Wildes" To: "'Tony Varriale'" ; Sent: Wednesday, December 16, 2009 4:06 PM Subject: RE: [c-nsp] EEM BGP > Tony, > > Yes EEM does not screen on the syslog messages that it emits. When we > built > the EEM syslog Event Detector the test team insisted that we implement it > this way to prevent recursion. ;-) > > You can always use an application specific event to trigger policy B from > policy A. You could use a trigger statement to delay the running of policy > B > if desired. 
> > Use the following: > > event manager applet BGPADJ_SHUT > event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 > Down" > > period 600 > action 100 cli command "enable" > action 110 cli command "configure terminal" > action 120 cli command "router bgp 666" > action 130 cli command "neighbor 172.16.10.3 shutdown" > action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM" > action 150 publish-event sub-system 798 type 100 arg1 "shutdown" > > event manager applet BGPADJ_NOSHUT > event tag bgpevent2 application sub-system 798 type 100 > trigger delay 600 > action 100 cli command "enable" > action 110 cli command "configure terminal" > action 120 cli command "router bgp 666" > action 130 cli command "no neighbor 172.16.10.3 shutdown" > action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM" > > Thanks, > > Clyde > Progrizon, Inc. > www.progrizon.com > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale > Sent: Wednesday, December 16, 2009 9:38 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] EEM BGP > > Well, did a bunch of testing and I am still stuck. So here's the basic > idea > > and config. > > When the peer is actually shut, I log a message to syslog (info simplified > and anonymized to protect innocent). > > event manager applet BGPADJ_SHUT > event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 > Down" > > period 600 > action 100 cli command "enable" > action 110 cli command "configure terminal" > action 120 cli command "router bgp 666" > action 130 cli command "neighbor 172.16.10.3 shutdown" > action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM" > > This works great. Notice action 140. 
> > To turn the peer back up, I would like to wait 60 seconds (probably 10 > minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by > EEM" in the syslog as this will tell me when I need to start my timer. > > event manager applet BGPADJ_NOSHUT > event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 > Down" > event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM" > trigger delay 600 > correlate event bgpevent1 and event bgpevent2 > action 100 cli command "enable" > action 110 cli command "configure terminal" > action 120 cli command "router bgp 666" > action 130 cli command "no neighbor 172.16.10.3 shutdown" > action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM" > > This is the part that does not work. For the correlation, I want to > either > look for event 1 and 2 or just 2. 1 and 2 is really just a self check. > > The apparent problem is that EEM doesn't look at the messages that it > injects into syslog. So, the trigger never happens. And as verification, > I > > tried it with event1 or event2. While watching debug it picks up on > event1. > > Any ideas? Recommendations? 
>
> tv
>
> ----- Original Message -----
> From: "Clyde Wildes"
> To: "'Tony Varriale'" ;
> Sent: Tuesday, December 15, 2009 3:31 PM
> Subject: RE: [c-nsp] EEM BGP
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From emccaleb at gmail.com Thu Dec 17 17:56:00 2009
From: emccaleb at gmail.com (Ernest McCaleb)
Date: Thu, 17 Dec 2009 17:56:00 -0500
Subject: [c-nsp] Serial link CTS=down link UP
In-Reply-To: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com>
References: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com>
Message-ID:

CTS isn't needed for synchronous serial, or so I thought? The only time you would need clear to send is if you are asynchronous... or so I thought. My impression was that those pins were not tied to anything typically, and the wires would be tied back to DCD. Not sure I'm correct, but logically I don't see any reason for CTS on a synchronous interface. But by all means correct me if I'm wrong.

Ernest

On Thu, Dec 17, 2009 at 1:04 PM, Marcelo Zilio wrote:

> Hi,
>
> Has anyone seen this in serial interfaces before?
> Link is UP and traffic is going through, however router shows CTS=down
> besides a lot CRCs/Input Errors.
> It doesn't make sense to me the parameter which should advise that the link
> is "ready to go" is DOWN while there is traffic on it.
> Users are complaining some application are slow.
>
> The router is a Cisco 2811 IOS 12.4(15)T10.
> > Router#sh int s0/1/0 > Serial0/1/0 is up, line protocol is up > Hardware is GT96K Serial > MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec, > reliability 255/255, txload 40/255, rxload 42/255 > Encapsulation FRAME-RELAY IETF, loopback not set > Keepalive set (10 sec) > CRC checking enabled > LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up > LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0 > LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE segmentation > inactive > FR SVC disabled, LAPF state down > Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface broadcasts 0 > Last input 00:00:00, output 00:00:00, output hang never > Last clearing of "show interface" counters 00:07:55 > Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 > Queueing strategy: dual fifo > Output queue: high size/max/dropped 0/256/0 > Output queue: 0/128 (size/max) > 30 second input rate 43000 bits/sec, 68 packets/sec > 30 second output rate 41000 bits/sec, 78 packets/sec > 34746 packets input, 2956769 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort > 43237 packets output, 3308125 bytes, 0 underruns > 0 output errors, 0 collisions, 0 interface resets > 0 unknown protocol drops > 0 output buffer failures, 0 output buffers swapped out > 0 carrier transitions > DCD=up DSR=up DTR=up RTS=up *CTS=down* > > Thanks, > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Ernest McCaleb From chris at lavin-llc.com Thu Dec 17 17:25:31 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Thu, 17 Dec 2009 17:25:31 -0500 Subject: [c-nsp] Data Center switch replacement Message-ID: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> Sometimes the simplest things can grow into the 
biggest projects.

For those of you that provide or support large data centers, I have a situation that I'd like to pick your brains about.

We have some older switch gear that needs to be replaced because line cards are beyond MTBF and several have failed recently. Because of these outages the need to upgrade isn't a hard sell. We already have the new gear on hand.

The challenge is in the migration to these new switches. The four switches are deployed as pairs. One switch of a pair is the primary link for servers and the other switch is the secondary link for servers.

I have two options I'm kicking around. The first and most disruptive is to power down a switch, unplug the cables, remove the switch from the rack, install the new switch and plug the server connections in. My clients are pushing hard against this option because of the downtime involved. The second option is to stand up the new switches in other places within the data center and run patch panel to patch panel connections. This would provide for much less down time (est. 30 seconds per server) but would incur a pretty hefty cabling cost. Of course, money is an issue.

In the end I realize someone will have to evaluate the trade off and tell me to either execute and take the customers down or pay the piper, buy the additional cabling and minimize the impact to the customers.

I'm curious to know how other folks have approached this situation before. How do you move 600+ server connections from an old switching environment to a new switching environment? Since we're experiencing outages, time is a piece of the equation.

Thanks,
-chris

From tvarriale at comcast.net Thu Dec 17 18:43:37 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 17 Dec 2009 17:43:37 -0600
Subject: [c-nsp] Data Center switch replacement
References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com>
Message-ID:

What's the current architecture?
tv ----- Original Message ----- From: To: Sent: Thursday, December 17, 2009 4:25 PM Subject: [c-nsp] Data Center switch replacement > Sometimes the simplest things can grow into the biggest projects. > > For those of you that provide or support large data centers, I have a > situation that I'd like to pick your brains about. > > We have some older switch gear that needs replaced because line cards are > beyond MTBF and several have failed recently. Because of these outages the > need to upgrade isn't a hard sell. We already have the new gear on hand. > > The challenge is in the migration to these new switches. The four switches > are deployed as pairs. One switch of a pair is the primary link for > servers and the other switch is the secondary link for servers. > > I have two options I'm kicking around. The first and most disruptive is to > power down a switch, unplug the cables, remove the switch from the rack, > install the new switch and plug the server connections in. My clients are > pushing hard against this option because of the downtime involved. The > second option is to stand up the new switches in other places within the > data center and run patch panel to patch panel connections. This would > provide for much less down time (est. 30 seconds per server) but would > incur a pretty hefty cabling cost. Of course, money is an issue. > > In the end I realize someone will have to evaluate the trade off and tell > me to either execute and take the customers down or pay the piper, buy the > additional cabling and minimize the impact to the customers. > > I'm curious to know how other folks have approached this situation before? > How do you move 600+ server connections from an old switching environment > to a new switching environment? Since we're experiencing outages, time is > a piece of the equation. 
> > Thanks, > -chris > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mhernand1 at comcast.net Thu Dec 17 19:00:45 2009 From: mhernand1 at comcast.net (manolo hernandez) Date: Thu, 17 Dec 2009 19:00:45 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> Message-ID: <4B2AC62D.8090101@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/17/09 5:25 PM, chris at lavin-llc.com wrote: > Sometimes the simplest things can grow into the biggest projects. > > For those of you that provide or support large data centers, I have a > situation that I'd like to pick your brains about. > > We have some older switch gear that needs replaced because line cards are > beyond MTBF and several have failed recently. Because of these outages the > need to upgrade isn't a hard sell. We already have the new gear on hand. > > The challenge is in the migration to these new switches. The four switches > are deployed as pairs. One switch of a pair is the primary link for > servers and the other switch is the secondary link for servers. > > I have two options I'm kicking around. The first and most disruptive is to > power down a switch, unplug the cables, remove the switch from the rack, > install the new switch and plug the server connections in. My clients are > pushing hard against this option because of the downtime involved. The > second option is to stand up the new switches in other places within the > data center and run patch panel to patch panel connections. This would > provide for much less down time (est. 30 seconds per server) but would > incur a pretty hefty cabling cost. Of course, money is an issue. 
> > In the end I realize someone will have to evaluate the trade off and tell > me to either execute and take the customers down or pay the piper, buy the > additional cabling and minimize the impact to the customers. > > I'm curious to know how other folks have approached this situation before? > How do you move 600+ server connections from an old switching environment > to a new switching environment? Since we're experiencing outages, time is > a piece of the equation. > > Thanks, > -chris > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > Chris, If you already have the redundancy in place with the old hardware, it should be as simple as migrating one side of the pair of switches. This way the customer is always up and running and you can switch them over to the new gear seamlessly and then replace the other side with minimal downtime. Just my 2 cents from someone who has gone through that same scenario. 
Manny

From brad.henshaw at qcn.com.au Thu Dec 17 19:16:08 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Fri, 18 Dec 2009 10:16:08 +1000
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
Message-ID: <8B25B862BC09784B9B74FB950D4F64D40F87CB@qcnapp01.corp.qcn>

Lobo wrote:
> Wow thanks Daniel that did the trick on the 3750 platform! Here's a
> sample config in case anyone ever needs it:
> interface FastEthernet1/0/23
>  srr-queue bandwidth limit 80

Glad to hear that worked. Be aware that bandwidth limiting on these platforms is not an exact science - you'll always need to test to ensure you're getting what you expect - sometimes you may need to tweak the SRR-Queue buffer allocations and thresholds, especially if traffic is bursty. The same goes for implementation of flow control (with regard to the testing requirement, not the buffering). Flow control comes with its own set of challenges however, such as varied support across vendors and models and the fact that it's almost never QoS-aware in the kind of edge switches you're using.
Regards, Brad From chris at lavin-llc.com Thu Dec 17 20:31:11 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Thu, 17 Dec 2009 20:31:11 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> Message-ID: <7b71de852778c90600faac238b7a06a7.squirrel@email.fatcow.com> > What's the current architecture? > > tv Tony, Good question. For this portion of the data center it is more traditional. By that I mean these 6509 switches provide the Layer 2 connections to the servers. The 6509s have dual uplinks to an Agg layer. The Agg layer hosts the default gateways using HSRP. All connections are copper. They're a home run connection from the servers to a patch panel near the switches. Then a small jumper from the patch panel to the switch. -chris > ----- Original Message ----- > From: > To: > Sent: Thursday, December 17, 2009 4:25 PM > Subject: [c-nsp] Data Center switch replacement > > >> Sometimes the simplest things can grow into the biggest projects. >> >> For those of you that provide or support large data centers, I have a >> situation that I'd like to pick your brains about. >> >> We have some older switch gear that needs replaced because line cards >> are >> beyond MTBF and several have failed recently. Because of these outages >> the >> need to upgrade isn't a hard sell. We already have the new gear on hand. >> >> The challenge is in the migration to these new switches. The four >> switches >> are deployed as pairs. One switch of a pair is the primary link for >> servers and the other switch is the secondary link for servers. >> >> I have two options I'm kicking around. The first and most disruptive is >> to >> power down a switch, unplug the cables, remove the switch from the rack, >> install the new switch and plug the server connections in. My clients >> are >> pushing hard against this option because of the downtime involved. 
The >> second option is to stand up the new switches in other places within the >> data center and run patch panel to patch panel connections. This would >> provide for much less down time (est. 30 seconds per server) but would >> incur a pretty hefty cabling cost. Of course, money is an issue. >> >> In the end I realize someone will have to evaluate the trade off and >> tell >> me to either execute and take the customers down or pay the piper, buy >> the >> additional cabling and minimize the impact to the customers. >> >> I'm curious to know how other folks have approached this situation >> before? >> How do you move 600+ server connections from an old switching >> environment >> to a new switching environment? Since we're experiencing outages, time >> is >> a piece of the equation. >> >> Thanks, >> -chris >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From chris at lavin-llc.com Thu Dec 17 20:42:49 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Thu, 17 Dec 2009 20:42:49 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: <4B2AC62D.8090101@comcast.net> References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> Message-ID: <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> > Chris, > > If you already have the redundancy in place with the old hardware, it > should be as simple as migrating one side of the pair of switches. This > way the customer is always up and running and you can switch them over > to the new gear seamlessly and then replace the other side with minimal > downtime. 
> > > Just my 2 cents from someone who has gone through that same scenario. > Manny, Very good points. And that is our design. However, lack of strict adherence to our standard has led to two problems. First, several servers didn't get cabled with two connections. Second, the folks who manage the servers have challenges with the NIC configurations. So while we expect many of the servers can sustain the loss of one NIC, we have several that we know and many that we may not know, will lose network connectivity as we flip the connection to the new switch. VM can't get rolled out fast enough. sigh -chris From tdurack at gmail.com Thu Dec 17 21:12:33 2009 From: tdurack at gmail.com (Tim Durack) Date: Thu, 17 Dec 2009 21:12:33 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> Message-ID: <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> > Manny, > > Very good points. And that is our design. However, lack of strict > adherence to our standard has led to two problems. First, several servers > didn't get cabled with two connections. Second, the folks who manage the > servers have challenges with the NIC configurations. So while we expect > many of the servers can sustain the loss of one NIC, we have several that > we know and many that we may not know, will lose network connectivity as > we flip the connection to the new switch. Float the switch out of the rack live, making room for the new install? Depends on the cable plant of course. It has worked for us in a few desperate situations. > VM can't get rolled out fast enough. sigh Don't worry, that will bring it's own challenges... 
Tim:> From alandaluz at gmail.com Thu Dec 17 21:22:32 2009 From: alandaluz at gmail.com (Cassidy Larson) Date: Thu, 17 Dec 2009 19:22:32 -0700 Subject: [c-nsp] Data Center switch replacement In-Reply-To: <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> Message-ID: >> Very good points. And that is our design. However, lack of strict >> adherence to our standard has led to two problems. First, several servers >> didn't get cabled with two connections. Second, the folks who manage the >> servers have challenges with the NIC configurations. So while we expect >> many of the servers can sustain the loss of one NIC, we have several that >> we know and many that we may not know, will lose network connectivity as >> we flip the connection to the new switch. How about you individually move each connection over to the secondary switch one at a time. This should only be a 30 second downtime window per port, I'd think? Once you've migrated everybody off of the primary switch, pull it, upgrade it and then move everybody back one-by-one? This would minimize everybody's downtime and I think would go over better with your clients. Plus, you can drag out the upgrade over time rather than an "all or none" scenario. 
From rsm at fast-serv.com Thu Dec 17 21:42:34 2009 From: rsm at fast-serv.com (Randy McAnally) Date: Thu, 17 Dec 2009 21:42:34 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> Message-ID: <20091218024052.M6236@fast-serv.com> > How about you individually move each connection over to the secondary > switch one at a time. This should only be a 30 second downtime > window per port, I'd think? Once you've migrated everybody off of > the primary switch, pull it, upgrade it and then move everybody back > one-by-one? This would minimize everybody's downtime and I think > would go over better with your clients. Plus, you can drag out the > upgrade over time rather than an "all or none" scenario. Agreed. What if something goes wrong or takes longer than expected -- wouldn't you like to know by the time you've moved the first cable and not after the original switch is completely offline and de-racked? From tvarriale at comcast.net Thu Dec 17 22:16:47 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 17 Dec 2009 21:16:47 -0600 Subject: [c-nsp] EEM BGP References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01> <001e01ca7e9b$fab61cb0$f0225610$@com> <00e501ca7f5c$85a3e530$90ebaf90$@com> Message-ID: Clyde, I don't think I'm following your example with mine. But, it sounds like I need EEM 3.0 to get the BGP functionality that I'm looking for. Once again thanks for your help! 
tv

----- Original Message -----
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Thursday, December 17, 2009 3:04 PM
Subject: RE: [c-nsp] EEM BGP

> Tony,
>
> "event timer countdown time 120" means that the applet BGPADJ_NOSHUT will
> run once, two minutes after it is added to the config.
>
> For EEM v2.2 in place of "action 150 publish-event sub-system 798 type 100
> arg1 "shutdown"" you could add policy B to the config. Policy B would then
> run once, 120 seconds after policy A runs.
>
> Policy B could remove itself from the config using:
> event manager applet t1
>  event timer countdown time 120
>  action 000 syslog msg "Timer expired"
>  action 001 cli command "enable"
>  action 002 cli command "config t"
>  action 003 cli command "no event manager applet t1"
>
> Multiple event support was added to EEM in v2.4. For a complete list of
> what features were added in which EEM release visit our website at
> http://www.progrizon.com/forum/index.php?topic=3.0. For a list of IOS
> releases and which version of EEM they contain visit
> http://www.progrizon.com/forum/index.php?topic=8.0.
>
> The only docs currently available for EEM are on the Cisco web site.
>
> Thanks,
>
> Clyde Wildes
> Progrizon, Inc.
> www.progrizon.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Thursday, December 17, 2009 12:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] EEM BGP
>
> Clyde,
>
> Thanks so much for your help. This appears to work well.
>
> I did try and map this into a 12.4(15)T/EEM 2.2 and it appears to work. I'm
> just not sure how.
>
> Here's the 2.2 config:
>
> event manager applet BGPADJ_SHUT
>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>  action 150 publish-event sub-system 798 type 100 arg1 "shutdown"
> event manager applet BGPADJ_NOSHUT
>  event timer countdown time 120
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>
> The event tag command isn't available in 2.2.
>
> I do not understand how the router knows to unshut. Is this functionally
> the same as the 3.0 config?
>
> Are there any better docs than the ones on cisco.com?
>
> Thanks!
> ----- Original Message -----
> From: "Clyde Wildes"
> To: "'Tony Varriale'" ;
> Sent: Wednesday, December 16, 2009 4:06 PM
> Subject: RE: [c-nsp] EEM BGP
>
>
>> Tony,
>>
>> Yes EEM does not screen on the syslog messages that it emits. When we built
>> the EEM syslog Event Detector the test team insisted that we implement it
>> this way to prevent recursion. ;-)
>>
>> You can always use an application specific event to trigger policy B from
>> policy A. You could use a trigger statement to delay the running of policy B
>> if desired.
>>
>> Use the following:
>>
>> event manager applet BGPADJ_SHUT
>>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>>  action 150 publish-event sub-system 798 type 100 arg1 "shutdown"
>>
>> event manager applet BGPADJ_NOSHUT
>>  event tag bgpevent2 application sub-system 798 type 100
>>  trigger delay 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>>
>> Thanks,
>>
>> Clyde
>> Progrizon, Inc.
>> www.progrizon.com
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
>> Sent: Wednesday, December 16, 2009 9:38 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] EEM BGP
>>
>> Well, did a bunch of testing and I am still stuck. So here's the basic idea
>> and config.
>>
>> When the peer is actually shut, I log a message to syslog (info simplified
>> and anonymized to protect the innocent).
>>
>> event manager applet BGPADJ_SHUT
>>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>>
>> This works great. Notice action 140.
>>
>> To turn the peer back up, I would like to wait 60 seconds (probably 10
>> minutes in the real world) and look for the "Neighbor 172.16.10.3 shutdown by
>> EEM" in the syslog as this will tell me when I need to start my timer.
>>
>> event manager applet BGPADJ_NOSHUT
>>  event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
>>  event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
>>  trigger delay 600
>>   correlate event bgpevent1 and event bgpevent2
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>>
>> This is the part that does not work. For the correlation, I want to either
>> look for event 1 and 2 or just 2. 1 and 2 is really just a self check.
>>
>> The apparent problem is that EEM doesn't look at the messages that it
>> injects into syslog. So, the trigger never happens. And as verification, I
>> tried it with event1 or event2. While watching debug it picks up on event1.
>>
>> Any ideas? Recommendations?
>>
>> tv
>>
>> ----- Original Message -----
>> From: "Clyde Wildes"
>> To: "'Tony Varriale'" ;
>>
>> Sent: Tuesday, December 15, 2009 3:31 PM
>> Subject: RE: [c-nsp] EEM BGP
>>
>

From mtinka at globaltransit.net Fri Dec 18 00:25:10 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 18 Dec 2009 13:25:10 +0800
Subject: [c-nsp] 12.2SB or 12.2SRC/SRD on 7200?
In-Reply-To:
References:
Message-ID: <200912181325.16298.mtinka@globaltransit.net>

On Friday 18 December 2009 02:56:29 am Chris Wopat wrote:
> I'm enabling MPLS on a network that contains 7200VXR's with NPE-400s that
> have PA-FE and IO-FE cards and are currently 12.4 mainline. 12.4 mainline
> does not support MTU > 1500 for FE interfaces on this platform (CSCsc62963).
> I've had one box running SB stable for about two months. I also tested
> 12.2SRC and 12.2SRD in dynamips and it is supported there as well. I'm
> upgrading several other 7200s soon and am wondering if there's any specific
> reasons not to just jump to the latest SRD. These routers will all be doing
> BGP, OSPF and MPLS/VRF and some will have IPv6. I've done a quick comparison
> of 12.2SB and 12.2SRD in feature navigator and am seeing pretty much what I
> expected - more features. Thoughts?

The EoS/EoL announcement for SRC just went out yesterday. Recommended migration plan is now SRD and SRE (when it does come out).

We're generally happy with SRC5, particularly on the NPE-G2 platform. We have it running on the NPE-G1 and the NPE-400. Save for some BFD madness, no major drama.

If you want to remain with the 12.2SR* branch, though, expect to move to SRE if you're looking to support 4-byte ASNs.

Cheers,

Mark.

From steve at ibctech.ca Fri Dec 18 02:05:55 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri, 18 Dec 2009 02:05:55 -0500
Subject: [c-nsp] clue-bat requested for v6 loopback into IGP
Message-ID: <4B2B29D3.9020307@ibctech.ca>

After a long day, I'm certain that I'm missing something simple. I'm trying to get a loopback address advertised into OSPF, after a direct ptp setup has already been established (I can ping6 from ptp interface to ptp interface).
I'm working from a C2961, and in this case, its peer is Quagga. I have done this setup many times before between both Cisco->Quagga and Cisco->Cisco: O>* 2607:f118:1::e1/128 [110/1] via fe80::216:9dff:fe92:1700, em3.300, 3d06h48m O>* 2607:f118:1::e2/128 [110/1] via fe80::209:e8ff:fe43:9f00, em6, 03:26:06 O>* 2607:f118:1::e3/128 [110/2] via fe80::21a:70ff:fe14:568a, em5, 04w2d06h [...snip...] O>* 2607:f118:1::ff0/128 [110/1] via fe80::20a:f4ff:fe0b:b109, em2.98, 03:17:14 The above are loopbacks within the IGP. I'm having a problem getting ::ff1/128 included. I've been comparing rtr configs, but am still missing something due to being over-tired. Can someone clue-bat me with a fresh approach on how to look at this? Steve ps. usually things just 'click' after I send out a public message, so here's to trying ;) From steve at ibctech.ca Fri Dec 18 03:22:49 2009 From: steve at ibctech.ca (Steve Bertrand) Date: Fri, 18 Dec 2009 03:22:49 -0500 Subject: [c-nsp] clue-bat requested for v6 loopback into IGP In-Reply-To: <4B2B29D3.9020307@ibctech.ca> References: <4B2B29D3.9020307@ibctech.ca> Message-ID: <4B2B3BD9.8000900@ibctech.ca> Steve Bertrand wrote: > After a long day, I'm certain that I'm missing something simple. I'm > trying to get a loopback address advertised into OSPF, after a direct > ptp setup has already been established ( I can ping6 from ptp interface > to ptp interface ). ... > ps. usually things just 'click' after I send out a public message, so > here's to trying ;) Thanks to all who replied. I did get it, and what I missed was a simple: (config-subif)#ipv6 ospf 1 area 0.0.0.0 ...on the interface that is part of the ptp which needs to advertise the address of the loopback.. On the former-lacking Quagga box: O>* 2607:f118:1::ff1/128 [110/1] via fe80::215:faff:fe1d:dd40, em2.97, 00:00:15 Cheers! 
Steve From David at Hughes.com.au Fri Dec 18 02:00:23 2009 From: David at Hughes.com.au (David Hughes) Date: Fri, 18 Dec 2009 17:00:23 +1000 Subject: [c-nsp] Port channel bug in SXI3 In-Reply-To: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au> References: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au> Message-ID: This now has a bug ID associated with it. We've got the same problem on SXI2 and SXI3. For anyone interested, the Bug ID is CSCtd93384. David ... On 15/12/2009, at 11:59 AM, David Hughes wrote: > Hi > > Since moving to SXI3 we've seen issues with port channels. Problems such as the physical interfaces and port channel config getting out of sync. A "sh run int" on a member of the Po will say it's shutdown but a "sh run int" on the Po itself shows it's up (and a "sh int" does too). It's not impacting on the operation of the box but it's confusing the hell out of some of the engineers having to work on them. From md at bts.sk Fri Dec 18 03:31:42 2009 From: md at bts.sk (=?UTF-8?Q?Marian_=C4=8Eurkovi=C4=8D?=) Date: Fri, 18 Dec 2009 09:31:42 +0100 Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D40F87CB@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D40F87CB@qcnapp01.corp.qcn> Message-ID: <20091218080859.M81606@bts.sk> On Fri, 18 Dec 2009 10:16:08 +1000, Brad Henshaw wrote > Flow control comes with its own set of challenges however such as > varied support across vendors and models and the fact that it's almost > never QoS-aware in the kind of edge switches you're using. Flowcontrol doesn't need to be QOS-aware in this scenario. On the switch side, it's enough if it supports plain RX flowcontrol i.e. "flowcontrol receive [desired|on]". Then the wireless link can send pause frames to slow down the switch port automatically to the real bandwidth and output buffering / QOS configuration on the switch port is applied as expected. With kind regards, M. 
From gert at greenie.muc.de Fri Dec 18 04:24:45 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 18 Dec 2009 10:24:45 +0100
Subject: [c-nsp] Data Center switch replacement
In-Reply-To: <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com>
References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com>
Message-ID: <20091218092445.GE1917@greenie.muc.de>

Hi,

On Thu, Dec 17, 2009 at 08:42:49PM -0500, chris at lavin-llc.com wrote:
> adherence to our standard has led to two problems. First, several servers
> didn't get cabled with two connections. Second, the folks who manage the
> servers have challenges with the NIC configurations. So while we expect
> many of the servers can sustain the loss of one NIC, we have several that
> we know and many that we may not know, will lose network connectivity as
> we flip the connection to the new switch.

Now that's a good opportunity to clean up broken server configurations and connections.

"If it's meant to be redundant, and it isn't, then it's not the network's fault if it breaks. Go and fix it!"

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From pavel.skovajsa at gmail.com Fri Dec 18 05:54:33 2009
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Fri, 18 Dec 2009 11:54:33 +0100
Subject: [c-nsp] Data Center switch replacement
In-Reply-To: <20091218024052.M6236@fast-serv.com>
References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> <20091218024052.M6236@fast-serv.com>
Message-ID: <323aca890912180254t1bb39f2bocbf1a639144304e5@mail.gmail.com>

I second that, as a rule of thumb in all migrations in production environments it is always much better to go with the step-by-step approach (if possible), and don't do the tempting "big bang" implementation. Yes it is true this will be more costly - more cabling, more rack space, more management around it, more man hour work & more spreadsheets -> but it is quite easy to build a business case around it, as some servers just NEED to be up and you cannot risk too much. Also in case you have a tight change process it provides an easy way to explain to management that the backout procedure is straightforward - replug the server NIC to the previous port.

While doing migrations of servers it is always better to have server/application personnel checking each server as some applications/OS/drivers might not like the replugging (especially when in the middle of something) and might decide to crash/kill/destroy.....for example we had experience with teaming NIC drivers that decided to shut the whole "Team" as soon as something happened to one of the NICs - and found this out only during the replugging.
Also - nobody is perfect, especially in the "inter-tower" field where the server people think that the network guys are responsible for their NIC settings, so we usually find misconfigured NICs - no teaming setup, incorrect teaming modes etc. etc. - so going with step-by-step is always better.

Hope it helps,

-pavel skovajsa

On Fri, Dec 18, 2009 at 3:42 AM, Randy McAnally wrote:
>
> > How about you individually move each connection over to the secondary
> > switch one at a time. This should only be a 30 second downtime
> > window per port, I'd think? Once you've migrated everybody off of
> > the primary switch, pull it, upgrade it and then move everybody back
> > one-by-one? This would minimize everybody's downtime and I think
> > would go over better with your clients. Plus, you can drag out the
> > upgrade over time rather than an "all or none" scenario.
>
> Agreed. What if something goes wrong or takes longer than expected --
> wouldn't you like to know by the time you've moved the first cable and not
> after the original switch is completely offline and de-racked?
>

From pl+list at pmacct.net Fri Dec 18 06:01:43 2009
From: pl+list at pmacct.net (Paolo Lucente)
Date: Fri, 18 Dec 2009 11:01:43 +0000
Subject: [c-nsp] 12.2SB or 12.2SRC/SRD on 7200?
In-Reply-To: <200912181325.16298.mtinka@globaltransit.net>
References: <200912181325.16298.mtinka@globaltransit.net>
Message-ID: <20091218110143.GA4704@moussaka.pmacct.net>

Hi,

On Fri, Dec 18, 2009 at 01:25:10PM +0800, Mark Tinka wrote:
> The EoS/EoL announcement for SRC just went out yesterday.
> Recommended migration plan is now SRD and SRE (when it does
> come out).

Well, SRE is already out for a few weeks now. But whether it can be considered for deployment, it's a different story, ie.
on a 7600 after 6 days of no-frills MPLS/IS-IS/BGP (just a handful of peers):

[ ... ]
Dec 8 21:02:37 xxxx-xx-xxx-xxxx 636: Dec 8 20:02:31.868 UTC: %BGP-4-BGP_OUT_OF_MEMORY: BGP resetting because of memory exhaustion.
Dec 8 21:02:42 xxxx-xx-xxx-xxxx 637: Dec 8 20:02:39.212 UTC: %BGP-5-ADJCHANGE: neighbor xxx.xxx.xx.xxx Down No memory
[ ... ]

Will see what comes out of TAC; for now need to cry another bit to get 4-bytes ASN on 7600; on the 7200 people in the SP arena can usually fall back to a recent 12.0S.

Cheers,
Paolo

From ziliomarcelo at gmail.com Fri Dec 18 06:02:31 2009
From: ziliomarcelo at gmail.com (Marcelo Zilio)
Date: Fri, 18 Dec 2009 09:02:31 -0200
Subject: [c-nsp] Serial link CTS=down link UP
In-Reply-To: <17838240D9A5544AAA5FF95F8D520316074E727A@ad-exh01.adhost.lan>
References: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com> <17838240D9A5544AAA5FF95F8D520316074E727A@ad-exh01.adhost.lan>
Message-ID: <62f79b510912180302p50e1de91u5d9a4ed0de3198f6@mail.gmail.com>

Hi,

Debug keeps showing the following messages. I don't think it is much helpful.

Router#debug serial interface
Router#
000083: Dec 18 08:53:17.521 BST: Serial0/1/0(out): StEnq, myseq 61, yourseen 60, DTE up
000084: Dec 18 08:53:17.533 BST: Serial0/1/0(in): Status, myseq 61, pak size 19
Router#
000085: Dec 18 08:53:27.521 BST: Serial0/1/0(out): StEnq, myseq 62, yourseen 61, DTE up
000086: Dec 18 08:53:27.537 BST: Serial0/1/0(in): Status, myseq 62, pak size 14
Router#
000087: Dec 18 08:53:37.521 BST: Serial0/1/0(out): StEnq, myseq 63, yourseen 62, DTE up
000088: Dec 18 08:53:37.537 BST: Serial0/1/0(in): Status, myseq 63, pak size 14

As far as I could see CTS is always down. It is not flapping. I'm talking to the Service Provider guys. I'll let you know the results.

Thanks for all responses!

On Thu, Dec 17, 2009 at 4:18 PM, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcelo Zilio
> > Sent: Thursday, December 17, 2009 10:04 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Serial link CTS=down link UP
> >
> > Hi,
> >
> > Has anyone seen this in serial interfaces before?
> > Link is UP and traffic is going through, however router shows CTS=down
> > besides a lot of CRCs/Input Errors.
> > It doesn't make sense to me that the parameter which should advise that the link
> > is "ready to go" is DOWN while there is traffic on it.
> > Users are complaining some applications are slow.
> >
> > The router is a Cisco 2811 IOS 12.4(15)T10.
> >
> > Router#sh int s0/1/0
> > Serial0/1/0 is up, line protocol is up
> >   Hardware is GT96K Serial
> >   MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
> >      reliability 255/255, txload 40/255, rxload 42/255
> >   Encapsulation FRAME-RELAY IETF, loopback not set
> >   Keepalive set (10 sec)
> >   CRC checking enabled
> >   LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up
> >   LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
> >   LMI DLCI 0  LMI type is ANSI Annex D  frame relay DTE  segmentation inactive
> >   FR SVC disabled, LAPF state down
> >   Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface broadcasts 0
> >   Last input 00:00:00, output 00:00:00, output hang never
> >   Last clearing of "show interface" counters 00:07:55
> >   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
> >   Queueing strategy: dual fifo
> >   Output queue: high size/max/dropped 0/256/0
> >   Output queue: 0/128 (size/max)
> >   30 second input rate 43000 bits/sec, 68 packets/sec
> >   30 second output rate 41000 bits/sec, 78 packets/sec
> >      34746 packets input, 2956769 bytes, 0 no buffer
> >      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
> >      602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
> >      43237 packets output, 3308125 bytes, 0 underruns
> >      0 output errors, 0 collisions, 0 interface resets
> >      0 unknown protocol drops
> >      0 output buffer failures, 0 output buffers swapped out
> >      0 carrier transitions
> >      DCD=up  DSR=up  DTR=up  RTS=up  *CTS=down*
> >
>
> With all those errors I would say you have a physical layer problem or a
> clocking issue. Perhaps the CTS is flapping between up and down and
> you're catching it on the down. What happens if you debug the
> interface?
>
> Regards,
>
> Mike
>

From gert at greenie.muc.de Fri Dec 18 06:14:28 2009
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 18 Dec 2009 12:14:28 +0100
Subject: [c-nsp] 12.2SB or 12.2SRC/SRD on 7200?
In-Reply-To: <20091218110143.GA4704@moussaka.pmacct.net>
References: <200912181325.16298.mtinka@globaltransit.net> <20091218110143.GA4704@moussaka.pmacct.net>
Message-ID: <20091218111428.GM1917@greenie.muc.de>

Hi,

On Fri, Dec 18, 2009 at 11:01:43AM +0000, Paolo Lucente wrote:
> Will see what comes out of TAC; for now need to cry another
> bit to get 4-bytes ASN on 7600; on the 7200 people in the SP
> arena can usually fall back to a recent 12.0S.

Haha. No IPv6 in 12.0S for 7200.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
Name: not available Type: application/pgp-signature Size: 305 bytes Desc: not available URL: From chris at lavin-llc.com Fri Dec 18 20:32:22 2009 From: chris at lavin-llc.com (chris at lavin-llc.com) Date: Fri, 18 Dec 2009 20:32:22 -0500 Subject: [c-nsp] Data Center switch replacement In-Reply-To: <20091218092445.GE1917@greenie.muc.de> References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <20091218092445.GE1917@greenie.muc.de> Message-ID: > > Now that's a good opportunity to clean up broken server configurations and > connections. > > "If it's meant to be redundant, and it isn't, then it's not the network's > fault if it breaks. Go and fix it!" > > gert > -- Thanks to everyone that responded. I appreciate learning how much several of us have in common. I especially liked those that shared stories with me about similar challenges of server and NIC settings for what should be a redundant design with Primary/Secondary configurations. I'll update my recommended options to include a third scenario. 1. Complete blackout to power down each switch and replace it with the new one. 2. Eat the cabling/rack/etc. cost and stand up the new switches and migrate the connections in one night (performing some due diligence ahead of time) and hoping all servers are properly configured for a Primary/Secondary network connection. 3. Eat the cabling/rack/etc. cost and stand up the new switches and migrate slowly over a period of several maintenance windows while hoping we don't have any more line card failures during the extended migration period. 
Much appreciated,
-chris

From chris at lavin-llc.com Fri Dec 18 20:34:30 2009
From: chris at lavin-llc.com (chris at lavin-llc.com)
Date: Fri, 18 Dec 2009 20:34:30 -0500
Subject: [c-nsp] Data Center switch replacement
In-Reply-To: <20091218092445.GE1917@greenie.muc.de>
References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <20091218092445.GE1917@greenie.muc.de>
Message-ID:

> Hi,
>
> On Thu, Dec 17, 2009 at 08:42:49PM -0500, chris at lavin-llc.com wrote:
>> adherence to our standard has led to two problems. First, several servers
>> didn't get cabled with two connections. Second, the folks who manage the
>> servers have challenges with the NIC configurations. So while we expect
>> many of the servers can sustain the loss of one NIC, we have several that
>> we know and many that we may not know, will lose network connectivity as
>> we flip the connection to the new switch.
>
> Now that's a good opportunity to clean up broken server configurations and
> connections.
>
> "If it's meant to be redundant, and it isn't, then it's not the network's
> fault if it breaks. Go and fix it!"
>
> gert
> --

Thanks to everyone that responded. I appreciate learning how much several of
us have in common. I especially liked those that shared stories with me about
similar challenges of server and NIC settings for what should be a redundant
design with Primary/Secondary configurations.

I'll update my recommended options to include a third scenario.

1. Complete blackout to power down each switch and replace it with the new
one.

2. Eat the cabling/rack/etc. cost and stand up the new switches and migrate
the connections in one night (performing some due diligence ahead of time)
and hoping all servers are properly configured for a Primary/Secondary
network connection.

3. Eat the cabling/rack/etc. cost and stand up the new switches and migrate
slowly over a period of several maintenance windows while hoping we don't
have any more line card failures during the extended migration period.

Much appreciated,
-chris

From bitkraft at gmail.com Sat Dec 19 01:18:13 2009
From: bitkraft at gmail.com (Brian Spade)
Date: Fri, 18 Dec 2009 22:18:13 -0800
Subject: [c-nsp] Data Center switch replacement
In-Reply-To: <20091218024052.M6236@fast-serv.com>
References: <7a3db498bb8e599d1efaeb0115a3b9bf.squirrel@email.fatcow.com> <4B2AC62D.8090101@comcast.net> <76bd2dfaa8714d1d62a199ac9fc27230.squirrel@email.fatcow.com> <9e246b4d0912171812w6b21aab6sb9ea9acec5ccee7f@mail.gmail.com> <20091218024052.M6236@fast-serv.com>
Message-ID: <505b616c0912182218x74cae9c0m82f3552d4ae09346@mail.gmail.com>

Hi,

On Thu, Dec 17, 2009 at 6:42 PM, Randy McAnally wrote:
>
> > How about you individually move each connection over to the secondary
> > switch one at a time. This should only be a 30 second downtime
> > window per port, I'd think? Once you've migrated everybody off of
> > the primary switch, pull it, upgrade it and then move everybody back
> > one-by-one? This would minimize everybody's downtime and I think
> > would go over better with your clients. Plus, you can drag out the
> > upgrade over time rather than an "all or none" scenario.
>
> Agreed. What if something goes wrong or takes longer than expected --
> wouldn't you like to know by the time you've moved the first cable and not
> after the original switch is completely offline and de-racked?
>

+2

For example, install new switch, make its connections to the existing AGG
layer but also interconnect it to your existing ACC layer, pre-configure port
assignments from current access switch 2 to new switch 2, move connections
one at a time off of your current access switch 2 to new switch 2. Remove old
access switch 2, install new access switch 1, rinse-and-repeat.
Single-homed devices will have down-time from however long it takes you to
physically move the port plus your CAM timeout. If you can do this fast
enough you might not reset some TCP connections.

However, if there is a lack of infrastructure for this... fix the servers or
determine how long the hosts will be down :-)

/bs

From omar.parihuana at gmail.com Sun Dec 20 11:06:44 2009
From: omar.parihuana at gmail.com (omar parihuana)
Date: Sun, 20 Dec 2009 11:06:44 -0500
Subject: [c-nsp] Serial link CTS=down link UP
In-Reply-To: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com>
References: <62f79b510912171004y13a06d48i1c930798bf0c4fbe@mail.gmail.com>
Message-ID: <834c50110912200806t7e63901aw7c7ffc74ee37b42@mail.gmail.com>

I'll suggest that Provider change the CSU/DSU.... since that all signals are
not open a synchronization problem can be there...

Rgds.

On Thu, Dec 17, 2009 at 1:04 PM, Marcelo Zilio wrote:
> Hi,
>
> Has anyone seen this in serial interfaces before?
> Link is UP and traffic is going through, however router shows CTS=down
> besides a lot CRCs/Input Errors.
> It doesn't make sense to me the parameter which should advise that the link
> is "ready to go" is DOWN while there is traffic on it.
> Users are complaining some application are slow.
>
> The router is a Cisco 2811 IOS 12.4(15)T10.
>
> Router#sh int s0/1/0
> Serial0/1/0 is up, line protocol is up
>   Hardware is GT96K Serial
>   MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
>      reliability 255/255, txload 40/255, rxload 42/255
>   Encapsulation FRAME-RELAY IETF, loopback not set
>   Keepalive set (10 sec)
>   CRC checking enabled
>   LMI enq sent 48, LMI stat recvd 48, LMI upd recvd 0, DTE LMI up
>   LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
>   LMI DLCI 0  LMI type is ANSI Annex D  frame relay DTE  segmentation inactive
>   FR SVC disabled, LAPF state down
>   Broadcast queue 0/64, broadcasts sent/dropped 7/0, interface broadcasts 0
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 00:07:55
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: dual fifo
>   Output queue: high size/max/dropped 0/256/0
>   Output queue: 0/128 (size/max)
>   30 second input rate 43000 bits/sec, 68 packets/sec
>   30 second output rate 41000 bits/sec, 78 packets/sec
>      34746 packets input, 2956769 bytes, 0 no buffer
>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>      602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
>      43237 packets output, 3308125 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 unknown protocol drops
>      0 output buffer failures, 0 output buffers swapped out
>      0 carrier transitions
>      DCD=up  DSR=up  DTR=up  RTS=up  *CTS=down*
>
> Thanks,
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
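The reasoning in this thread (CTS=down with the line protocol up, next to hundreds of CRC/frame/abort errors, points at the physical layer or clocking) can be applied mechanically to the `show interface` output quoted above. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed subset of that output and emits tagged findings; the function names, finding tags and the 0.1% error-rate threshold are this script's own assumptions.

```python
"""Parse Cisco IOS `show interface` output for a serial link and flag the
symptoms discussed in the thread: a down handshake signal (CTS) while the line
protocol is up, plus CRC/frame/overrun/abort counters since the last clear.
Added example; sample text, field names and threshold are constructed here."""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines of the quoted `sh int s0/1/0` output that the
# parser actually uses (status line, input counters, modem-control signals).
SAMPLE = """\
Serial0/1/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 256 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 40/255, rxload 42/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  CRC checking enabled
  Last clearing of "show interface" counters 00:07:55
     34746 packets input, 2956769 bytes, 0 no buffer
     602 input errors, 602 CRC, 433 frame, 107 overrun, 0 ignored, 323 abort
     43237 packets output, 3308125 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=down
"""

STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?P<admin>up|down|administratively down), "
    r"line protocol is (?P<proto>up|down)")
INPUT_RE = re.compile(r"^(?P<pkts>\d+) packets input\b")
ERRORS_RE = re.compile(
    r"^(?P<errors>\d+) input errors, (?P<crc>\d+) CRC, (?P<frame>\d+) frame, "
    r"(?P<overrun>\d+) overrun, (?P<ignored>\d+) ignored, (?P<abort>\d+) abort")
CARRIER_RE = re.compile(r"^(?P<n>\d+) carrier transitions")
SIGNAL_RE = re.compile(r"\b(DCD|DSR|DTR|RTS|CTS)=(up|down)\b")


@dataclass
class SerialStats:
    name: str = ""
    admin: str = ""
    proto: str = ""
    packets_input: int = 0
    input_errors: int = 0
    crc: int = 0
    frame: int = 0
    overrun: int = 0
    ignored: int = 0
    abort: int = 0
    carrier_transitions: int = 0
    signals: dict = field(default_factory=dict)   # e.g. {"CTS": "down"}


def parse_show_interface(text: str) -> SerialStats:
    """Extract status, input counters and signal states of one interface."""
    s = SerialStats()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS_RE.match(line):
            s.name, s.admin, s.proto = m["name"], m["admin"], m["proto"]
        elif m := INPUT_RE.match(line):
            s.packets_input = int(m["pkts"])
        elif m := ERRORS_RE.match(line):
            s.input_errors, s.crc = int(m["errors"]), int(m["crc"])
            s.frame, s.overrun = int(m["frame"]), int(m["overrun"])
            s.ignored, s.abort = int(m["ignored"]), int(m["abort"])
        elif m := CARRIER_RE.match(line):
            s.carrier_transitions = int(m["n"])
        else:
            for sig, state in SIGNAL_RE.findall(line):
                s.signals[sig] = state
    return s


def input_error_rate(s: SerialStats) -> float:
    """Input errors as a fraction of packets received since the last clear."""
    return s.input_errors / s.packets_input if s.packets_input else 0.0


def assess(s: SerialStats, max_error_rate: float = 0.001) -> list:
    """Tagged findings reproducing the thread's reasoning."""
    findings = []
    if s.proto == "up" and s.signals.get("CTS") == "down":
        findings.append("CTS_DOWN: line protocol is up but CTS=down; check the "
                        "cable, CSU/DSU and DCE-side signalling")
        if s.carrier_transitions == 0:
            # The carrier-transitions counter tracks DCD, so it cannot reveal a
            # flapping CTS; sample the signal states repeatedly instead.
            findings.append("CTS_FLAP: 0 carrier transitions says nothing about "
                            "CTS; poll the signal states to catch flapping")
    if s.crc or s.frame or s.abort:
        findings.append(f"LINE_ERRORS: {s.crc} CRC, {s.frame} frame, {s.abort} "
                        "abort since last clear; typical of a physical-layer "
                        "or clocking problem")
    rate = input_error_rate(s)
    if rate > max_error_rate:
        findings.append(f"ERROR_RATE: {rate:.2%} of input packets errored "
                        f"(threshold {max_error_rate:.2%})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_interface(SAMPLE)):
        print(finding)
```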
From brad.henshaw at qcn.com.au Mon Dec 21 02:41:17 2009
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Mon, 21 Dec 2009 17:41:17 +1000
Subject: [c-nsp] Egress QoS on FE links with less than 100Mbps speeds
Message-ID: <8B25B862BC09784B9B74FB950D4F64D40F87D7@qcnapp01.corp.qcn>

Marian Ďurkovič wrote:
> Flowcontrol doesn't need to be QOS-aware in this scenario.
> On the switch side, it's enough if it supports plain RX flowcontrol
> i.e. "flowcontrol receive [desired|on]". Then the wireless link can
> send pause frames to slow down the switch port automatically to the
> real bandwidth and output buffering / QOS configuration on the switch
> port is applied as expected.

That is assuming that the switch honours QoS and continues to prioritise
packets appropriately when it receives a PAUSE from the radio gear - more
often than not this is not the case and all traffic in the egress buffers
will be equally affected.

I recall reading (maybe on this list) that the Nexus 5k or 7k supports
QoS-aware flow control - but I wouldn't bet on it being included in low-end
switches any time soon. (not that I'd complain if it was)

Regards,
Brad

From mtinka at globaltransit.net Mon Dec 21 02:41:23 2009
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 21 Dec 2009 15:41:23 +0800
Subject: [c-nsp] Port channel bug in SXI3
In-Reply-To:
References: <94503B54-1DD5-4B99-A788-3CBB4FE849D1@Hughes.com.au>
Message-ID: <200912211541.28842.mtinka@globaltransit.net>

On Friday 18 December 2009 03:00:23 pm David Hughes wrote:

> This now has a bug ID associated with it. We've got the
> same problem on SXI2 and SXI3. For anyone interested,
> the Bug ID is CSCtd93384.

No case notes for this bug ID, but I'm watching it.

Cheers,

Mark.

From asturluismi at gmail.com Mon Dec 21 09:58:39 2009
From: asturluismi at gmail.com (luismi)
Date: Mon, 21 Dec 2009 15:58:39 +0100
Subject: [c-nsp] Experiences with 12.4.15T11 (before: Re: 12.4 IOS recommendation for 7206 )
In-Reply-To: <299413.80594.qm@web180003.mail.gq1.yahoo.com>
References: <4B26A34A.8010802@gmail.com> <3329cbb40912141303g6aa2ebaeqfae6f12101550150@mail.gmail.com> <299413.80594.qm@web180003.mail.gq1.yahoo.com>
Message-ID: <1261407519.30613.3.camel@hal9000>

Platform 7206VXR NPE-G2, any serious problem with that IOS?

On Mon, 14-12-2009 at 16:49 -0800, Derick Winkworth wrote:
> Agreed on the 12.4(15)T train. Pick the latest release of this.
>
> No new features have been introduced in this "train" since T7 or T8 I believe. Going forward, all releases will be bug-fix only. As I understand it.
>
>
> ________________________________
> From: Dale Shaw
> To: aptgetd at gmail.com
> Cc: cisco-nsp at puck.nether.net
> Sent: Mon, December 14, 2009 3:03:43 PM
> Subject: Re: [c-nsp] 12.4 IOS recommendation for 7206
>
> Hi,
>
> On Tue, Dec 15, 2009 at 7:42 AM, sky vader wrote:
> >
> > Any recommendation for a stable enterprise IOS [for 7200]
> > supporting following feature set.
> > [...]
>
> There was a thread on this in the last week or so.
>
> I'm personally happy with 12.4(15)T - we run it on 12 or so 7200s
> (NPE-400s, NPE-G1s and NPE-G2s) and it's pretty solid. We don't run
> MPLS, BGP or OSPF on them (we're an EIGRP shop), but all your other
> boxes are ticked.
>
> cheers,
> Dale
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From c.spurgeon at mail.utexas.edu Mon Dec 21 12:01:52 2009
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 21 Dec 2009 11:01:52 -0600
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <20091215235118.GA13356@argus.gw.utexas.edu>
References: <20091215235118.GA13356@argus.gw.utexas.edu>
Message-ID: <20091221170151.GA52477@argus.gw.utexas.edu>

Responding to my own posting with an update: the SNMP issue described
below appears to have had nothing to do with the SNMP code on the
router. Instead it appears to have been a hardware related problem with
internal communication paths in the router which was stalling the SCP
paths and "Async Write" processes, causing failures for a number of
things like writing files to flash and answering SNMP queries.

It's not clear why the issue didn't show up until the router was
reloaded on SXI3 code, but Murphy's Law is always at work.

During a maint window we power cycled the router with full startup
diagnostics, but found no hardware problems. However, the high SP CPU
load (99 percent) was present again on the slot 5 sup (slot 6 sup was
OK). Replacing the slot 5 sup appears to have resolved all issues. All
modules in the box were reseated during the power-cycling, just in case.

The other two routers running SXI3 are not having any CPU load problems
and have been stable. One is a border router doing full BGP peering, the
other an enterprise core router.

On the port-channel issue that was noted, the error counters on the po
int have not incremented since counters were cleared. It appears that
there must have been a burst of errors at startup but nothing since then.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

On Tue, Dec 15, 2009 at 05:50:55PM -0600, Charles Spurgeon wrote:
>
> We upgraded three core routers to monolithic 12.2(33)SXI3 on Sunday,
> Dec 13.
>
> One of the upgraded routers started throwing SNMP input queue errors
> after several hours of runtime. All three routers are polled by the
> same servers asking for the same OIDs, but only one of the upgraded
> routers has thrown any SNMP errors:
> "Dec 14 14:19:50: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full"
>
> SNMP graphing stopped working coincident with these error msgs.
>
> In an attempt to clear the errors we applied these commands that
> were found when looking for info on this error:
> snmp-server view public-view iso included
> snmp-server view public-view ciscoMemoryPoolMIB excluded
>
> Roughly coincident with applying those snmp config lines the SP CPU
> went to 100 percent load, where it has remained stuck ever since. RP
> CPU is running normally.
>
> We have opened a TAC case, run a number of debugs, removed all SNMP
> commands, etc. But the SP CPU is still pegged and we haven't been able
> to find a smoking gun.
>
> The biggest process load on the SP appears to be from an Async write
> process:
> --------------------
> NOCA9-sp#show proc cpu | exc 0.00
> Load for five secs: 100%/13%; one minute: 99%; five minutes: 99%
> Time source is hardware calendar, 10:46:59.677 CST Mon Dec 14 2009
>
> CPU utilization for five seconds: 100%/13%; one minute: 99%; five minutes: 99%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   42       52936      2280      23217  0.63%  0.07%  0.01%   0 Per-minute Jobs
>   93    51573408   1269609      40621 67.46% 65.15% 64.79%   0 Async write proc
>  111     2197532   3855803        569  1.91%  1.88%  1.91%   0 slcp process
> --------------------
>
> We ran debug on SNMP packets and requests and found that the SNMP
> traffic consists of well-behaved SNMP queries from just our set of
> servers, polling only the MIB vars needed and there are no high
> quantities of requests.
>
> Meanwhile, there are an insane number of VeryBig buffers on the RP and
> equally insane numbers of Medium buffers on the SP being created:
> --------------------
> RP
> --------------------
> VeryBig buffers, 4520 bytes (total 1013, permanent 10, peak 1016 @ 14:51:06):
>      12 in free list (0 min, 100 max allowed)
>      584335 hits, 21308 misses, 15077 trims, 16080 created
>      14417 failures (0 no memory)
>
> --------------------
> SP
> --------------------
> Medium buffers, 256 bytes (total 30359, permanent 3000, peak 30359 @ 00:00:00):
>      66 in free list (64 min, 3000 max allowed)
>      1659825 hits, 9193 misses, 33 trims, 27392 created
>      0 failures (0 no memory)
>
> Other than this, we have not been able to find any other useful info.
>
> Also, we have been seeing errors on a port-channel associated with one
> of the other routers that was upgraded to SXI3.
>
> There have been bursts of errors received on the upstream router from
> the upgraded router on the two 10GigE ints that make up the port
> channel. As far as we can tell these ints were running clean until
> SXI3 was loaded, but we're still investigating this issue.
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From nbautista at cts.ucla.edu Mon Dec 21 12:38:33 2009
From: nbautista at cts.ucla.edu (Bautista, Noel)
Date: Mon, 21 Dec 2009 09:38:33 -0800
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To: <20091221170151.GA52477@argus.gw.utexas.edu>
References: <20091215235118.GA13356@argus.gw.utexas.edu> <20091221170151.GA52477@argus.gw.utexas.edu>
Message-ID:

Thanks to everyone who sent in their feedback on SXI3. We're in the process
of upgrading a few of our routers to the monolithic SXI3.

Noel

-----Original Message-----
From: Charles Spurgeon [mailto:c.spurgeon at mail.utexas.edu]
Sent: Monday, December 21, 2009 9:02 AM
To: Charles Spurgeon
Cc: Bautista, Noel; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS Upgrade to SXI3

Responding to my own posting with an update: the SNMP issue described
below appears to have had nothing to do with the SNMP code on the
router. Instead it appears to have been a hardware related problem with
internal communication paths in the router which was stalling the SCP
paths and "Async Write" processes, causing failures for a number of
things like writing files to flash and answering SNMP queries.

It's not clear why the issue didn't show up until the router was
reloaded on SXI3 code, but Murphy's Law is always at work.

During a maint window we power cycled the router with full startup
diagnostics, but found no hardware problems. However, the high SP CPU
load (99 percent) was present again on the slot 5 sup (slot 6 sup was
OK). Replacing the slot 5 sup appears to have resolved all issues. All
modules in the box were reseated during the power-cycling, just in case.

The other two routers running SXI3 are not having any CPU load problems
and have been stable. One is a border router doing full BGP peering, the
other an enterprise core router.

On the port-channel issue that was noted, the error counters on the po
int have not incremented since counters were cleared. It appears that
there must have been a burst of errors at startup but nothing since then.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

On Tue, Dec 15, 2009 at 05:50:55PM -0600, Charles Spurgeon wrote:
>
> We upgraded three core routers to monolithic 12.2(33)SXI3 on Sunday,
> Dec 13.
>
> One of the upgraded routers started throwing SNMP input queue errors
> after several hours of runtime. All three routers are polled by the
> same servers asking for the same OIDs, but only one of the upgraded
> routers has thrown any SNMP errors:
> "Dec 14 14:19:50: %SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full"
>
> SNMP graphing stopped working coincident with these error msgs.
>
> In an attempt to clear the errors we applied these commands that
> were found when looking for info on this error:
> snmp-server view public-view iso included
> snmp-server view public-view ciscoMemoryPoolMIB excluded
>
> Roughly coincident with applying those snmp config lines the SP CPU
> went to 100 percent load, where it has remained stuck ever since. RP
> CPU is running normally.
>
> We have opened a TAC case, run a number of debugs, removed all SNMP
> commands, etc. But the SP CPU is still pegged and we haven't been able
> to find a smoking gun.
>
> The biggest process load on the SP appears to be from an Async write
> process:
> --------------------
> NOCA9-sp#show proc cpu | exc 0.00
> Load for five secs: 100%/13%; one minute: 99%; five minutes: 99%
> Time source is hardware calendar, 10:46:59.677 CST Mon Dec 14 2009
>
> CPU utilization for five seconds: 100%/13%; one minute: 99%; five minutes: 99%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   42       52936      2280      23217  0.63%  0.07%  0.01%   0 Per-minute Jobs
>   93    51573408   1269609      40621 67.46% 65.15% 64.79%   0 Async write proc
>  111     2197532   3855803        569  1.91%  1.88%  1.91%   0 slcp process
> --------------------
>
> We ran debug on SNMP packets and requests and found that the SNMP
> traffic consists of well-behaved SNMP queries from just our set of
> servers, polling only the MIB vars needed and there are no high
> quantities of requests.
>
> Meanwhile, there are an insane number of VeryBig buffers on the RP and
> equally insane numbers of Medium buffers on the SP being created:
> --------------------
> RP
> --------------------
> VeryBig buffers, 4520 bytes (total 1013, permanent 10, peak 1016 @ 14:51:06):
>      12 in free list (0 min, 100 max allowed)
>      584335 hits, 21308 misses, 15077 trims, 16080 created
>      14417 failures (0 no memory)
>
> --------------------
> SP
> --------------------
> Medium buffers, 256 bytes (total 30359, permanent 3000, peak 30359 @ 00:00:00):
>      66 in free list (64 min, 3000 max allowed)
>      1659825 hits, 9193 misses, 33 trims, 27392 created
>      0 failures (0 no memory)
>
> Other than this, we have not been able to find any other useful info.
>
> Also, we have been seeing errors on a port-channel associated with one
> of the other routers that was upgraded to SXI3.
>
> There have been bursts of errors received on the upstream router from
> the upgraded router on the two 10GigE ints that make up the port
> channel. As far as we can tell these ints were running clean until
> SXI3 was loaded, but we're still investigating this issue.
>
> -Charles
>
> Charles E. Spurgeon / UTnet
> UT Austin ITS / Networking
> c.spurgeon at its.utexas.edu / 512.475.9265
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cwildes at progrizon.com Mon Dec 21 12:48:13 2009
From: cwildes at progrizon.com (Clyde Wildes)
Date: Mon, 21 Dec 2009 09:48:13 -0800
Subject: [c-nsp] EEM BGP
In-Reply-To:
References: <2884C965D7B14FCEB8A99CA67ED2C988@flamdt01> <00e501ca7dcd$f3680a50$da381ef0$@com> <765B4353E6674BC59F02E05CCAE42F34@flamdt01> <001e01ca7e9b$fab61cb0$f0225610$@com> <00e501ca7f5c$85a3e530$90ebaf90$@com>
Message-ID: <00c301ca8265$c4a0a2d0$4de1e870$@com>

Tony,

Sorry for not being totally clear with my previous response.

Your original EEM v3.0 policy set was:

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 150 publish-event sub-system 798 type 100 arg1 "shutdown"

event manager applet BGPADJ_NOSHUT
 event tag bgpevent2 application sub-system 798 type 100
 trigger delay 60
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "no neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"

12.4(15)T has EEM v2.3. An equivalent EEM v2.3 policy set might be:

event manager environment _quote "

event manager applet BGPADJ_SHUT
 event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
 action 100 cli command "enable"
 action 110 cli command "configure terminal"
 action 120 cli command "router bgp 666"
 action 130 cli command "neighbor 172.16.10.3 shutdown"
 action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
 action 160 cli command "event manager applet BGPADJ_NOSHUT"
 action 170 cli command "event timer countdown time 60"
 action 180 cli command "action 100 cli command $_quote enable $_quote"
 action 190 cli command "action 110 cli command $_quote configure terminal $_quote"
 action 200 cli command "action 120 cli command $_quote router bgp 666 $_quote"
 action 210 cli command "action 130 cli command $_quote no neighbor 172.16.10.3 shutdown $_quote"
 action 220 cli command "action 140 syslog msg $_quote Neighbor 172.16.10.3 noshut by EEM $_quote"
 action 230 cli command "action 150 cli command $_quote no event manager applet BGPADJ_NOSHUT $_quote"

In this policy set, the act of running policy BGPADJ_SHUT causes policy
BGPADJ_NOSHUT to be added to the config (after the neighbor is shut down).
Policy BGPADJ_NOSHUT runs 60 seconds later, does a noshut to the neighbor,
and un-configures itself when it is complete.

Note that the environment variable _quote is meant to get around the fact
that you can not escape the double quote symbol using a backslash character
in EEM v2.3.

I hope that this helps.

Thanks,

Clyde Wildes
Progrizon, Inc.
www.progrizon.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Thursday, December 17, 2009 7:17 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] EEM BGP

Clyde,

I don't think I'm following your example with mine. But, it sounds like I
need EEM 3.0 to get the BGP functionality that I'm looking for.
Once again thanks for your help!

tv

----- Original Message -----
From: "Clyde Wildes"
To: "'Tony Varriale'" ;
Sent: Thursday, December 17, 2009 3:04 PM
Subject: RE: [c-nsp] EEM BGP

> Tony,
>
> "event timer countdown time 120" means that the applet BGPADJ_NOSHUT will
> run once, two minutes after it is added to the config.
>
> For EEM v2.2 in place of "action 150 publish-event sub-system 798 type 100
> arg1 "shutdown"" you could add policy B to the config. Policy B would then
> run once, 120 seconds after policy A runs.
>
> Policy B could remove itself from the config using:
> event manager applet t1
>  event timer countdown time 120
>  action 000 syslog msg "Timer expired"
>  action 001 cli command "enable"
>  action 002 cli command "config t"
>  action 003 cli command "no event manager applet t1"
>
> Multiple event support was added to EEM in v2.4. For a complete list of what
> features were added in which EEM release visit our website at
> http://www.progrizon.com/forum/index.php?topic=3.0. For a list of IOS
> releases and which version of EEM they contain visit
> http://www.progrizon.com/forum/index.php?topic=8.0.
>
> The only docs currently available for EEM are on the Cisco web site.
>
> Thanks,
>
> Clyde Wildes
> Progrizon, Inc.
> www.progrizon.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
> Sent: Thursday, December 17, 2009 12:22 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] EEM BGP
>
> Clyde,
>
> Thanks so much for your help. This appears to work well.
>
> I did try and map this into a 12.4(15)T/EEM 2.2 and it appears to work. I'm
> just not sure how.
>
> Here's the 2.2 config:
>
> event manager applet BGPADJ_SHUT
>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>  action 150 publish-event sub-system 798 type 100 arg1 "shutdown"
> event manager applet BGPADJ_NOSHUT
>  event timer countdown time 120
>  action 100 cli command "enable"
>  action 110 cli command "configure terminal"
>  action 120 cli command "router bgp 666"
>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>
> The event tag command isn't available in 2.2.
>
> I do not understand how the router knows to unshut. Is this functionally
> the same as the 3.0 config?
>
> Are there any better docs than the ones on cisco.com?
>
> Thanks!
> ----- Original Message -----
> From: "Clyde Wildes"
> To: "'Tony Varriale'" ;
> Sent: Wednesday, December 16, 2009 4:06 PM
> Subject: RE: [c-nsp] EEM BGP
>
>
>> Tony,
>>
>> Yes EEM does not screen on the syslog messages that it emits. When we built
>> the EEM syslog Event Detector the test team insisted that we implement it
>> this way to prevent recursion. ;-)
>>
>> You can always use an application specific event to trigger policy B from
>> policy A. You could use a trigger statement to delay the running of policy B
>> if desired.
>>
>> Use the following:
>>
>> event manager applet BGPADJ_SHUT
>>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>>  action 150 publish-event sub-system 798 type 100 arg1 "shutdown"
>>
>> event manager applet BGPADJ_NOSHUT
>>  event tag bgpevent2 application sub-system 798 type 100
>>  trigger delay 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>>
>> Thanks,
>>
>> Clyde
>> Progrizon, Inc.
>> www.progrizon.com
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
>> Sent: Wednesday, December 16, 2009 9:38 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] EEM BGP
>>
>> Well, did a bunch of testing and I am still stuck. So here's the basic idea
>> and config.
>>
>> When the peer is actually shut, I log a message to syslog (info simplified
>> and anonymized to protect innocent).
>>
>> event manager applet BGPADJ_SHUT
>>  event syslog occurs 2 pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down" period 600
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 shutdown by EEM"
>>
>> This works great. Notice action 140.
>>
>> To turn the peer back up, I would like to wait 60 seconds (probably 10
>> minutes in real world) and look for the "Neighbor 172.16.10.3 shutdown by
>> EEM" in the syslog as this will tell me when I need to start my timer.
>>
>> event manager applet BGPADJ_NOSHUT
>>  event tag bgpevent1 syslog pattern "%BGP-5-ADJCHANGE: neighbor 172.16.10.3 Down"
>>  event tag bgpevent2 syslog pattern "Neighbor 172.16.10.3 shutdown by EEM"
>>  trigger delay 600
>>   correlate event bgpevent1 and event bgpevent2
>>  action 100 cli command "enable"
>>  action 110 cli command "configure terminal"
>>  action 120 cli command "router bgp 666"
>>  action 130 cli command "no neighbor 172.16.10.3 shutdown"
>>  action 140 syslog msg "Neighbor 172.16.10.3 noshut by EEM"
>>
>> This is the part that does not work. For the correlation, I want to either
>> look for event 1 and 2 or just 2. 1 and 2 is really just a self check.
>>
>> The apparent problem is that EEM doesn't look at the messages that it
>> injects into syslog. So, the trigger never happens. And as verification, I
>> tried it with event1 or event2. While watching debug it picks up on event1.
>>
>> Any ideas? Recommendations?
>>
>> tv
>>
>> ----- Original Message -----
>> From: "Clyde Wildes"
>> To: "'Tony Varriale'" ;
>>
>> Sent: Tuesday, December 15, 2009 3:31 PM
>> Subject: RE: [c-nsp] EEM BGP
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From A.L.M.Buxey at lboro.ac.uk Mon Dec 21 13:13:20 2009
From: A.L.M.Buxey at lboro.ac.uk (Alan Buxey)
Date: Mon, 21 Dec 2009 18:13:20 +0000
Subject: [c-nsp] IOS Upgrade to SXI3
In-Reply-To:
References: <20091215235118.GA13356@argus.gw.utexas.edu> <20091221170151.GA52477@argus.gw.utexas.edu>
Message-ID: <20091221181320.GC16099@lboro.ac.uk>

Hi,

> Thanks to everyone who sent in their feedback on SXI3. We're in the process of upgrading a few of our routers to the monolithic SXI3.

yes, we have had no big issues with SXI3 on a handful of our routers and
are therefore bringing the others up to match - well aware that there are
a few caveats on SXI3 but that's far less than we currently skirt around! :-)

alan

From drew.weaver at thenap.com Mon Dec 21 14:39:39 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 21 Dec 2009 14:39:39 -0500
Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?
Message-ID:

Hello,

I'm currently searching for a firewall appliance which can also handle
application server DDoS mitigation on a small scale (not network wide).
Does anyone know of anything like this from Cisco or any other vendor? I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, etc but I am looking for something smaller scale, I just need to be able to put something in-line between the WAN and a group of servers that will look for things like 20 hosts on the net opening 1000s requests to the same URL.. etc Any advice is appreciated. thanks, -Drew From oles at ovh.net Mon Dec 21 14:47:37 2009 From: oles at ovh.net (oles at ovh.net) Date: Mon, 21 Dec 2009 20:47:37 +0100 Subject: [c-nsp] IOS Upgrade to SXI3 In-Reply-To: References: <20091215235118.GA13356@argus.gw.utexas.edu> <20091221170151.GA52477@argus.gw.utexas.edu> Message-ID: <20091221194737.GQ15659@ovh.net> On Mon, Dec 21, 2009 at 09:38:33AM -0800, Bautista, Noel wrote: > Thanks to everyone who sent in their feedback on SXI3. We're in the process of upgrading a few of our routers to the monolithic SXI3. the "cisco's" upgrading process didn't work for us. I had to reload all router with the total downtime during 1 hour. Because when I restarted the slave on SXI3 (the master was in SXI1), the sync between master/slave didn't work. 
I got this: Dec 10 04:05:51 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1603, idbtype=HWIDB) Dec 10 04:05:54 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1604, idbtype=SWIDB) Dec 10 04:05:57 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1604, idbtype=HWIDB) Dec 10 04:06:00 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1605, idbtype=SWIDB) Dec 10 04:06:03 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1605, idbtype=HWIDB) Dec 10 04:06:06 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1606, idbtype=SWIDB) Dec 10 04:06:09 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1606, idbtype=HWIDB) Dec 10 04:06:12 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1607, idbtype=SWIDB) Dec 10 04:06:16 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1607, idbtype=HWIDB) Dec 10 04:06:19 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1608, idbtype=SWIDB) Dec 10 04:06:22 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new 
ifindex from the Active (ifindex=1608, idbtype=HWIDB) Dec 10 04:06:25 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1609, idbtype=SWIDB) Dec 10 04:06:28 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1609, idbtype=HWIDB) Dec 10 04:06:31 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1610, idbtype=SWIDB) Dec 10 04:06:34 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1610, idbtype=HWIDB) Dec 10 04:06:37 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1611, idbtype=SWIDB) #sh idb all | i 1601 H 1019 1601 D,A,R . Port-channelXXX S 1016 1601 U . Port-channelXXX #sh idb all | i 1602 H 1020 1602 D,A,R . Port-channelXXX S 1017 1602 U . Port-channelXXX #sh idb all | i 1603 S 1018 1603 U . Port-channelXXX #sh idb all | i 1604 #sh idb all | i 1605 #sh idb all | i 1606 Maximum number of Software IDBs 12000. In use 1606. 
Total IDBs 1606 1606 #sh idb all | i 1607 Dec 10 04:25:06 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1794, idbtype=SWIDB) Dec 10 04:25:09 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1794, idbtype=HWIDB) Dec 10 04:25:12 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1795, idbtype=SWIDB) Dec 10 04:25:16 GMT: %IDBINDEX_SYNC-4-RESERVE: Failed to lookup existing ifindex for an interface on the Standby, allocating a new ifindex from the Active (ifindex=1795, idbtype=HWIDB) then with the hard reload, I got this: *Dec 10 03:35:03.499: %ISSU_PROCESS-SW1_SP-3-IMAGE: Active is loading the wrong image [ disk0:s72033-advipservicesk9-mz.122-33.SXI3.bin ], expected image [ disk0:s72033-advipservicesk9-mz.122-33.SXI1.bin ] *Dec 10 03:35:04.255: %RF-SW1_SP-5-RF_RELOAD: Shelf reload. Reason: Active is loading the wrong image *Dec 10 03:35:04.255: %OIR-SW1_SP-6-CONSOLE: Changing console ownership to switch processor my personal conclusion: the next vss I have to upgrade will be down during only 10 minutes because I won't risk the new "standard" upgrading process again. I will reload hard the vss and all will be up 10 minutes after ... The vss upgrading systeme with "no downtime" doesn't work for us, maybe because our vss have lot of port channels (350), lot of ports (582) and some trafic (40Gbps switching/routing) and it's very difficult to sync (more that 16 hours). Octave From arturnrm at gmail.com Mon Dec 21 16:05:53 2009 From: arturnrm at gmail.com (Artur) Date: Mon, 21 Dec 2009 19:05:53 -0200 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? 
In-Reply-To: References: Message-ID: <4B2FE331.1050506@gmail.com> Hello Drew, Unfortunately there isn't a efficient DDoS mitigation appliance. Simply because, to my knowledge there ins't an appliance able to handle the huge amount of traffic sent by a DDoS attack. Only your SP could prevent this from reaching you. The only things you could do would be get some redundancy. cheers Artur On 12/21/2009 5:39 PM, Drew Weaver wrote: > Hello, > > I'm currently searching for a firewall appliance which can also handle application server DDoS mitigation on a small scale (not network wide). > > Does anyone know of anything like this from Cisco or any other vendor? > > I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, etc but I am looking for something smaller scale, I just need to be able to put something in-line between the WAN and a group of servers that will look for things like 20 hosts on the net opening 1000s requests to the same URL.. etc > > Any advice is appreciated. > > thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tvarriale at comcast.net Mon Dec 21 16:15:06 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 21 Dec 2009 15:15:06 -0600 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? References: <4B2FE331.1050506@gmail.com> Message-ID: <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> You may want to contact Arbor since they have a business model based on what you claim doesn't exist. tv ----- Original Message ----- From: "Artur" To: Sent: Monday, December 21, 2009 3:05 PM Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? > Hello Drew, > > Unfortunately there isn't a efficient DDoS mitigation appliance. 
Simply > because, to my knowledge there ins't an appliance able to handle the huge > amount of traffic sent by a DDoS attack. > Only your SP could prevent this from reaching you. > The only things you could do would be get some redundancy. > > cheers > Artur > > On 12/21/2009 5:39 PM, Drew Weaver wrote: >> Hello, >> >> I'm currently searching for a firewall appliance which can also handle >> application server DDoS mitigation on a small scale (not network wide). >> >> Does anyone know of anything like this from Cisco or any other vendor? >> >> I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, >> etc but I am looking for something smaller scale, I just need to be able >> to put something in-line between the WAN and a group of servers that will >> look for things like 20 hosts on the net opening 1000s requests to the >> same URL.. etc >> >> Any advice is appreciated. >> >> thanks, >> -Drew >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tvarriale at comcast.net Mon Dec 21 16:16:01 2009 From: tvarriale at comcast.net (Tony Varriale) Date: Mon, 21 Dec 2009 15:16:01 -0600 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? References: Message-ID: I'm not aware of anything on a small scale. Are you looking for an all-in-one? What speeds are you dealing with? tv ----- Original Message ----- From: "Drew Weaver" To: "Cisco-nsp" Sent: Monday, December 21, 2009 1:39 PM Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? 
> Hello, > > I'm currently searching for a firewall appliance which can also handle > application server DDoS mitigation on a small scale (not network wide). > > Does anyone know of anything like this from Cisco or any other vendor? > > I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, > etc but I am looking for something smaller scale, I just need to be able > to put something in-line between the WAN and a group of servers that will > look for things like 20 hosts on the net opening 1000s requests to the > same URL.. etc > > Any advice is appreciated. > > thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gsgranados at comcast.net Mon Dec 21 16:28:28 2009 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 21 Dec 2009 13:28:28 -0800 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? References: <4B2FE331.1050506@gmail.com> Message-ID: <03a501ca8284$8eb2d8e0$2408120a@am.thmulti.com> I think the fine folks at Arbor would disagree with this statement.;) They make some great detection gear. Cisco should be able to help here as well although I haven't used their products for this requirement. ----- Original Message ----- From: "Artur" To: Sent: Monday, December 21, 2009 1:05 PM Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? > Hello Drew, > > Unfortunately there isn't a efficient DDoS mitigation appliance. Simply > because, to my knowledge there ins't an appliance able to handle the huge > amount of traffic sent by a DDoS attack. > Only your SP could prevent this from reaching you. > The only things you could do would be get some redundancy. 
> > cheers > Artur > > On 12/21/2009 5:39 PM, Drew Weaver wrote: >> Hello, >> >> I'm currently searching for a firewall appliance which can also handle >> application server DDoS mitigation on a small scale (not network wide). >> >> Does anyone know of anything like this from Cisco or any other vendor? >> >> I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, >> etc but I am looking for something smaller scale, I just need to be able >> to put something in-line between the WAN and a group of servers that will >> look for things like 20 hosts on the net opening 1000s requests to the >> same URL.. etc >> >> Any advice is appreciated. >> >> thanks, >> -Drew >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From me at falz.net Mon Dec 21 16:43:17 2009 From: me at falz.net (Chris Wopat) Date: Mon, 21 Dec 2009 15:43:17 -0600 Subject: [c-nsp] IP MTU setting + OSPF Message-ID: I'm changing MTU on some 7200s with PA-FE's to 1530 with the "mtu 1530" command on the interface. To get OSPF to neighbor with a 2800 (no user settable MTU), I've put "ip mtu 1500" on the 7200. In my testing this works fine. Does this in any way prevent the 7200 from generating an OSPF packet that's larger than 1500 and potentially breaking things down the road? The following links have been helpful for MTU descriptions but I'm not seeing the answer to this question in there. 
- http://puck.nether.net/pipermail/cisco-nsp/2006-June/031765.html - http://puck.nether.net/pipermail/cisco-nsp/2008-April/049365.html - http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml - http://blog.ioshints.info/2007/10/tale-of-three-mtus.html These MTU changes are being made as MPLS preparations. From arturnrm at gmail.com Mon Dec 21 17:05:02 2009 From: arturnrm at gmail.com (Artur) Date: Mon, 21 Dec 2009 20:05:02 -0200 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> References: <4B2FE331.1050506@gmail.com> <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> Message-ID: <4B2FF10E.7010409@gmail.com> As far as I know Arbor does great stuff again's DDoS but for SP environments, and as I did pointed out, are the only one really capable to mitigate a DDoS attack. For enterprise the only way to do it is with good design. On 12/21/2009 7:15 PM, Tony Varriale wrote: > You may want to contact Arbor since they have a business model based > on what you claim doesn't exist. > > tv > > > ----- Original Message ----- From: "Artur" > To: > Sent: Monday, December 21, 2009 3:05 PM > Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for > application server DDoS prevention? > > >> Hello Drew, >> >> Unfortunately there isn't a efficient DDoS mitigation appliance. >> Simply because, to my knowledge there ins't an appliance able to >> handle the huge amount of traffic sent by a DDoS attack. >> Only your SP could prevent this from reaching you. >> The only things you could do would be get some redundancy. >> >> cheers >> Artur >> >> On 12/21/2009 5:39 PM, Drew Weaver wrote: >>> Hello, >>> >>> I'm currently searching for a firewall appliance which can also >>> handle application server DDoS mitigation on a small scale (not >>> network wide). >>> >>> Does anyone know of anything like this from Cisco or any other vendor? 
>>> >>> I'm aware of the 'huge' network wide products such as CiscoGuard, >>> Arbor, etc but I am looking for something smaller scale, I just need >>> to be able to put something in-line between the WAN and a group of >>> servers that will look for things like 20 hosts on the net opening >>> 1000s requests to the same URL.. etc >>> >>> Any advice is appreciated. >>> >>> thanks, >>> -Drew >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From arturnrm at gmail.com Mon Dec 21 17:21:18 2009 From: arturnrm at gmail.com (Artur) Date: Mon, 21 Dec 2009 20:21:18 -0200 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: <4B2FF10E.7010409@gmail.com> References: <4B2FE331.1050506@gmail.com> <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> <4B2FF10E.7010409@gmail.com> Message-ID: <4B2FF4DE.5090309@gmail.com> Good design that should indeed have a good DDoS detection appliance :D. But it is not a single box solution. On 12/21/2009 8:05 PM, Artur wrote: > As far as I know Arbor does great stuff again's DDoS but for SP > environments, and as I did pointed out, are the only one really > capable to mitigate a DDoS attack. > For enterprise the only way to do it is with good design. 
> > On 12/21/2009 7:15 PM, Tony Varriale wrote: >> You may want to contact Arbor since they have a business model based >> on what you claim doesn't exist. >> >> tv >> >> >> ----- Original Message ----- From: "Artur" >> To: >> Sent: Monday, December 21, 2009 3:05 PM >> Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for >> application server DDoS prevention? >> >> >>> Hello Drew, >>> >>> Unfortunately there isn't a efficient DDoS mitigation appliance. >>> Simply because, to my knowledge there ins't an appliance able to >>> handle the huge amount of traffic sent by a DDoS attack. >>> Only your SP could prevent this from reaching you. >>> The only things you could do would be get some redundancy. >>> >>> cheers >>> Artur >>> >>> On 12/21/2009 5:39 PM, Drew Weaver wrote: >>>> Hello, >>>> >>>> I'm currently searching for a firewall appliance which can also >>>> handle application server DDoS mitigation on a small scale (not >>>> network wide). >>>> >>>> Does anyone know of anything like this from Cisco or any other vendor? >>>> >>>> I'm aware of the 'huge' network wide products such as CiscoGuard, >>>> Arbor, etc but I am looking for something smaller scale, I just >>>> need to be able to put something in-line between the WAN and a >>>> group of servers that will look for things like 20 hosts on the net >>>> opening 1000s requests to the same URL.. etc >>>> >>>> Any advice is appreciated. 
>>>> >>>> thanks, >>>> -Drew >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From scott at labyrinth.org Mon Dec 21 18:12:20 2009 From: scott at labyrinth.org (Scott Keoseyan) Date: Mon, 21 Dec 2009 18:12:20 -0500 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: <4B2FF4DE.5090309@gmail.com> References: <4B2FE331.1050506@gmail.com> <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> <4B2FF10E.7010409@gmail.com> <4B2FF4DE.5090309@gmail.com> Message-ID: <83816FF6-668E-4422-9347-3398A2E49B84@labyrinth.org> I'd agree to some extent to this sentiment. Is anyone looking at the techniques for ddos mitigation outlined in this draft with regards to helping their enterprise customers mitigate ddos attacks? http://tools.ietf.org/html/draft-ietf-opsec-blackhole-urpf-04 Scott On Dec 21, 2009, at 5:21 PM, Artur wrote: > Good design that should indeed have a good DDoS detection > appliance :D. But it is not a single box solution. > > On 12/21/2009 8:05 PM, Artur wrote: >> As far as I know Arbor does great stuff again's DDoS but for SP >> environments, and as I did pointed out, are the only one really >> capable to mitigate a DDoS attack. >> For enterprise the only way to do it is with good design. 
>> >> On 12/21/2009 7:15 PM, Tony Varriale wrote: >>> You may want to contact Arbor since they have a business model >>> based on what you claim doesn't exist. >>> >>> tv >>> >>> >>> ----- Original Message ----- From: "Artur" >>> To: >>> Sent: Monday, December 21, 2009 3:05 PM >>> Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances >>> for application server DDoS prevention? >>> >>> >>>> Hello Drew, >>>> >>>> Unfortunately there isn't a efficient DDoS mitigation appliance. >>>> Simply because, to my knowledge there ins't an appliance able to >>>> handle the huge amount of traffic sent by a DDoS attack. >>>> Only your SP could prevent this from reaching you. >>>> The only things you could do would be get some redundancy. >>>> >>>> cheers >>>> Artur >>>> >>>> On 12/21/2009 5:39 PM, Drew Weaver wrote: >>>>> Hello, >>>>> >>>>> I'm currently searching for a firewall appliance which can also >>>>> handle application server DDoS mitigation on a small scale (not >>>>> network wide). >>>>> >>>>> Does anyone know of anything like this from Cisco or any other >>>>> vendor? >>>>> >>>>> I'm aware of the 'huge' network wide products such as >>>>> CiscoGuard, Arbor, etc but I am looking for something smaller >>>>> scale, I just need to be able to put something in-line between >>>>> the WAN and a group of servers that will look for things like 20 >>>>> hosts on the net opening 1000s requests to the same URL.. etc >>>>> >>>>> Any advice is appreciated. 
>>>>> >>>>> thanks, >>>>> -Drew >>>>> >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>>> >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Scott Keoseyan scott at labyrinth.org Homepage - http://www.labyrinth.org/homepages/scott Blog - http://www.labyrinth.org/wp1 PGP Key - http://www.labyrinth.org/homepages/scott/pgp.html From rdobbins at arbor.net Mon Dec 21 18:44:17 2009 From: rdobbins at arbor.net (Dobbins, Roland) Date: Mon, 21 Dec 2009 23:44:17 +0000 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: References: Message-ID: <11DEE550-EDE8-459D-8833-994231CC34A7@arbor.net> On Dec 22, 2009, at 2:39 AM, Drew Weaver wrote: > I'm currently searching for a firewall appliance which can also handle application server DDoS mitigation on a small scale (not network wide). Firewalls are policy-enforcement devices and don't offer DDoS mitigation capabilities, marketing claims aside. Firewalls are DDoS chokepoints, and have no place in front of servers, as 'stateful inspection' makes no sense whatsoever when every inbound packet is unsolicited in the first place, heh. 
Before going and buying a dedicated DDoS mitigation system from any vendor, it's generally a good idea to ensure one's leveraging the existing capabilities of one's existing infrastructure. S/RTBH is definitely something I'd recommend as a good first step, prior to spending any additional monies. ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From sethm at rollernet.us Mon Dec 21 20:08:42 2009 From: sethm at rollernet.us (Seth Mattinen) Date: Mon, 21 Dec 2009 17:08:42 -0800 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: <03a501ca8284$8eb2d8e0$2408120a@am.thmulti.com> References: <4B2FE331.1050506@gmail.com> <03a501ca8284$8eb2d8e0$2408120a@am.thmulti.com> Message-ID: <4B301C1A.4040300@rollernet.us> Scott Granados wrote: > I think the fine folks at Arbor would disagree with this statement.;) > > They make some great detection gear. Cisco should be able to help here > as well although I haven't used their products for this requirement. > > Well, there *is* a limited use. If I have a mitigation appliance and stick it at the end of a T1 or T3 and someone floods enough traffic to fill the pipe, does it really matter how good the box is? ~Seth From steve at ibctech.ca Mon Dec 21 20:23:11 2009 From: steve at ibctech.ca (Steve Bertrand) Date: Mon, 21 Dec 2009 20:23:11 -0500 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? 
In-Reply-To: <11DEE550-EDE8-459D-8833-994231CC34A7@arbor.net> References: <11DEE550-EDE8-459D-8833-994231CC34A7@arbor.net> Message-ID: <4B301F7F.4050305@ibctech.ca> Dobbins, Roland wrote: > S/RTBH is definitely something I'd recommend as a good first step, ...which in the case of a significant (relative) attack is enough to mitigate the DoS long enough so you can get your upstream(s) to combat it before it reaches you (looking at it from a 'small' operation). Hopefully, the upstream(s) do S/RTBH, so they can blackhole the problem for you after you've proven your case to them, while they work with you to validate and combat the issue. I've even heard of some 'upstream' providers offering a community, that after you've proven yourself to have clue, will allow you to BH up to a /29 within their network... Steve ps. this is looking at the issue from a standpoint that not all DDoSs are bandwidth-saturating. Most that I've faced have not involved bandwidth saturation, but denial of service via more strategic, thoughtful and intriguing means. From shinejoseph at dodo.com.au Mon Dec 21 20:09:49 2009 From: shinejoseph at dodo.com.au (Shine Joseph) Date: Tue, 22 Dec 2009 09:09:49 +0800 Subject: [c-nsp] 6500 mGRE/DMVPN on VSS Message-ID: <6B2A200DCC0D48B48C1B64EFB83E3AC4@au.didata.local> Hi, Wondering if anyone has done mGRE/DMVPN on VSS switches. I am thinking of a solution with VSS at the access with Layer 3 and mGRE (30+) and VSS at Distribution/Core. When multiple mGREs are required, tunnel keys must be used to differntitate between the tunnels, with the same source interface for all tunnels. But, the GREs will be done in software when tunnel keys are used in 6500 and I do not want to do this. Can someone sugegst any alternatives to mGRE/DMVPN? I know it is hard to sugegst something without more details/information. 
Thanks in advance, Shine From rdobbins at arbor.net Mon Dec 21 20:43:46 2009 From: rdobbins at arbor.net (Dobbins, Roland) Date: Tue, 22 Dec 2009 01:43:46 +0000 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? In-Reply-To: <4B301F7F.4050305@ibctech.ca> References: <11DEE550-EDE8-459D-8833-994231CC34A7@arbor.net> <4B301F7F.4050305@ibctech.ca> Message-ID: On Dec 22, 2009, at 8:23 AM, Steve Bertrand wrote: > I've even heard of some 'upstream' providers offering a community, that after you've proven yourself to have clue, will allow you to BH up to a /29 within their network... Yes - however, this is going to be destination-based blackholing, in which one is essentially completing the DDoS for the attacker. There's value in that, however, as the concept of partial service recovery is a valid one. > ps. this is looking at the issue from a standpoint that not all DDoSs are bandwidth-saturating. Most that I've faced have not involved bandwidth saturation, but denial of service via more strategic, thoughtful and intriguing means. Sadly, it all too often requires little in the way of bandwidth, throughput, strategy, thought, or intrigue to effectively DDoS many sites/properties, due to poor design and non-adherence to even the most basic principles of resilience and availability: ----------------------------------------------------------------------- Roland Dobbins // Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken From bgreene at senki.org Mon Dec 21 22:03:50 2009 From: bgreene at senki.org (Barry Raveendran Greene) Date: Mon, 21 Dec 2009 19:03:50 -0800 Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? 
In-Reply-To: <4B301F7F.4050305@ibctech.ca>
References: <11DEE550-EDE8-459D-8833-994231CC34A7@arbor.net> <4B301F7F.4050305@ibctech.ca>
Message-ID: <004401ca82b3$69dbcd90$3d9368b0$@org>

> Dobbins, Roland wrote:
>
> > S/RTBH is definitely something I'd recommend as a good first step,
>
> ...which in the case of a significant (relative) attack is enough to
> mitigate the DoS long enough so you can get your upstream(s) to combat
> it before it reaches you (looking at it from a 'small' operation).
>
> Hopefully, the upstream(s) do S/RTBH, so they can blackhole the problem
> for you after you've proven your case to them, while they work with you
> to validate and combat the issue.

For those who are wondering what S/RTBH is all about, check out the tutorial given at NANOG:

My post with PPT slides: http://www.senki.org/?p=696

The NANOG link: http://www.nanog.org/meetings/nanog47/abstracts.php?pt=MTQ0NCZuYW5vZzQ3&nm=nanog47

It has information on how D/RTBH and S/RTBH are used - as well as BGP Shunts, Sink Holes, etc. Enterprise networks should take the time to know what their upstream provider can do for them in a DDOS Emergency.

> I've even heard of some 'upstream' providers offering a community that,
> after you've proven yourself to have clue, will allow you to BH up to a
> /29 within their network...

"Customer Triggered RTBH." Works well in several SP networks.

From dcp at dcptech.com Mon Dec 21 21:19:37 2009
From: dcp at dcptech.com (David Prall)
Date: Mon, 21 Dec 2009 21:19:37 -0500
Subject: [c-nsp] 6500 mGRE/DMVPN on VSS
In-Reply-To: <6B2A200DCC0D48B48C1B64EFB83E3AC4@au.didata.local>
References: <6B2A200DCC0D48B48C1B64EFB83E3AC4@au.didata.local>
Message-ID: <009301ca82ad$51178750$f34695f0$@com>

Do it from a dedicated loopback per tunnel. Advertise an aggregate only of the loopbacks. Now doing this from VSS I'm not so sure about though.
David

--
http://dcp.dcptech.com

From tvarriale at comcast.net Tue Dec 22 00:10:51 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 21 Dec 2009 23:10:51 -0600
Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?
References: <4B2FE331.1050506@gmail.com> <0B0FA43EE6FC4C46B4F711D2882F7C2B@flamdt01> <4B2FF10E.7010409@gmail.com>
Message-ID: <2E209D53453B4FD28BA5B025DC0C8114@flamdt01>

You didn't point out anything, didn't mention capability and didn't mention target market.

tv

----- Original Message -----
From: "Artur"
To:
Sent: Monday, December 21, 2009 4:05 PM
Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?

> As far as I know Arbor does great stuff against DDoS, but for SP
> environments, and as I did point out, they are the only ones really capable of
> mitigating a DDoS attack.
> For enterprise the only way to do it is with good design.
>
> On 12/21/2009 7:15 PM, Tony Varriale wrote:
>> You may want to contact Arbor since they have a business model based on
>> what you claim doesn't exist.
>>
>> tv
>>
>> ----- Original Message ----- From: "Artur"
>> To:
>> Sent: Monday, December 21, 2009 3:05 PM
>> Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for
>> application server DDoS prevention?
>>
>>> Hello Drew,
>>>
>>> Unfortunately there isn't an efficient DDoS mitigation appliance. Simply
>>> because, to my knowledge, there isn't an appliance able to handle the
>>> huge amount of traffic sent by a DDoS attack.
>>> Only your SP could prevent this from reaching you.
>>> The only thing you could do would be to get some redundancy.
>>>
>>> cheers
>>> Artur
>>>
>>> On 12/21/2009 5:39 PM, Drew Weaver wrote:
>>>> Hello,
>>>>
>>>> I'm currently searching for a firewall appliance which can also handle
>>>> application server DDoS mitigation on a small scale (not network wide).
>>>>
>>>> Does anyone know of anything like this from Cisco or any other vendor?
>>>>
>>>> I'm aware of the 'huge' network wide products such as CiscoGuard,
>>>> Arbor, etc but I am looking for something smaller scale, I just need to
>>>> be able to put something in-line between the WAN and a group of servers
>>>> that will look for things like 20 hosts on the net opening 1000s of
>>>> requests to the same URL.. etc
>>>>
>>>> Any advice is appreciated.
>>>>
>>>> thanks,
>>>> -Drew
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From noc at phibee.net Tue Dec 22 00:46:21 2009
From: noc at phibee.net (Phibee Network Operation Center)
Date: Tue, 22 Dec 2009 06:46:21 +0100
Subject: [c-nsp] NAT on a cisco 3745
Message-ID: <4B305D2D.2090108@phibee.net>

Hi,

I am searching for the command to NAT all traffic destined to one IP.

My config:

Two ports:

 FastEthernet 1/0
  Description LAN
  ip address 172.16.1.254 255.255.255.0

 FastEthernet 2/0
  Description WAN
  ip address 172.20.8.254 255.255.255.252

 ip route 172.20.8.0 255.255.255.252 172.20.8.253

At the moment, no NAT.

I want that on the LAN interface it answers at a new IP, 172.16.1.250, and all traffic destined to 172.16.1.250 is sent to 172.20.8.1.

If the user puts in SMTP: 172.16.1.250 port 25, 172.20.8.1:25 answers.

Anyone know the right command?
thanks
jerome

From rens at autempspourmoi.be Tue Dec 22 01:31:17 2009
From: rens at autempspourmoi.be (Rens)
Date: Tue, 22 Dec 2009 07:31:17 +0100
Subject: [c-nsp] IP MTU setting + OSPF
In-Reply-To:
References:
Message-ID: <9D25E93512614100AE602AB99785B3F7@EU.corp.clearwire.com>

As long as the ip mtu is the same on all the interfaces running OSPF, all is fine.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Wopat
Sent: Monday 21 December 2009 22:43
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP MTU setting + OSPF

I'm changing MTU on some 7200s with PA-FEs to 1530 with the "mtu 1530" command on the interface. To get OSPF to neighbor with a 2800 (no user settable MTU), I've put "ip mtu 1500" on the 7200. In my testing this works fine. Does this in any way prevent the 7200 from generating an OSPF packet that's larger than 1500 and potentially breaking things down the road?

The following links have been helpful for MTU descriptions but I'm not seeing the answer to this question in there.

- http://puck.nether.net/pipermail/cisco-nsp/2006-June/031765.html
- http://puck.nether.net/pipermail/cisco-nsp/2008-April/049365.html
- http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
- http://blog.ioshints.info/2007/10/tale-of-three-mtus.html

These MTU changes are being made as MPLS preparations.

From swmike at swm.pp.se Tue Dec 22 03:08:54 2009
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 22 Dec 2009 09:08:54 +0100 (CET)
Subject: [c-nsp] IP MTU setting + OSPF
In-Reply-To:
References:
Message-ID:

On Mon, 21 Dec 2009, Chris Wopat wrote:

> I'm changing MTU on some 7200s with PA-FEs to 1530 with the "mtu
> 1530" command on the interface.
> To get OSPF to neighbor with a 2800
> (no user settable MTU), I've put "ip mtu 1500" on the 7200. In my
> testing this works fine. Does this in any way prevent the 7200 from
> generating an OSPF packet that's larger than 1500 and potentially
> breaking things down the road? The following links have been helpful
> for MTU descriptions but I'm not seeing the answer to this question in
> there.

If you set "ip mtu 1500" then indeed it will not send any IP packets larger than 1500, and since OSPF runs over IP, this is also affected.

But yes, you're doing the right thing (if the "mtu 1530" command is because you're running MPLS or something else non-IP that needs a higher MTU).

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From reuben-cisco-nsp at reub.net Tue Dec 22 03:31:28 2009
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 22 Dec 2009 19:31:28 +1100
Subject: [c-nsp] IP MTU setting + OSPF
In-Reply-To:
References:
Message-ID: <4B3083E0.3010608@reub.net>

And don't forget - just in case this applies to you:

ip mtu 1500

does NOT apply to IPv6, you'll need to -explicitly- set "ipv6 mtu 1500" as well :-)

Reuben
(who recently found this out the hard way with IPv6 OSPF)

From almog.purepeak at gmail.com Tue Dec 22 03:59:37 2009
From: almog.purepeak at gmail.com (almog ohayon)
Date: Tue, 22 Dec 2009 10:59:37 +0200
Subject: [c-nsp] Cisco ACE FT track host
Message-ID: <3b53747c0912220059p4cb3c3dbg67c2da5860f5cd83@mail.gmail.com>

Hi All,

I have configured in my Cisco ACE 4710 two types of tracking for the FT group and the results are:

1. when I use ft track interface it works great.
2. when I use ft track host it is not working at all.

This is the config of the FT:

ft interface vlan 10
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 10

ft group 1
  peer 1
  no preempt
  priority 120
  peer priority 110
  associate-context Admin
  inservice

ft group 2
  peer 1
  no preempt
  priority 120
  peer priority 110
  associate-context Production
  inservice

ft group 3
  peer 1
  no preempt
  priority 120
  peer priority 110
  associate-context Staging
  inservice

ft track interface Vlan597
  track-interface vlan 597
  priority 50

ft track host DGW_CHECK
  track-host 192.168.97.1
  priority 50

From brett.wooldridge at gmail.com Tue Dec 22 07:04:52 2009
From: brett.wooldridge at gmail.com (Brett Wooldridge)
Date: Tue, 22 Dec 2009 21:04:52 +0900
Subject: [c-nsp] Cisco CNS initial configuration
Message-ID: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com>

Hello list,

I am trying to build a provisioning solution that uses Cisco CNS' initial configuration facility. Initial configuration is a facility by which a device, when booted with a minimal bootstrap, obtains its configuration via HTTP(S). However, it seems there is scant documentation available on doing so.
Cisco provides documentation on how to configure a device's CNS agent for initial configuration, but no documentation on the internals of how that configuration is delivered. The only solutions that seem capable of delivering initial configuration are Cisco's own products. However, CNS and its netconf-based XML schemas were meant to provide an "open" API to developers, provisioners, and engineers.

I have a device (a Cisco 3640) that is configured with an initial bootstrap, like so:

!
Version 12.4
!
cns config connect-intf FastEthernet ping-interval 30 retries 3
 config-cli description Deployment test
 config-cli ip address dhcp
 config-cli no shutdown
 config-cli ip route 0.0.0.0 0.0.0.0
 exit
!
cns id string 12345678
cns config initial 192.168.0.111 page /ciscocns
!
end

And when the device boots, it does indeed hit my web server running at 192.168.0.111 at the appropriate URL. However, when I try to deliver an initial configuration, I get an error on the device saying that the XML is invalid. Which is not surprising given that I've had to try to make an educated guess as to what the device is expecting.

What I'd like to do is blast a standard "startup-config", in standard form (same as obtained from 'show startup-config'), down to the device. I am aware that the device is expecting netconf-like XML. However, how exactly to encapsulate the configuration text in XML is where I seem to be failing. And therefore, I'm asking for some help here from anyone with CNS experience.

What I'm currently sending the device is this:

replace
test-then-set
stop-on-error

... config text here ...

I know this is a rather esoteric question, that's why I'm dipping deep into the well of Cisco knowledge here. Any ideas or suggestions?
TIA,
Brett

From Eddie.Lindsay at synetrix.co.uk Tue Dec 22 07:24:01 2009
From: Eddie.Lindsay at synetrix.co.uk (Eddie.Lindsay at synetrix.co.uk)
Date: Tue, 22 Dec 2009 12:24:01 +0000
Subject: [c-nsp] Cisco CNS initial configuration
In-Reply-To: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com>
References: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com>
Message-ID: <1DA7900C-B2C2-4467-8BAD-D9440B1EB7AA@synetrix.co.uk>

Hi,

I tried to do something similar a while ago and hit a brick wall on API documentation. It would be nice to see some if available.

Regards,
Eddie

On 22 Dec 2009, at 12:04, Brett Wooldridge wrote:

> I am trying to build a provisioning solution that uses Cisco CNS' initial
> configuration facility.

----------------------------------------------------------------------------------------------------------
Synetrix Holdings Limited
Tel: +44 (0)1252 405 600
www.synetrix.co.uk

Synetrix (Holdings) Limited is a limited company registered in England and Wales. Registered number: 0349 1956. VAT number: GB776 1259 07. Registered office: Synetrix House, 49-51 Victoria Road, Farnborough, Hampshire, GU14 7PA.

IMPORTANT NOTICE: This message is intended solely for the use of the Individual or organisation to whom it is addressed. It may contain privileged or confidential information. If you have received this message in error, please notify the originator immediately.
If you are not the intended recipient, you should not use, copy, alter, or disclose the contents of this message. All information or opinions expressed in this message and/or any attachments are those of the author and are not necessarily those of Synetrix Holdings Limited. Synetrix Holdings Limited accepts no responsibility for loss or damage arising from its use, including damage from virus.

From p.mayers at imperial.ac.uk Tue Dec 22 08:07:19 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 22 Dec 2009 13:07:19 +0000
Subject: [c-nsp] Cisco CNS initial configuration
In-Reply-To: <1DA7900C-B2C2-4467-8BAD-D9440B1EB7AA@synetrix.co.uk>
References: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com> <1DA7900C-B2C2-4467-8BAD-D9440B1EB7AA@synetrix.co.uk>
Message-ID: <4B30C487.7030709@imperial.ac.uk>

Eddie.Lindsay at synetrix.co.uk wrote:
> Hi,
>
> I tried to do something similar a while ago and hit a brick wall on
> API documentation. It would be nice to see some if available.

I've had a lot of trouble trying to speak netconf to our 6500s running SXI; the XML PI docs seem to be just flat-out wrong in many places, not to mention the SSH bugs I'm chasing in SXI relating to RFC compliance...
I did eventually get it sort-of working with XML such as the following:

hostname core-spare
no interface Lo99

It would be great if Cisco would step up and actually give someone to engage with for the xml/netconf/cns stuff - at the moment it looks like abandonware on IOS platforms (I'm sure it's not, but that's the impression it gives)

From p.mayers at imperial.ac.uk Tue Dec 22 08:10:09 2009
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 22 Dec 2009 13:10:09 +0000
Subject: [c-nsp] Cisco CNS initial configuration
In-Reply-To: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com>
References: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com>
Message-ID: <4B30C531.8010305@imperial.ac.uk>

> What I'm currently sending the device is this:
>
> "xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>
> replace
> test-then-set
> stop-on-error
> xc:operation="replace">
>
> ... config text here ...

What Content-Type are you sending in the HTTP headers?

Have you tried the various "debug cns" commands; they seemed to provide varying degrees of info when I tried them (though I was trying to use netconf over SSH, as you say they seem to use the same underlying subsystem)

From me at falz.net Tue Dec 22 09:01:48 2009
From: me at falz.net (Chris Wopat)
Date: Tue, 22 Dec 2009 08:01:48 -0600
Subject: [c-nsp] cisco-nsp Digest, Vol 85, Issue 67
In-Reply-To:
References:
Message-ID:

>> From: Mikael Abrahamsson
>
> If you set "ip mtu 1500" then indeed it will not send any IP packets
> larger than 1500, and since OSPF runs over IP, this is also affected.
>
> But yes, you're doing the right thing (if the "mtu 1530" command is
> because you're running MPLS or something else non-IP that needs a higher
> MTU).

Excellent, this is what I was hoping to hear. And yes, this is a part of our MPLS preparation.
>> From: Reuben Farrelly
>
> And don't forget - just in case this applies to you:
>
> ip mtu 1500
>
> does NOT apply to IPv6, you'll need to -explicitly- set "ipv6 mtu 1500" as
> well :-)
>
> Reuben
> (who recently found this out the hard way with IPv6 OSPF)

Thanks for the tip, I hadn't thought that far ahead and likely would have been in the same boat.

--Chris

From drew.weaver at thenap.com Tue Dec 22 09:32:49 2009
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 22 Dec 2009 09:32:49 -0500
Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?
In-Reply-To:
References:
Message-ID:

Hi,

The attack wasn't enough to crush a 100Mbps circuit but it was enough to crush the web servers/database servers. That is why I was looking for something smaller scale than say Arbor or CiscoGuard.

thanks,
-Drew

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale
Sent: Monday, December 21, 2009 4:16 PM
To: Cisco-nsp
Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?

I'm not aware of anything on a small scale. Are you looking for an all-in-one? What speeds are you dealing with?

tv

From cnsp at shreddedmail.com Tue Dec 22 09:43:25 2009
From: cnsp at shreddedmail.com (Rick Ernst)
Date: Tue, 22 Dec 2009 06:43:25 -0800
Subject: [c-nsp] What/where are the knobs on a 7600/Sup720?
Message-ID:

I received my first 7600 (7609-S) with Sup720-3BXL for familiarization today. The line cards are non-DFC. Previous IOS is on software platforms such as the 7200 and 7500.

What are the additional buttons and knobs I should be looking for on the Sup720? The only one I've seen jump out on the list is carving up CEF space for IPv4/v6.

The device role is pure core; glue multiple edge routers together, act as a BGP RR server, and feed everything to the aggregation layer. Netflow for anomaly detection and uRPF for RTBH are also used. Current aggregate utilization is less than 1Gbs (but it's really taxing the 7507s currently in use).

Thanks,
Rick

From zivl at gilat.net Tue Dec 22 10:23:40 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 22 Dec 2009 17:23:40 +0200
Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?
In-Reply-To:
References:
Message-ID:

Radware DefensePro might be of your interest

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From paul at paulstewart.org Tue Dec 22 11:27:15 2009
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Dec 2009 11:27:15 -0500
Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention?
In-Reply-To:
References:
Message-ID: <008e01ca8323$a1ab90f0$e502b2d0$@org>

What about some of the smaller Juniper SRX stuff? Just getting ready to start using them and I understand they have some features in them for DOS related attacks - no first hand experience specific to DOS stuff yet, perhaps others on here can chime in.... or the IDP series possibly too..?
Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes Sent: December-22-09 10:24 AM To: Cisco-nsp Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? Radware DefensePro might be of your interest -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver Sent: Tuesday, December 22, 2009 4:33 PM To: 'Tony Varriale'; Cisco-nsp Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? Hi, The attack wasn't enough to crush a 100Mbps circuit but it was enough to crush the web servers/database servers. That is why I was looking for something smaller scale than say Arbor or CiscoGuard. thanks, -Drew -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Varriale Sent: Monday, December 21, 2009 4:16 PM To: Cisco-nsp Subject: Re: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? I'm not aware of anything on a small scale. Are you looking for an all-in-one? What speeds are you dealing with? tv ----- Original Message ----- From: "Drew Weaver" To: "Cisco-nsp" Sent: Monday, December 21, 2009 1:39 PM Subject: [c-nsp] Any good Cisco (or other vendor) appliances for application server DDoS prevention? > Hello, > > I'm currently searching for a firewall appliance which can also handle > application server DDoS mitigation on a small scale (not network wide). > > Does anyone know of anything like this from Cisco or any other vendor? 
> > I'm aware of the 'huge' network wide products such as CiscoGuard, Arbor, > etc but I am looking for something smaller scale, I just need to be able > to put something in-line between the WAN and a group of servers that will > look for things like 20 hosts on the net opening 1000s requests to the > same URL.. etc > > Any advice is appreciated. > > thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ **************************************************************************** ******** This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. **************************************************************************** ******** **************************************************************************** ******** This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. 
From abhishake00 at yahoo.com Tue Dec 22 17:16:32 2009
From: abhishake00 at yahoo.com (abs)
Date: Tue, 22 Dec 2009 14:16:32 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
Message-ID: <468187.69874.qm@web53708.mail.re2.yahoo.com>

Hello all,

I am new to cisco (cisco 2800 series) so please excuse my ignorance. I have the following acl applied to all inbound traffic on the WAN interface:

ip access-list extended WANInBoundACL
 permit udp any range bootps bootpc any range bootps bootpc
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any any eq 22
 deny   ip any any log

When I run a port scan I see port 1720 as well as port 1863 open. Port 1863 tends to open and close at random (don't understand why). I realize that I may need to add an explicit entry in the ACL's for port 1720 as the service runs by default given the version of IOS that I am running.

What I am failing to understand is why the above 2 ports are open even though I have a deny all statement at the end of the ACL. Am I misunderstanding something? Would someone be able to point me in the right direction? Thank you in advance.

cheers,
abs

From steve at ibctech.ca Tue Dec 22 18:34:54 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 22 Dec 2009 18:34:54 -0500
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <468187.69874.qm@web53708.mail.re2.yahoo.com>
References: <468187.69874.qm@web53708.mail.re2.yahoo.com>
Message-ID: <4B31579E.7030903@ibctech.ca>

abs wrote:
> What I am failing to understand is why the above 2 ports are open even though I have a deny all statement at the end of the ACL. Am I misunderstanding something?

What interface do you have this ACL applied on, and how is it applied?

Further, where are you scanning from (connected to which interface), and which address are you scanning? ie. are you scanning the IP address of the interface itself, or an address behind the interface the ACL is applied against?

Is your scan UDP or TCP?

Steve

From jared at puck.nether.net Tue Dec 22 18:38:50 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Tue, 22 Dec 2009 18:38:50 -0500
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <4B31579E.7030903@ibctech.ca>
References: <468187.69874.qm@web53708.mail.re2.yahoo.com> <4B31579E.7030903@ibctech.ca>
Message-ID: <4F20D9E4-3C3D-4DA5-867E-08CFC8C0021D@puck.nether.net>

You can close h.323 (1720) with a config like:

!
voice service voip
 h323
  call service stop
!
- Jared

From abhishake00 at yahoo.com Tue Dec 22 18:42:50 2009
From: abhishake00 at yahoo.com (abs)
Date: Tue, 22 Dec 2009 15:42:50 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <4B31579E.7030903@ibctech.ca>
Message-ID: <433310.47266.qm@web53702.mail.re2.yahoo.com>

the acl is being applied to my wan interface (hand off from isp). i've applied it using ip access-group in

i am performing the scan from an off site location on the external ip address (wan interface). The scan was done on TCP. let me know if you need additional info.

cheers,
abs

--- On Tue, 12/22/09, Steve Bertrand wrote:
> What interface do you have this ACL applied on, and how is it applied?
>
> Further, where are you scanning from (connected to which interface), and which address are you scanning? ie. are you scanning the IP address of the interface itself, or an address behind the interface the ACL is applied against?
>
> Is your scan UDP or TCP?

From abhishake00 at yahoo.com Tue Dec 22 19:02:53 2009
From: abhishake00 at yahoo.com (abs)
Date: Tue, 22 Dec 2009 16:02:53 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <4F20D9E4-3C3D-4DA5-867E-08CFC8C0021D@puck.nether.net>
Message-ID: <797514.43753.qm@web53705.mail.re2.yahoo.com>

i tried what you mentioned that did not seem to close the port. i also tried the following in the config but that didn't seem to work either:

voice service voip
 shutdown

any other thoughts?
--- On Tue, 12/22/09, Jared Mauch wrote:
> You can close h.323 (1720) with a config like:
>
> !
> voice service voip
>  h323
>   call service stop
> !
>
> - Jared

From steve at ibctech.ca Tue Dec 22 19:12:00 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 22 Dec 2009 19:12:00 -0500
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <797514.43753.qm@web53705.mail.re2.yahoo.com>
References: <797514.43753.qm@web53705.mail.re2.yahoo.com>
Message-ID: <4B316050.6050005@ibctech.ca>

abs wrote:
> i tried what you mentioned that did not seem to close the port. i also
> tried the following in the config but that didn't seem to work either:
>
> voice service voip
>  shutdown
>
> any other thoughts?

Show the relevant config bits, and the command you are using to scan (along with the output).

Also, insert an explicit 'deny log' for the ports you can seemingly see as open near the top of your ACL.

I've never used a 28xx, but I can't imagine that it can open ports dynamically with NAT or something even with an ACL in place, can it?

Steve

From asad747 at cyber.net.pk Tue Dec 22 23:32:10 2009
From: asad747 at cyber.net.pk (Asad)
Date: Wed, 23 Dec 2009 09:32:10 +0500
Subject: [c-nsp] PPPoE Requirement!
Message-ID: <001301ca8388$e490db90$adb292b0$@net.pk>

Dear Friends!

I have the following scenario.

(Customer Cisco Router)------Ethernet-----[Routed CPE]-------RF Media---------(ISP Cisco Router)------Ethernet-------(ISP Cisco BRAS)

My Requirement is to Dial PPPoE Connection from Customer Cisco Router. But because of Routed CPE(Bridging is not supported on CPE) presence i am unable to achieve that.

Can someone suggest how is it possible??

I read somewhere that client initiated L2TP can be used for such scenarios, but i am not sure if it is the right solution??

Please help.

Regards,
Asad.

From asturluismi at gmail.com Wed Dec 23 04:56:17 2009
From: asturluismi at gmail.com (luismi)
Date: Wed, 23 Dec 2009 10:56:17 +0100
Subject: [c-nsp] cisco cube or a solution based on asterisk?
Message-ID: <1261562177.11970.47.camel@hal9000>

Hi all,

I would like to deploy a VoIP PBX here with also SIP trunk options to multiple VoIP Providers.

As far as I know Cisco Cube just support 1 SIP Trunk -I thought to remember that in one version out there it supported more but I didn't find that information again so maybe I am wrong about it-

The idea is...
- Provide SIP services here to several offices
- Have options to have SIP trunks to several providers depending the destination number
- Provide advanced services as: voicemail, IVR....

Is anyone here doing that or something similar?

I would like also to know if anyone here is using an asterisk PBX solution -it must have also commercial support in the background-

From adam at thepub.cx Wed Dec 23 05:41:37 2009
From: adam at thepub.cx (Adam Strawson)
Date: Wed, 23 Dec 2009 10:41:37 -0000
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <797514.43753.qm@web53705.mail.re2.yahoo.com>
References: <797514.43753.qm@web53705.mail.re2.yahoo.com>
Message-ID: <2B502A45F8304BEE9565D7512E1598AE@AdamInspiron>

Do you really need "permit tcp any any established" or can you be more specific? I'd bet that is causing what you are seeing.

Adam.

----- Original Message -----
From: "abs"
To: "Steve Bertrand" ; "Jared Mauch"
Sent: Wednesday, December 23, 2009 12:02 AM
Subject: Re: [c-nsp] Port 1720 & 1863

> i tried what you mentioned that did not seem to close the port. i also
> tried the following in the config but that didn't seem to work either:
>
> voice service voip
>  shutdown
>
> any other thoughts?

From s.ganschow at buelow-masiak.de Wed Dec 23 05:16:49 2009
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Wed, 23 Dec 2009 11:16:49 +0100
Subject: [c-nsp] VPDN Problem
Message-ID: <4B31EE11.4020205@buelow-masiak.de>

Hi all,

we've got a little problem with our vpdn where we're stuck.
Could anyone explain the following debugging messages from our 7206 to me:

VPDN Vi12 disconnect (AAA) IETF: 8/port-error Ascend: 41/TCP Foreign Host Close
VPDN Vi12 vpdn shutdown session, result=2, error=6, vendor_err=0, syslog_error_code=23, syslog_key_type=1
%VPDN-6-CLOSED: L2TP LNS viade-dbmg-lns closed Vi12 user username; Result 2, Error 6, Locally generated disconnect

What is the meaning of:
- 8/port-error Ascend: 41/TCP
- Result 2, Error 6, Locally generated disconnect

On CCO there is no information about those messages.

The session gets disconnected, if the upstream bandwidth is exceeded. There are two providers, who are delivering those vpdn sessions to us. We've tried with users of them, but the disconnect only happens on our own LNS. If the user is connected to the LNS of one of the two providers, the session won't be disconnected.

Any Ideas?

Regards
Sebastian

From doug at warner.fm Wed Dec 23 10:13:28 2009
From: doug at warner.fm (Doug Warner)
Date: Wed, 23 Dec 2009 10:13:28 -0500
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
Message-ID: <4B323398.3060908@warner.fm>

We currently have 8 racks of servers with about 21 servers per rack +2 IP-PDUs and are pretty much using an entire 24-port switch (C2960G right now) in each rack. Some racks have a 48-port C2960G due to some boxes having redundant nics, but our "main" 48 port switch is maxed out due to some servers using dual nics and uplinks to the other switches. We're pushing 600Mbps right now and growing about 50Mbps/month.

What are peoples' recommendations for where to go from here? The 2960's work well per-rack for us and are ridiculously cheap. We were considering getting a C4948-10GE for our main data drop, but as we can see we're already maxing out the ports in that rack.
We're also pushing the limits of the c2960s where we actually push some bandwidth around (seeing outdiscards on trunk ports) and were looking to move to something with a faster backplane and move some servers around to consolidate the bulk of the bandwidth onto that switch.

What's a good method for growing here? Do people like top-of-rack for situations where we have a cage (all the racks are side-by-side), or do you prefer end-of-row? Will a couple 4948's (maybe a mix of 10GE and SFP models) to hold the big talkers be sufficient, or do we need to look at just getting a 6509 with associated 48 port Gig-E blades? The biggest fear I have with going to the 6500 is price, but at our growth rate I'm not sure if I can avoid it.

Any advice or past experiences are welcome.

-Doug

From avayner at cisco.com Wed Dec 23 11:22:35 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 23 Dec 2009 17:22:35 +0100
Subject: [c-nsp] VPDN Problem
In-Reply-To: <4B31EE11.4020205@buelow-masiak.de>
References: <4B31EE11.4020205@buelow-masiak.de>
Message-ID:

Sebastian,

You can try looking at the output of "show vpdn history".

I think the error you get means that the remote side requested a disconnect, but I also see some cases this appears by mistake...

Arie

From nick at inex.ie Wed Dec 23 12:01:30 2009
From: nick at inex.ie (Nick Hilliard)
Date: Wed, 23 Dec 2009 17:01:30 +0000
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <4B323398.3060908@warner.fm>
References: <4B323398.3060908@warner.fm>
Message-ID: <4B324CEA.60908@inex.ie>

On 23/12/2009 15:13, Doug Warner wrote:
> What's a good method for growing here? Do people like top-of-rack for
> situations where we have a cage (all the racks are side-by-side), or do you
> prefer end-of-row?

There was an interesting presentation at NANOG last June about the various top-of-rack models:

> http://www.nanog.org/meetings/nanog46/abstracts.php?pt=MTQwOCZuYW5vZzQ2&nm=nanog46

Nick

From andy.petrenko at gmail.com Wed Dec 23 12:30:39 2009
From: andy.petrenko at gmail.com (Andrey 'sshd' Petrenko)
Date: Wed, 23 Dec 2009 19:30:39 +0200
Subject: [c-nsp] PPPoE Requirement!
In-Reply-To: <001301ca8388$e490db90$adb292b0$@net.pk>
References: <001301ca8388$e490db90$adb292b0$@net.pk>
Message-ID: <6b300f5d0912230930i24e0ca9alde2c8090862b6ab8@mail.gmail.com>

you have mpls in ISP network?

2009/12/23 Asad
> My Requirement is to Dial PPPoE Connection from Customer Cisco Router. But
> because of Routed CPE(Bridging is not supported on CPE) presence i am
> unable to achieve that.
>
> I read somewhere that client initiated L2TP can be used for such scenarios,
> but i am not sure if it is the right solution??

--
With best regards,
Andrey 'sshd' Petrenko
xmmp: sshd at jabber.org
gtalk: andy.petrenko at gmail.com
skype: andy.petrenko
web: http://sshd.by

From avayner at cisco.com Wed Dec 23 12:40:14 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 23 Dec 2009 18:40:14 +0100
Subject: [c-nsp] PPPoE Requirement!
In-Reply-To: <001301ca8388$e490db90$adb292b0$@net.pk>
References: <001301ca8388$e490db90$adb292b0$@net.pk>
Message-ID:

Asad,

Yes, client initiated L2TP on the CPE router could do it if you want to have a PPP session and do normal PPP authentication on the BRAS.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html

Another option could be to just run a static GRE tunnel from the CPE to the "BRAS" (which in this case would not really be a BRAS...)

It really depends on what you want to achieve.

Arie

From gtb at slac.stanford.edu Wed Dec 23 12:48:09 2009
From: gtb at slac.stanford.edu (Buhrmaster, Gary)
Date: Wed, 23 Dec 2009 09:48:09 -0800
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <4B323398.3060908@warner.fm>
References: <4B323398.3060908@warner.fm>
Message-ID: <6F51B50ECF32084788B9B3A8469A71B52918E23050@EXCHCLUSTER1-02.win.slac.stanford.edu>

> What's a good method for growing here? Do people like top-of-rack for
> situations where we have a cage (all the racks are side-by-side), or do you
> prefer end-of-row?

Top-of-rack vs. end-of-row approaches a religious debate. There are arguments on both sides, and the believers will attempt to convince you of the value of their faith. The answer, unfortunately, will always be "it depends". An important question will be where are you heading (quo vadis?) with your deployment.
*Some* considerations include:

  Cabling costs (tends to favor tor)
  Virtualization (layer-2 requirements, tends to favor eor)
  bisection bandwidth (tends to favor eor)
  Racks (tends to favor tor since 1U is "free")
  Redundancy (arguments on both sides, power, supervisor, links...)
  10Gb/sec server plans (and how that affects the other issues)
  Flexibility (tends to favor eor - any service at any port)
  Unified fabric plans (currently in the Nexus line)
  Cost (will depend on the eor/tor switch chosen, of course)

It should be noted, as you mention, that a "data center" top of rack switch is often different than a wiring closet switch. The 4948, for example, is really a lot different than a 2960G. Note that the Nexus line may offer some options for both tor and eor.

"We" tend(*) to use tor for the lower bandwidth management ports on our servers, and eor for the higher bandwidth data centric ports (note that our environment is data intensive science, which is going to be unlike many other deployments).

Gary

(*) There are exceptions to every rule.

From abhishake00 at yahoo.com Wed Dec 23 13:17:04 2009
From: abhishake00 at yahoo.com (abs)
Date: Wed, 23 Dec 2009 10:17:04 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <2B502A45F8304BEE9565D7512E1598AE@AdamInspiron>
Message-ID: <110969.99031.qm@web53706.mail.re2.yahoo.com>

that is what i was thinking as well so i removed that line but that caused all responses to internal traffic to be blocked. What do you exactly mean by specific? Wouldn't I have to put a rule for each type of traffic?

--- On Wed, 12/23/09, Adam Strawson wrote:
> Do you really need "permit tcp any any established" or can you be more specific? I'd bet that is causing what you are seeing.
>
> Adam.
From abhishake00 at yahoo.com Wed Dec 23 13:38:26 2009
From: abhishake00 at yahoo.com (abs)
Date: Wed, 23 Dec 2009 10:38:26 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <4B316050.6050005@ibctech.ca>
Message-ID: <305796.9854.qm@web53706.mail.re2.yahoo.com>

I have included the command, its output, the ACL and the config for the interface getting the ACL below, but was still wondering why the explicit deny is required if i have a deny all (default deny policy) at the end of the ACL?

command:

nmap -P0 -A -O

PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          (protocol 2.0)
25/tcp   closed smtp
113/tcp  closed auth
1720/tcp open   H.323/Q.931
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve

Nmap finished: 1 IP address (1 host up) scanned in 33.178 seconds

config:

interface Ethernet0
 ip address dhcp
 ip access-group WANInBoundACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no fair-queue
 no cdp enable

ip access-list extended WANInBoundACL
 permit udp any range bootps bootpc any range bootps bootpc
 permit udp any eq domain any
 permit tcp any any eq 22
 permit tcp any any established
 deny   ip any any log

--- On Tue, 12/22/09, Steve Bertrand wrote:
> Show the relevant config bits, and the command you are using to scan (along with the output).
>
> Also, insert an explicit 'deny log' for the ports you can seemingly see as open near the top of your ACL.
>
> I've never used a 28xx, but I can't imagine that it can open ports dynamically with NAT or something even with an ACL in place, can it?

From steve at ibctech.ca Wed Dec 23 14:20:54 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Wed, 23 Dec 2009 14:20:54 -0500
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <110969.99031.qm@web53706.mail.re2.yahoo.com>
References: <110969.99031.qm@web53706.mail.re2.yahoo.com>
Message-ID: <4B326D96.10003@ibctech.ca>

abs wrote:
> that is what i was thinking as well so i removed that line but that caused all responses to internal traffic to be blocked. What do you exactly mean by specific? Wouldn't I have to put a rule for each type of traffic?

On an inbound ACL, allowing established TCP sessions means that a TCP connection must be made from the 'internal' side of the interface, and only inbound TCP traffic that is associated with that session can ingress the interface.

Your 'deny ip any any' at the end would block ALL inbound TCP, other than SSH and pre-established (by an internal device) sessions.

Reviewing your other email (that hasn't hit the list yet), do you happen to have an H.323 session established to your nmap box when you see the port as open?

What do you see when you (while on your nmap box):

% telnet 1720
% netstat -na | grep 1720
% netstat -na | grep

If you want, provide me with the IP of the box off-list, and I'll scan it from one of my hosts.

Steve

From abhishake00 at yahoo.com Wed Dec 23 14:34:38 2009
From: abhishake00 at yahoo.com (abs)
Date: Wed, 23 Dec 2009 11:34:38 -0800 (PST)
Subject: [c-nsp] Port 1720 & 1863
In-Reply-To: <4B326D96.10003@ibctech.ca>
Message-ID: <439809.40722.qm@web53706.mail.re2.yahoo.com>

that makes a lot more sense now..

the box i'm running nmap from is from a remote location. i am able to telnet into port 1720 and the connection is established (as per netstat -na)

i also added deny tcp any any eq 1720 at the top of the acl but that still didn't help. i'm still able to connect to that port using telnet...

i even tried removing the established rule but that didn't change anything as well.
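Steve's explanation of what `permit tcp any any established` does, and the question of what the posted ACL should do to a probe of tcp/1720, can be checked with a small first-match model of the ACL. This is an added example written for this thread, not IOS code and not something any list member posted; it models only the features the ACL uses (protocol, port ranges, the `established` keyword, which on IOS matches TCP segments with the ACK or RST bit set, and the implicit deny at the end of every ACL) and ignores addresses, fragments and options. The test packets and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


PortRange = Optional[Tuple[int, int]]   # None means "any"


@dataclass
class Entry:
    text: str                   # the IOS line, kept so the verdict can be explained
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: PortRange = None
    dst: PortRange = None
    established: bool = False   # IOS 'established': TCP segment with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and not (self.src[0] <= pkt.src_port <= self.src[1]):
            return False
        if self.dst is not None and not (self.dst[0] <= pkt.dst_port <= self.dst[1]):
            return False
        if self.established and not (pkt.ack or pkt.rst):
            return False
        return True


# The ACL exactly as posted in the thread (bootps=67, bootpc=68, domain=53).
WAN_INBOUND_ACL: List[Entry] = [
    Entry("permit udp any range bootps bootpc any range bootps bootpc", "permit", "udp", (67, 68), (67, 68)),
    Entry("permit tcp any any established", "permit", "tcp", established=True),
    Entry("permit udp any eq domain any", "permit", "udp", (53, 53), None),
    Entry("permit tcp any any eq 22", "permit", "tcp", None, (22, 22)),
    Entry("deny ip any any log", "deny", "ip"),
]

# The variant abs tried later: an explicit deny for 1720 inserted at the top.
WITH_EXPLICIT_DENY: List[Entry] = [
    Entry("deny tcp any any eq 1720", "deny", "tcp", None, (1720, 1720)),
] + WAN_INBOUND_ACL


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation: returns (action, text of the entry that decided it).
    An IOS ACL ends in an implicit 'deny ip any any', returned when nothing matches."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action, entry.text
    return "deny", "implicit deny"


# Constructed probes. Ephemeral source port 40000 is arbitrary.
SYN_TO_1720 = Packet("tcp", 40000, 1720, syn=True)       # what telnet/nmap -sS send first
SYN_TO_22 = Packet("tcp", 40000, 22, syn=True)           # SSH from outside
ACK_PROBE_1720 = Packet("tcp", 40000, 1720, ack=True)    # bare ACK, as an nmap ACK scan sends
REPLY_TO_INSIDE = Packet("tcp", 80, 40000, ack=True)     # web server answering an inside client
DNS_REPLY = Packet("udp", 53, 40000)                     # resolver answering an inside client
DHCP_OFFER = Packet("udp", 67, 68)

if __name__ == "__main__":
    for name, pkt in [("SYN to 1720", SYN_TO_1720), ("SYN to 22", SYN_TO_22),
                      ("ACK probe 1720", ACK_PROBE_1720), ("reply to inside", REPLY_TO_INSIDE),
                      ("DNS reply", DNS_REPLY), ("DHCP offer", DHCP_OFFER)]:
        print(f"{name:16s} -> {evaluate(WAN_INBOUND_ACL, pkt)}")
    print(f"{'ACK probe 1720':16s} -> {evaluate(WITH_EXPLICIT_DENY, ACK_PROBE_1720)}  (explicit deny first)")
```

Two things fall out of running it. First, the ACL as posted already denies the SYN that opens a connection to tcp/1720, so a telnet session that completes the handshake from outside is not being evaluated by this ACL on this path; that sends the investigation back to Steve's earlier question of which interface and which address the probe actually arrives on, rather than to more ACL entries. Second, a bare ACK probe to 1720 is permitted by `established` (it has ACK set), which is why an ACK-style scan can report a port behind such an ACL as unfiltered even though no connection can be opened; the explicit deny at the top of the list is what closes that gap, so Steve's advice to add one is worth keeping regardless of the 1720 mystery.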
What do you see when you (while on your nmap box): % telnet 1720 % netstat -na | grep 1720 % netstat -na | grep If you want, provide me with the IP of the box off-list, and I'll scan it from one of my hosts. Steve From jared at puck.nether.net Wed Dec 23 14:38:29 2009 From: jared at puck.nether.net (Jared Mauch) Date: Wed, 23 Dec 2009 14:38:29 -0500 Subject: [c-nsp] Port 1720 & 1863 In-Reply-To: <439809.40722.qm@web53706.mail.re2.yahoo.com> References: <439809.40722.qm@web53706.mail.re2.yahoo.com> Message-ID: <824F1157-33A8-4E98-8D1B-8E60A5D82C1A@puck.nether.net> Have you done a tcptraceroute to see if someone is intercepting your tcp/1720? - Jared On Dec 23, 2009, at 2:34 PM, abs wrote: > that makes a lot more sense now.. > > the box i'm running nmap from is from a remote location. i am able to telnet into port 1720 and the connection is established (as per netstat -na) > > i also added deny tcp any any eq 1720 at the top of the acl but that still didn't help. i'm still able to connect to that port using telnet... > > i even tried removing the established rule but that didn't change anything as well. > > --- On Wed, 12/23/09, Steve Bertrand wrote: > > From: Steve Bertrand > Subject: Re: [c-nsp] Port 1720 & 1863 > To: "abs" > Cc: "Adam Strawson" , cisco-nsp at puck.nether.net > Date: Wednesday, December 23, 2009, 2:20 PM > > abs wrote: >> that is what i was thinking as well so i removed that line but that caused all responses to internal traffic to be blocked. What do you exactly mean by specific? Wouldn't I have to put a rule for each type of traffic? > > On an inbound ACL, allowing established TCP sessions means that a TCP > connection must be made from the 'internal' side of the interface, and > only inbound TCP traffic that is associated with that session can > ingress the interface. > > Your 'deny ip any any' at the end would block ALL inbound TCP, other > than SSH and pre-established (by an internal device) sessions. 
> > Reviewing your other email (that hasn't hit the list yet), do you happen > to have an H.323 session established to your nmap box when you see the > port as open? > > What do you see when you (while on your nmap box): > > % telnet 1720 > % netstat -na | grep 1720 > % netstat -na | grep > > If you want, provide me with the IP of the box off-list, and I'll scan > it from one of my hosts. > > Steve > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From abhishake00 at yahoo.com Wed Dec 23 15:14:20 2009 From: abhishake00 at yahoo.com (abs) Date: Wed, 23 Dec 2009 12:14:20 -0800 (PST) Subject: [c-nsp] Port 1720 & 1863 In-Reply-To: <824F1157-33A8-4E98-8D1B-8E60A5D82C1A@puck.nether.net> Message-ID: <166684.57304.qm@web53705.mail.re2.yahoo.com> doesn't look like it's being intercepted... the traffic goes from my host to the router to my ip address... --- On Wed, 12/23/09, Jared Mauch wrote: From: Jared Mauch Subject: Re: [c-nsp] Port 1720 & 1863 To: "abs" Cc: "Steve Bertrand" , cisco-nsp at puck.nether.net Date: Wednesday, December 23, 2009, 2:38 PM Have you done a tcptraceroute to see if someone is intercepting your tcp/1720? - Jared On Dec 23, 2009, at 2:34 PM, abs wrote: > that makes a lot more sense now.. > > the box i'm running nmap from is from a remote location.? i am able to telnet into port 1720 and the connection is established (as per netstat -na) > > i also added deny tcp any any eq 1720 at the top of the acl but that still didn't help.? i'm still able to connect to that port using telnet... > > i even tried removing the established rule but that didn't change anything as well. 
> > --- On Wed, 12/23/09, Steve Bertrand wrote: > > From: Steve Bertrand > Subject: Re: [c-nsp] Port 1720 & 1863 > To: "abs" > Cc: "Adam Strawson" , cisco-nsp at puck.nether.net > Date: Wednesday, December 23, 2009, 2:20 PM > > abs wrote: >> that is what i was thinking as well so i removed that line but that caused all responses to internal traffic to be blocked.? What do you exactly mean by specific?? Wouldn't I have to put a rule for each type of traffic?? > > On an inbound ACL, allowing established TCP sessions means that a TCP > connection must be made from the 'internal' side of the interface, and > only inbound TCP traffic that is associated with that session can > ingress the interface. > > Your 'deny ip any any' at the end would block ALL inbound TCP, other > than SSH and pre-established (by an internal device) sessions. > > Reviewing your other email (that hasn't hit the list yet), do you happen > to have an H.323 session established to your nmap box when you see the > port as open? > > What do you see when you (while on your nmap box): > > % telnet 1720 > % netstat -na | grep 1720 > % netstat -na | grep > > If you want, provide me with the IP of the box off-list, and I'll scan > it from one of my hosts. > > Steve > > > > > _______________________________________________ > cisco-nsp mailing list? 
cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Michael.Balasko at cityofhenderson.com Wed Dec 23 17:11:22 2009 From: Michael.Balasko at cityofhenderson.com (Michael Balasko) Date: Wed, 23 Dec 2009 14:11:22 -0800 Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations In-Reply-To: <4B324CEA.60908@inex.ie> References: <4B323398.3060908@warner.fm> <4B324CEA.60908@inex.ie> Message-ID: <9AF22D15085E7D409ED5710CBC779E930D0AA1CE@COHNTCS09.ci.henderson.nv.us> We are a pretty small enterprise(100 racks, ~300servers and lots of Cisco gear) and we are "consolidated" end of row. That means we have aggregated our switches in a few central racks and haul all of the copper to each rack. Our datacenter is extremely nice and we pride ourselves on how the place is organized and how clean the cabling is kept. Thank being said if we were greenfield we'd probably go true top of rack because of the cabling densities in the racks are getting difficult to manage with EOR. We are looking at up to 60 copper connections per rack and at least 24 FC fiber. The EOR consolidation of copper is a massive chokepoint/headache and we'd likely not do it again:) There are dozens of technical arguments either way, but our "issue" is primarily cable density.... YMMV.... Mike -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Hilliard Sent: Wednesday, December 23, 2009 9:02 AM To: Doug Warner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 8 Racks of Servers and Growing;switch/layout recommendations On 23/12/2009 15:13, Doug Warner wrote: > What's a good method for growing here? Do people like top-of-rack for > situations where we have a cage (all the racks are side-by-side), or do you > prefer end-of-row? 
There was an interesting presentation at NANOG last June about the various top-of-rack models: > http://www.nanog.org/meetings/nanog46/abstracts.php?pt=MTQwOCZuYW5vZzQ2& nm=nanog46 Nick _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From abhishake00 at yahoo.com Wed Dec 23 20:01:28 2009 From: abhishake00 at yahoo.com (abs) Date: Wed, 23 Dec 2009 17:01:28 -0800 (PST) Subject: [c-nsp] RESOLVED: Port 1720 & 1863 In-Reply-To: <4B32BA9A.5070101@ibctech.ca> Message-ID: <339587.1594.qm@web53701.mail.re2.yahoo.com> thank you all for your help.? for the folks interested the issue was that the two ports are being intercepted by my ISP.? once again thank you all for you help cheers, abs --- On Wed, 12/23/09, Steve Bertrand wrote: From: Steve Bertrand Subject: Re: [c-nsp] Port 1720 & 1863 To: "abs" Date: Wednesday, December 23, 2009, 7:49 PM abs wrote: > Now this makes a lot more sense.? i was going crazy trying to figure > this out.? I think they are doing the same for port 1863. > > It would be greatly appreciated if you could setup a vm for me to run > some scans off of. No problem. I've got to finish up writing some code right now, so I'll get the vm set up first thing tomorrow before I'm done for the week. Hopefully you're familiar with FreeBSD, as that is what the host will be. All I ask is that you *only* probe hosts that are your own. I'm an ISP, and I've been burned before after being taken advantage of after doing favours like this. Believe it or not, I'm not generally a trusting person, but that is generally outweighed my desire to help others. So, with that understanding, and the understanding that you can do whatever you want within the vm so long as there is no network abuse, I'll get things configured, and send you the detail in the morning so that you can SSH into the box via IPv4 and IPv6. Cheers! 
Steve ps. it would likely be kind to reply your original post to the cisco-nsp list with [RESOLVED] in the subject, just so the others who were following the thread can rest assured that all is well and good with you ;) From ayourtch at cisco.com Wed Dec 23 20:42:12 2009 From: ayourtch at cisco.com (Andrew Yourtchenko) Date: Thu, 24 Dec 2009 02:42:12 +0100 (CET) Subject: [c-nsp] Port 1720 & 1863 In-Reply-To: <166684.57304.qm@web53705.mail.re2.yahoo.com> References: <166684.57304.qm@web53705.mail.re2.yahoo.com> Message-ID: On Wed, 23 Dec 2009, abs wrote: > doesn't look like it's being intercepted... the traffic goes from my host to the router to my ip address... I'm with Jared on the theory that there is a middlebox somewhere on the way being "transparently helpful" - though probably worth clarifying that you need to run *two* tcptraceroute sessions - one to e.g. port 22 on your router (that you *know* you are talking to the router itself), and the other to your suspect port. If the second one gives a different path, good chances that there's a middlebox flirting with TCP. Digression: for both of the cases you will indeed always see your router's IP as the final hop, since tcptraceroute would use received SYN-ACK from the target IP address to know it is done. And since you are able to telnet to that port, we already know before starting the tcptraceroute that the source address of the SYN-ACK will be the same as your router's IP. That's why you would need to compare the two outputs. Another "indirect" approach to do is also to capture the traffic on your host's end into the PCAP - both the scan and the regular ssh session that you would have to the router; and compare the TTL of the IP packets for ssh and for the "suspected" ports. Other differences in the things like MSS, SACK, window scaling, etc. are worth looking at as well - each of those differences is an extra clue about where the SYN-ACK came from. 
IP ID analysis between the two series might work, but can be a bit
difficult - two streams of random numbers are hard to separate from each
other.

In any case, generally the helpful middleboxes will out themselves this
way.

But: both of these approaches do not detect the esoteric case of a
sufficiently helpful middlebox that would L4-proxy all of your traffic
and then selectively forward some (though I'd not count this as very
likely, so still worth suggesting two tcptraceroutes).

Few additional ideas to verify that the suspect traffic is indeed
hitting the router:

If you are on a recent enough version, you can do embedded packet
capture on the router side too:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

If not, to verify it is an open port for the to-the-box traffic, replace
"123" below with a number that you do not use for an extended ACL
currently:

access-list 123 permit tcp any host x.x.x.x eq 1720
access-list 123 permit tcp host x.x.x.x eq 1720 any
access-list 123 permit tcp any host x.x.x.x eq 1863
access-list 123 permit tcp host x.x.x.x eq 1863 any

then run "debug ip packet detail 123" (make sure to have "logging
monitor debugging" and "terminal monitor").

(IMPORTANT: do not forget the access list, and turn off the debug before
removing the ACL, else you will print debugs for all the traffic to the
box that includes your ssh session to it, with obvious painful
experience).

And see if you have the packets reflected in that debug.

If you *do* see the packets from your test host to 1720/1863 either in
the packet capture on the *router itself* or in the debugs on the
router, feel free to send me those outputs unicast alongside the "sh
ver"/"sh run", please.

cheers,
andrew

>
> --- On Wed, 12/23/09, Jared Mauch wrote:
>
> From: Jared Mauch
> Subject: Re: [c-nsp] Port 1720 & 1863
> To: "abs"
> Cc: "Steve Bertrand" , cisco-nsp at puck.nether.net
> Date: Wednesday, December 23, 2009, 2:38 PM
>
> Have you done a tcptraceroute to see if someone is intercepting your
> tcp/1720?
>
> - Jared
>
> On Dec 23, 2009, at 2:34 PM, abs wrote:
>
>> that makes a lot more sense now..
>>
>> the box i'm running nmap from is from a remote location. i am able to
>> telnet into port 1720 and the connection is established (as per netstat -na)
>>
>> i also added deny tcp any any eq 1720 at the top of the acl but that
>> still didn't help. i'm still able to connect to that port using telnet...
>>
>> i even tried removing the established rule but that didn't change
>> anything as well.
>>
>> --- On Wed, 12/23/09, Steve Bertrand wrote:
>>
>> From: Steve Bertrand
>> Subject: Re: [c-nsp] Port 1720 & 1863
>> To: "abs"
>> Cc: "Adam Strawson" , cisco-nsp at puck.nether.net
>> Date: Wednesday, December 23, 2009, 2:20 PM
>>
>> abs wrote:
>>> that is what i was thinking as well so i removed that line but that
>>> caused all responses to internal traffic to be blocked. What do you
>>> exactly mean by specific? Wouldn't I have to put a rule for each type
>>> of traffic?
>>
>> On an inbound ACL, allowing established TCP sessions means that a TCP
>> connection must be made from the 'internal' side of the interface, and
>> only inbound TCP traffic that is associated with that session can
>> ingress the interface.
>>
>> Your 'deny ip any any' at the end would block ALL inbound TCP, other
>> than SSH and pre-established (by an internal device) sessions.
>>
>> Reviewing your other email (that hasn't hit the list yet), do you happen
>> to have an H.323 session established to your nmap box when you see the
>> port as open?
>>
>> What do you see when you (while on your nmap box):
>>
>> % telnet 1720
>> % netstat -na | grep 1720
>> % netstat -na | grep
>>
>> If you want, provide me with the IP of the box off-list, and I'll scan
>> it from one of my hosts.
>>
>> Steve
>

From xerusian at gmail.com Wed Dec 23 22:44:57 2009
From: xerusian at gmail.com (O n i)
Date: Thu, 24 Dec 2009 11:44:57 +0800
Subject: [c-nsp] VPN Tunnel Question
Message-ID: <63cd55240912231944q7ce895ebxaf829eea861bedb@mail.gmail.com>

Good Evening Everyone

can this policy support an esp-3des setup? or only an esp-des? usually i
put in an "encryption des" or "encryption 3des", but not sure if not
putting in one could default to des? if there's an existing policy like
the one below, should i create a new policy or just include the command
"encryption 3des"? hope you understand, since my english is bad.

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2

From frnkblk at iname.com Wed Dec 23 23:18:10 2009
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 23 Dec 2009 22:18:10 -0600
Subject: [c-nsp] Loopback/VLAN question
In-Reply-To:
References:
Message-ID:

The transport product was supposed to be able to re-tag, but we learned
during the turn-up that that's coming in a future version. As you can
imagine, we will be having further discussions on this issue.
Frank

-----Original Message-----
From: Thomas Habets [mailto:thomas at habets.pp.se]
Sent: Wednesday, December 16, 2009 6:50 AM
To: Frank Bulk - iName.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Loopback/VLAN question

On Tue, 15 Dec 2009, Frank Bulk - iName.com wrote:
> I have 5 remote sites where I'm doing FTTH and transporting the traffic over
> a third-party transport gear to our HQ. Each site-HQ link is a separate
> VLAN and uniquely numbered.

Have you considered re-tagging the VLANs on a cheaper device before the
7600 (which I assume you're sparing because of port cost) and re-tagging
them to the same VLAN, with some private vlan conf on there to keep
VLANs from talking to each other (assuming you want that)? Then the 7600
will just get all sites on one VLAN.

Re-tagging VLANs does take up a few ports on a cheap switch, but it may
be cheaper than using up more ports in the 7600 and the 3rd party
transport.

And I never said it wasn't ugly.

>
>   SiteA   SiteB   SiteC   SiteD   SiteE
>     |       |       |       |       |
>   VLAN1   VLAN2   VLAN3   VLAN4   VLAN5
>     |       |       |       |       |
>   =====================================
>                     |
>       802.1q tagged (1 thru 5)
>                     |
>                   2960
>                   |||||   <- untagged, one per VLAN
>              the same 2960
>                     |
>                   7609-S
>                     |
>               DHCP server

---------
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From rdobbins at arbor.net Thu Dec 24 01:00:23 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 24 Dec 2009 06:00:23 +0000
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <9AF22D15085E7D409ED5710CBC779E930D0AA1CE@COHNTCS09.ci.henderson.nv.us>
References: <4B323398.3060908@warner.fm> <4B324CEA.60908@inex.ie> <9AF22D15085E7D409ED5710CBC779E930D0AA1CE@COHNTCS09.ci.henderson.nv.us>
Message-ID: <1E6A3880-E70C-409A-B631-855CFD1AD4B9@arbor.net>

On Dec 24, 2009, at 5:11 AM, Michael Balasko wrote:

> There are dozens of technical arguments either way, but our "issue" is primarily cable density....

Which also plays into cooling/HVAC.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From rdobbins at arbor.net Thu Dec 24 00:59:34 2009
From: rdobbins at arbor.net (Dobbins, Roland)
Date: Thu, 24 Dec 2009 05:59:34 +0000
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <6F51B50ECF32084788B9B3A8469A71B52918E23050@EXCHCLUSTER1-02.win.slac.stanford.edu>
References: <4B323398.3060908@warner.fm> <6F51B50ECF32084788B9B3A8469A71B52918E23050@EXCHCLUSTER1-02.win.slac.stanford.edu>
Message-ID: <79673B39-9023-4E69-B321-3E48F6135E46@arbor.net>

On Dec 24, 2009, at 12:48 AM, Buhrmaster, Gary wrote:

> Cabling costs (tends to favor tor)

Concur.

> Virtualization (layer-2 requirements, tends to favor eor)

Disagree - how do you think EoR is better in this regard?

> bisection bandwidth (tends to favor eor)

Disagree again.

> Racks (tends to favor tor since 1U is "free")

Concur.

> Redundancy (arguments on both sides, power, supervisor, links...)

Concur.

> 10Gb/sec server plans (and how that affects the other issues)

Not an issue, given N5K and blade switches, IMHO.

> Flexibility (tends to favor eor - any service at any port)

Strongly disagree - service switches are the answer for this.

> Unified fabric plans (currently in the Nexus line)

Again, if you go N5K/N7K, this isn't an issue either way.

> Cost (will depend on the eor/tor switch chosen, of course)

Concur.

-----------------------------------------------------------------------
Roland Dobbins //

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

From ccie19804 at gmail.com Thu Dec 24 02:50:31 2009
From: ccie19804 at gmail.com (swap m)
Date: Thu, 24 Dec 2009 11:50:31 +0400
Subject: [c-nsp] VPN Tunnel Question
In-Reply-To: <63cd55240912231944q7ce895ebxaf829eea861bedb@mail.gmail.com>
References: <63cd55240912231944q7ce895ebxaf829eea861bedb@mail.gmail.com>
Message-ID:

ios defaults to DES.. you can always use "sh crypto isakmp policy" to verify.

On Thu, Dec 24, 2009 at 7:44 AM, O n i wrote:

> Good Evening Everyone
>
> can this policy support an esp-3des setup? or only an esp-des? usually i
> put in an "encryption des" or "encryption 3des", but not sure if not
> putting in one could default to des? if there's an existing policy like
> the one below, should i create a new policy or just include the command
> "encryption 3des"? hope you understand, since my english is bad.
>
>
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
>  group 2
>

From zivl at gilat.net Thu Dec 24 03:20:20 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 24 Dec 2009 10:20:20 +0200
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
In-Reply-To: <339587.1594.qm@web53701.mail.re2.yahoo.com>
References: <4B32BA9A.5070101@ibctech.ca> <339587.1594.qm@web53701.mail.re2.yahoo.com>
Message-ID:

Oh, man, that's dirty, why would they do that??
Just when it started to get interesting...
But I'm glad for you that the issue is resolved

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of abs
Sent: Thursday, December 24, 2009 3:01 AM
To: Steve Bertrand
Cc: cisco-nsp at puck.nether.net
Subject: [c-nsp] RESOLVED: Port 1720 & 1863

thank you all for your help. for the folks interested, the issue was
that the two ports are being intercepted by my ISP. once again thank
you all for your help

cheers,
abs

--- On Wed, 12/23/09, Steve Bertrand wrote:

From: Steve Bertrand
Subject: Re: [c-nsp] Port 1720 & 1863
To: "abs"
Date: Wednesday, December 23, 2009, 7:49 PM

abs wrote:
> Now this makes a lot more sense. i was going crazy trying to figure
> this out. I think they are doing the same for port 1863.
>
> It would be greatly appreciated if you could setup a vm for me to run
> some scans off of.

No problem. I've got to finish up writing some code right now, so I'll
get the vm set up first thing tomorrow before I'm done for the week.

Hopefully you're familiar with FreeBSD, as that is what the host will be.

All I ask is that you *only* probe hosts that are your own. I'm an ISP,
and I've been burned before after being taken advantage of after doing
favours like this. Believe it or not, I'm not generally a trusting
person, but that is generally outweighed by my desire to help others.

So, with that understanding, and the understanding that you can do
whatever you want within the vm so long as there is no network abuse,
I'll get things configured, and send you the detail in the morning so
that you can SSH into the box via IPv4 and IPv6.

Cheers!

Steve

ps.
it would likely be kind to reply to your original post on the cisco-nsp
list with [RESOLVED] in the subject, just so the others who were
following the thread can rest assured that all is well and good with
you ;)

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From daltons at panix.com Thu Dec 24 06:46:57 2009
From: daltons at panix.com (dalton)
Date: Thu, 24 Dec 2009 06:46:57 -0500
Subject: [c-nsp] vpn l2l issue - pix 506E to an asa5510
Message-ID: <177d01ab52f1a7be7b4fa97f26a0e059.squirrel@mail.panix.com>

Hi all,

I am having a strange issue trying to establish a tunnel between a pix
506E and an ASA5510. sh isa sa on my pix shows tunnel status as failing
at MM_KEY_EXCH. i have verified the phase 1 settings and key to be
correct here; also, running the pix in debug mode, it appears the pix is
passing phase 1. I am natting the destination nets here, and am
wondering if perhaps this is causing the issue. Phase 2 settings and
acls also appear to be correct, tho in some sense i can't seem to get
beyond phase 1 according to the pix. Any insight would be greatly
appreciated. Pix debug output is below.

Thanks a lot,
dalton

ISAKMP (0): Checking ISAKMP transform 4 against priority 18 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: 88 37 3a f4 5e bc 63 c4 9a fd 62 1b d a3 73 ea
my nat hash : 79 d4 19 aa 2e 88 fb b7 46 52 64 6e 11 5a 21 23
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP: Locking UDP_ENC struct 0xf5267c from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src: x.x.x.x, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
ISAKMP: sa not found for ike msg

From geert.nijs at gmail.com Thu Dec 24 06:55:02 2009
From: geert.nijs at gmail.com (Geert Nijs)
Date: Thu, 24 Dec 2009 12:55:02 +0100
Subject: [c-nsp] Order of booting line cards in C6500 and routing process delay
Message-ID:

Hello,

We are running subsecond OSPF in our enterprise LAN and just upgraded
our core switches. When one core was being brought up, we lost 30
seconds of pings to our server farm (which is hanging off the core
switches redundantly in L3). The setup is a bit more complicated, but
analysing the boot, i noticed that all OSPF links came up rather
"randomly" and i think the downtime came from blackholing traffic
because neighborships were still missing. For example: the server farm
OSPF neighborship gets up first. Since this is a stubby area, the only
route added is a default route. The server farm starts to loadbalance
to the two cores, but on one of the core switches the downstream links
are not yet up, resulting in blackholing traffic.

So my question is: can i put a WAIT timer on the routing process so that
it waits until all linecards are booted and then initiates the routing
process (preferably in a certain predetermined sequence) ?
Or on the server farm core, can i put a HOLD timer on the ospf neighborship with the core ? ( a bit like you can configure a PRE-EMPT delay on HSRP neighbors ?) regards, Geert From eng_mssk at hotmail.com Thu Dec 24 07:54:34 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Thu, 24 Dec 2009 14:54:34 +0200 Subject: [c-nsp] IPSEC VPN Message-ID: hi all i have the following topology router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0 router4 F0/0 --> router5 F0/0 below is the configuration: router1: interface FastEthernet0/0 ip address 192.168.1.100 255.255.255.0 no ip route-cache speed 100 full-duplex router2: crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 92.62.113.1 no-xauth crypto ipsec transform-set kulacom esp-des esp-md5-hmac crypto map MAP 10 ipsec-isakmp set peer 92.62.113.1 set transform-set kulacom match address 110 interface Loopback0 ip address 2.2.2.2 255.255.255.255 ! interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 speed 100 full-duplex ! interface Serial0/0 ip address 212.118.0.1 255.255.255.0 clock rate 64000 crypto map MAP ! router ospf 1 router-id 2.2.2.2 log-adjacency-changes network 2.2.2.2 0.0.0.0 area 0 network 212.118.0.1 0.0.0.0 area 0 access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 router3: interface Loopback0 ip address 3.3.3.3 255.255.255.255 ! interface Serial0/0 ip address 212.118.0.2 255.255.255.0 ! interface Serial0/1 ip address 92.62.113.2 255.255.255.0 router ospf 1 router-id 3.3.3.3 log-adjacency-changes network 3.3.3.3 0.0.0.0 area 0 network 92.62.113.2 0.0.0.0 area 0 network 212.118.0.2 0.0.0.0 area 0 router4: crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 212.118.0.1 no-xauth ! ! crypto ipsec transform-set kulacom esp-des esp-md5-hmac ! crypto map MAP 10 ipsec-isakmp set peer 212.118.0.1 set transform-set kulacom match address 120 interface Loopback0 ip address 4.4.4.4 255.255.255.255 ! 
interface FastEthernet0/0 ip address 192.168.2.1 255.255.255.0 speed 100 full-duplex ! interface Serial0/0 ip address 92.62.113.1 255.255.255.0 crypto map MAP ! router ospf 1 router-id 4.4.4.4 log-adjacency-changes network 4.4.4.4 0.0.0.0 area 0 network 92.62.113.1 0.0.0.0 area 0 ! access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 router5: interface FastEthernet0/0 ip address 192.168.2.100 255.255.255.0 no ip route-cache speed 100 full-duplex the IPSEC is not established and nothing appears when issuing the command show crypto isakmp sa and neither the ping from both sides is successful am i missing anything here ? thanks in advance _________________________________________________________________ Keep your friends updated?even when you?re not signed in. http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_5:092010 From eng_mssk at hotmail.com Thu Dec 24 07:55:44 2009 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Thu, 24 Dec 2009 14:55:44 +0200 Subject: [c-nsp] Time Based QoS Message-ID: hi all can i do certain QoS configuration based on a specific time ? for example i want to prioritize http traffic from x to y , and voip traffic from y o z for example? _________________________________________________________________ Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you. 
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010 From brett.wooldridge at gmail.com Thu Dec 24 08:20:08 2009 From: brett.wooldridge at gmail.com (Brett Wooldridge) Date: Thu, 24 Dec 2009 22:20:08 +0900 Subject: [c-nsp] Cisco CNS initial configuration In-Reply-To: <4B30C531.8010305@imperial.ac.uk> References: <71a64ba60912220404o8b850f8m79a2388bd2c59a6f@mail.gmail.com> <4B30C531.8010305@imperial.ac.uk> Message-ID: <71a64ba60912240520j1f1f73f8ve071eae6041cb9ff@mail.gmail.com> Phil, I'm sending back a content type of "application/xml". Though it doesn't seem to matter what content type I return. I've turned on all debugging, what I'm getting is a failure to parse the top-level tag. Something along the lines of "No handler for tag rpc". I've jettisoned 'rpc' as the top level tag and tried about twenty other tags. I even went so far as to run the unix 'strings' command on the uncompressed IOS image -- resulting in about 4000 unique strings. I've tried many of the obvious ones as top level tags, "config", "config-data", "startup", "response", "boot", etc. It's not a fruitful exercise. All result in the same error, "No handler for tag XXX". I'm down to putting out a call to anyone where with a Cisco Configuration Engine (any version). If you have said beast, would you be willing to wireshark a 'cns config initial' conversation between a device (any IOS) and CCE? You'll be enriching the fountain of knowledge from which we all drink. I'll be happy to fully document the results here for posterity. TIA, Brett On Tue, Dec 22, 2009 at 10:10 PM, Phil Mayers wrote: > >> What I'm currently sending the device is this: >> >> >> > "xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> >> >> >> replace >> test-then-set >> stop-on-error >> > xc:operation="replace"> >> >> ... config text here ... >> >> >> >> > > What Content-Type are you sending in the HTTP headers? 
>
> Have you tried the various "debug cns" commands; they seemed to provide
> varying degrees of info when I tried them (though I was trying to use
> netconf over SSH, as you say they seem to use the same underlying subsystem)
>

From shaharurrizal at gmail.com Thu Dec 24 08:47:17 2009
From: shaharurrizal at gmail.com (coredump)
Date: Thu, 24 Dec 2009 05:47:17 -0800 (PST)
Subject: [c-nsp] Time Based QoS
Message-ID: <3a5da71c-d32e-48c6-97d2-5655d9fc22bd@v15g2000prn.googlegroups.com>

I believe this is what you're searching for;

http://www.cisco.com/en/US/tech/tk543/tk759/technologies_tech_note09186a00801aa69d.shtml

On Dec 24, 8:55 pm, Mohammad Khalil wrote:
> hi all
>
> can i do certain QoS configuration based on a specific time ?
> for example i want to prioritize http traffic from x to y , and voip traffic from y to z for example?

From lists at hojmark.org Thu Dec 24 08:49:55 2009
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 24 Dec 2009 14:49:55 +0100
Subject: [c-nsp] Order of booting line cards in C6500 and routing process delay
Message-ID: <1as6j5tit896ql21v1ha813vbsaqjqbe8v@hojmark.net>

On Thu, 24 Dec 2009 12:55:02 +0100, you wrote:

> So my question is: can i put a WAIT timer on the routing process so that it
> waits until all linecards are booted and then initiates the routing process

 router ospf 1
  max-metric router-lsa external-lsa on-startup 300

does more or less what you're asking, i.e.
telling the router to let *other* routers know that it cannot be used for transit for the first 300 sec.

> (preferably in a certain predetermined sequence) ?

The line cards boot top down (except for the supervisor, of course).

-A

From dean at eatworms.org.uk Thu Dec 24 08:55:23 2009
From: dean at eatworms.org.uk (Dean Smith)
Date: Thu, 24 Dec 2009 13:55:23 -0000
Subject: [c-nsp] Time Based QoS
Message-ID: <003601ca84a0$bd9b0f10$38d12d30$@org.uk>

If you can combine time based acls into your class maps to match different protocols into different classes according to time ....then yes quite easily.

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html

If thats not flexible enough...you'd have to look at a combination of EEM/TCL/CRON to reconfigure your class-maps / policy-maps at certain times

http://www.cisco.com/web/go/eem

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: 24 December 2009 12:56
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Time Based QoS

hi all

can i do certain QoS configuration based on a specific time ?
for example i want to prioritize http traffic from x to y , and voip traffic from y to z for example?
From avayner at cisco.com Thu Dec 24 09:01:12 2009
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 24 Dec 2009 15:01:12 +0100
Subject: [c-nsp] Time Based QoS
In-Reply-To: <3a5da71c-d32e-48c6-97d2-5655d9fc22bd@v15g2000prn.googlegroups.com>
References: <3a5da71c-d32e-48c6-97d2-5655d9fc22bd@v15g2000prn.googlegroups.com>

Be careful with this, as it is not supported on all platforms...
Can you provide a little bit more info?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of coredump
Sent: Thursday, December 24, 2009 15:47
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Time Based QoS

I believe this is what you're searching for;

http://www.cisco.com/en/US/tech/tk543/tk759/technologies_tech_note09186a00801aa69d.shtml

On Dec 24, 8:55 pm, Mohammad Khalil wrote:
> hi all
>
> can i do certain QoS configuration based on a specific time ?
> for example i want to prioritize http traffic from x to y , and voip traffic from y to z for example?
From eng_mssk at hotmail.com Thu Dec 24 09:20:35 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 24 Dec 2009 16:20:35 +0200
Subject: [c-nsp] Time Based QoS
References: <3a5da71c-d32e-48c6-97d2-5655d9fc22bd@v15g2000prn.googlegroups.com>

well , i have some leased line customers that want to make voip traffic get the whole priority over any other type of traffic
the customer is terminated on Cisco ME3750 switches

> Subject: RE: [c-nsp] Time Based QoS
> Date: Thu, 24 Dec 2009 15:01:12 +0100
> From: avayner at cisco.com
> To: shaharurrizal at gmail.com; cisco-nsp at puck.nether.net; eng_mssk at hotmail.com
>
> Be careful with this, as it is not supported on all platforms...
> Can you provide a little bit more info?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of coredump
> Sent: Thursday, December 24, 2009 15:47
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Time Based QoS
>
> I believe this is what you're searching for;
>
> http://www.cisco.com/en/US/tech/tk543/tk759/technologies_tech_note09186a00801aa69d.shtml
>
> On Dec 24, 8:55 pm, Mohammad Khalil wrote:
> > hi all
> >
> > can i do certain QoS configuration based on a specific time ?
> > for example i want to prioritize http traffic from x to y , and voip traffic from y to z for example?
From eng_mssk at hotmail.com Thu Dec 24 09:24:28 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 24 Dec 2009 16:24:28 +0200
Subject: [c-nsp] IPSEC VPN
In-Reply-To: <5DC4853C6CC3EE4788779E0726E034DD06DA53@zy-ex1.zyedge.local>
References: <5DC4853C6CC3EE4788779E0726E034DD06DA53@zy-ex1.zyedge.local>

Dear Ryan

i disabled routing on router 1 and router 5 to simulate them as hosts only and not to participate in the routing
and r2 through the f0/0 interface can see the subnet to r1 through the directly connected interface

am i right ??

> From: rwest at zyedge.com
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] IPSEC VPN
> Date: Thu, 24 Dec 2009 14:09:15 +0000
>
> Mohammad,
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> > Sent: Thursday, December 24, 2009 7:55 AM
> >
> > i have the following topology
> > router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0
> > router4 F0/0 --> router5 F0/0
> >
>
> From your post, it's not clear if router1 has a default route pointing to router2 and that router2 has a route back to the internal segment of router1.
> Likewise from the perspective of router 4 and 5.
>
> -ryan

From long.kenny at gmail.com Thu Dec 24 09:25:11 2009
From: long.kenny at gmail.com (Kenny Long)
Date: Thu, 24 Dec 2009 07:25:11 -0700
Subject: [c-nsp] vpn l2l issue - pix 506E to an asa5510
In-Reply-To: <177d01ab52f1a7be7b4fa97f26a0e059.squirrel@mail.panix.com>
References: <177d01ab52f1a7be7b4fa97f26a0e059.squirrel@mail.panix.com>

Dalton,

I dont see the problem in the debug, but it would be better to have both debugs (PIX and ASA) and also a sanitized copy of each config.

Kenny

On Thu, Dec 24, 2009 at 4:46 AM, dalton wrote:
>
> Hi all,
>
> I am having a strange issue trying to establish a tunnel between a pix
> 506E and an ASA5510.
>
> sh isa sa on my pix shows tunnel status as failing at MM_KEY_EXCH
>
> i have verified the phase 1 settings and key to be correct here,
>
> also running the pix in debug mode, it appears the pix is passing phase 1.
>
> I am natting the destination nets here, and am wondering if perhaps this
> is causing the issue.
>
> Phase 2 settings and acls also appear to be correct, tho in some sense i
> can't seem to get beyond phase 1 according to the pix.
>
> Any insight would be greatly appreciated. Pix debug output is below.
>
> Thanks alot,
> dalton
>
> ISAKMP (0): Checking ISAKMP transform 4 against priority 18 policy
> ISAKMP: encryption 3DES-CBC
> ISAKMP: hash MD5
> ISAKMP: default group 2
> ISAKMP: auth pre-share
> ISAKMP: life type in seconds
> ISAKMP: life duration (basic) of 28800
> ISAKMP (0): atts are acceptable.
> Next payload is 0
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0:0): vendor ID is NAT-T
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): SA is doing pre-shared key authentication using id type
> ID_IPV4_ADDR
> ISAKMP (0:0): constructed HIS NAT-D
> ISAKMP (0:0): constructed MINE NAT-D
> ISAKMP (0:0): Detected port floating
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): received xauth v6 vendor id
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to another IOS box!
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to a VPN3000 concentrator
>
> ISAKMP (0:0): Detected NAT-D payload
> ISAKMP (0:0): NAT does not match MINE hash
> hash received: 88 37 3a f4 5e bc 63 c4 9a fd 62 1b d a3 73 ea
> my nat hash : 79 d4 19 aa 2e 88 fb b7 46 52 64 6e 11 5a 21 23
> ISAKMP (0:0): Detected NAT-D payload
> ISAKMP (0:0): NAT match HIS hash
> ISAKMP: Locking UDP_ENC struct 0xf5267c from crypto_ikmp_udp_enc_ike_init,
> count 1
> ISAKMP (0): ID payload
> next-payload : 8
> type : 1
> protocol : 17
> port : 0
> length : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src: x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: sa not found for ike msg
>

From rwest at zyedge.com Thu Dec 24 09:03:10 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 24 Dec 2009 14:03:10 +0000
Subject: [c-nsp] vpn l2l issue - pix 506E to an asa5510
In-Reply-To: <177d01ab52f1a7be7b4fa97f26a0e059.squirrel@mail.panix.com>
References: <177d01ab52f1a7be7b4fa97f26a0e059.squirrel@mail.panix.com>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD06DA13@zy-ex1.zyedge.local>

Dalton,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of dalton
> Sent: Thursday, December 24, 2009 6:47 AM
>
>
> Hi all,
>
> I am having a strange issue trying to establish a tunnel between a pix
> 506E and an ASA5510.
>
> sh isa sa on my pix shows tunnel status as failing at MM_KEY_EXCH
>
> i have verified the phase 1 settings and key to be correct here,
>
> also running the pix in debug mode, it appears the pix is passing phase
> 1.
>
> I am natting the destination nets here, and am wondering if perhaps
> this
> is causing the issue.
>

Have you tried entering in the passwords again on both sides? Can you post your relevant NAT, interesting ACLs, and crypto settings?

-ryan

From rwest at zyedge.com Thu Dec 24 09:09:15 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 24 Dec 2009 14:09:15 +0000
Subject: [c-nsp] IPSEC VPN
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD06DA53@zy-ex1.zyedge.local>

Mohammad,

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Thursday, December 24, 2009 7:55 AM
> i have the following topology
> router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0
> router4 F0/0 --> router5 F0/0
>

From your post, it's not clear if router1 has a default route pointing to router2 and that router2 has a route back to the internal segment of router1. Likewise from the perspective of router 4 and 5.
-ryan

From jared at puck.nether.net Thu Dec 24 09:37:06 2009
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 24 Dec 2009 09:37:06 -0500
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
References: <4B32BA9A.5070101@ibctech.ca> <339587.1594.qm@web53701.mail.re2.yahoo.com>
Message-ID: <49011160-B2F9-4C42-8D24-9001D5460DEF@puck.nether.net>

It may be worthwhile to name & shame the provider for intercepting your h.323 directed traffic.

(Unless of course you're in one of those countries that uses high telecom rates to justify blocking VoIP).

- Jared

On Dec 24, 2009, at 3:20 AM, Ziv Leyes wrote:

> Oh, man, that's dirty, why would they do that??
> Just when it started to get interesting...
> But I'm glad for you that the issue is resolved
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of abs
> Sent: Thursday, December 24, 2009 3:01 AM
> To: Steve Bertrand
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] RESOLVED: Port 1720 & 1863
>
> thank you all for your help. for the folks interested the issue was that the two ports are being intercepted by my ISP. once again thank you all for your help
>
> cheers,
> abs
>
> --- On Wed, 12/23/09, Steve Bertrand wrote:
>
> From: Steve Bertrand
> Subject: Re: [c-nsp] Port 1720 & 1863
> To: "abs"
> Date: Wednesday, December 23, 2009, 7:49 PM
>
> abs wrote:
>> Now this makes a lot more sense. i was going crazy trying to figure
>> this out. I think they are doing the same for port 1863.
>>
>> It would be greatly appreciated if you could setup a vm for me to run
>> some scans off of.
>
> No problem.
>
> I've got to finish up writing some code right now, so I'll get the vm
> set up first thing tomorrow before I'm done for the week.
>
> Hopefully you're familiar with FreeBSD, as that is what the host will be.
>
> All I ask is that you *only* probe hosts that are your own. I'm an ISP,
> and I've been burned before after being taken advantage of after doing
> favours like this.
>
> Believe it or not, I'm not generally a trusting person, but that is
> generally outweighed by my desire to help others.
>
> So, with that understanding, and the understanding that you can do
> whatever you want within the vm so long as there is no network abuse,
> I'll get things configured, and send you the detail in the morning so
> that you can SSH into the box via IPv4 and IPv6.
>
> Cheers!
>
> Steve
>
> ps. it would likely be kind to reply your original post to the cisco-nsp
> list with [RESOLVED] in the subject, just so the others who were
> following the thread can rest assured that all is well and good with you ;)
From zivl at gilat.net Thu Dec 24 09:45:26 2009
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 24 Dec 2009 16:45:26 +0200
Subject: [c-nsp] IPSEC VPN

IF I get it right, what you're trying to achieve is connectivity between 192.168.1.x and 192.168.2.x.

In order for the IPSEC tunnel to go up there is need for "interesting traffic" meaning a 192.168.1.x host tries to reach a 192.168.2.x host.
If you want to do it with the routers then you must make sure you're pinging with the router's proper source IP or interface, because if not, the router will use its default interface towards the other network which is the serial and not the fast interface.
Hope this helps

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Thursday, December 24, 2009 2:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSEC VPN

hi all

i have the following topology
router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0 router4 F0/0 --> router5 F0/0

below is the configuration:
router1:
interface FastEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 speed 100
 full-duplex

router2:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 92.62.113.1 no-xauth

crypto ipsec transform-set kulacom esp-des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 92.62.113.1
 set transform-set kulacom
 match address 110

interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 ip address 212.118.0.1 255.255.255.0
 clock rate 64000
 crypto map MAP
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 212.118.0.1 0.0.0.0 area 0

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

router3:
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 212.118.0.2 255.255.255.0
!
interface Serial0/1
 ip address 92.62.113.2 255.255.255.0

router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 92.62.113.2 0.0.0.0 area 0
 network 212.118.0.2 0.0.0.0 area 0

router4:
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 212.118.0.1 no-xauth
!
!
crypto ipsec transform-set kulacom esp-des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 212.118.0.1
 set transform-set kulacom
 match address 120

interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 ip address 92.62.113.1 255.255.255.0
 crypto map MAP
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 92.62.113.1 0.0.0.0 area 0
!
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

router5:
interface FastEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 no ip route-cache
 speed 100
 full-duplex

the IPSEC is not established and nothing appears when issuing the command show crypto isakmp sa
and neither the ping from both sides is successful

am i missing anything here ?

thanks in advance
From rwest at zyedge.com Thu Dec 24 09:46:57 2009
From: rwest at zyedge.com (Ryan West)
Date: Thu, 24 Dec 2009 14:46:57 +0000
Subject: [c-nsp] IPSEC VPN
References: <5DC4853C6CC3EE4788779E0726E034DD06DA53@zy-ex1.zyedge.local>
Message-ID: <5DC4853C6CC3EE4788779E0726E034DD06DD0F@zy-ex1.zyedge.local>

My fault there, I misread that the first time. From R2 and R4 can you post 's run | s cry' and then do a 'deb cry isa' on both sides and try again.

-ryan

From: Mohammad Khalil [mailto:eng_mssk at hotmail.com]
Sent: Thursday, December 24, 2009 9:24 AM
To: Ryan West; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IPSEC VPN

Dear Ryan

i disabled routing on router 1 and router 5 to simulate them as hosts only and not to participate in the routing
and r2 through the f0/0 interface can see the subnet to r1 through the directly connected interface

am i right ??
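Added example, not from any poster in this thread: a small Python checker that runs the questions the replies raise against the router2 and router4 excerpts posted above, i.e. whether the ISAKMP key address matches 'set peer', whether each peer is the address the other side applied 'crypto map MAP' to, whether the two crypto ACLs mirror, which ping sources count as interesting traffic (Ziv's point), and whether any static route in the excerpt covers the remote LAN at all (Ryan's point). It assumes contiguous wildcard masks and that only static routes are visible in a config excerpt; the weak-algorithm flag (DES, MD5) is a review caveat, not the cause of the failure.

```python
"""Consistency checks for the router2 <-> router4 crypto-map pair from the
IPSEC VPN thread: key address vs. 'set peer', peer vs. the interface the other
side applied the map to, mirrored crypto ACLs, whether a given ping counts as
'interesting traffic', and whether any static route covers the remote LAN."""
import ipaddress
import re

# Excerpts of the configs posted in the thread; only the lines these checks
# read are kept (OSPF, loopbacks, LAN interfaces and policy lines left out).
ROUTER2 = """
crypto isakmp key cisco address 92.62.113.1 no-xauth
crypto ipsec transform-set kulacom esp-des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
 set peer 92.62.113.1
 match address 110
interface Serial0/0
 ip address 212.118.0.1 255.255.255.0
 crypto map MAP
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ROUTER4 = """
crypto isakmp key cisco address 212.118.0.1 no-xauth
crypto ipsec transform-set kulacom esp-des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
 set peer 212.118.0.1
 match address 120
interface Serial0/0
 ip address 92.62.113.1 255.255.255.0
 crypto map MAP
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Legacy transforms worth flagging in review; a caveat, not the cause here.
WEAK = {"esp-des", "esp-md5-hmac"}

def wildcard_net(addr, wildcard):
    """IOS 'network wildcard' pair -> network (contiguous wildcards only)."""
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_crypto(config):
    """Collect the crypto-map related facts from an IOS config excerpt."""
    info = {"isakmp_peers": set(), "map_peers": set(), "acl_id": None,
            "crypto_if_ip": None, "algos": set(), "static_routes": []}
    acls, if_ip = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"crypto isakmp key \S+ address (\S+).*", line):
            info["isakmp_peers"].add(m.group(1))
        elif m := re.fullmatch(r"set peer (\S+)", line):
            info["map_peers"].add(m.group(1))
        elif m := re.fullmatch(r"match address (\d+)", line):
            info["acl_id"] = m.group(1)
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            info["algos"].update(m.group(1).split())
        elif line.startswith("interface "):
            if_ip = None                                   # new interface block
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            if_ip = m.group(1)
        elif re.fullmatch(r"crypto map \S+", line):        # map applied here
            info["crypto_if_ip"] = if_ip
        elif m := re.fullmatch(r"ip route (\S+) (\S+) .*", line):
            info["static_routes"].append(
                ipaddress.ip_network(m.group(1, 2), strict=False))
        elif m := re.fullmatch(
                r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(
                (wildcard_net(*m.group(2, 3)), wildcard_net(*m.group(4, 5))))
    info["acl"] = acls.get(info["acl_id"], [])
    return info

def is_interesting(info, src, dst):
    """Would a packet src -> dst match the crypto ACL and so trigger IKE?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in info["acl"])

def static_route_covers(info, dst):
    """Static routes only; dynamically learned ones must be checked on the box."""
    return any(ipaddress.ip_address(dst) in n for n in info["static_routes"])

def check_pair(a, b):
    """Pairwise consistency findings; True means that check passes."""
    return {
        "key_matches_peer": a["isakmp_peers"] == a["map_peers"]
        and b["isakmp_peers"] == b["map_peers"],
        "peers_face_crypto_interfaces": a["map_peers"] == {b["crypto_if_ip"]}
        and b["map_peers"] == {a["crypto_if_ip"]},
        "acls_mirrored": set(a["acl"]) == {(d, s) for s, d in b["acl"]},
        "weak_algorithms": sorted((a["algos"] | b["algos"]) & WEAK),
    }

if __name__ == "__main__":
    r2, r4 = parse_crypto(ROUTER2), parse_crypto(ROUTER4)
    print(check_pair(r2, r4))
    # Ziv's point: an unsourced ping from R2 leaves with the serial address,
    # which ACL 110 does not cover. Ryan's point: nothing posted routes
    # 192.168.2.0/24 towards Serial0/0 at all.
    print(is_interesting(r2, "212.118.0.1", "192.168.2.100"),
          is_interesting(r2, "192.168.1.1", "192.168.2.100"),
          static_route_covers(r2, "192.168.2.100"))
```

The posted pair passes every mirror and peer check, so the checker points at the two things the thread actually asks about: the ping source and the missing route towards the crypto interface.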
From eng_mssk at hotmail.com Thu Dec 24 10:06:57 2009
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 24 Dec 2009 17:06:57 +0200
Subject: [c-nsp] IPSEC VPN

Thanks Zivl for your support
i made the exact thing u told me before i post this mail thats y i got complicated !!

> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Thu, 24 Dec 2009 16:45:26 +0200
> Subject: Re: [c-nsp] IPSEC VPN
>
> IF I get it right, what you're trying to achieve is connectivity between 192.168.1.x and 192.168.2.x.
>
> In order for the IPSEC tunnel to go up there is need for "interesting traffic" meaning a 192.168.1.x host tries to reach a 192.168.2.x host.
> If you want to do it with the routers then you must make sure you're pinging with the router's proper source IP or interface, because if not, the router will use its default interface towards the other network which is the serial and not the fast interface.
> Hope this helps
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Thursday, December 24, 2009 2:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC VPN
>
>
> hi all
>
> i have the following topology
> router1 F0/0 --> F0/0 router2 S0/0 --> S0/0 router3 S0/1 --> s0/0 router4 F0/0 --> router5 F0/0
>
> below is the configuration:
> router1:
> interface FastEthernet0/0
> ip address 192.168.1.100 255.255.255.0
> no ip route-cache
> speed 100
> full-duplex
>
> router2:
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco address 92.62.113.1 no-xauth
>
> crypto ipsec transform-set kulacom esp-des esp-md5-hmac
>
> crypto map MAP 10 ipsec-isakmp
> set peer 92.62.113.1
> set transform-set kulacom
> match address 110
>
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 192.168.1.1 255.255.255.0
> speed 100
> full-duplex
> !
> interface Serial0/0
> ip address 212.118.0.1 255.255.255.0
> clock rate 64000
> crypto map MAP
> !
> router ospf 1
> router-id 2.2.2.2
> log-adjacency-changes
> network 2.2.2.2 0.0.0.0 area 0
> network 212.118.0.1 0.0.0.0 area 0
>
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> router3:
> interface Loopback0
> ip address 3.3.3.3 255.255.255.255
> !
> interface Serial0/0
> ip address 212.118.0.2 255.255.255.0
> !
> interface Serial0/1
> ip address 92.62.113.2 255.255.255.0
>
> router ospf 1
> router-id 3.3.3.3
> log-adjacency-changes
> network 3.3.3.3 0.0.0.0 area 0
> network 92.62.113.2 0.0.0.0 area 0
> network 212.118.0.2 0.0.0.0 area 0
>
> router4:
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco address 212.118.0.1 no-xauth
> !
> !
> crypto ipsec transform-set kulacom esp-des esp-md5-hmac
> !
> crypto map MAP 10 ipsec-isakmp
> set peer 212.118.0.1
> set transform-set kulacom
> match address 120
>
> interface Loopback0
> ip address 4.4.4.4 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 192.168.2.1 255.255.255.0
> speed 100
> full-duplex
> !
> interface Serial0/0
> ip address 92.62.113.1 255.255.255.0
> crypto map MAP
>
> !
> router ospf 1
> router-id 4.4.4.4
> log-adjacency-changes
> network 4.4.4.4 0.0.0.0 area 0
> network 92.62.113.1 0.0.0.0 area 0
> !
> access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
>
> router5:
> interface FastEthernet0/0
> ip address 192.168.2.100 255.255.255.0
> no ip route-cache
> speed 100
> full-duplex
>
> the IPSEC is not established and nothing appears when issuing the command show crypto isakmp sa
> and neither the ping from both sides is successful
>
> am i missing anything here ?
>
> thanks in advance
From jmaimon at ttec.com Thu Dec 24 10:48:23 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 24 Dec 2009 10:48:23 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
Message-ID: <4B338D47.3030705@ttec.com>

So this happily running router executes a write mem, which archives a copy to the CF card.

Then it hangs and doesnt come back.

Hard reset of the router doesnt read the CF card and boots the boot helper instead or just hangs.

ROMMON cant read the CF card, a 256MB. Cant read a new 1G card. Cant read a cisco branded 64MB card.

dir disk2:
open: read error...requested 0x4 bytes, got 0xffffff8
trouble reading device magic number

Booting the router from tftp works.

Up and running 15.0.1, neither that nor the boot helper 12.3(5a) can read the 64MB card.

%Error show disk2: (No such device)

Inserting the 256MB or the 1GB more often than not hangs the routers.

Sounds broken. Anyone else seen something like this?

Joe

From sethm at rollernet.us Thu Dec 24 11:00:48 2009
From: sethm at rollernet.us (Seth Mattinen)
Date: Thu, 24 Dec 2009 08:00:48 -0800
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <79673B39-9023-4E69-B321-3E48F6135E46@arbor.net>
References: <4B323398.3060908@warner.fm> <6F51B50ECF32084788B9B3A8469A71B52918E23050@EXCHCLUSTER1-02.win.slac.stanford.edu> <79673B39-9023-4E69-B321-3E48F6135E46@arbor.net>
Message-ID: <4B339030.2000300@rollernet.us>

Dobbins, Roland wrote:
>
>> Flexibility (tends to favor eor - any service at any port)
>
> Strongly disagree - service switches are the answer for this.

I'm not aware of a TOR switch that can provide PRI, POTS or other non-Ethernet service that a customer could want if you're in a colocation situation.
~Seth

From eric.hoelzle at gmail.com Thu Dec 24 11:35:50 2009
From: eric.hoelzle at gmail.com (Eric Hoelzle)
Date: Thu, 24 Dec 2009 11:35:50 -0500
Subject: [c-nsp] 8 Racks of Servers and Growing; switch/layout recommendations
In-Reply-To: <4B339030.2000300@rollernet.us>
References: <4B323398.3060908@warner.fm> <6F51B50ECF32084788B9B3A8469A71B52918E23050@EXCHCLUSTER1-02.win.slac.stanford.edu> <79673B39-9023-4E69-B321-3E48F6135E46@arbor.net> <4B339030.2000300@rollernet.us>
Message-ID: <3c92c0cf0912240835r7b176520i31ef33c08ef1a5cc@mail.gmail.com>

On Thu, Dec 24, 2009 at 11:00 AM, Seth Mattinen wrote:
> Dobbins, Roland wrote:
>>
>>> Flexibility (tends to favor eor - any service at any port)
>>
>> Strongly disagree - service switches are the answer for this.
>
> I'm not aware of a TOR switch that can provide PRI, POTS or other
> non-Ethernet service that a customer could want if you're in a
> colocation situation.

You can stack ISR's with 3750's to accomplish this. But in a non-colo situation, why not use copper/fiber distribution like Panduit's quicknet stuff back to a centralized chassis or stackable switching area?

--
Eric

From ml at kenweb.org Thu Dec 24 11:37:39 2009
From: ml at kenweb.org (ML)
Date: Thu, 24 Dec 2009 11:37:39 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B338D47.3030705@ttec.com>
References: <4B338D47.3030705@ttec.com>
Message-ID: <4B3398D3.9000302@kenweb.org>

Joe Maimon wrote:
> So this happily running router executes a write mem, which archives a
> copy to the CF card.
>
> Then it hangs and doesnt come back.
>
> Hard reset of the router doesnt read the CF card and boots the boot
> helper instead or just hangs.
>
> ROMMON cant read the CF card, a 256MB. Cant read a new 1G card. Cant
> read a cisco branded 64MB card.
>
> dir disk2:
> open: read error...requested 0x4 bytes, got 0xffffff8
> trouble reading device magic number
>
> Booting the router from tftp works.
> > Up and running 15.0.1, neither that nor the boot helper 12.3(5a) can > read the 64MB card. > > %Error show disk2: (No such device) > > Inserting the 256MB or the 1GB more often than not hangs the routers. > > Sounds broken. Anyone else seen something like this? > > Joe > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ Are the alternate CF cards formatted correctly for your platform? The original CF card may have gone bad but if you're sure the other CF cards are OK then they may be formatted wrong. From avayner at cisco.com Thu Dec 24 11:39:50 2009 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Thu, 24 Dec 2009 17:39:50 +0100 Subject: [c-nsp] Time Based QoS In-Reply-To: References: <3a5da71c-d32e-48c6-97d2-5655d9fc22bd@v15g2000prn.googlegroups.com>, Message-ID: OK, then why do you need time based policy? Just map the voice traffic to the priority queue... Arie From: Mohammad Khalil [mailto:eng_mssk at hotmail.com] Sent: Thursday, December 24, 2009 16:21 To: Arie Vayner (avayner); shaharurrizal at gmail.com; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Time Based QoS well , i have come leased line customers that wants to make voip traffic get the whole priority other than any type of traffic the customer is terminated on Cisco ME3750 switches > Subject: RE: [c-nsp] Time Based QoS > Date: Thu, 24 Dec 2009 15:01:12 +0100 > From: avayner at cisco.com > To: shaharurrizal at gmail.com; cisco-nsp at puck.nether.net; eng_mssk at hotmail.com > > Be careful with this, as it is not supported on all platforms... > Can you provide a little bit more info? 
> > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of coredump > Sent: Thursday, December 24, 2009 15:47 > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Time Based QoS > > I believe this is what you're searching for; > > http://www.cisco.com/en/US/tech/tk543/tk759/technologies_tech_note09186a 00801aa69d.shtml > > On Dec 24, 8:55 pm, Mohammad Khalil wrote: > > hi all > > > > can i do certain QoS configuration based on a specific time ? > > for example i want to prioritize http traffic from x to y , and voip traffic from y o z for example? > > > > _________________________________________________________________ > > Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-ac t... > > _______________________________________________ > > cisco-nsp mailing list cisco-... at puck.nether.nethttps://puck.nether.net/mailman/listinfo/cisco- nsp > > archive athttp://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/p! ipermail /cisco-nsp/ ________________________________ Keep your friends updated- even when you're not signed in. From jmaimon at ttec.com Thu Dec 24 11:51:25 2009 From: jmaimon at ttec.com (Joe Maimon) Date: Thu, 24 Dec 2009 11:51:25 -0500 Subject: [c-nsp] NPE-G1 cant read Compact Flash In-Reply-To: <4B3398D3.9000302@kenweb.org> References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> Message-ID: <4B339C0D.5060906@ttec.com> ML wrote: > Are the alternate CF cards formatted correctly for your platform? Probably. However, IOS doesnt seem to think there is any card there or worse, it hangs upon insert. 
> > The original CF card may have gone bad but if you're sure the other CF > cards are OK then they may be formatted wrong. The card is fine, tested in external reader. They are all fine. Thanks. From saktas at thrupoint.net Thu Dec 24 12:39:02 2009 From: saktas at thrupoint.net (Sercan Aktas) Date: Thu, 24 Dec 2009 21:39:02 +0400 Subject: [c-nsp] ASA Transparent Firewall with Multiple VLANs Message-ID: <000001ca84bf$ff777800$fe666800$@net> Hi guys, I have a specific customer scenario, where multiple VLANs need to be firewalled and due to the environment transparent firewall seems to be the best solution. However, this is an SP environment and my customer has the concern of having 50 virtual contexts as a serious limitation. I have seen in some Cisco documents stating that multiple VLANs in transparent mode were allowed either single mode or per virtual context. There is no detailed explanation or configuration example though. So what I am trying to find out is if I can bridge multiple VLAN pairs either through a single transparent firewall or a transparent virtual context? If this is doable, do any of you guys have a sample configuration as reference? Thanks, Sercan Note:The information contained in this message may be privileged and confidential and protected from disclosure . If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thankyou. ThruPoint Ltd. 
From lukasz at bromirski.net Thu Dec 24 14:24:30 2009
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Thu, 24 Dec 2009 20:24:30 +0100
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B339C0D.5060906@ttec.com>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com>
Message-ID: <4B33BFEE.9060706@bromirski.net>

On 2009-12-24 17:51, Joe Maimon wrote:
>> The original CF card may have gone bad but if you're sure the other CF
>> cards are OK then they may be formatted wrong.
> The card is fine, tested in external reader. They are all fine.

The CF slot of NPE-G1 is very picky about CF - even if it's from Cisco. I'd make sure I have the latest ROMMON loaded and then do the following:

- make the NPE-G1 boot the IOS correctly by any means - loading it until it goes up
- format the CF then - new ROMMONs tend to mask various 'problems' the reader may have with the CF
- then check if you can reboot the router safely and it will read the CF correctly

If you can't make it work - RMA the NPE. Maybe the CF reader is simply broken.

--
"Everything will be okay in the end.  | Łukasz Bromirski
 If it's not okay, it's not the end.  | http://lukasz.bromirski.net

From jmaimon at ttec.com Thu Dec 24 15:05:57 2009
From: jmaimon at ttec.com (Joe Maimon)
Date: Thu, 24 Dec 2009 15:05:57 -0500
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B33BFEE.9060706@bromirski.net>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com> <4B33BFEE.9060706@bromirski.net>
Message-ID: <4B33C9A5.9040205@ttec.com>

Łukasz Bromirski wrote:
> The CF slot of NPE-G1 is very picky about CF - even if it's from
> Cisco. I'd make sure I have latest ROMMON loaded and then do following:
>
> - make the NPE-G1 boot the IOS correctly by any means - loading
> it until it goes up

tftp with the boothelper, check.

> - format the CF then - new ROMMONs tend to mask various 'problems'
> the reader may have with the CF

Nothing seen in the disk2: or worse the router hangs.

> - then check if You can reboot the router safely and it will read
> the CF correctly

Nope.

> If You can't make it work - RMA the NPE. Maybe the CF reader is simply
> broken.

Seems like it.

From abhishake00 at yahoo.com Thu Dec 24 15:07:21 2009
From: abhishake00 at yahoo.com (abs)
Date: Thu, 24 Dec 2009 12:07:21 -0800 (PST)
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
In-Reply-To: <49011160-B2F9-4C42-8D24-9001D5460DEF@puck.nether.net>
Message-ID: <649021.33824.qm@web53707.mail.re2.yahoo.com>

Seems like everyone is interested in knowing the ISP. And the winner is..... Time Warner Cable. They are also doing the same for port 1863.

--- On Thu, 12/24/09, Jared Mauch wrote:

From: Jared Mauch
Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863
To: "Ziv Leyes"
Cc: "cisco-nsp at puck.nether.net"
Date: Thursday, December 24, 2009, 9:37 AM

It may be worthwhile to name & shame the provider for intercepting your H.323 directed traffic. (Unless of course you're in one of those countries that uses high telecom rates to justify blocking VoIP).

- Jared

On Dec 24, 2009, at 3:20 AM, Ziv Leyes wrote:

> Oh, man, that's dirty, why would they do that??
> Just when it started to get interesting...
> But I'm glad for you that the issue is resolved
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of abs
> Sent: Thursday, December 24, 2009 3:01 AM
> To: Steve Bertrand
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] RESOLVED: Port 1720 & 1863
>
> thank you all for your help. for the folks interested the issue was that the two ports are being intercepted by my ISP. once again thank you all for your help
>
> cheers,
> abs
>
> --- On Wed, 12/23/09, Steve Bertrand wrote:
>
> From: Steve Bertrand
> Subject: Re: [c-nsp] Port 1720 & 1863
> To: "abs"
> Date: Wednesday, December 23, 2009, 7:49 PM
>
> abs wrote:
>> Now this makes a lot more sense. i was going crazy trying to figure
>> this out. I think they are doing the same for port 1863.
>>
>> It would be greatly appreciated if you could setup a vm for me to run
>> some scans off of.
>
> No problem.
>
> I've got to finish up writing some code right now, so I'll get the vm
> set up first thing tomorrow before I'm done for the week.
>
> Hopefully you're familiar with FreeBSD, as that is what the host will be.
>
> All I ask is that you *only* probe hosts that are your own. I'm an ISP,
> and I've been burned before after being taken advantage of after doing
> favours like this.
>
> Believe it or not, I'm not generally a trusting person, but that is
> generally outweighed by my desire to help others.
>
> So, with that understanding, and the understanding that you can do
> whatever you want within the vm so long as there is no network abuse,
> I'll get things configured, and send you the detail in the morning so
> that you can SSH into the box via IPv4 and IPv6.
>
> Cheers!
>
> Steve
>
> ps. it would likely be kind to reply your original post to the cisco-nsp
> list with [RESOLVED] in the subject, just so the others who were
> following the thread can rest assured that all is well and good with you ;)

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ryan at hack.net Thu Dec 24 14:35:32 2009
From: ryan at hack.net (Ryan Brooks)
Date: Thu, 24 Dec 2009 13:35:32 -0600
Subject: [c-nsp] NPE-G1 cant read Compact Flash
In-Reply-To: <4B33BFEE.9060706@bromirski.net>
References: <4B338D47.3030705@ttec.com> <4B3398D3.9000302@kenweb.org> <4B339C0D.5060906@ttec.com> <4B33BFEE.9060706@bromirski.net>
Message-ID: <4B33C284.6070507@hack.net>

On 12/24/09 1:24 PM, Łukasz Bromirski wrote:
>
> The CF slot of NPE-G1 is very picky about CF - even if it's from
> Cisco. I'd make sure I have latest ROMMON loaded and then do following:
> [...]
> If You can't make it work - RMA the NPE. Maybe the CF reader is simply
> broken.

Another thought: if you've played with these cards a lot, had them in a card reader, etc., I might suggest getting rid of any cruft in the first few blocks:

dd if=/dev/zero of=/dev/yourrawcarddevice bs=1024 count=256

On any sort of Unix box will do the trick. (The values above aren't critical, just good enough to get rid of any garbage.)

-Ryan Brooks
ryan at hack.net

From tvarriale at comcast.net Thu Dec 24 15:35:54 2009
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 24 Dec 2009 14:35:54 -0600
Subject: [c-nsp] RESOLVED: Port 1720 & 1863
References: <649021.33824.qm@web53707.mail.re2.yahoo.com>
Message-ID: <512FA3E0D3874060AF00D7BAF13B9E6A@flamdt01>

Residential or business service?

tv

----- Original Message -----
From: "abs"
To: "Ziv Leyes" ; "Jared Mauch"
Cc:
Sent: Thursday, December 24, 2009 2:07 PM
Subject: Re: [c-nsp] RESOLVED: Port 1720 & 1863

Seems like everyone is interested in knowing the ISP. And the winner is..... Time Warner Cable. They are also doing the same for port 1863.

[...]